Neighbor Discovery Protocol (NDP) Proxy

itsmorefun · Feb 20, 2013, 11:42 AM

Hello,

Any chance to add a NDP proxy like one of them:

http://gitweb.fperrin.net/?p=ndp6.git;a=summary
http://priv.nu/projects/ndppd/

Thank :)

athurdent · Feb 20, 2013, 12:28 PM

So you would basically be able to use the same IPv6 subnet on both WAN and LAN? Strange. Wouldn't it be more elegant to just bridge the two interfaces and use transparent firewalling instead? Never tried that with IPv6, though…

itsmorefun · Feb 20, 2013, 12:47 PM

@athurdent:

So you would basically be able to use the same IPv6 subnet on both WAN and LAN? Strange. Wouldn't it be more elegant to just bridge the two interfaces and use transparent firewalling instead? Never tried that with IPv6, though…

Need NAT for ipv4.
Static routing only. (Provider want to see all ipv6 on the WAN side of the dedicated server.

http://linux-attitude.fr/post/proxy-ndp-ipv6
http://www.kueisaho.com/blog/mesfluxrss/author/frederic-perrin/
http://x0r.fr/blog/12
http://blog.vsense.fr/maj-vyatta-6-5-et-proxy-ndp/
http://resel.eu/

athurdent · Feb 21, 2013, 6:13 AM

You might be able to create a workaround using NAT: http://forum.pfsense.org/index.php/topic,58937.0.html together with IPv6 aliases on your WAN and ULA on the LAN side I guess. But maybe one of the IPv6 pro's here can come up with a better solution, I only tried "IPv6-Hide-NAT" so far which worked fairly well.

jimp · Feb 20, 2013, 1:58 PM

I think that just broke my brain.

Why on earth would they do that? That goes against the purpose of IPv6. IPv4 logic doesn't apply to IPv6, there is no scarcity of addresses forcing them to make you do that.

Demand a routed /64 at least or find a new ISP… (if you can)

itsmorefun · Feb 21, 2013, 7:33 AM

@jimp:

Demand a routed /64 at least or find a new ISP… (if you can)

I have a /64 BUT can't add route to it in the ISP router….
With tcpdump on wan side of pfsense i see "[ISP IPV6 'sGATEWAY]> ff02::1:ff79:8611: ICMP6, neighbor solicitation, who has [LAN COMPUTER'S IPV6], length 32

The ISP gateway know that the IPV6 of the wan pfsense is on @mac of the wan pfsense card because pfsense answer for his own ipv6.
But for ipv6 on my LAN side a NDP proxy is need…

cmb · Feb 21, 2013, 7:39 AM

there is a feature request open for a NDP proxy, which won't happen for 2.1 but maybe some point. But that isn't the intended use case, rather to have a proxy ARP equivalent for VIPs strictly at layer 2 w/v6. The described scenario is trying to fix something that's broken in ways that NDP proxy isn't a solution for, a proper routed v6 setup is the solution there.

itsmorefun · Feb 21, 2013, 8:23 PM

@cmb:

a proper routed v6 setup is the solution there.

but not possibly with my dedicated server hoster…

You understand that it's not me that don't want, but that i technically can't...

jimp · Feb 21, 2013, 8:33 PM

Then find a hoster that isn't trying to implement broken IPv6?