NDP proxy where are you



  • Hello

    pfsense versuin : 2.2.4

    i try to find the NDP on the gui but i don't find
    i try with ICMP proxy but it is not working

    i need it because :

    i can see ICMP6 echo request (tcpdump on wan interface)  IPv6 lan but not the echo reply , ISP box don't  reply (ping is not  blocked/dropped on the box)
    ping working from lan to pfsense wan interface

    thank you for your help

    pra


  • Banned

    Dude, fix your firewall rules to allow ICMP(v6), instead of searching for proxies (WTF?!?!)



  • same rules as IPv4.
    ICMP IPv4 running fine …
    is other rule(s) needed ?
    as i say tcpdump run fine lan to pfsense's lan and wan IPv6 ip
    pfsense's lan can't ping IPv6 internet (eg : google.fr)
    pfsense's wan can ping IPv6 internet (eg: google.fr)
    thank you for your help
    pra


  • Rebel Alliance Developer Netgate

    There is no NDP proxy. There is no need for one.

    The LAN subnet and WAN subnet must be different. You can't use NPt or similar to NAT a "private" IPv6 LAN to the WAN IPv6 subnet. There must be separate subnets for WAN and LAN and the LAN subnet must be routed to your firewall's IP address in the WAN subnet.



  • hummm
    fxxxxxg ISP ….
    give me a /56 without  subnet ...., so i think i can't use pfsense for IPv6

    i go to see with ISP
    thank you


  • Banned

    @pra:

    give me a /56 without  subnet …., so i think i can't use pfsense for IPv6
    i go to see with ISP

    Errrrrrrr… Sounds more like you need to do some IPv6 for dummies reading... You have 256 /64s in your /56.



  • yes but the box don t see it
    i use a /64 in my lan
    see up i can ping my wan IPv6 pfsense from my lan , but i can t ping IPv6 box ….

    (IPv6 pfsense wan is in the /64)



  • Show your numbers if you like help. Report your WAN address subnet-value and your LAN subnet value… [(f you must), hide the first /48 and show the last /80 part… ]


  • Rebel Alliance Developer Netgate

    Try using ::2 in the first /64 for your WAN IP address and then use the second /64 for your LAN. Usually when ISPs give you just one large block they assume the first /64 inside it is the WAN.


  • Rebel Alliance Global Moderator

    You know if you don't like the way your isp is doing ipv6, you can just get a free tunnel from HE.. You cant get a /48 from them if you want.. I have both a /64 and /48 I use the /64 on my lan and then I use a few of the /64's out of the /48 for my other segments and openvpn clients, etc.

    Rock solid works deployment.. They even allow you to setup PTR on your ipv6 addresses if you want, etc.  Or even delegate the ipv6 networks to your own nameservers, etc.  Does your isp let you do that ;)

    And you don't have to worry about your isp giving you a different prefix next week.. When you hit a different dhcp server, etc.

    https://www.tunnelbroker.net



  • Thank you all

    ISP : SFR
    they give me : 2a02:8428:ef:7500::/56
    the box can't be configured in bridge mode : ip is : 2a02:8428:ef:7500::1/56
    i use 2axy:8428:ef:7501::/64 for my LAN (ex : 2a02:8428:ef:7501::100, gateway : 2a02:8428:ef:7501::10)
    ping from 2axy:8428:ef:7501::100 to :
    2a02:8428:ef:7501::10 -> ok
    2a02:8428:ef:7500::2 -> ok
    2a02:8428:ef:7500::1 -> ko
    on tcpdump on em3 (2a02:8428:ef:7500::2) i can see the echo request , but i don't see the echo reply …. :

    tcpdump -lni em3 host 2a02:8428:ef:7501:216:3eff:fe8c:edd0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em3, link-type EN10MB (Ethernet), capture size 65535 bytes
    capability mode sandbox enabled
    08:07:10.341717 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 65, length 64
    08:07:11.349705 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 66, length 64
    08:07:12.357754 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 67, length 64
    08:07:13.365748 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 68, length 64
    08:07:14.373745 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 69, length 64
    08:07:15.381684 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 70, length 64
    08:07:16.389735 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 71, length 64
    08:07:17.397731 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 72, length 64
    08:07:18.405693 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 73, length 64
    08:07:19.413624 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 74, length 64
    ^C
    10 packets captured
    6077 packets received by filter
    0 packets dropped by kernel

    my config : for pfsense :

    --------------LAN------------
                      |
                      |
                      |
                      |
                  2a02:8428:ef:7501::10/64  IPv6 LAN pfsense
                      |
                      P
                      F
                      S
                      E
                      N
                      S
                      E
                      |
                    2a02:8428:ef:7500::2/56 IPv6 WAN pfsense
                      |
                      |
                      |
                      |
                    BOX
                    2a02:8428:ef:7500::1/56
                      |
                      |
                      |
                      |
    -------------WAN-----------------

    thank you for your help
    pra



  • i can t change PTR
    i can t do bridge the box
    i can use a DMZ , they impose (i try this) :
    2a02:8428:ef:7501::/64
    gateway :
    2a02:8428:ef:7500::2/56

    for my rules you can see the attachments






  • You have two router in series, cascading networks. ?

    If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…

    IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

    Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).


  • Rebel Alliance Developer Netgate

    Sounds like your settings are OK. If your LAN IP address can ping the upstream gateway then your local setup is fine, and probably even the routing at your next hop is OK, but it sounds like maybe the routing/rules upstream from you is broken.

    A traceroute6 to your WAN and LAN IP addresses both stop at your gateway. I'd normally expect it to work if all that is fine, unless the ISP is filtering the traffic.

    If you can ping your gateway and a traceroute from the outside to your LAN subnet is OK, then the routing is probably OK at the ISP end of things.

    Sure you used /64 for the prefix on all your interfaces?



  • thank you for your help.

    traceroute to google.fr :
    =>traceroute6 google.fr
    traceroute to google.fr (2a00:1450:400a:805::1017), 30 hops max, 80 byte packets
    2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.552 ms  0.538 ms  0.524 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  * * *
    9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    =>traceroute6 2a02:8428:ef:7500::1
    traceroute to 2a02:8428:ef:7500::1 (2a02:8428:ef:7500::1), 30 hops max, 80 byte packets
    2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.532 ms  0.518 ms  1.364 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  * * *
    7  * * *
    8  * * *
    9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
    15  * * *
    16  * * *
    17  * * *
    18  * * *
    19  * * *
    20  * * *
    21  * * *
    22  * * *
    23  * * *
    24  * * *
    25  * * *
    26  * * *
    27  * * *
    28  * * *
    29  * * *
    30  * * *

    in attachment you find my routing






  • No idea?
    Thank you



  • @pra:

    No idea?
    Thank you

    Sure, comment on reply #12 ?



  • @hda -> not sure to anderstand :

    You have two router in series, cascading networks. ?

    If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…

    IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

    Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

    do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
    i can try



  • @hda ->dhcp give me a /128 :
    inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128

    i try to use : 2a02:8428:ef:7500::10 / 64 for pfsense WAN
    2a02:8428:ef:7501::10 /64 for pfsense LAN
    default getway : 2a02:8428:ef:7500::1/56
    2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

    have you an idea?

    thank you

    pra



  • @pra:


    do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
    ...

    Yes DHCP6, and ask for a prefix /62 to pfSense.
    Then try to use Track Interface on your pfSense-LAN.
    Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/



  • @hda:

    @pra:


    do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
    ...

    Yes DHCP6, and ask for a /62 to pfSense.
    Then try to use Track Interface on your pfSense-LAN.
    Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

    dhcp give me a /128, do you suggest to use a IPv6 /128 for pfsense WAN and a /62 for IPv6 pfsense LAN?

    i try :
    2a02:8428:ef:7500::10 / 64 for pfsense WAN
    2a02:8428:ef:7501::10 /64 for pfsense LAN
    default getway : 2a02:8428:ef:7500::1/56
    2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

    what do you suggest ? because  /128 in pfsense WAN and /62 for pfsense LAN seems strange



  • Consider: your ISP-Box supplies on request, you probably can not grab a number you like…

    SO, don't do all static, but do DHCP6 from pfSense-WAN to your ISP-Box. Then read reply #19 again...



  • @hda
    i try :
    => pfsense WAN IPv6 DHCP6 -> give me inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128
    but how to configure pfsense LAN because the pfsense WAN has a /128 prefixe

    thank you

    pra



  • You may read & understand to request a prefix /62 for pfSense from ISP-box (/56) for the pfSense LAN's. The WAN address mask (/64 or /128) no problem for that, just an intermediair. The LAN's are each with a unique subnet and mask /64.



  • @hda :
    sorry but i can't configure the box ….
    DHCP is imposed : 
    2a02:8428:ef:7500:c9ca:8e5d:732b:0000 to 2a02:8428:ef:7500:c9ca:8e5d:732b:ffff
    i tray this :
    i fixe the ip on the DHCP6 on the box :
    IPv6 pfsense WAN : 2a02:8428:ef:7500:c9ca:8e5d:732b:1/128
    IPv6 pfsense LAN :  2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113

    i test:
    pfsense WAN can't ping  the box (2a02:8428:ef:7500::1)
    PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:1 --> 2a02:8428:ef:7500::1
    ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
    ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
    ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

    --- 2a02:8428:ef:7500::1 ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    pfsense LAN can't ping the box (2a02:8428:ef:7500::1):
    PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:8001 --> 2a02:8428:ef:7500::1
    ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
    ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
    ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

    --- 2a02:8428:ef:7500::1 ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    thank you for your help
    pra



  • Why are you now trying to divide up a /64? You'll have a horrible time trying to use IPv6 with an allocation narrower than /64 on a LAN unless everything on that network supports address allocation via DHCPv6. Some devices only support SLAAC (such as Android devices, also Windows XP if you still use it and haven't installed a DHCPv6 client). SLAAC requires you to advertise a /64 (and exactly a /64) for things to work correctly.

    Are you running router advertisement on your LANs (Services -> DHCPv6 Server/RA, Router Advertisements tab)?

    I'd start by working out what your ISP supplied box offers. If it will allow you to delegate prefixes via DHCP-PD, your task becomes a lot easier. You've said you can't bridge this device, but does the ISP allow you to replace it with a DSL bridge and use PPPoE or similar?



  • I have a similar issue where NDP proxy would be really useful.

    My colo provider gives me a /64 for my rack. I use NPt to do 1:1 NAT so I can have my pfsense firewall while still allowing machines behind it to have IPv6 connectivity.  This works, but I have to manually configure a virtual IP for each machine. I'd really like to avoid that by just proxy NDPing the whole range.


  • Rebel Alliance Developer Netgate

    Don't do that. NAT sucks. The main point of IPv6 is to do away with NAT. Make them give you another /64 and route it properly.



  • I can try, but I don't have much leverage over them. They're the central IT department for the university I work for.

    As an aside, this is what I really don't like about IPv6.  It takes away the ability for end users to do stuff on their own.  NAT was invented to begin with because ISPs weren't interested in giving out extra subnets; now we're back to begging for them to give out static routes again.  I remember the "bad old days" when ISPs would only allow you one computer per Internet connection…one of IPv6's goals seems to have been to enable that kind of restriction again. :/


  • Rebel Alliance Developer Netgate

    IPv6 was designed to eliminate the need for any of that. Any ISP that doesn't give you multiple subnets is implementing IPv6 incorrectly. IPv4 was scarce, IPv6 is not. There is no reason (aside from pure greed) that they should not give you at least two /64's with one routed to your address in the other.



  • The response to my ticket asking for another routable block was "why don't you use NAT?"  Trying to get it escalated to someone who at least understands the difference between IPv4 and IPv6.  ::)


  • Banned

    @davidbrodbeck:

    The response to my ticket asking for another routable block was "why don't you use NAT?"

    Perhaps this might clarify the issue to them?



  • I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.

    It's nuts. You need to ndp proxy blocks of /64 to make routing work. We are back to the bad old days of "ip proxy-arp".

    Anyway, it looks like FreeBSD ndproxy(4) can be used to implement this:
    http://www.fenyo.net/newweb/ndproxy.html


  • Rebel Alliance Developer Netgate

    @candlerb:

    I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.

    Are you certain there are no routes? It's also quite common to see a /48 allocation like that with the first /64 assumed to be the interconnect and the balance of the /48 routed to the CPE.

    NDP Proxy is the wrong answer though, getting the provider to fix their broken design is better. Might take significant convincing, though. A flat /48 is insane and should not be encouraged.



  • I was just searching the same for a friend who uses pfsense, when I stumbled on this post. I'd like to clarify what the OP is asking as it seems to me.

    Asking how to do ndp proxying is not like asking "how to build a socks5 proxy". In fact: what OP is asking is very similar to the question "how do I do ARP proxying". FD: I am not using pfsense (not right now anyway, but I used to and might again!) but still, here's a setup I am using myself on a linux box, and shows what ndp proxying does:

    This is my host:

    Upstream router -> host(eth0)
    host(bridge1) -> guest(eth0)

    As you can see, bridge1 connects the host and the guest together, without having added eth0. It's like a cable between host and guest. I know you guys probably understand this, but I'm just adding it for brevity.

    On host(eth0) I have configured an IPv6 address, let's call it haddr1::1/64. On bridge1 I have configured an address, let's call it baddr1::0/127, which is inside the /64 subnet.

    On the guest(eth0) I have configured the address baddr1::1/127. The host and guest can now ping each other: from the host, ping6 baddr1::1 gets a reply, and from the guest, ping6 baddr1::0 gets a reply. Next, I configure the guest to use baddr1::0 as the default route. So far so good.

    Now the guest wants to connect to a host; let's say that the guest wants to ping orange.kame.net*. It does ping6 orange.kame.net and the packet with source address baddr1::1 goes out, the host receives it on bridge1, and because forwarding is enabled, the host forwards it to its default route which means via eth0 to the upstream router. No problem.

    But now the reply comes. The upstream router asks something like "who has baddr1::1". Gets no reply. Packet discarded.

    This is where ndp proxying comes in, cf. the following command: "ip -6 neigh add proxy baddr1::1 dev eth0" and this commmand means: "answer on behalf of baddr1::1 on eth0". This causes the host to say "I'm the one you need for baddr1::1" and the packet gets through. Full duplex connectivity, fully working!

    It's the same as arp proxying: I have a route to an IP on some interface, so I answer arp requests to that IP on some other interface.

    This is exactly what I have been using for a long time. It does not violate specs, it does not work around problems, it's doing exactly what it's supposed to be doing: enable normally routed packet flows. I know people might disagree or think that other ways are better, that's fine, but to each their own: it does not mean that this way of doing things is wrong. Not at all. There are more ways to do anything and everything.

    Hope this makes it clear what OP is asking with ndp proxying, or if anyone thinks I have it wrong, feel free to say so as well. Just know: this setup works for me 100% and arp/ndp proxying is a normal thing to do with virtual machines and multiple networks. It's a lot better than NAT and so forth.

    • I'm being nostalgic!

  • Rebel Alliance Developer Netgate

    Yes – I'm aware of what he's asking and what it does -- but it does not solve the problem of the ISP delivering him a broken configuration. He's trying to work around it and enable their awful behavior, but doing proxy NDP for billions of addresses is not the answer. Getting the ISP to deliver a proper configuration is the answer. Don't let the ISP get away with it, you're paying them for the service and they're failing to provide a proper configuration for the service.

    You have a choice between an ugly, ugly hack (proxy NDP) and the ISP doing what amounts to a one or two-line change in their upstream router config for the customer to do it properly.



  • Agreed, jimp. I wasn't under the impression that you didn't get it, so when I was reading my own post again just now, I realised I had to reword the first few sentences: I didn't want to sound like I thought no one understood what OP was trying to say. Just that some of the replies came across to me like they didn't get what proxy ndp is all about. Much is lost in translation and English also isn't my first language.

    I'm also wondering - In the explanation of my own setup, do you also think ndp proxy is an ugly hack? Or just in the case of him trying to work around his provider's setup. I agree that an ndp subnet proxy is not exactly the cleanest way to go, but if you have to deal with this setup, I can see why he asked for this. Better than NAT I would think. And some ISPs, or actually, many of them, probably think "ok we have it working now so let's not touch anything IPv6 related ever again!"



  • @candlerb:

    I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.

    It's nuts. You need to ndp proxy blocks of /64 to make routing work. We are back to the bad old days of "ip proxy-arp".

    Anyway, it looks like FreeBSD ndproxy(4) can be used to implement this:
    http://www.fenyo.net/newweb/ndproxy.html

    Few Hosting companies do this as well, They'll allocate a /64 but presumably assume you are just going to direct bridge any VM's you run to the physical port and don't want to route yourself :-(

    Fine in some cases but can't really do that with my VPN (well i could but it would be messy)



  • Just came across this issue with OVH using their Dedicated Private Cloud product.    They terminate a /56 on the WAN vlan and provide no routing capability for /64 addresses.  I'm trying to find out if there is some way to use PD or RA to get them to route /64's properly but no responses from their team yet.



  • Just a follow up,  OVH provide no way to route /64 at all,  you are forced to use ndp proxy if you want to use some of the /56 address space internally.