NDP proxy where are you
-
Hello
pfsense versuin : 2.2.4
i try to find the NDP on the gui but i don't find
i try with ICMP proxy but it is not workingi need it because :
i can see ICMP6 echo request (tcpdump on wan interface) IPv6 lan but not the echo reply , ISP box don't reply (ping is not blocked/dropped on the box)
ping working from lan to pfsense wan interfacethank you for your help
pra
-
Dude, fix your firewall rules to allow ICMP(v6), instead of searching for proxies (WTF?!?!)
-
same rules as IPv4.
ICMP IPv4 running fine …
is other rule(s) needed ?
as i say tcpdump run fine lan to pfsense's lan and wan IPv6 ip
pfsense's lan can't ping IPv6 internet (eg : google.fr)
pfsense's wan can ping IPv6 internet (eg: google.fr)
thank you for your help
pra -
There is no NDP proxy. There is no need for one.
The LAN subnet and WAN subnet must be different. You can't use NPt or similar to NAT a "private" IPv6 LAN to the WAN IPv6 subnet. There must be separate subnets for WAN and LAN and the LAN subnet must be routed to your firewall's IP address in the WAN subnet.
-
hummm
fxxxxxg ISP ….
give me a /56 without subnet ...., so i think i can't use pfsense for IPv6i go to see with ISP
thank you -
@pra:
give me a /56 without subnet …., so i think i can't use pfsense for IPv6
i go to see with ISPErrrrrrrr… Sounds more like you need to do some IPv6 for dummies reading... You have 256 /64s in your /56.
-
yes but the box don t see it
i use a /64 in my lan
see up i can ping my wan IPv6 pfsense from my lan , but i can t ping IPv6 box ….(IPv6 pfsense wan is in the /64)
-
Show your numbers if you like help. Report your WAN address subnet-value and your LAN subnet value… [(f you must), hide the first /48 and show the last /80 part… ]
-
Try using ::2 in the first /64 for your WAN IP address and then use the second /64 for your LAN. Usually when ISPs give you just one large block they assume the first /64 inside it is the WAN.
-
You know if you don't like the way your isp is doing ipv6, you can just get a free tunnel from HE.. You cant get a /48 from them if you want.. I have both a /64 and /48 I use the /64 on my lan and then I use a few of the /64's out of the /48 for my other segments and openvpn clients, etc.
Rock solid works deployment.. They even allow you to setup PTR on your ipv6 addresses if you want, etc. Or even delegate the ipv6 networks to your own nameservers, etc. Does your isp let you do that ;)
And you don't have to worry about your isp giving you a different prefix next week.. When you hit a different dhcp server, etc.
https://www.tunnelbroker.net
-
Thank you all
ISP : SFR
they give me : 2a02:8428:ef:7500::/56
the box can't be configured in bridge mode : ip is : 2a02:8428:ef:7500::1/56
i use 2axy:8428:ef:7501::/64 for my LAN (ex : 2a02:8428:ef:7501::100, gateway : 2a02:8428:ef:7501::10)
ping from 2axy:8428:ef:7501::100 to :
2a02:8428:ef:7501::10 -> ok
2a02:8428:ef:7500::2 -> ok
2a02:8428:ef:7500::1 -> ko
on tcpdump on em3 (2a02:8428:ef:7500::2) i can see the echo request , but i don't see the echo reply …. :tcpdump -lni em3 host 2a02:8428:ef:7501:216:3eff:fe8c:edd0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em3, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
08:07:10.341717 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 65, length 64
08:07:11.349705 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 66, length 64
08:07:12.357754 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 67, length 64
08:07:13.365748 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 68, length 64
08:07:14.373745 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 69, length 64
08:07:15.381684 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 70, length 64
08:07:16.389735 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 71, length 64
08:07:17.397731 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 72, length 64
08:07:18.405693 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 73, length 64
08:07:19.413624 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 74, length 64
^C
10 packets captured
6077 packets received by filter
0 packets dropped by kernelmy config : for pfsense :
--------------LAN------------
|
|
|
|
2a02:8428:ef:7501::10/64 IPv6 LAN pfsense
|
P
F
S
E
N
S
E
|
2a02:8428:ef:7500::2/56 IPv6 WAN pfsense
|
|
|
|
BOX
2a02:8428:ef:7500::1/56
|
|
|
|
-------------WAN-----------------thank you for your help
pra -
i can t change PTR
i can t do bridge the box
i can use a DMZ , they impose (i try this) :
2a02:8428:ef:7501::/64
gateway :
2a02:8428:ef:7500::2/56for my rules you can see the attachments
-
You have two router in series, cascading networks. ?
If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…
IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.
Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).
-
Sounds like your settings are OK. If your LAN IP address can ping the upstream gateway then your local setup is fine, and probably even the routing at your next hop is OK, but it sounds like maybe the routing/rules upstream from you is broken.
A traceroute6 to your WAN and LAN IP addresses both stop at your gateway. I'd normally expect it to work if all that is fine, unless the ISP is filtering the traffic.
If you can ping your gateway and a traceroute from the outside to your LAN subnet is OK, then the routing is probably OK at the ISP end of things.
Sure you used /64 for the prefix on all your interfaces?
-
thank you for your help.
traceroute to google.fr :
=>traceroute6 google.fr
traceroute to google.fr (2a00:1450:400a:805::1017), 30 hops max, 80 byte packets
1 2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10) 0.552 ms 0.538 ms 0.524 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *=>traceroute6 2a02:8428:ef:7500::1
traceroute to 2a02:8428:ef:7500::1 (2a02:8428:ef:7500::1), 30 hops max, 80 byte packets
1 2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10) 0.532 ms 0.518 ms 1.364 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *in attachment you find my routing
-
No idea?
Thank you -
-
@hda -> not sure to anderstand :
You have two router in series, cascading networks. ?
If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…
IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.
Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).
do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
i can try -
@hda ->dhcp give me a /128 :
inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128i try to use : 2a02:8428:ef:7500::10 / 64 for pfsense WAN
2a02:8428:ef:7501::10 /64 for pfsense LAN
default getway : 2a02:8428:ef:7500::1/56
2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)have you an idea?
thank you
pra
-
@pra:
…
do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
...Yes DHCP6, and ask for a prefix /62 to pfSense.
Then try to use Track Interface on your pfSense-LAN.
Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/