    NDP proxy where are you

    IPv6
      pra last edited by

      Hello

      pfsense version : 2.2.4

      i try to find the NDP on the gui but i don't find
      i try with ICMP proxy but it is not working

      i need it because :

      i can see ICMP6 echo request (tcpdump on wan interface)  IPv6 lan but not the echo reply , ISP box don't  reply (ping is not  blocked/dropped on the box)
      ping working from lan to pfsense wan interface

      thank you for your help

      pra

        doktornotor Banned last edited by

        Dude, fix your firewall rules to allow ICMP(v6), instead of searching for proxies (WTF?!?!)

          pra last edited by

          same rules as IPv4.
          ICMP IPv4 running fine …
          is other rule(s) needed ?
          as i say tcpdump run fine lan to pfsense's lan and wan IPv6 ip
          pfsense's lan can't ping IPv6 internet (eg : google.fr)
          pfsense's wan can ping IPv6 internet (eg: google.fr)
          thank you for your help
          pra

            jimp Rebel Alliance Developer Netgate last edited by

            There is no NDP proxy. There is no need for one.

            The LAN subnet and WAN subnet must be different. You can't use NPt or similar to NAT a "private" IPv6 LAN to the WAN IPv6 subnet. There must be separate subnets for WAN and LAN and the LAN subnet must be routed to your firewall's IP address in the WAN subnet.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              pra last edited by

              hummm
              fxxxxxg ISP ….
              give me a /56 without  subnet ...., so i think i can't use pfsense for IPv6

              i go to see with ISP
              thank you

                doktornotor Banned last edited by

                @pra:

                give me a /56 without  subnet …., so i think i can't use pfsense for IPv6
                i go to see with ISP

                Errrrrrrr… Sounds more like you need to do some IPv6 for dummies reading... You have 256 /64s in your /56.

                  pra last edited by

                  yes but the box don t see it
                  i use a /64 in my lan
                  see up i can ping my wan IPv6 pfsense from my lan , but i can t ping IPv6 box ….

                  (IPv6 pfsense wan is in the /64)

                    hda last edited by

                    Show your numbers if you like help. Report your WAN address subnet-value and your LAN subnet value… [(if you must), hide the first /48 and show the last /80 part… ]

                      jimp Rebel Alliance Developer Netgate last edited by

                      Try using ::2 in the first /64 for your WAN IP address and then use the second /64 for your LAN. Usually when ISPs give you just one large block they assume the first /64 inside it is the WAN.

                        johnpoz LAYER 8 Global Moderator last edited by

                        You know if you don't like the way your isp is doing ipv6, you can just get a free tunnel from HE.. You cant get a /48 from them if you want.. I have both a /64 and /48 I use the /64 on my lan and then I use a few of the /64's out of the /48 for my other segments and openvpn clients, etc.

                        Rock solid works deployment.. They even allow you to setup PTR on your ipv6 addresses if you want, etc.  Or even delegate the ipv6 networks to your own nameservers, etc.  Does your isp let you do that ;)

                        And you don't have to worry about your isp giving you a different prefix next week.. When you hit a different dhcp server, etc.

                        https://www.tunnelbroker.net

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                          pra last edited by

                          Thank you all

                          ISP : SFR
                          they give me : 2a02:8428:ef:7500::/56
                          the box can't be configured in bridge mode : ip is : 2a02:8428:ef:7500::1/56
                          i use 2axy:8428:ef:7501::/64 for my LAN (ex : 2a02:8428:ef:7501::100, gateway : 2a02:8428:ef:7501::10)
                          ping from 2axy:8428:ef:7501::100 to :
                          2a02:8428:ef:7501::10 -> ok
                          2a02:8428:ef:7500::2 -> ok
                          2a02:8428:ef:7500::1 -> ko
                          on tcpdump on em3 (2a02:8428:ef:7500::2) i can see the echo request , but i don't see the echo reply …. :

                          tcpdump -lni em3 host 2a02:8428:ef:7501:216:3eff:fe8c:edd0
                          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                          listening on em3, link-type EN10MB (Ethernet), capture size 65535 bytes
                          capability mode sandbox enabled
                          08:07:10.341717 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 65, length 64
                          08:07:11.349705 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 66, length 64
                          08:07:12.357754 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 67, length 64
                          08:07:13.365748 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 68, length 64
                          08:07:14.373745 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 69, length 64
                          08:07:15.381684 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 70, length 64
                          08:07:16.389735 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 71, length 64
                          08:07:17.397731 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 72, length 64
                          08:07:18.405693 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 73, length 64
                          08:07:19.413624 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 74, length 64
                          ^C
                          10 packets captured
                          6077 packets received by filter
                          0 packets dropped by kernel

                          my config : for pfsense :

                          --------------LAN------------
                                            |
                                            |
                                            |
                                            |
                                        2a02:8428:ef:7501::10/64  IPv6 LAN pfsense
                                            |
                                            P
                                            F
                                            S
                                            E
                                            N
                                            S
                                            E
                                            |
                                          2a02:8428:ef:7500::2/56 IPv6 WAN pfsense
                                            |
                                            |
                                            |
                                            |
                                          BOX
                                          2a02:8428:ef:7500::1/56
                                            |
                                            |
                                            |
                                            |
                          -------------WAN-----------------

                          thank you for your help
                          pra

                            pra last edited by

                            i can t change PTR
                            i can t do bridge the box
                            i can use a DMZ , they impose (i try this) :
                            2a02:8428:ef:7501::/64
                            gateway :
                            2a02:8428:ef:7500::2/56

                            for my rules you can see the attachments




                              hda last edited by

                              You have two router in series, cascading networks. ?

                              If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…

                              IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

                              Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

                                jimp Rebel Alliance Developer Netgate last edited by

                                Sounds like your settings are OK. If your LAN IP address can ping the upstream gateway then your local setup is fine, and probably even the routing at your next hop is OK, but it sounds like maybe the routing/rules upstream from you is broken.

                                A traceroute6 to your WAN and LAN IP addresses both stop at your gateway. I'd normally expect it to work if all that is fine, unless the ISP is filtering the traffic.

                                If you can ping your gateway and a traceroute from the outside to your LAN subnet is OK, then the routing is probably OK at the ISP end of things.

                                Sure you used /64 for the prefix on all your interfaces?

                                  pra last edited by

                                  thank you for your help.

                                  traceroute to google.fr :
                                  =>traceroute6 google.fr
                                  traceroute to google.fr (2a00:1450:400a:805::1017), 30 hops max, 80 byte packets
                                  1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.552 ms  0.538 ms  0.524 ms
                                  2  * * *
                                  3  * * *
                                  4  * * *
                                  5  * * *
                                  6  * * *
                                  7  * * *
                                  8  * * *
                                  9  * * *
                                  10  * * *
                                  11  * * *
                                  12  * * *
                                  13  * * *
                                  14  * * *
                                  15  * * *
                                  16  * * *
                                  17  * * *
                                  18  * * *
                                  19  * * *
                                  20  * * *
                                  21  * * *
                                  22  * * *
                                  23  * * *
                                  24  * * *
                                  25  * * *
                                  26  * * *
                                  27  * * *
                                  28  * * *
                                  29  * * *
                                  30  * * *

                                  =>traceroute6 2a02:8428:ef:7500::1
                                  traceroute to 2a02:8428:ef:7500::1 (2a02:8428:ef:7500::1), 30 hops max, 80 byte packets
                                  1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.532 ms  0.518 ms  1.364 ms
                                  2  * * *
                                  3  * * *
                                  4  * * *
                                  5  * * *
                                  6  * * *
                                  7  * * *
                                  8  * * *
                                  9  * * *
                                  10  * * *
                                  11  * * *
                                  12  * * *
                                  13  * * *
                                  14  * * *
                                  15  * * *
                                  16  * * *
                                  17  * * *
                                  18  * * *
                                  19  * * *
                                  20  * * *
                                  21  * * *
                                  22  * * *
                                  23  * * *
                                  24  * * *
                                  25  * * *
                                  26  * * *
                                  27  * * *
                                  28  * * *
                                  29  * * *
                                  30  * * *

                                  in attachment you find my routing




                                    pra last edited by

                                    No idea?
                                    Thank you

                                      hda last edited by

                                      @pra:

                                      No idea?
                                      Thank you

                                      Sure, comment on reply #12 ?

                                        pra last edited by

                                        @hda -> not sure to understand :

                                        You have two router in series, cascading networks. ?

                                        If you want public IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server…

                                        IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

                                        Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

                                        do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
                                        i can try

                                          pra last edited by

                                          @hda ->dhcp give me a /128 :
                                          inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128

                                          i try to use : 2a02:8428:ef:7500::10 / 64 for pfsense WAN
                                          2a02:8428:ef:7501::10 /64 for pfsense LAN
                                          default gateway : 2a02:8428:ef:7500::1/56
                                          2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

                                          have you an idea?

                                          thank you

                                          pra

                                            hda last edited by

                                            @pra:

                                            …
                                            do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
                                            ...

                                            Yes DHCP6, and ask for a prefix /62 to pfSense.
                                            Then try to use Track Interface on your pfSense-LAN.
                                            Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

                                              pra last edited by

                                              @hda:

                                              @pra:

                                              …
                                              do you suggest to have a ip by the dhcp from box for wan IPv6 pfsense?
                                              ...

                                              Yes DHCP6, and ask for a /62 to pfSense.
                                              Then try to use Track Interface on your pfSense-LAN.
                                              Put a host-PC on the LAN and see if that PC get response from http://ipv6-test.com/

                                              dhcp give me a /128, do you suggest to use a IPv6 /128 for pfsense WAN and a /62 for IPv6 pfsense LAN?

                                              i try :
                                              2a02:8428:ef:7500::10 / 64 for pfsense WAN
                                              2a02:8428:ef:7501::10 /64 for pfsense LAN
                                              default gateway : 2a02:8428:ef:7500::1/56
                                              2a02:8428:ef:7501::10 can't ping box (2a02:8428:ef:7500::1)

                                              what do you suggest ? because  /128 in pfsense WAN and /62 for pfsense LAN seems strange

                                                hda last edited by

                                                Consider: your ISP-Box supplies on request, you probably can not grab a number you like…

                                                SO, don't do all static, but do DHCP6 from pfSense-WAN to your ISP-Box. Then read reply #19 again...

                                                  pra last edited by

                                                  @hda
                                                  i try :
                                                  => pfsense WAN IPv6 DHCP6 -> give me inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128
                                                  but how to configure pfsense LAN because the pfsense WAN has a /128 prefix

                                                  thank you

                                                  pra

                                                    hda last edited by

                                                    You may read & understand to request a prefix /62 for pfSense from ISP-box (/56) for the pfSense LAN's. The WAN address mask (/64 or /128) no problem for that, just an intermediary. The LAN's are each with a unique subnet and mask /64.

                                                      pra last edited by

                                                      @hda :
                                                      sorry but i can't configure the box ….
                                                      DHCP is imposed : 
                                                      2a02:8428:ef:7500:c9ca:8e5d:732b:0000 to 2a02:8428:ef:7500:c9ca:8e5d:732b:ffff
                                                      i try this :
                                                      i fix the ip on the DHCP6 on the box :
                                                      IPv6 pfsense WAN : 2a02:8428:ef:7500:c9ca:8e5d:732b:1/128
                                                      IPv6 pfsense LAN :  2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113

                                                      i test:
                                                      pfsense WAN can't ping  the box (2a02:8428:ef:7500::1)
                                                      PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:1 --> 2a02:8428:ef:7500::1
                                                      ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                                      ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                                      ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

                                                      --- 2a02:8428:ef:7500::1 ping6 statistics ---
                                                      3 packets transmitted, 0 packets received, 100.0% packet loss

                                                      pfsense LAN can't ping the box (2a02:8428:ef:7500::1):
                                                      PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:8001 --> 2a02:8428:ef:7500::1
                                                      ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                                      ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
                                                      ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

                                                      --- 2a02:8428:ef:7500::1 ping6 statistics ---
                                                      3 packets transmitted, 0 packets received, 100.0% packet loss
                                                      thank you for your help
                                                      pra

                                                        David_W last edited by

                                                        Why are you now trying to divide up a /64? You'll have a horrible time trying to use IPv6 with an allocation narrower than /64 on a LAN unless everything on that network supports address allocation via DHCPv6. Some devices only support SLAAC (such as Android devices, also Windows XP if you still use it and haven't installed a DHCPv6 client). SLAAC requires you to advertise a /64 (and exactly a /64) for things to work correctly.

                                                        Are you running router advertisement on your LANs (Services -> DHCPv6 Server/RA, Router Advertisements tab)?

                                                        I'd start by working out what your ISP supplied box offers. If it will allow you to delegate prefixes via DHCP-PD, your task becomes a lot easier. You've said you can't bridge this device, but does the ISP allow you to replace it with a DSL bridge and use PPPoE or similar?

                                                          davidbrodbeck last edited by

                                                          I have a similar issue where NDP proxy would be really useful.

                                                          My colo provider gives me a /64 for my rack. I use NPt to do 1:1 NAT so I can have my pfsense firewall while still allowing machines behind it to have IPv6 connectivity.  This works, but I have to manually configure a virtual IP for each machine. I'd really like to avoid that by just proxy NDPing the whole range.

                                                            jimp Rebel Alliance Developer Netgate last edited by

                                                            Don't do that. NAT sucks. The main point of IPv6 is to do away with NAT. Make them give you another /64 and route it properly.

                                                              davidbrodbeck last edited by

                                                              I can try, but I don't have much leverage over them. They're the central IT department for the university I work for.

                                                              As an aside, this is what I really don't like about IPv6.  It takes away the ability for end users to do stuff on their own.  NAT was invented to begin with because ISPs weren't interested in giving out extra subnets; now we're back to begging for them to give out static routes again.  I remember the "bad old days" when ISPs would only allow you one computer per Internet connection…one of IPv6's goals seems to have been to enable that kind of restriction again. :/

                                                                jimp Rebel Alliance Developer Netgate last edited by

                                                                IPv6 was designed to eliminate the need for any of that. Any ISP that doesn't give you multiple subnets is implementing IPv6 incorrectly. IPv4 was scarce, IPv6 is not. There is no reason (aside from pure greed) that they should not give you at least two /64's with one routed to your address in the other.

                                                                  davidbrodbeck last edited by

                                                                  The response to my ticket asking for another routable block was "why don't you use NAT?"  Trying to get it escalated to someone who at least understands the difference between IPv4 and IPv6.  ::)

                                                                    doktornotor Banned last edited by

                                                                    @davidbrodbeck:

                                                                    The response to my ticket asking for another routable block was "why don't you use NAT?"

                                                                    Perhaps this might clarify the issue to them?

                                                                      candlerb last edited by

                                                                      I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.

                                                                      It's nuts. You need to ndp proxy blocks of /64 to make routing work. We are back to the bad old days of "ip proxy-arp".

                                                                      Anyway, it looks like FreeBSD ndproxy(4) can be used to implement this:
                                                                      http://www.fenyo.net/newweb/ndproxy.html

                                                                      1 Reply Last reply Reply Quote 0
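
The addressing plans posted in this thread (pra's /56 from the ISP box and the flat /48 described just above) can be checked mechanically. The Python sketch below is an added example, not code from any poster or from pfSense; it assumes the upstream box uses ordinary longest-prefix matching and holds only the route passed as `upstream_route`, and the function names, finding codes, the `2001:db8:` WAN/LAN addresses and the "routed" plan are constructed for illustration.

```python
import ipaddress


def check_plan(upstream_if, wan_if, lan_if, upstream_route=None):
    """Return sorted finding codes for one addressing plan.

    upstream_if    -- address/prefix on the ISP box, e.g. "2a02:8428:ef:7500::1/56"
    wan_if, lan_if -- address/prefix on the firewall's WAN and LAN interfaces
    upstream_route -- (prefix, next_hop) the ISP box is ASSUMED to hold, or None
    """
    up = ipaddress.ip_interface(upstream_if)
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    findings = set()

    # WAN and LAN must be different subnets on the firewall itself.
    if wan.network.overlaps(lan.network):
        findings.add("WAN_LAN_OVERLAP")

    # SLAAC only works when the LAN advertises exactly a /64.
    if lan.network.prefixlen != 64:
        findings.add("LAN_NOT_64")

    # Does the upstream box have a route for the LAN that beats its own
    # connected prefix? A more specific prefix wins longest-prefix match.
    routed = False
    if upstream_route is not None:
        prefix = ipaddress.ip_network(upstream_route[0])
        next_hop = ipaddress.ip_address(upstream_route[1])
        covers_lan = lan.network.subnet_of(prefix)
        beats_connected = (prefix.prefixlen > up.network.prefixlen
                           or not lan.network.subnet_of(up.network))
        if covers_lan and beats_connected:
            routed = True
            if next_hop != wan.ip:
                findings.add("NEXT_HOP_NOT_WAN")

    if not routed:
        if lan.network.subnet_of(up.network):
            # The box believes LAN hosts sit on its own segment, so it sends
            # Neighbor Solicitations for them instead of forwarding to the
            # firewall. Nothing answers, so replies never come back.
            findings.add("LAN_ONLINK_UPSTREAM")
        else:
            findings.add("LAN_UNREACHABLE_UPSTREAM")
    return sorted(findings)


def spare_64s(delegation, wan_if):
    """List the /64s of a delegated block that do not contain the WAN address."""
    block = ipaddress.ip_network(delegation)
    wan_ip = ipaddress.ip_interface(wan_if).ip
    wan64 = ipaddress.ip_network(f"{wan_ip}/64", strict=False)
    return [n for n in block.subnets(new_prefix=64) if not n.overlaps(wan64)]


# Plans taken from the thread, plus constructed ones marked as such.
BOX = "2a02:8428:ef:7500::1/56"
PLANS = {
    "pra, static /56 on WAN": (BOX, "2a02:8428:ef:7500::2/56",
                               "2a02:8428:ef:7501::10/64", None),
    "pra, /64 on WAN": (BOX, "2a02:8428:ef:7500::10/64",
                        "2a02:8428:ef:7501::10/64", None),
    "pra, /128 + /113": (BOX, "2a02:8428:ef:7500:c9ca:8e5d:732b:1/128",
                         "2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113", None),
    # Constructed: CPE address from the flat /48 post, WAN/LAN invented.
    "flat /48 on CPE": ("2001:db8:1234::1/48", "2001:db8:1234::2/64",
                        "2001:db8:1234:1::1/64", None),
    # Constructed: first /64 as interconnect, second /64 routed to the firewall.
    "routed (constructed)": ("2a02:8428:ef:7500::1/64", "2a02:8428:ef:7500::2/64",
                             "2a02:8428:ef:7501::10/64",
                             ("2a02:8428:ef:7501::/64", "2a02:8428:ef:7500::2")),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        print(f"{name:26} {check_plan(*plan) or 'ok'}")
    free = spare_64s("2a02:8428:ef:7500::/56", "2a02:8428:ef:7500::2/56")
    print(len(free), "spare /64s, first:", free[0])
```

An empty result only says the plan is internally consistent; whether the box really holds the assumed route still has to be confirmed with the provider or a traceroute from outside.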
                                                                        jimp Rebel Alliance Developer Netgate last edited by

                                                                        @candlerb:

                                                                        I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.

                                                                        Are you certain there are no routes? It's also quite common to see a /48 allocation like that with the first /64 assumed to be the interconnect and the balance of the /48 routed to the CPE.

                                                                        NDP Proxy is the wrong answer though, getting the provider to fix their broken design is better. Might take significant convincing, though. A flat /48 is insane and should not be encouraged.

                                                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                        Need help fast? Netgate Global Support!

                                                                        Do not Chat/PM for help!

                                                                        • C
                                                                          chorus last edited by

                                                                          I was just searching the same for a friend who uses pfsense, when I stumbled on this post. I'd like to clarify what the OP is asking as it seems to me.

                                                                          Asking how to do ndp proxying is not like asking "how to build a socks5 proxy". In fact: what OP is asking is very similar to the question "how do I do ARP proxying". FD: I am not using pfsense (not right now anyway, but I used to and might again!) but still, here's a setup I am using myself on a linux box, and shows what ndp proxying does:

                                                                          This is my host:

                                                                          Upstream router -> host(eth0)
                                                                          host(bridge1) -> guest(eth0)

                                                                          As you can see, bridge1 connects the host and the guest together, without having added eth0. It's like a cable between host and guest. I know you guys probably understand this, but I'm just adding it for brevity.

                                                                          On host(eth0) I have configured an IPv6 address, let's call it haddr1::1/64. On bridge1 I have configured an address, let's call it baddr1::0/127, which is inside the /64 subnet.

                                                                          On the guest(eth0) I have configured the address baddr1::1/127. The host and guest can now ping each other: from the host, ping6 baddr1::1 gets a reply, and from the guest, ping6 baddr1::0 gets a reply. Next, I configure the guest to use baddr1::0 as the default route. So far so good.

                                                                          Now the guest wants to connect to a host; let's say that the guest wants to ping orange.kame.net*. It does ping6 orange.kame.net and the packet with source address baddr1::1 goes out, the host receives it on bridge1, and because forwarding is enabled, the host forwards it to its default route which means via eth0 to the upstream router. No problem.

                                                                          But now the reply comes. The upstream router asks something like "who has baddr1::1". Gets no reply. Packet discarded.

                                                                          This is where ndp proxying comes in, cf. the following command: "ip -6 neigh add proxy baddr1::1 dev eth0" and this command means: "answer on behalf of baddr1::1 on eth0". This causes the host to say "I'm the one you need for baddr1::1" and the packet gets through. Full duplex connectivity, fully working!

                                                                          It's the same as arp proxying: I have a route to an IP on some interface, so I answer arp requests to that IP on some other interface.

                                                                          This is exactly what I have been using for a long time. It does not violate specs, it does not work around problems, it's doing exactly what it's supposed to be doing: enable normally routed packet flows. I know people might disagree or think that other ways are better, that's fine, but to each their own: it does not mean that this way of doing things is wrong. Not at all. There are more ways to do anything and everything.

                                                                          Hope this makes it clear what OP is asking with ndp proxying, or if anyone thinks I have it wrong, feel free to say so as well. Just know: this setup works for me 100% and arp/ndp proxying is a normal thing to do with virtual machines and multiple networks. It's a lot better than NAT and so forth.

                                                                          * I'm being nostalgic!
                                                                          • jimp
                                                                            jimp Rebel Alliance Developer Netgate last edited by

                                                                            Yes – I'm aware of what he's asking and what it does -- but it does not solve the problem of the ISP delivering him a broken configuration. He's trying to work around it and enable their awful behavior, but doing proxy NDP for billions of addresses is not the answer. Getting the ISP to deliver a proper configuration is the answer. Don't let the ISP get away with it, you're paying them for the service and they're failing to provide a proper configuration for the service.

                                                                            You have a choice between an ugly, ugly hack (proxy NDP) and the ISP doing what amounts to a one or two-line change in their upstream router config for the customer to do it properly.

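The upstream router's delivery decision that chorus describes, next to the routed design jimp asks for, modelled as an added example (not code from any poster). The 2001:db8:: addresses are constructed stand-ins for haddr1/baddr1, and the function names are hypothetical.

```python
import ipaddress

HOST = "2001:db8:0:1::1"            # constructed stand-in for haddr1::1 on host eth0
GUEST = "2001:db8:0:1::a:1"         # constructed stand-in for baddr1::1, inside the same /64
ONLINK = "2001:db8:0:1::/64"        # prefix on the upstream router's interface
ROUTED_LAN = "2001:db8:0:2::/64"    # separate prefix, routed to HOST in the routed design
ROUTED_GUEST = "2001:db8:0:2::1"

def solicited_node(addr):
    """Multicast group a Neighbor Solicitation for addr is sent to (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def _addrs(items):
    return {ipaddress.IPv6Address(a) for a in items}

def upstream_delivery(dst, onlink, routes, neighbors, proxied):
    """Return (outcome, detail) for a packet arriving at the upstream router.

    onlink    prefix on the router's interface facing the host
    routes    [(prefix, next_hop)] static routes pointing at the host
    neighbors addresses on that link that answer solicitations themselves
    proxied   addresses the host answers for (ip -6 neigh add proxy ...)
    """
    dst = ipaddress.IPv6Address(dst)
    candidates = [(ipaddress.IPv6Network(onlink), None)]
    candidates += [(ipaddress.IPv6Network(p), nh) for p, nh in routes]
    matches = [(net, nh) for net, nh in candidates if dst in net]
    if not matches:
        return ("unreachable", None)
    # Longest-prefix match: a routed prefix wins over nothing, on-link wins ties.
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    if next_hop is not None:
        return ("routed", next_hop)          # no neighbor discovery for dst at all
    group = str(solicited_node(dst))         # router solicits dst on this group
    if dst in _addrs(neighbors):
        return ("neighbor", group)
    if dst in _addrs(proxied):
        return ("proxied", group)            # host answers on the guest's behalf
    return ("dropped", group)                # nobody answers, reply is discarded

if __name__ == "__main__":
    print("no proxy :", upstream_delivery(GUEST, ONLINK, [], {HOST}, set()))
    print("proxy ndp:", upstream_delivery(GUEST, ONLINK, [], {HOST}, {GUEST}))
    print("routed   :", upstream_delivery(ROUTED_GUEST, ONLINK, [(ROUTED_LAN, HOST)], {HOST}, set()))
```

In the proxied case every downstream address needs its own entry in `proxied`, while the routed case covers the whole /64 with the single route.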
                                                                            • C
                                                                              chorus last edited by

                                                                              Agreed, jimp. I wasn't under the impression that you didn't get it, so when I was reading my own post again just now, I realised I had to reword the first few sentences: I didn't want to sound like I thought no one understood what OP was trying to say. Just that some of the replies came across to me like they didn't get what proxy ndp is all about. Much is lost in translation and English also isn't my first language.

                                                                              I'm also wondering: in the explanation of my own setup, do you also think ndp proxy is an ugly hack? Or just in the case of him trying to work around his provider's setup? I agree that an ndp subnet proxy is not exactly the cleanest way to go, but if you have to deal with this setup, I can see why he asked for this. Better than NAT I would think. And some ISPs, or actually, many of them, probably think "ok we have it working now so let's not touch anything IPv6 related ever again!"

                                                                              • D
                                                                                dragon2611 last edited by

                                                                                @candlerb:

                                                                                I have now come across two providers in the UK who give you a flat /48: i.e. the CPE is configured with address 2001:db8:1234::1/48, and no static routes.

                                                                                It's nuts. You need to ndp proxy blocks of /64 to make routing work. We are back to the bad old days of "ip proxy-arp".

                                                                                Anyway, it looks like FreeBSD ndproxy(4) can be used to implement this:
                                                                                http://www.fenyo.net/newweb/ndproxy.html

                                                                                A few hosting companies do this as well. They'll allocate a /64 but presumably assume you are just going to directly bridge any VMs you run to the physical port and don't want to route yourself :-(

                                                                                Fine in some cases but can't really do that with my VPN (well, I could, but it would be messy)

                                                                                • B
                                                                                  bruor last edited by

                                                                                  Just came across this issue with OVH using their Dedicated Private Cloud product. They terminate a /56 on the WAN VLAN and provide no routing capability for /64 addresses. I'm trying to find out if there is some way to use PD or RA to get them to route /64s properly, but no responses from their team yet.

                                                                                  • B
                                                                                    bruor last edited by

                                                                                    Just a follow-up: OVH provide no way to route a /64 at all; you are forced to use ndp proxy if you want to use some of the /56 address space internally.
