Author Topic: NDP proxy where are you  (Read 4876 times)

Offline pra

NDP proxy where are you
« on: August 14, 2015, 06:18:59 am »
Hello

pfSense version: 2.2.4

i try to find the NDP on the gui but i don't find
i try with ICMP proxy but it is not working

i need it because :

i can see ICMP6 echo request (tcpdump on wan interface)  IPv6 lan but not the echo reply , ISP box don't  reply (ping is not  blocked/dropped on the box)
ping working from lan to pfsense wan interface

thank you for your help

pra
« Last Edit: August 16, 2015, 01:15:26 pm by pra »

Offline doktornotor

Re: NDP proxy where are you
« Reply #1 on: August 14, 2015, 05:17:10 pm »
Dude, fix your firewall rules to allow ICMP(v6), instead of searching for proxies (WTF?!?!)
Do NOT PM for help!

Offline pra

Re: NDP proxy where are you
« Reply #2 on: August 16, 2015, 11:57:39 am »
same rules as IPv4.
ICMP IPv4 running fine ...
is other rule(s) needed ?
as i say tcpdump run fine lan to pfsense's lan and wan IPv6 ip
pfsense's lan can't ping IPv6 internet (eg : google.fr)
pfsense's wan can ping IPv6 internet (eg: google.fr)
 thank you for your help
pra

Offline jimp

Re: NDP proxy where are you
« Reply #3 on: August 17, 2015, 10:07:33 am »
There is no NDP proxy. There is no need for one.

The LAN subnet and WAN subnet must be different. You can't use NPt or similar to NAT a "private" IPv6 LAN to the WAN IPv6 subnet. There must be separate subnets for WAN and LAN and the LAN subnet must be routed to your firewall's IP address in the WAN subnet.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline pra

Re: NDP proxy where are you
« Reply #4 on: August 17, 2015, 02:15:06 pm »
hummm
fxxxxxg ISP ....
give me a /56 without  subnet ...., so i think i can't use pfsense for IPv6

i go to see with ISP
thank you

Offline doktornotor

Re: NDP proxy where are you
« Reply #5 on: August 17, 2015, 02:17:48 pm »
give me a /56 without  subnet ...., so i think i can't use pfsense for IPv6
i go to see with ISP

Errrrrrrr... Sounds more like you need to do some IPv6 for dummies reading... You have 256 /64s in your /56.

Offline pra

Re: NDP proxy where are you
« Reply #6 on: August 17, 2015, 02:43:39 pm »
yes but the box don't see it
i use a /64 in my lan
see up i can ping my wan IPv6 pfsense from my lan , but i can't ping IPv6 box ....

(IPv6 pfsense wan is in the /64)


Offline hda

Re: NDP proxy where are you
« Reply #7 on: August 17, 2015, 03:12:57 pm »
Show your numbers if you like help. Report your WAN address subnet-value and your LAN subnet value... [(if you must), hide the first /48 and show the last /80 part... ]

Offline jimp

Re: NDP proxy where are you
« Reply #8 on: August 17, 2015, 03:34:43 pm »
Try using ::2 in the first /64 for your WAN IP address and then use the second /64 for your LAN. Usually when ISPs give you just one large block they assume the first /64 inside it is the WAN.

Offline johnpoz

Re: NDP proxy where are you
« Reply #9 on: August 17, 2015, 04:07:08 pm »
You know if you don't like the way your isp is doing ipv6, you can just get a free tunnel from HE.. You cant get a /48 from them if you want.. I have both a /64 and /48 I use the /64 on my lan and then I use a few of the /64's out of the /48 for my other segments and openvpn clients, etc.

Rock solid works deployment.. They even allow you to setup PTR on your ipv6 addresses if you want, etc.  Or even delegate the ipv6 networks to your own nameservers, etc.  Does your isp let you do that ;)

And you don't have to worry about your isp giving you a different prefix next week.. When you hit a different dhcp server, etc.

https://www.tunnelbroker.net
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline pra

Re: NDP proxy where are you
« Reply #10 on: August 18, 2015, 12:45:26 am »
Thank you all

ISP : SFR
they give me : 2a02:8428:ef:7500::/56
the box can't be configured in bridge mode : ip is : 2a02:8428:ef:7500::1/56
i use 2axy:8428:ef:7501::/64 for my LAN (ex : 2a02:8428:ef:7501::100, gateway : 2a02:8428:ef:7501::10)
ping from 2axy:8428:ef:7501::100 to :
2a02:8428:ef:7501::10 -> ok
2a02:8428:ef:7500::2 -> ok
2a02:8428:ef:7500::1 -> ko
on tcpdump on em3 (2a02:8428:ef:7500::2) i can see the echo request , but i don't see the echo reply .... :

tcpdump -lni em3 host 2a02:8428:ef:7501:216:3eff:fe8c:edd0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em3, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
08:07:10.341717 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 65, length 64
08:07:11.349705 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 66, length 64
08:07:12.357754 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 67, length 64
08:07:13.365748 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 68, length 64
08:07:14.373745 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 69, length 64
08:07:15.381684 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 70, length 64
08:07:16.389735 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 71, length 64
08:07:17.397731 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 72, length 64
08:07:18.405693 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 73, length 64
08:07:19.413624 IP6 2a02:8428:ef:7501::100 > 2a02:8428:ef:7500::1: ICMP6, echo request, seq 74, length 64
^C
10 packets captured
6077 packets received by filter
0 packets dropped by kernel


my config : for pfsense :

--------------LAN------------
                   |
                   |
                   |
                   |
               2a02:8428:ef:7501::10/64  IPv6 LAN pfsense
                   |
                  P
                  F
                  S
                  E
                  N
                  S
                  E
                   |
                2a02:8428:ef:7500::2/56 IPv6 WAN pfsense
                   |
                   |
                   |
                   |
                BOX
                2a02:8428:ef:7500::1/56
                   |
                   |
                   |
                   |
-------------WAN-----------------

thank you for your help
pra
« Last Edit: August 18, 2015, 01:27:21 am by pra »

Offline pra

Re: NDP proxy where are you
« Reply #11 on: August 18, 2015, 01:22:54 am »
i can't change PTR
i can't do bridge the box
i can use a DMZ , they impose (i try this) :
2a02:8428:ef:7501::/64
gateway :
2a02:8428:ef:7500::2/56

for my rules you can see the attachments
« Last Edit: August 18, 2015, 01:55:14 am by pra »

Offline hda

Re: NDP proxy where are you
« Reply #12 on: August 18, 2015, 06:40:54 am »
You have two routers in series, cascading networks. ?

If you want *public* IPv6 on your pfSense-LAN, then your pfSense-WAN have to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server...

IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).
« Last Edit: August 18, 2015, 04:49:29 pm by hda »
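Added example, not part of any post in this thread: a Python check of the addressing discussed above, using the prefixes posted in Reply #10. It splits the delegated /56 into /64s (first for the WAN link, next for LANs), flags a WAN mask that overlaps the LAN subnet, and shows that an interface configured with a /56 treats a LAN host as on-link, so it resolves that host by Neighbor Discovery instead of sending the packet to a router. The function names `carve`, `on_link` and `audit` are made up for this illustration.

```python
import ipaddress

def carve(delegated, lan_count=1):
    """Split a delegated prefix into /64s: first one for the WAN link,
    the following lan_count for LAN segments."""
    net = ipaddress.ip_network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64")
    total = 2 ** (64 - net.prefixlen)      # number of /64s in the block
    if lan_count + 1 > total:
        raise ValueError("not enough /64s for WAN plus LANs")
    subnets = net.subnets(new_prefix=64)   # generator, lowest /64 first
    wan = next(subnets)
    lans = [next(subnets) for _ in range(lan_count)]
    return total, wan, lans

def on_link(interface, destination):
    """True if a host with this interface address/mask considers the
    destination directly reachable (Neighbor Discovery, no router)."""
    iface = ipaddress.ip_interface(interface)
    return ipaddress.ip_address(destination) in iface.network

def audit(wan_if, lan_if):
    """Return a list of findings for a routed WAN/LAN pair."""
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    findings = []
    for name, iface in (("WAN", wan), ("LAN", lan)):
        if iface.network.prefixlen != 64:
            findings.append(f"{name} mask is /{iface.network.prefixlen}, expected /64")
    if wan.network.overlaps(lan.network):
        findings.append(f"WAN {wan.network} overlaps LAN {lan.network}")
    return findings

if __name__ == "__main__":
    total, wan, lans = carve("2a02:8428:ef:7500::/56", lan_count=1)
    print(f"{total} /64s available; WAN {wan}; LAN {lans[0]}")
    # Addresses as posted: box and pfSense WAN both carry a /56 mask.
    print("box sees LAN host on-link:",
          on_link("2a02:8428:ef:7500::1/56", "2a02:8428:ef:7501::100"))
    for finding in audit("2a02:8428:ef:7500::2/56", "2a02:8428:ef:7501::10/64"):
        print("finding:", finding)
    print("with /64 on WAN:", audit("2a02:8428:ef:7500::2/64",
                                    "2a02:8428:ef:7501::10/64"))
```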

Offline jimp

Re: NDP proxy where are you
« Reply #13 on: August 18, 2015, 07:49:11 am »
Sounds like your settings are OK. If your LAN IP address can ping the upstream gateway then your local setup is fine, and probably even the routing at your next hop is OK, but it sounds like maybe the routing/rules upstream from you is broken.

A traceroute6 to your WAN and LAN IP addresses both stop at your gateway. I'd normally expect it to work if all that is fine, unless the ISP is filtering the traffic.

If you can ping your gateway and a traceroute from the outside to your LAN subnet is OK, then the routing is probably OK at the ISP end of things.

Sure you used /64 for the prefix on all your interfaces?

Offline pra

Re: NDP proxy where are you
« Reply #14 on: August 18, 2015, 10:37:29 am »
thank you for your help.

traceroute to google.fr :
 =>traceroute6 google.fr
traceroute to google.fr (2a00:1450:400a:805::1017), 30 hops max, 80 byte packets
 1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.552 ms  0.538 ms  0.524 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


 =>traceroute6 2a02:8428:ef:7500::1
traceroute to 2a02:8428:ef:7500::1 (2a02:8428:ef:7500::1), 30 hops max, 80 byte packets
 1  2a02-8428-00ef-7501-0000-0000-0000-0010.rev.sfr.net (2a02:8428:ef:7501::10)  0.532 ms  0.518 ms  1.364 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

in attachment you find my routing
« Last Edit: August 18, 2015, 10:51:04 am by pra »