
Author Topic: NDP proxy where are you  (Read 5465 times)


Offline pra

Re: NDP proxy where are you
« Reply #15 on: August 19, 2015, 10:47:31 am »
No idea?
Thank you

Offline hda

Re: NDP proxy where are you
« Reply #16 on: August 20, 2015, 02:53:18 pm »
Quote
No idea?
Thank you

Sure, comment on reply #12 ?

Offline pra

Re: NDP proxy where are you
« Reply #17 on: August 20, 2015, 03:16:26 pm »
@hda -> not sure I understand:

Quote
You have two routers in series, cascading networks. ?

If you want *public* IPv6 on your pfSense-LAN, then your pfSense-WAN has to request your ISP-box with DHCP6-Client for a prefix&subnet first ?, provided your ISP-box can function as a DHCP6-Server...

IPv6, no pfSense issue forya. Your ISP-box has the /56. Your pfSense is a slave with other LAN subnet-value and local prefix between /57 and /63.

Your pfSense-WAN on mask /56 doesn't look correct. (but /64 or /128).

Do you suggest having an IP from the box's DHCP for the pfSense WAN IPv6?
I can try.

Offline pra

Re: NDP proxy where are you
« Reply #18 on: August 20, 2015, 03:24:38 pm »
@hda -> DHCP gives me a /128:
inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128

I try to use:
2a02:8428:ef:7500::10/64 for pfSense WAN
2a02:8428:ef:7501::10/64 for pfSense LAN
default gateway: 2a02:8428:ef:7500::1/56
2a02:8428:ef:7501::10 can't ping the box (2a02:8428:ef:7500::1)

Do you have an idea?

thank you

pra
« Last Edit: August 20, 2015, 03:49:46 pm by pra »

Offline hda

Re: NDP proxy where are you
« Reply #19 on: August 20, 2015, 03:48:18 pm »
Quote
...
Do you suggest having an IP from the box's DHCP for the pfSense WAN IPv6?
...

Yes DHCP6, and ask for a prefix /62 to pfSense.
Then try to use Track Interface on your pfSense-LAN.
Put a host-PC on the LAN and see if that PC gets a response from http://ipv6-test.com/

« Last Edit: August 20, 2015, 05:55:24 pm by hda »

Offline pra

Re: NDP proxy where are you
« Reply #20 on: August 20, 2015, 03:55:56 pm »
Quote
...
Do you suggest having an IP from the box's DHCP for the pfSense WAN IPv6?
...

Yes DHCP6, and ask for a /62 to pfSense.
Then try to use Track Interface on your pfSense-LAN.
Put a host-PC on the LAN and see if that PC gets a response from http://ipv6-test.com/

DHCP gives me a /128; do you suggest using an IPv6 /128 for the pfSense WAN and a /62 for the pfSense LAN IPv6?

I try:
2a02:8428:ef:7500::10/64 for pfSense WAN
2a02:8428:ef:7501::10/64 for pfSense LAN
default gateway: 2a02:8428:ef:7500::1/56
2a02:8428:ef:7501::10 can't ping the box (2a02:8428:ef:7500::1)

What do you suggest? Because a /128 on the pfSense WAN and a /62 for the pfSense LAN seems strange.


Offline hda

Re: NDP proxy where are you
« Reply #21 on: August 20, 2015, 04:01:33 pm »
Consider: your ISP-Box supplies on request, you probably cannot grab a number you like...

So, don't do all static, but do DHCP6 from pfSense-WAN to your ISP-Box. Then read reply #19 again...

Offline pra

Re: NDP proxy where are you
« Reply #22 on: August 20, 2015, 04:19:55 pm »
@hda
I try:
=> pfSense WAN IPv6 DHCP6 -> gives me inet6 2a02:8428:ef:7500:c9ca:8e5d:732b:d96b prefixlen 128
But how do I configure the pfSense LAN, because the pfSense WAN has a /128 prefix?

thank you

pra

Offline hda

Re: NDP proxy where are you
« Reply #23 on: August 20, 2015, 04:32:58 pm »
You may read & understand to request a prefix /62 for pfSense *from* ISP-box (/56) for the pfSense LANs. The WAN address mask (/64 or /128) is no problem for that, just an intermediary. The LANs are each with a unique subnet and mask /64.
« Last Edit: August 20, 2015, 05:53:35 pm by hda »

Offline pra

Re: NDP proxy where are you
« Reply #24 on: August 21, 2015, 01:54:14 am »
@hda:
Sorry, but I can't configure the box...
DHCP is imposed:
2a02:8428:ef:7500:c9ca:8e5d:732b:0000 to 2a02:8428:ef:7500:c9ca:8e5d:732b:ffff
I tried this:
I fixed the IP in the DHCP6 on the box:
IPv6 pfSense WAN: 2a02:8428:ef:7500:c9ca:8e5d:732b:1/128
IPv6 pfSense LAN: 2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113

I tested:
pfSense WAN can't ping the box (2a02:8428:ef:7500::1)
PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:1 --> 2a02:8428:ef:7500::1
ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

--- 2a02:8428:ef:7500::1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


pfsense LAN can't ping the box (2a02:8428:ef:7500::1):
PING6(56=40+8+8 bytes) 2a02:8428:ef:7500:c9ca:8e5d:732b:8001 --> 2a02:8428:ef:7500::1
ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1
ping6: wrote 2a02:8428:ef:7500::1 16 chars, ret=-1

--- 2a02:8428:ef:7500::1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
thank you for your help
pra
« Last Edit: August 21, 2015, 02:06:59 am by pra »

Offline David_W

Re: NDP proxy where are you
« Reply #25 on: October 12, 2015, 01:07:39 am »
Why are you now trying to divide up a /64? You'll have a horrible time trying to use IPv6 with an allocation narrower than /64 on a LAN unless everything on that network supports address allocation via DHCPv6. Some devices only support SLAAC (such as Android devices, also Windows XP if you still use it and haven't installed a DHCPv6 client). SLAAC requires you to advertise a /64 (and exactly a /64) for things to work correctly.

Are you running router advertisement on your LANs (Services -> DHCPv6 Server/RA, Router Advertisements tab)?


I'd start by working out what your ISP supplied box offers. If it will allow you to delegate prefixes via DHCP-PD, your task becomes a lot easier. You've said you can't bridge this device, but does the ISP allow you to replace it with a DSL bridge and use PPPoE or similar?
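
An added example, not part of any post in this thread: a small Python check of the addressing plans tried above, showing why a LAN carved out of the box's own /64 needs NDP proxy while a delegated /62 yields routable /64 LANs. The addresses come from the thread; the box's on-link /64, the sample /62 and the function names are assumptions made for the illustration.

```python
import ipaddress as ip

# Prefixes from the thread; BOX_ONLINK is an assumption about the box's LAN segment.
ISP_PREFIX = ip.ip_network("2a02:8428:ef:7500::/56")  # "Your ISP-box has the /56"
BOX_ONLINK = ip.ip_network("2a02:8428:ef:7500::/64")  # assumed on-link /64 of the box

def check_lan(lan_cidr, delegated=None):
    """Return the problems with using lan_cidr on a LAN behind a downstream router."""
    lan = ip.ip_interface(lan_cidr).network
    problems = []
    if not lan.subnet_of(ISP_PREFIX):
        problems.append("outside the ISP prefix")
    if lan.prefixlen != 64:
        problems.append("not a /64: SLAAC-only hosts cannot autoconfigure")
    if lan.overlaps(BOX_ONLINK):
        # The box believes these hosts are on its own link and sends
        # neighbor solicitations for them instead of routing to pfSense.
        problems.append("inside the box's on-link /64: needs NDP proxy")
    elif delegated is None or not lan.subnet_of(ip.ip_network(delegated)):
        problems.append("no delegation covers it: box has no route back "
                        "(unless one is added statically)")
    return problems

def lans_from_delegation(delegated):
    """Split a delegated prefix (for example a /62) into the /64s usable on LANs."""
    return [str(n) for n in ip.ip_network(delegated).subnets(new_prefix=64)]

if __name__ == "__main__":
    # Reply #24: LAN carved out of the box's /64 as a /113
    print(check_lan("2a02:8428:ef:7500:c9ca:8e5d:732b:8001/113"))
    # Reply #18: static /64 beside the box's subnet, nothing delegated
    print(check_lan("2a02:8428:ef:7501::10/64"))
    # Reply #19: a /62 obtained by DHCP-PD (this particular /62 is a constructed sample)
    pd = "2a02:8428:ef:7504::/62"
    for lan in lans_from_delegation(pd):
        print(lan, check_lan(lan, delegated=pd))
```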

Offline davidbrodbeck

Re: NDP proxy where are you
« Reply #26 on: October 20, 2015, 01:13:23 pm »
I have a similar issue where NDP proxy would be really useful.

My colo provider gives me a /64 for my rack. I use NPt to do 1:1 NAT so I can have my pfsense firewall while still allowing machines behind it to have IPv6 connectivity.  This works, but I have to manually configure a virtual IP for each machine. I'd really like to avoid that by just proxy NDPing the whole range.

Offline jimp

Re: NDP proxy where are you
« Reply #27 on: October 20, 2015, 01:16:57 pm »
Don't do that. NAT sucks. The main point of IPv6 is to do away with NAT. Make them give you another /64 and route it properly.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline davidbrodbeck

Re: NDP proxy where are you
« Reply #28 on: October 20, 2015, 01:26:18 pm »
I can try, but I don't have much leverage over them. They're the central IT department for the university I work for.

As an aside, this is what I really don't like about IPv6.  It takes away the ability for end users to do stuff on their own.  NAT was invented to begin with because ISPs weren't interested in giving out extra subnets; now we're back to begging for them to give out static routes again.  I remember the "bad old days" when ISPs would only allow you one computer per Internet connection...one of IPv6's goals seems to have been to enable that kind of restriction again. :/

Offline jimp

Re: NDP proxy where are you
« Reply #29 on: October 20, 2015, 01:32:37 pm »
IPv6 was designed to eliminate the need for any of that. Any ISP that doesn't give you multiple subnets is implementing IPv6 incorrectly. IPv4 was scarce, IPv6 is not. There is no reason (aside from pure greed) that they should not give you at least two /64's with one routed to your address in the other.