On Tue, Aug 01, 2017 at 01:57:01PM -0500, Adam Thompson wrote:
> *** As a consequence, all IPv4 addresses must respond to ARP, and all IPv6
> addresses must respond to NDP, in order to be successfully publicly routed.

The last time I had this issue, I had a Fortinet installed, and I used this featureset: I don't think pfSense currently exposes NAT66 for configuration. When you use it, you can use an internal ULA subnet from a ULA generator, and use NAT66 to get the right exterior origin.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-IPv6-54/IPv6%20Features/IPv6_NAT.htm

It would be best solved using IPv6 VIPs for the inbound NAT. I have tested that and had it working on Linux and pfSense myself.

The other thing you can perhaps do, since they sent you a whole /56, is hand out /64s inside pfSense that are chopped out of the /56 given to you. I've done that in my house using DHCPv6-PD from Comcast. But it should be possible with classic DHCPv6 and some static routes and/or a routing protocol inside your setup. It depends just how their layer 2 restrictions work. In my colo company it was fine because I didn't have to directly do ARP / NDP as long as I could route properly both ways.

> (NDP for an entire /56? Fee fi fo fum, I smell a DoS attack...)

Yes.. this problem was called out during the lead-up to World IPv6 Day and World IPv6 Launch in 2011 and 2012.

https://en.wikipedia.org/wiki/World_IPv6_Day_and_World_IPv6_Launch_Day

Some patches to rate-limit the priority and request rate of new NDP neighbor adjacency discovery were added to the vast majority of major Cisco, Juniper, etc. router firmwares.

Matthew.
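The three pieces of the setup Matthew describes (an internal ULA prefix from a generator, per-LAN /64s carved out of the provider's /56, and NAT66 swapping the internal prefix for the exterior one on the way out), written out as an added Python example. This is not the poster's code and not anything from pfSense or FortiOS. The MAC address, the fixed timestamp and the 2001:db8:abcd:100::/56 documentation prefix standing in for the provider's /56 are constructed inputs; the ULA generation follows the RFC 4193 section 3.2.2 algorithm, and the NAT66 step is only the stateless prefix rewrite, without the checksum-neutral adjustment NPTv6 (RFC 6296) adds.

```python
"""Added example: RFC 4193 ULA generation, carving /64s from a /56, and a
stateless NAT66 prefix swap. All inputs below are constructed."""
import hashlib
import ipaddress
import itertools
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_time)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def generate_ula_prefix(mac: str, unix_time=None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64); the low 40 bits become the
    Global ID under fd00::/8 (the L=1 half of fc00::/7), giving a /48."""
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)    # fd | 40-bit ID | 80 zero bits
    return ipaddress.IPv6Network((prefix_int, 48))


def carve_lan_prefixes(delegated: str, count: int) -> list:
    """Chop a delegated prefix into consecutive /64s, the way a DHCPv6-PD
    client (or a static plan) hands one to each inside interface."""
    pd = ipaddress.ip_network(delegated)  # strict: host bits must be zero
    if pd.version != 6 or pd.prefixlen > 64:
        raise ValueError(f"cannot carve /64s out of {pd}")
    available = 1 << (64 - pd.prefixlen)
    if count > available:
        raise ValueError(f"{pd} only holds {available} /64s, asked for {count}")
    return list(itertools.islice(pd.subnets(new_prefix=64), count))


def translate_prefix(addr: str, inside: str, outside: str) -> ipaddress.IPv6Address:
    """Stateless NAT66-style rewrite: keep the host bits, swap the prefix.
    Both prefixes must be the same length so the interior /64 layout maps 1:1."""
    ip = ipaddress.IPv6Address(addr)
    inside_net = ipaddress.ip_network(inside)
    outside_net = ipaddress.ip_network(outside)
    if inside_net.prefixlen != outside_net.prefixlen:
        raise ValueError("inside and outside prefixes must be the same length")
    if ip not in inside_net:
        raise ValueError(f"{ip} is not inside {inside_net}")
    host_bits = int(ip) & ((1 << (128 - inside_net.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(outside_net.network_address) | host_bits)


if __name__ == "__main__":
    provider_pd = "2001:db8:abcd:100::/56"   # constructed stand-in for the provider's /56
    # Constructed MAC and a fixed timestamp so the run is reproducible.
    ula = generate_ula_prefix("00:1b:21:ab:cd:ef", unix_time=1501610221.0)
    print("generated ULA:", ula)
    # Use the first /56 of the ULA /48 so it pairs 1:1 with the provider's /56.
    inside_56 = next(ula.subnets(new_prefix=56))
    for name, net in zip(("lan", "guest", "mgmt"), carve_lan_prefixes(str(inside_56), 3)):
        print(f"{name:6} {net}")
    host = inside_56.network_address + 0x10
    print(host, "->", translate_prefix(str(host), str(inside_56), provider_pd))
    print("public side:", [str(n) for n in carve_lan_prefixes(provider_pd, 3)])
```

Because the inside and outside prefixes are the same length, the /64 index a host sits in is preserved across the rewrite, so the per-VLAN layout inside is mirrored on the public /56 without any state table.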
