We have this exact setup. You are correct, you will need Virtual IPs for each public WAN IP that OVH have assigned you. We have separate services listening on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm.
JC

-----Original Message-----
From: List [mailto:[email protected]] On Behalf Of Adam Thompson
Sent: August-01-17 12:57 PM
To: [email protected]
Subject: [pfSense] IPv6 problem at OVH

Wondering how anyone else manages (or would manage) this scenario:

* Private Cloud at OVH. (Runs VMware, which isn't terribly relevant AFAICT.)
* OVH provides a single VLAN that is connected directly to their router.
* ALL public IP addresses are terminated on that VLAN (i.e. bound directly to that interface on their router), including the entire IPv6 /56.
*** As a consequence, all IPv4 addresses must respond to ARP, and all IPv6 addresses must respond to NDP, in order to be successfully publicly routed. (And yes, they gave me an entire /56 of IPv6... that isn't routed or broken up in any way. And they won't subnet or route anything to me. Yay.)
* Meanwhile, I have public services (multiple tenants) running on multiple VLANs, each behind a single pfSense firewall with a WAN interface in the massive public-address-space VLAN.
* I very much want the service address to be different from the firewall address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I want the publicly-accessible service to live at 1.2.3.5, so that I can distinguish based on reverse DNS whether outbound connections are coming from the firewall or from the customer's server. This works great with IPv4, a Proxy ARP VIP, and 1:1 NAT.
* I also need to provide IPv6 connectivity inbound AND outbound, ideally with the same reverse-DNS differentiation.

I've tried 1:1 NAT, which seems to break IPv6 altogether every time I configure it (although JimP can't reproduce it yet, so presumably it's somehow environment-specific). I'm unclear whether this will work anyway with the NDP adjacency requirement.

I've tried NPt, which doesn't do NDP, and so doesn't work in this scenario.

The next thing I can try (but haven't yet) is an IP Alias VIP with Port Forwarding, and then... maybe a custom Outbound NAT rule?

Am I missing something fundamental? I know what OVH is doing is stupid (NDP for an entire /56? Fee fi fo fum, I smell a DoS attack...), but they have 2000+ other customers on this exact platform, surely ONE of them must have a similar situation! I know IPv6 is new, but ... surely one of them must run IPv6?

Again: IPv4 isn't a problem because Proxy ARP works great and solves the silliness of them not routing those allocated subnets to me. IPv6 is a problem because pfSense has to handle NDP *and* do NAT, and I can't find a way to make it do that properly.

Thoughts/opinions/brickbats welcome.

-Adam

P.S. I seem to not be receiving emails from the list reliably, kindly CC me if you don't mind...

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
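Whether OVH's router can deliver traffic for a service address comes down to whether the pfSense box actually owns that address on the WAN interface and therefore answers Neighbor Solicitations for it. The following is an added example, not code from the list thread or from pfSense: it parses FreeBSD `ndp -an` output (a constructed sample is embedded) and reports the expected service addresses that the WAN interface does not hold as a permanent entry; the interface name vmx0 and the documentation-prefix addresses are assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample of `ndp -an` on a FreeBSD/pfSense box. Documentation
# prefix 2001:db8::/32 stands in for the OVH /56; vmx0 is the assumed WAN.
SAMPLE_NDP_OUTPUT = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2001:db8:ab:1::4                     00:50:56:aa:bb:01  vmx0 permanent R
fe80::250:56ff:feaa:bb01%vmx0        00:50:56:aa:bb:01  vmx0 permanent R
2001:db8:ab:1::5                     00:50:56:aa:bb:01  vmx0 permanent R
2001:db8:ab::1                       00:00:5e:00:53:ff  vmx0 23h59m12s S R
fe80::200:5eff:fe00:53ff%vmx0        00:00:5e:00:53:ff  vmx0 23h58m40s R R
2001:db8:ab:2::10                    00:50:56:aa:bb:02  vmx1 permanent R
"""


@dataclass(frozen=True)
class NdpEntry:
    address: ipaddress.IPv6Address  # scope id (%ifname) stripped
    lladdr: str
    netif: str
    permanent: bool  # "permanent" expiry = address owned by this host


def parse_ndp(output: str) -> list[NdpEntry]:
    """Parse the whitespace-separated columns of `ndp -an`, skipping the header."""
    entries: list[NdpEntry] = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        addr, lladdr, netif, expire = fields[:4]
        entries.append(
            NdpEntry(ipaddress.IPv6Address(addr.split("%")[0]), lladdr, netif, expire == "permanent")
        )
    return entries


def missing_vips(output: str, wan_if: str, expected: list[str]) -> list[str]:
    """Return expected service addresses that wan_if does not own.

    An address that is absent, or present only as a learned (non-permanent)
    neighbor, is not answered in NDP, so the upstream router cannot resolve it
    and traffic for it never reaches the firewall.
    """
    owned = {e.address for e in parse_ndp(output) if e.netif == wan_if and e.permanent}
    return [a for a in expected if ipaddress.IPv6Address(a) not in owned]


if __name__ == "__main__":
    for addr in missing_vips(SAMPLE_NDP_OUTPUT, "vmx0", ["2001:db8:ab:1::4", "2001:db8:ab:1::6"]):
        print(f"{addr}: not owned on WAN, will not answer NDP")
```

On a live box, feed it the real output with `subprocess.run(["ndp", "-an"], capture_output=True, text=True).stdout` and the list of IP Alias VIPs you expect to serve.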
