> On 1 August 2017 at 23:09, Jon Copeland <[email protected]> wrote:
>
> We have this exact setup. You are correct, you will need Virtual IPs for
> each public WAN IP that OVH have assigned you. We have separate services
> listening on x.x.x.1, x.x.x.2, x.x.x.3 etc., works like a charm.
>
> JC
>

The real issue is that an HA setup of a couple of pfSense is impossible with such an awkward IPv6 setup as OVH imposes on us.

--
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia

> -----Original Message-----
> From: List [mailto:[email protected]] On Behalf Of Adam Thompson
> Sent: August-01-17 12:57 PM
> To: [email protected]
> Subject: [pfSense] IPv6 problem at OVH
>
> Wondering how anyone else manages (or would manage) this scenario:
>
> * Private Cloud at OVH. (Runs VMware, which isn't terribly relevant AFAICT.)
> * OVH provides a single VLAN that is connected directly to their router.
> * ALL public IP addresses are terminated on that VLAN (i.e. bound directly to
>   that interface on their router), including the entire IPv6 /56.
>   *** As a consequence, all IPv4 addresses must respond to ARP, and all
>   IPv6 addresses must respond to NDP, in order to be successfully publicly
>   routed.
>   (And yes, they gave me an entire /56 of IPv6... that isn't routed or broken
>   up in any way. And they won't subnet or route anything to me. Yay.)
> * Meanwhile, I have public services (multiple tenants) running on multiple
>   VLANs, each behind a single pfSense firewall with a WAN interface in the
>   massive public-address-space VLAN.
> * I very much want the service address to be different from the firewall
>   address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I want the
>   publicly-accessible service to live at 1.2.3.5, so that I can distinguish
>   based on reverse DNS whether outbound connections are coming from the
>   firewall or from the customer's server. This works great with IPv4, a Proxy
>   ARP VIP, and 1:1 NAT.
> * I also need to provide IPv6 connectivity inbound AND outbound, ideally with
>   the same reverse-DNS differentiation.
>
> I've tried 1:1 NAT, which seems to break IPv6 altogether every time I
> configure it (although JimP can't reproduce it yet, so presumably it's
> somehow environment-specific). I'm unclear whether this will work anyway
> with the NDP adjacency requirement.
>
> I've tried NPt, which doesn't do NDP, and so doesn't work in this scenario.
>
> The next thing I can try (but haven't yet) is an IP Alias VIP with Port
> Forwarding, and then... maybe a custom Outbound NAT rule?
>
> Am I missing something fundamental? I know what OVH is doing is stupid (NDP
> for an entire /56? Fee fi fo fum, I smell a DoS attack...), but they have
> 2000+ other customers on this exact platform, surely ONE of them must have a
> similar situation! I know IPv6 is new, but... surely one of them must run IPv6?
>
> Again: IPv4 isn't a problem because Proxy ARP works great and solves the
> silliness of them not routing those allocated subnets to me. IPv6 is a
> problem because pfSense has to handle NDP *and* do NAT and I can't find a way
> to make it do that properly.
>
> Thoughts/opinions/brickbats welcome.
> -Adam
>
> P.S. I seem to not be receiving emails from the list reliably, kindly CC me
> if you don't mind...

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
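Added example, not code from the thread and not pfSense's own tooling: a small Python address-plan check for the setup Adam describes, where every public address lives on one provider VLAN and is reachable only if some firewall answers ARP (IPv4) or NDP (IPv6) for it. It validates that each tenant's firewall WAN and service addresses fall inside the provider's on-link prefixes, that the service address differs from the firewall address (the reverse-DNS requirement in the thread), and that no two tenants claim the same public address on the shared VLAN. The prefixes (192.0.2.0/24, 2001:db8:ab00::/56), the interface name vmx0, the inside addresses and the pf.conf/ifconfig lines are all constructed assumptions that illustrate what a Proxy ARP / IP Alias VIP plus 1:1 NAT or port forward amount to; the real rules are generated by the pfSense GUI.

```python
# Added example, not code from the thread or from pfSense: an address-plan
# check for the "every public address is on-link on one provider VLAN" setup.
# Every public address must be answered for (ARP / NDP) by exactly one
# firewall, and the service address must differ from the firewall's own WAN
# address so reverse DNS can tell the two apart.
import ipaddress
from collections import Counter

# Constructed sample allocations (documentation ranges) standing in for the
# real OVH IPv4 block and the unrouted IPv6 /56.
ONLINK_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:ab00::/56"),
]

PUBLIC_KEYS = ("wan4", "svc4", "wan6", "svc6")


def onlink_prefix_for(addr, prefixes=ONLINK_PREFIXES):
    """Return the provider on-link prefix containing addr, or None."""
    a = ipaddress.ip_address(addr)
    return next((p for p in prefixes if a in p), None)


def check_tenant(tenant, prefixes=ONLINK_PREFIXES):
    """Return a list of problems with one tenant's public address plan.

    tenant keys: wan4/svc4/inside4 and wan6/svc6/inside6 (strings).
    """
    problems = []
    for key in PUBLIC_KEYS:
        if onlink_prefix_for(tenant[key], prefixes) is None:
            problems.append(f"{key}={tenant[key]} is outside every provider "
                            "on-link prefix; the upstream router will never "
                            "ARP/NDP for it, so it is unreachable")
    for fam in ("4", "6"):
        wan, svc = tenant["wan" + fam], tenant["svc" + fam]
        if ipaddress.ip_address(wan) == ipaddress.ip_address(svc):
            problems.append(f"svc{fam} equals wan{fam} ({svc}); reverse DNS "
                            "cannot separate firewall traffic from tenant traffic")
    return problems


def plan_tenant(tenant, wan_if="vmx0", prefixes=ONLINK_PREFIXES):
    """Derive what the tenant's firewall must answer for and the NAT it needs.

    The pf.conf and ifconfig lines are hypothetical illustrations (assumed
    interface name vmx0) of what a Proxy ARP / IP Alias VIP plus 1:1 NAT or a
    port forward amount to. Following the thread, the IPv4 side uses 1:1 NAT
    (binat) and the IPv6 side uses a port forward (rdr) plus outbound nat,
    the combination Adam plans to try next.
    """
    problems = check_tenant(tenant, prefixes)
    if problems:
        raise ValueError("; ".join(problems))
    t = {k: str(ipaddress.ip_address(v)) for k, v in tenant.items()}
    return {
        # Addresses this firewall must answer ARP (v4) and NDP (v6) for.
        "arp": [t["wan4"], t["svc4"]],
        "ndp": [t["wan6"], t["svc6"]],
        "ifconfig": [
            f"ifconfig {wan_if} inet {t['svc4']} netmask 255.255.255.255 alias",
            f"ifconfig {wan_if} inet6 {t['svc6']} prefixlen 128 alias",
        ],
        "pf": [
            f"binat on {wan_if} inet from {t['inside4']} to any -> {t['svc4']}",
            f"rdr on {wan_if} inet6 proto tcp from any to {t['svc6']} port 443 "
            f"-> {t['inside6']} port 443",
            f"nat on {wan_if} inet6 from {t['inside6']} to any -> {t['svc6']}",
        ],
    }


def shared_public_addresses(tenants):
    """Public addresses claimed by more than one tenant.

    Two firewalls answering ARP/NDP for the same address on the shared VLAN
    would fight over it, so this must be empty before anything is deployed.
    """
    counts = Counter(str(ipaddress.ip_address(t[k]))
                     for t in tenants for k in PUBLIC_KEYS)
    return sorted(a for a, n in counts.items() if n > 1)


if __name__ == "__main__":
    # Constructed sample tenant.
    sample = {"wan4": "192.0.2.4", "svc4": "192.0.2.5", "inside4": "10.0.0.5",
              "wan6": "2001:db8:ab00::4", "svc6": "2001:db8:ab00::5",
              "inside6": "fd00::5"}
    plan = plan_tenant(sample)
    print("must answer NDP for:", ", ".join(plan["ndp"]))
    for line in plan["ifconfig"] + plan["pf"]:
        print(line)
```

Run it against a full tenant list before touching the VLAN: `check_tenant` catches an address that would silently never be routed (outside the /56) or that defeats the reverse-DNS split, and `shared_public_addresses` catches two firewalls about to answer NDP for the same address, which on a flat /56 shows up as intermittent reachability rather than a clear error.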
