I've got IPv4 working, as I said, using the Proxy ARP (or IP Alias, both work) 
VIP.
I still don't have IPv6 working, though.

I'm running into a situation where 1:1 NAT for IPv6 seems to either a) simply 
not work at all, or b) utterly kills all IPv6 on the firewall for reasons I 
don't understand yet.

Before I dive into details, can anyone confirm that they have 1:1 NAT working 
for IPv6 in production?

(Eh, I'll start a new thread anyway.)

-Adam

> -----Original Message-----
> From: List [mailto:[email protected]] On Behalf Of Jon
> Copeland
> Sent: August 1, 2017 16:10
> To: pfSense Support and Discussion Mailing List <[email protected]>
> Subject: Re: [pfSense] IPv6 problem at OVH
> 
> We have this exact setup.  You are correct, you will need Virtual IPs for
> each public WAN IP that OVH have assigned you.  We have separate
> services listening on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm.
> 
> JC
> 
> -----Original Message-----
> From: List [mailto:[email protected]] On Behalf Of Adam
> Thompson
> Sent: August-01-17 12:57 PM
> To: [email protected]
> Subject: [pfSense] IPv6 problem at OVH
> 
> Wondering how anyone else manages (or would manage) this scenario:
> 
> * Private Cloud at OVH.  (Runs VMware, which isn't terribly relevant
> AFAICT.)
> * OVH provides a single VLAN that is connected directly to their router
> * ALL public IP addresses are terminated on that VLAN (i.e. bound
> directly to that interface on their router) including the entire IPv6 /56.
> *** As a consequence, all IPv4 addresses must respond to ARP, and all
> IPv6 addresses must respond to NDP, in order to be successfully publicly
> routed.
> (And yes, they gave me an entire /56 of IPv6... that isn't routed or
> broken up in any way.  And they won't subnet or route anything to me.
> Yay.)
> * Meanwhile, I have public services (multiple tenants) running on
> multiple VLANs, each behind a single pfSense firewall with a WAN
> interface in the massive public-address-space VLAN.
> * I very much want the service address to be different from the firewall
> address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I want
> the publicly-accessible service to live at 1.2.3.5, so that I can distinguish
> based on reverse DNS whether outbound connections are coming from
> the firewall or from the customer's server.  This works great with IPv4, a
> Proxy ARP VIP, and 1:1 NAT.
> * I also need to provide IPv6 connectivity inbound AND outbound, ideally
> with the same reverse-dns differentiation.
> 
> I've tried 1:1 NAT, which seems to break IPv6 altogether every time I
> configure it (although JimP can't reproduce it yet, so presumably it's
> somehow environment-specific).  I'm unclear whether this will work
> anyway with the NDP adjacency requirement.
> 
> I've tried NPt, which doesn't do NDP, and so doesn't work in this
> scenario.
> 
> The next thing I can try (but haven't yet) is an IP Alias VIP with Port
> Forwarding, and then... maybe a custom Outbound NAT rule?
> 
> Am I missing something fundamental?  I know what OVH is doing is
> stupid (NDP for an entire /56?  Fee fi fo fum, I smell a DoS attack...), but
> they have 2000+ other customers on this exact platform, surely ONE of
> them must have a similar situation!  I know IPv6 is new, but ... surely one
> of them must run IPv6?
> 
> Again: IPv4 isn't a problem because Proxy ARP works great and solves
> the silliness of them not routing those allocated subnets to me.  IPv6 is a
> problem because pfSense has to handle NDP *and* do NAT and I can't
> find a way to make it do that properly.
> 
> 
> Thoughts/opinions/brickbats welcome.
> -Adam
> 
> P.S. I seem to not be receiving emails from the list reliably, kindly CC me
> if you don't mind...
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
