Re: [pfSense] IPv6 1:1 NAT problems
Yeah, I trudged all the way through it a while back. You're right, the time would've been better spent actually fixing the bug than arguing about it. I'm pretty sure there's even been a few attempted pull requests to fix it but they've all been rejected.

On Thu, Aug 3, 2017 at 3:28 PM, Matthew Hall wrote:
> This bug report is absolutely insane. It required more hours for people to compose these replies than it would to compose the patch for the actual bug. I couldn't even read it all because it was so violently toxic.
>
> Matthew Hall
>
> > On Aug 2, 2017, at 9:36 PM, Morgan Reed wrote:
> >
> > It's not "google" refusing to support it... It's one Lorenzo Colitti who is the roadblock...
> > https://issuetracker.google.com/issues/36949085
> > But yes, it's asinine.

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPv6 1:1 NAT problems
This bug report is absolutely insane. It required more hours for people to compose these replies than it would to compose the patch for the actual bug. I couldn't even read it all because it was so violently toxic.

Matthew Hall

> On Aug 2, 2017, at 9:36 PM, Morgan Reed wrote:
>
> It's not "google" refusing to support it... It's one Lorenzo Colitti who is the roadblock...
> https://issuetracker.google.com/issues/36949085
> But yes, it's asinine.
Re: [pfSense] IPv6 1:1 NAT problems
It's not "google" refusing to support it... It's one Lorenzo Colitti who is the roadblock...
https://issuetracker.google.com/issues/36949085
But yes, it's asinine.

On Thu, Aug 3, 2017 at 1:00 PM, Adam Thompson wrote:
> You could be right, I was writing from memory and ... tbh, I don't care enough to go look it up again :). They shut down, that's a pain in the butt, I was already on HE anyway, end of story for me.
> I would do the same here, except that (IMHO) Google's refusal to support DHCPv6 on Android is completely asinine. So my phone still doesn't get an IPv6 address here at home :-(.
> (Note: Apple products work perfectly.)
>
> It's interesting to speculate about what will happen at some future date when HE turns off (or starts charging for) their tunnel service... I haven't heard anything credible yet, but I assume it'll happen someday.
>
> -Adam
>
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> > Sent: August 2, 2017 21:38
> > To: pfSense Support and Discussion Mailing List
> > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> >
> > Adam,
> >
> > Actually, the reason SIXXS shut down is exactly the opposite of what you said. SIXXS shut down because IPv6 adoption was going too slow and a number of ISPs were actually telling their customers "we don't plan to implement IPv6 because you can get it from SIXXS if you really want it." In effect, ISPs were using tunnels as a way of *reducing* IPv6 rollouts.
> >
> > Vick,
> >
> > I also have an HE tunnel at home because my ISP is dragging their feet about implementing IPv6. In fact, my main guest WiFi network runs *only* IPv6. Most of my guests only care about Gmail and YouTube, and those have been IPv6 enabled for ages. It's an experiment to see how many visitors can get away with not noticing that they have no IPv4 connectivity.
> >
> > Moshe
> >
> > --
> > Moshe Katz
> > -- mo...@ymkatz.net
> > -- +1(301)867-3732
> >
> > On Wed, Aug 2, 2017 at 10:32 PM, Adam Thompson wrote:
> >
> > > So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected.
> > > That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...)
> > >
> > > http://www.tunnelbroker.net/
> > >
> > > Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 tunnel endpoint is <5msec away from my home router [wireless, not DSL or cable], and my ISP has a 10Gbps connection to them. Performance is VERY satisfactory. However, even my office, where the nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable performance on IPv6. Largely because IPv6 paths tend to be shorter and transit fewer routers. (There are a number of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path isn't *really* shorter.)
> > >
> > > -Adam
> > >
> > > > -Original Message-
> > > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> > > > Sent: August 2, 2017 21:28
> > > > To: pfSense Support and Discussion Mailing List
> > > > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> > > >
> > > > Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
Re: [pfSense] IPv6 1:1 NAT problems
If you put your network segment into Assisted Mode the clients will try SLAAC followed by DHCPv6 so that things can cooperate between both approaches.

Matthew Hall

> On Aug 2, 2017, at 8:00 PM, Adam Thompson wrote:
>
> You could be right, I was writing from memory and ... tbh, I don't care enough to go look it up again :). They shut down, that's a pain in the butt, I was already on HE anyway, end of story for me.
> I would do the same here, except that (IMHO) Google's refusal to support DHCPv6 on Android is completely asinine. So my phone still doesn't get an IPv6 address here at home :-(.
> (Note: Apple products work perfectly.)
>
> It's interesting to speculate about what will happen at some future date when HE turns off (or starts charging for) their tunnel service... I haven't heard anything credible yet, but I assume it'll happen someday.
>
> -Adam
Re: [pfSense] IPv6 1:1 NAT problems
You could be right, I was writing from memory and ... tbh, I don't care enough to go look it up again :). They shut down, that's a pain in the butt, I was already on HE anyway, end of story for me.
I would do the same here, except that (IMHO) Google's refusal to support DHCPv6 on Android is completely asinine. So my phone still doesn't get an IPv6 address here at home :-(.
(Note: Apple products work perfectly.)

It's interesting to speculate about what will happen at some future date when HE turns off (or starts charging for) their tunnel service... I haven't heard anything credible yet, but I assume it'll happen someday.

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: August 2, 2017 21:38
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>
> Adam,
>
> Actually, the reason SIXXS shut down is exactly the opposite of what you said. SIXXS shut down because IPv6 adoption was going too slow and a number of ISPs were actually telling their customers "we don't plan to implement IPv6 because you can get it from SIXXS if you really want it." In effect, ISPs were using tunnels as a way of *reducing* IPv6 rollouts.
>
> Vick,
>
> I also have an HE tunnel at home because my ISP is dragging their feet about implementing IPv6. In fact, my main guest WiFi network runs *only* IPv6. Most of my guests only care about Gmail and YouTube, and those have been IPv6 enabled for ages. It's an experiment to see how many visitors can get away with not noticing that they have no IPv4 connectivity.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Wed, Aug 2, 2017 at 10:32 PM, Adam Thompson wrote:
>
> > So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected.
> > That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...)
> >
> > http://www.tunnelbroker.net/
> >
> > Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 tunnel endpoint is <5msec away from my home router [wireless, not DSL or cable], and my ISP has a 10Gbps connection to them. Performance is VERY satisfactory. However, even my office, where the nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable performance on IPv6. Largely because IPv6 paths tend to be shorter and transit fewer routers. (There are a number of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path isn't *really* shorter.)
> >
> > -Adam
> >
> > > -Original Message-
> > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> > > Sent: August 2, 2017 21:28
> > > To: pfSense Support and Discussion Mailing List
> > > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> > >
> > > Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.
Re: [pfSense] IPv6 1:1 NAT problems
Adam,

Actually, the reason SIXXS shut down is exactly the opposite of what you said. SIXXS shut down because IPv6 adoption was going too slow and a number of ISPs were actually telling their customers "we don't plan to implement IPv6 because you can get it from SIXXS if you really want it." In effect, ISPs were using tunnels as a way of *reducing* IPv6 rollouts.

Vick,

I also have an HE tunnel at home because my ISP is dragging their feet about implementing IPv6. In fact, my main guest WiFi network runs *only* IPv6. Most of my guests only care about Gmail and YouTube, and those have been IPv6 enabled for ages. It's an experiment to see how many visitors can get away with not noticing that they have no IPv4 connectivity.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Wed, Aug 2, 2017 at 10:32 PM, Adam Thompson wrote:
> So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected.
> That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...)
>
> http://www.tunnelbroker.net/
>
> Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 tunnel endpoint is <5msec away from my home router [wireless, not DSL or cable], and my ISP has a 10Gbps connection to them. Performance is VERY satisfactory. However, even my office, where the nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable performance on IPv6. Largely because IPv6 paths tend to be shorter and transit fewer routers. (There are a number of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path isn't *really* shorter.)
>
> -Adam
>
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> > Sent: August 2, 2017 21:28
> > To: pfSense Support and Discussion Mailing List
> > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> >
> > Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.
Re: [pfSense] IPv6 1:1 NAT problems
So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected.
That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...)

http://www.tunnelbroker.net/

Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 tunnel endpoint is <5msec away from my home router [wireless, not DSL or cable], and my ISP has a 10Gbps connection to them. Performance is VERY satisfactory. However, even my office, where the nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable performance on IPv6. Largely because IPv6 paths tend to be shorter and transit fewer routers. (There are a number of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path isn't *really* shorter.)

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> Sent: August 2, 2017 21:28
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>
> Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.
Re: [pfSense] IPv6 1:1 NAT problems
Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.

On Wed, Aug 2, 2017 at 10:22 PM, Adam Thompson wrote:
> Sadly, yes. Partly due to providers like OVH who don't "get" prefix delegation.
> Also, how else do you multi-home without running BGP? (Keeping in mind that the overwhelming majority of networks around the world have no access to BGP.) That's one of the specific use cases for Network Prefix Translation. (I don't have the RFC handy, sorry.)
> -Adam
>
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> > Sent: August 2, 2017 21:20
> > To: pfSense Support and Discussion Mailing List
> > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> >
> > Is NAT even a thing with IPv6?
Re: [pfSense] IPv6 1:1 NAT problems
Sadly, yes. Partly due to providers like OVH who don't "get" prefix delegation.
Also, how else do you multi-home without running BGP? (Keeping in mind that the overwhelming majority of networks around the world have no access to BGP.) That's one of the specific use cases for Network Prefix Translation. (I don't have the RFC handy, sorry.)
-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> Sent: August 2, 2017 21:20
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>
> Is NAT even a thing with IPv6?
Re: [pfSense] IPv6 1:1 NAT problems
https://tools.ietf.org/html/rfc6296

Matthew Hall

> On Aug 2, 2017, at 7:19 PM, Vick Khera wrote:
>
> Is NAT even a thing with IPv6?
Re: [pfSense] IPv6 1:1 NAT problems
Is NAT even a thing with IPv6?
[pfSense] IPv6 1:1 NAT problems
(If you work for Netgate – would a paid support subscription include helping me diagnose the problem here, and get this working? I’m not 100% clear if this is in scope or not.)

I’ve encountered an – apparently – unusual problem when trying to enable 1:1 NAT for IPv6. I’m also having a similar problem with NPt, actually, and since they both seem to use the same pf(4) “binat” directive, I suspect they might be related.

All IPs here are obfuscated because the list gets archived, but the last two octets/hextets[1] and subnet masks are all copied as-is. I’ll be happy to provide actual IP addresses in private emails, if you think that’s where my problem lies.

Scenario:
* OVH private cloud (so same non-delegated, NDP-only IPv6 address space I’ve mentioned previously)
* pfSense VM was deployed from official OVA file
* OVH has allocated 1:2:3:4::/56, 1.2.3.48/28 and a few more IPv4 subnets, all bound to the same router interface on their end, connected to the WAN VLAN on the pfSense VM. The IPv6 allocation is *NOT* delegated, it’s a simple interface binding on their router.
* pfSense WAN address is 1.2.3.49/28 and 1:2:3:4::49/56. Default gateways are 1.2.3.62 and 1:2:3:4:::::.
* pfSense LAN address is 10.1.1.1/24 and fd60::1/64. It is the default gateway.
* One other VM exists on the “LAN” V(X)LAN[2], providing public services over tcp/80, tcp/443 and tcp/22.
* Firewall rules are trivial for debugging purposes: Allow Any/Any/Any on WAN and Allow Any/Any/Any on LAN.
* IPv4 Proxy ARP VIP exists for 1.2.3.50/28
* 1:1 NAT for 1.2.3.50/32 <- -> 10.1.1.2/32 exists, seems to work fine.

Notes:
* I have multiple tenants within my OVH private cloud.
* I want them all on separate VLANs, both to slightly increase security (no sniffing/snooping/spoofing attacks) and also to simplify IPSec tunnel setup.
* I can’t use NPt because OVH isn’t delegating or routing that /56 to me. (If they would just &^%$#@! *route* the blocks to me, I’d be done a month ago…)
* I’m “allocating” /64s out of that /56 for each customer purely administratively, i.e. on paper

What’s happening (that I think is a bug):
* pfSense itself has IPv6 connectivity at this point, yay.
* I create a VIP for 1:2:3:4::50/56.
* If and only if the VIP type is “IP Alias”, then:
  * Other VMs on the same WAN segment can ping :50.
  * External nodes cannot ping :50, until I force a “gratuitous NDP” (that shouldn’t even be a thing…) by pinging the default gw with the source address set to :50. There might be a timer involved and I’m too impatient? Dunno, anyway this gets global traffic routing working.
  * The moment I create a 1:1 NAT entry for 1:2:3:4::50/128 <- -> fd60::2/128, all IPv6 on the WAN stops working. pfSense no longer replies to Neighbour Solicitation packets from the gateway, which… well… breaks IPv6 pretty thoroughly. I can still see the incoming NDP packets using tcpdump, but no responses.

But:
* If I do this with a “Proxy ARP” VIP instead of an “IP Alias” VIP, I can never ping :50, but creating the 1:1 NAT entry still breaks IPv6 on the WAN interface.
* If I set the WAN interface address to something elsewhere in the range (e.g. 1:2:3:5::1/56) and then set up NPt between, say, 1:2:3:4:0/64 (WAN) and fd60::/64 (LAN), IPv6 from pfSense itself does not break, but pfSense also does not respond to Neighbour Solicitations for IPs in that range, so I don’t have functional IPv6 to or from the LAN. This is a documented limitation, and it’s not supposed to work.

So I’m lost. Why on earth would *creating* a 1:1 NAT entry for a pair of /128s break IPv6 (NDP, anyway) for the firewall itself? Why does creating the equivalent NPt mapping *not* break the firewall?

While I’m pissed at OVH for refusing to delegate or route the /56, it seems this should still be *possible*, even if awkward, to deploy. But my IPv6 breakage seems very weird – what on earth could I be doing SO differently that it breaks for me but no-one else?

Thanks,
-Adam

[1] https://en.wikipedia.org/wiki/Hextet - you got a better word? Let me know!
[2] From pfSense’s perspective, it’s just another segment. Internally, OVH uses VMware NSX VXLANs to emulate VLANs to emulate broadcast domains. As far as I can tell, this “just works”. It doesn’t seem to be part of the problem, anyway.
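Matthew's RFC 6296 link earlier in the thread and Adam's NPt pairing of fd60::/64 with 1:2:3:4::/64 give a concrete case for what NPTv6 actually does to an address, which is worth seeing because it explains why an NPt mapping is stateless and checksum-neutral while a 1:1 /128 binat is a plain substitution. The example below is added here and is not code from the thread, from pfSense or from pf(4): it implements the RFC 6296 mapping in Python (replace the prefix, then absorb the one's-complement difference of the two prefix sums in the subnet word for /48 or shorter, otherwise in the first interface-identifier word that is not 0xFFFF, storing a 0xFFFF result as 0), with the sample prefixes and the fd60::2 server address taken from Adam's obfuscated scenario and the translated result constructed by running the code.

```python
import ipaddress


def ones_complement_sum(words):
    """One's-complement sum of 16-bit words, folded back to 16 bits."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sub(a, b):
    """a - b in one's-complement arithmetic (a + ~b), folded to 16 bits."""
    return ones_complement_sum([a, (~b) & 0xFFFF])


def to_words(value):
    """Split a 128-bit integer into eight big-endian 16-bit words."""
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(words):
    value = 0
    for w in words:
        value = (value << 16) | w
    return value


def address_checksum(addr):
    """One's-complement sum over the whole address; NPTv6 keeps this invariant."""
    return ones_complement_sum(to_words(int(ipaddress.IPv6Address(addr))))


def npt_translate(addr, from_prefix, to_prefix):
    """Map addr out of from_prefix into to_prefix the RFC 6296 way.

    Stateless and symmetric: call it with the prefixes swapped to map back.
    Only equal-length prefixes up to /64 are handled in this example.
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must have equal length, at most /64")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")

    # Step 1: swap the prefix bits, keep every bit after the prefix.
    host_mask = (1 << (128 - src.prefixlen)) - 1
    words = to_words(int(dst.network_address) | (int(a) & host_mask))

    # Step 2: the rewrite changed the address sum by (new - old prefix sum);
    # cancel it by adding (old - new) to one 16-bit word so that transport
    # checksums covering the pseudo-header stay valid without being touched.
    adjustment = ones_complement_sub(
        ones_complement_sum(to_words(int(src.network_address))),
        ones_complement_sum(to_words(int(dst.network_address))),
    )

    # Step 3: /48 and shorter prefixes adjust the subnet word (bits 48-63);
    # longer ones use the first IID word that is not already 0xFFFF.
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError(f"{a} has no IID word free for the adjustment")

    new_word = ones_complement_sum([words[idx], adjustment])
    # 0xFFFF is "negative zero" in one's complement; it is stored as 0.
    words[idx] = 0 if new_word == 0xFFFF else new_word
    return ipaddress.IPv6Address(from_words(words))


if __name__ == "__main__":
    # Constructed sample from the thread: LAN fd60::/64, WAN 1:2:3:4::/64.
    outside = npt_translate("fd60::2", "fd60::/64", "1:2:3:4::/64")
    back = npt_translate(str(outside), "1:2:3:4::/64", "fd60::/64")
    print(outside, back, address_checksum("fd60::2") == address_checksum(str(outside)))
```

Mapping fd60::2 outward yields 1:2:3:4:fd56::2, and mapping that back lands on the 0xFFFF case (0xfd56 + 0x02a9), which is exactly why the "store as 0" rule matters for the reverse direction to return fd60::2.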