Wondering how anyone else manages (or would manage) this scenario:
* Private Cloud at OVH. (Runs VMware, which isn't terribly relevant
AFAICT.)
* OVH provides a single VLAN that is connected directly to their router
* ALL public IP addresses are terminated on that VLAN (i.e. bound
directly to that interface on their router) including the entire IPv6
/56.
  * As a consequence, all IPv4 addresses must respond to ARP, and all
IPv6 addresses must respond to NDP, in order to be successfully publicly
routed.
(And yes, they gave me an entire /56 of IPv6... that isn't routed or
broken up in any way. And they won't subnet or route anything to me.
Yay.)
* Meanwhile, I have public services (multiple tenants) running on
multiple VLANs, each behind a single pfSense firewall with a WAN
interface in the massive public-address-space VLAN.
* I very much want the service address to be different from the firewall
address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I
want the publicly-accessible service to live at 1.2.3.5, so that I can
distinguish based on reverse DNS whether outbound connections are coming
from the firewall or from the customer's server. This works great with
IPv4, a Proxy ARP VIP, and 1:1 NAT.
* I also need to provide IPv6 connectivity inbound AND outbound, ideally
with the same reverse-dns differentiation.
I've tried 1:1 NAT, which seems to break IPv6 altogether every time I
configure it (although JimP can't reproduce it yet, so presumably it's
somehow environment-specific). I'm unclear whether this will work
anyway with the NDP adjacency requirement.
I've tried NPt, which doesn't do NDP, and so doesn't work in this
scenario.
The next thing I can try (but haven't yet) is an IP Alias VIP with Port
Forwarding, and then... maybe a custom Outbound NAT rule?
Am I missing something fundamental? I know what OVH is doing is stupid
(NDP for an entire /56? Fee fi fo fum, I smell a DoS attack...), but
they have 2000+ other customers on this exact platform, surely ONE of
them must have a similar situation! I know IPv6 is new, but ... surely
one of them must run IPv6?
Again: IPv4 isn't a problem because Proxy ARP works great and solves the
silliness of them not routing those allocated subnets to me. IPv6 is a
problem because pfSense has to handle NDP *and* do NAT, and I can't find
a way to make it do that properly.
Thoughts/opinions/brickbats welcome.
-Adam
P.S. I seem to not be receiving emails from the list reliably, kindly CC
me if you don't mind...
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list