Feature #4881

open

allow dynamic IPs-nets for NPt

Added by L J about 6 years ago. Updated 16 days ago.

Status: Pull Request Review
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date: 07/25/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

It would be very helpful to allow NPt to be used with dynamic IPv6 connections.

Actions #1

Updated by Jim Thompson almost 6 years ago

  • Assignee set to Chris Buechler

assigned to cmb for eval.

Actions #2

Updated by Chris Buechler over 5 years ago

  • Category set to Interfaces

Actions #3

Updated by Chris Buechler over 5 years ago

  • Target version deleted (2.3)

Actions #4

Updated by Chris Buechler over 5 years ago

  • Assignee deleted (Chris Buechler)

NPT ought to allow specifying "LAN subnet", "OPT1 subnet", etc. like firewall rules and other NAT pages for source and destination.

Actions #5

Updated by Jim Thompson almost 5 years ago

  • Assignee set to Luiz Souza
  • Target version set to Future

Actions #6

Updated by Joshua Diamant over 2 years ago

This will be required for most consumer internet providers that give dynamic IPv6 addresses.

Verizon FiOS just enabled IPv6, but I will be unable to use this until dynamic NPt is enabled via pfSense.

Actions #7

Updated by Carsten F about 2 years ago

Any update here? We need dynamic Prefix support for IPv6 Multi WAN.

Actions #8

Updated by Jim Pingle about 2 years ago

  • Category changed from Interfaces to Rules / NAT

Actions #9

Updated by Csoban Kesmarki over 1 year ago

Is anybody aware of any preparation/planning or any other related work already done?

Actions #10

Updated by Csoban Kesmarki over 1 year ago

I think that these changes can basically do the job (take it as a high level plan):
1. Changing the /usr/local/www/firewall_nat_npt_[edit].php to let the user choose the "dynamic" destination which inserts <destination><network>wanip</network></destination> instead of <destination><address>[Manually entered IPv6 address]</address></destination>. (Probably needs a new wanipv6?!)
2. Calling filter_configure_sync() (located in filter.inc) from rc.newwanipv6 which will change the <network>wanip</network> to the last IPv6 provided by the ISP. (AFAIK)
Anyone any thoughts?
(I might just leave this here just for the records.)

Actions #11

Updated by Jim Pingle over 1 year ago

That alone wouldn't do anything useful -- it would have to be the entire network, not a single address. If it's the entire network, you'd need proxy NDP which does not exist on pfSense.

What it really needs is:

  • Code in the DHCP6 client which stores the current delegated prefix(es) somewhere accessible by pfSense, rather than writing them directly to interfaces and not allowing other parts of the system to see what they are without log scraping/guessing
  • A way to select a track interface and set a prefix ID to determine a delegated prefix to use for NPt
  • Code to use the track interface+prefix ID to setup NPt rules (which will work because the delegated prefixes are already routed to the firewall, no need for proxy NDP)

There are a number of issues that the first point will solve, but currently the DHCP6 client doesn't support that upstream. It needs the feature added there first. Someone in the community was working on that a while back, but I'm not sure that ever progressed to a point where it was usable.

Actions #12

Updated by Csoban Kesmarki over 1 year ago

Looks like the wanip is good enough if $rule['ipprotocol'] == "inet6". But the npt has no 'ipprotocol' attribute which should be worked around somehow.

Probably there can be 2 or 3 "dynamic" scenarios:
1. wanip = changing to/from the actual wan ipv6 address with npt. There should be an option (checkbox?) to do a "hidden" wanip-to-wanip NPt rule in case 2 to keep the wanipv6 as it is for e.g. PMTUDv6 packet too big messages.
2. wan = changing to/from the whole wan ipv6 subnet with npt.
3. wan + some subnet = changing just the subset of the ipv6 subnet. (This might need further fields on the NPt edit page.)

Actions #13

Updated by Csoban Kesmarki over 1 year ago

Jim Pingle wrote:

...

Thank you!

I thought much simpler at first by trying to follow my own manual steps when my IPv6 changed.
My WAN IPv6 is always made from the IPv6 "prefix" (it is just /64 all the time) and the end of my Link-Local address (from my MAC).

Do you think that it is worth thinking about a setting somewhere to have a manual/fixed "suffix" instead of LLA?

Is it really a valid case getting more than a single /64 prefix from the ISP when they provide dynamic IPv6 prefix? Reason for asking is that I always have /64 only from Telekom Hungary.

Actions #14

Updated by Jim Pingle over 1 year ago

NPt is "Network Prefix Translation" not "IPv6 outbound NAT", it is effectively "IPv6 1:1 NAT for single addresses or entire subnets". It does not translate many:1 (overload).

There is no potential use for the IPv6 WAN address alone in NPt. It must always be an entire prefix, and as I said, using the WAN prefix is not viable since it would require proxy NDP.

Using any kind of suffix has the same issues I also mentioned. You must be able to specify a track interface and prefix ID or it has no idea what to add that suffix to.

Actions #15

Updated by Csoban Kesmarki over 1 year ago

Got that point.

I did two things here with my NPt:
1. Now I have 4 networks (LAN, DMZ, GUEST, VPN), basically /80 each, which I 1-1 to the /64 I got from ISP. This works properly (however I have to modify it every 3-5 days when the /64 changes together with my IPv4 address). The pfSense's WAN automatically uses a single IPv6 address out of that /64 (by adding its LLA's end to the /64 prefix).
2. Previously I tried to 1-1 my internal networks as a whole /64 to the WAN /64, facing an issue where the Path MTU Discovery's "packet too big" ICMPv6 message got lost because of a double NPt on a loop towards the WAN, so I had to set up a "dummy" NPt for the pfSense WAN address to NPt it to the same address, which overrides the /64 NPt.

Both of these work without proxy NDP as the ISP just sends me everything which belongs to my /64.

In case 1 I have to modify the ISP provided /64 to have my internal /80s by concatenating a fixed "suffix" to the /64.

In case 2 it is much easier but I have to do that dummy 1-1 trick for the WAN IPv6 used by the GW. (This dummy is what I mentioned above as the "hidden" wanip-to-wanip NPt trick which might be enabled/disabled with a checkbox.)

Actions #16

Updated by Holger Glemser over 1 year ago

Csoban Kesmarki, are you sure that you cannot get a "real" prefix from your ISP? The correct way would be that you get e.g. a /56 prefix and additionally a /64 for your router. That's the way e.g. the German Telekom does it. In my opinion, using /80 as a prefix is against the IPv6 specifications. In IPv6, the host part of the IP address is always the lower 64 bit and only the higher 64 bit shall be used for routing. What you are doing breaks e.g. SLAAC (Stateless Address Auto Configuration) and I don't know what else. It might work in some scenarios but I would definitely not recommend it.

I'm waiting for dynamic NPt, too, but for a different reason: I have 2 ISPs with dynamic prefixes. I need NPt so I can configure ULAs internally and map them via NPt to the two dynamic external prefixes. Unfortunately, https://redmine.pfsense.org/issues/6880 needs to be fixed for that, too, because currently, I cannot even get the prefix from my second ISP and use it for some of my VLANs without failover (wouldn't need NPt for that part, only for failover). With IPv4 and NAT it works perfectly: For some VLANs I use ISP1 with fallback to ISP2 and for other VLANs I use ISP2 with fallback to ISP1, using Gateway Groups.

Actions #17

Updated by Csoban Kesmarki over 1 year ago

Holger Glemser wrote:

CK, are you sure that you cannot get a "real" prefix from your ISP?...

Thanks Holger, now I did, however I had to fully reconfigure my whole network, moving the DHCP server from my ubuntu box to the pfSense. So basically it works, however not as I planned, but at least I got much closer to understanding the concept of the dynamic NPt.

I got stuck at a point in my way to trace/investigate/understand/etc. :) the issue: the dhcp6c binary's source itself.
Do I understand it properly that the last source of the dhcp6-20080615.2 (which is included in pfSense 2.4.4p3) is either https://github.com/hrs-allbsd/wide-dhcpv6 or https://github.com/opnsense/dhcp6c, or am I completely wrong and should rely on http://wide-dhcpv6.sourceforge.net/?

Thanks, CK

Actions #18

Updated by Caleb Carges 11 months ago

Well it took until late 2020 but I finally have two local ISPs providing native /56 IPv6 routes over DHCPv6. It would be great to use static internal prefixes and use NPt to track the dynamic external connections to allow failover between them. (Though I'm also running into https://redmine.pfsense.org/issues/6880 )

Actions #20

Updated by Renato Botelho 11 months ago

  • Status changed from New to Pull Request Review
  • Assignee changed from Luiz Souza to Viktor Gurov
  • Target version changed from Future to CE-Next

Actions #21

Updated by Marc Mapplebeck 24 days ago

I'm going to chime in on the usefulness of this. My use case is a little different, but the same principle. I have a 1Gbps Fiber connection (no IPv6), however, I do have IPv6 through work (2 datacenter sites), and a tunnel from my home pfSense to the office pfSense. I also have Starlink (IPv6 provided as /56 PD). I currently have my work IPv6 through the tunnel, and set as my default IPv6 gateway. I would like to create a gateway group that includes P1 main office IPv6, and P2 as Starlink, and then use NPt to make everything work nice and happy. Just my 2 cents.

Actions #22

Updated by Jard Leex 23 days ago

I found this issue two days ago while I tried to provide internet access via IPv6 to my OpenVPN clients.

Right now my OpenVPN clients receive a ULA address (beside an IPv4 address out of RFC1918). Together with a redirect-gateway their IPv6 traffic goes through the tunnel. But this way they can't communicate with the internet as they have no GUA address. Thus I set up NPt for my OpenVPN ULA prefix to one of my GUA prefixes. This works as long as the provider does not change the prefix. I'd like to live without the NPt, but for now it solves the problem.

OpenVPN currently does not support dynamic prefixes: https://community.openvpn.net/openvpn/ticket/498?__cf_chl_jschl_tk__=pmd_v8Dyom5dk81oCdajl79zwjGb76DEga0UAodRJMPtcA4-1632472768-0-gqNtZGzNAeWjcnBszQl9

Clean ways of doing this might be:
- fix of the OpenVPN issue - out of scope here
- Some kind of prefix delegation to OpenVPN via pfsense but I don't know if this would be possible. Any feature request known for that?
- others?

This fix here would remove the manual labor of updating the NPt, even if it might not be a clean solution in the end, at least for my use case I think.

My setup:
- pfsense 2.5.2
- provider: Deutsche Glasfaser
- connection: fibre with ds-lite (IPv4 with carrier grade NAT + native IPv6 with dynamic /56 prefixes)

Thanks.

Actions #23

Updated by Csoban Kesmarki 22 days ago

Hi,

I made a sort of workaround: I created two php scripts (checknpt and fixnpt) which check all NPt settings and compare those which are on the WAN interface to the LAN's IPv6 prefix (using a fixed /56 in code, yet) and display a message (checknpt) or fix them (fixnpt) to the correct prefix using the administered NPt's suffix (the 72 bits after the 56 bits prefix). Both scripts are located in the /etc/phpshellsessions folder and can be run with the commands 'pfSsh.php playback checknpt' and 'pfSsh.php playback fixnpt'. No GUI or configuration exists, yet.
They can be used by adding a system patch to pfSense by the URL: https://github.com/csobankesmarki/firewall/blob/master/NPTscripts.patch.
Tested and working with pfSense 2.4.x and 2.5.x. It can possibly be run from cron, too (under testing).

If you are interested, I made similar ones for CARP: https://github.com/csobankesmarki/firewall/blob/master/CARPscripts.patch
These do similar checks and fixes for CARP VIPs. They check all IPv6 CARP VIPs whether the prefix (fixed /64 here) is the same as the prefix of the interface it belongs to and display a message (checkcarp) or fix it (fixcarp) to the correct prefix. It keeps the administered /64 suffix of the CARP VIP.

Regards,
CK
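
The prefix-preserving fix CK describes (keep the administered suffix bits, swap in the new delegated /56) together with the track-interface-plus-prefix-ID selection Jim Pingle outlined in #11, as an added Python example that is neither CK's PHP scripts nor pfSense code; the function names and the RFC 3849 documentation prefixes are constructed for illustration.

```python
import ipaddress

def delegated_subnet(pd, prefix_id, new_len=64):
    """Track-interface + prefix-ID selection: carve subnet number prefix_id
    (length new_len) out of the delegated prefix pd, e.g. /56 -> one of 256 /64s."""
    net = ipaddress.IPv6Network(pd, strict=True)
    if new_len < net.prefixlen or new_len > 128:
        raise ValueError("prefix ID subnet must be longer than the delegation")
    if prefix_id >= 1 << (new_len - net.prefixlen):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {pd}")
    addr = int(net.network_address) | (prefix_id << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))

def renumber(old, new_pd):
    """Swap the leading len(new_pd) bits of an NPt external prefix for the new
    delegation; the administered suffix (everything after them) is kept."""
    old_net = ipaddress.IPv6Network(old, strict=True)
    pd = ipaddress.IPv6Network(new_pd, strict=True)
    if old_net.prefixlen < pd.prefixlen:
        raise ValueError("NPt prefix is shorter than the delegation; no suffix to keep")
    suffix = int(old_net.network_address) & ((1 << (128 - pd.prefixlen)) - 1)
    return ipaddress.IPv6Network((int(pd.network_address) | suffix, old_net.prefixlen))

def check_npt(rules, current_pd):
    """checknpt-style pass: (name, stale, corrected) for each rule whose external
    prefix is no longer inside the current delegation; a fixnpt would apply 'corrected'."""
    pd = ipaddress.IPv6Network(current_pd)
    findings = []
    for name, ext in rules:
        if not ipaddress.IPv6Network(ext, strict=True).subnet_of(pd):
            findings.append((name, ext, str(renumber(ext, current_pd))))
    return findings

# Constructed sample data: RFC 3849 documentation prefixes, not real delegations.
OLD_PD = "2001:db8:0:100::/56"   # what the ISP handed out before the change
NEW_PD = "2001:db8:0:200::/56"   # what it hands out after the prefix change
RULES = [
    ("LAN",   str(delegated_subnet(OLD_PD, 0x01))),   # 2001:db8:0:101::/64
    ("DMZ",   str(delegated_subnet(OLD_PD, 0x02))),   # 2001:db8:0:102::/64
    ("GUEST", "2001:db8:0:203::/64"),                 # already on the new prefix
]

if __name__ == "__main__":
    for name, stale, fixed in check_npt(RULES, NEW_PD):
        print(f"{name}: {stale} -> {fixed}")
```

The same `renumber` call also covers the /80-inside-a-/64 layout from #15: passing the ISP's /64 as the delegation keeps the 16 administered bits of each internal /80 intact.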

Actions #24

Updated by Csoban Kesmarki 16 days ago

Hi,

So the CARP fixing is broken as of yet: the script finds the old CARP address as interface address and fixes everything (including the correct ones) back to the old prefix after the ISP changes the IPv6 /56 prefix to a new one. I have to fix the script or manually delete the old CARP addresses (aliases) before running the 'fixcarp' script.

However when looking around the issue I found that there is a way forward towards the dynamic NPt:
- DHCP6's dhcp6c needs to be patched to be able to pass the IA_PD to the dhcp6c_wan_script.sh as an additional environment variable (besides e.g. dns servers and dns domain name, etc.). As far as I understand this is the actual source of WIDE-DHCP6 for FreeBSD: https://github.com/hrs-allbsd/wide-dhcpv6/tree/freebsd, somebody correct me if I'm wrong here, please!
- The script can pass the IA_PD's value to the rc.newwanipv6 php script.
- The rc.newwanipv6 can load it to the config as a (new) value to store the ISP's IPv6 prefix.
- The firewall_virtual_ip.php and the firewall_virtual_ip_edit.php need to be changed to add dynamic prefix as NPt possibility.
- A "couple" of additional functions need to be created to get_wan_prefix/set_wan_prefix and some refresh process in the background to automate. "Easy". :D (I'm interested but don't see how much work it is, yet.)

CK
