
Currently setting up some VMs on an ESXi host on an OVH machine. I have two IPv4s on OVH including a virtual MAC address as needed by OVH. One IPv4 for the ESXi host itself, another one for the pfSense VM. IPv4 works great now on all the VMs using the pfSense NAT. However, I simply cannot get IPv6 to run.

OVH assigns one /64 block to me. However, this block is not routed to me whatsoever. OVH completely relies on machines to answer NDP requests. However, since all the VMs except for the pfSense are not hooked up to the "physical" network card, but only to the LAN (vSwitch), they don't receive these NDP beacons and therefore OVH doesn't know they exist. This is a problem that has been discussed in-depth in several OVH & pfSense forum posts already, however without an exact solution.

Most people say an NDP Proxy would be the way to go. However, pfSense doesn't integrate one within their software (so as not to promote bad behavior, I guess). So, what I did was the following:

First, I spun up a FreeBSD 12.3 VM and compiled ndproxy there. Then, I uploaded the ndproxy.ko kernel module to the pfSense machine and put it in /boot/modules. Finally, I put this shell script in /usr/local/etc/rc.d:

#!/bin/sh
# Provides: ndproxy
# Uplink ("physical") interface of the pfSense VM
UPLINK=vmx0
kldload ndproxy
ifconfig ${UPLINK} promisc
sysctl net.inet6.ndproxyconf_uplink_interface=${UPLINK}
# MAC address of this machine's uplink interface
sysctl net.inet6.ndproxyconf_downlink_mac_address=`ifconfig ${UPLINK} ether | grep ether | awk '{print $2;}'`
# OVH IPv6 gateway; strip the link-local scope suffix (%vmx0) from the route output
sysctl net.inet6.ndproxyconf_uplink_ipv6_addresses=`route -n6 show :: | grep gateway: | sed "s/%${UPLINK}//g" | awk '{print $2;}'`

vmx0 is the uplink interface (the "physical one"). The last two lines tell ndproxy the MAC address of the pfSense machine (the machine ndproxy runs on itself) and the OVH IPv6 gateway address.

Conveniently, this gateway resides outside the /64 subnet, so I had to set up the pfSense WAN gateway with a /56 block instead.

For the LAN gateway, I chose a ULA prefix. Then, in "NAT" I added an NPt from a ULA sub-prefix to a WAN sub-prefix. So, say my WAN prefix is 2001:41d0:403:a11::/64 and my chosen ULA prefix fd00:dead:beef:dead::/64, I set up an NPt from ULA fd00:dead:beef:dead:dead::/80 to WAN 2001:41d0:403:a11:beef::/80.

I made sure ndproxy was running, and - nothing! Didn't work whatsoever. The machines are still dead (given the ULA prefix on the VMs and trying to ping them on the WAN prefix set up in the NPt).

In pfSense, I can ping the VMs on their LAN address (e.g. fd00:dead:beef:dead:dead::2), but not on their corresponding NPt WAN address (e.g. 2001:41d0:403:a11:beef::2).

Does anyone have an idea what I could still try?
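A small Python check added here (not from the post) for the addressing plan above: it applies the 1:1 prefix rewrite of the /80 NPt rule in both directions, refuses LAN hosts numbered outside the translated /80, and verifies that the translated prefix lies inside the OVH /64 while the gateway does not (hence the /56 on the WAN). The gateway address is a constructed placeholder, since the post does not give it.

```python
import ipaddress

# Addressing plan as described in the post; the gateway is a constructed
# placeholder outside the /64 (the real OVH gateway address is not in the post).
WAN_PREFIX = ipaddress.IPv6Network("2001:41d0:403:a11::/64")    # OVH-assigned /64
ULA_PREFIX = ipaddress.IPv6Network("fd00:dead:beef:dead::/64")   # pfSense LAN
NPT_INTERNAL = ipaddress.IPv6Network("fd00:dead:beef:dead:dead::/80")
NPT_EXTERNAL = ipaddress.IPv6Network("2001:41d0:403:a11:beef::/80")
GATEWAY_PLACEHOLDER = "2001:41d0:403:aff:ff:ff:ff:ff"


def npt_translate(addr, src_net, dst_net):
    """Swap the prefix bits of addr from src_net to dst_net, keeping the host bits.
    A pfSense NPt rule with equal-length prefixes is exactly this 1:1 rewrite."""
    addr = ipaddress.IPv6Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NPt rule needs equal-length prefixes")
    if addr not in src_net:
        # Hosts numbered outside the translated /80 are never rewritten
        raise ValueError(f"{addr} is not covered by NPt rule {src_net}")
    host_bits = int(addr) & ((1 << (128 - src_net.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(dst_net.network_address) | host_bits)


def to_external(lan_addr):
    """LAN (ULA) address -> address seen on the OVH side."""
    return npt_translate(lan_addr, NPT_INTERNAL, NPT_EXTERNAL)


def to_internal(wan_addr):
    """WAN address -> the VM's real ULA address."""
    return npt_translate(wan_addr, NPT_EXTERNAL, NPT_INTERNAL)


def check_plan(gateway=GATEWAY_PLACEHOLDER):
    """Sanity checks on the addressing plan before blaming the NDP proxy."""
    gw = ipaddress.IPv6Address(gateway)
    return {
        "npt_external_inside_assigned_64": NPT_EXTERNAL.subnet_of(WAN_PREFIX),
        "npt_internal_inside_lan_ula": NPT_INTERNAL.subnet_of(ULA_PREFIX),
        "gateway_inside_assigned_64": gw in WAN_PREFIX,
        "gateway_inside_wan_56": gw in WAN_PREFIX.supernet(new_prefix=56),
    }


if __name__ == "__main__":
    print(to_external("fd00:dead:beef:dead:dead::2"))  # 2001:41d0:403:a11:beef::2
    print(to_internal("2001:41d0:403:a11:beef::2"))    # fd00:dead:beef:dead:dead::2
    for name, ok in check_plan().items():
        print(f"{name}: {ok}")
```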

0 Answers