Why does DHCPv6 Prefix Delegation Size affect Track Interface Subnet Mask IPv6?

STS-134 · Sep 24, 2021, 3:22 PM

I'm having a very strange issue. My ISP gives me a /56 to use, so I can request different prefix delegation sizes. I have more than one pfSense device (one SG-3100 and two SG-1100) and all of them behave exactly the same way.

When I select a DHCPv6 Prefix Delegation Size of /59, they assign each of my 5 VLANs (which is selected to Track Interface and assigned an IPv6 Prefix ID between "0" and "f") a Subet Mask IPv6 of /64 from the delegated /59, and everything works fine. Of course, SLAAC requires a /64 to operate properly, so every internal interface should have a /64
If I select a DHCPv6 Prefix Delegation Size of /60, each VLAN interface gets a Subnet Mask IPv6 of /63, and nothing works correctly. Clients can't even auto generate their own address due to the Subnet Mask IPv6 being incorrect. This is what happens if I tell pfSense to ask for a /60:

login-to-view

The mapping between requested DHCPv6 Prefix Delegation Size and VLAN interface Subnet Mask IPv6 seems to be as follows:
/59 -> /64
/60 -> /63
/61 -> /62
Someone apparently documented similar behavior here https://forum.netgate.com/topic/101581/comcast-business-56-fails-60-works-but-delegates-63s but this was several years ago. I find it hard to believe that this issue wouldn't have been fixed by now.
Asking for a /60 should give me 16 IPv6 Prefix IDs (0x0 through 0xf) to play around with, assuming every VLAN gets a /64. This is easily more than enough to allocate 5 VLANs. But pfSense seems to insist in assigning /63s instead if I ask for a /60!

Why is this happening? Is there perhaps a simple setting somewhere that I need to toggle?

johnpoz · Sep 24, 2021, 3:32 PM

@sts-134 said in Why does DHCPv6 Prefix Delegation Size affect Track Interface Subnet Mask IPv6?:

My ISP gives me a /56 to use

Then why would you not request a /56 delegation.. Your sure when your asking for a /60 for example they actually give you a /60, or are they giving you a /56 anyway - even though pfsense thinks it should be getting a /60?

STS-134 · Sep 24, 2021, 3:48 PM

@johnpoz Actually if I request a /56, I don't get anything. I suspect that this is because my cable modem actually uses one of the /64s and I don't get access to the entire /56. Plus, it's possible for me to use multiple pfSense devices on the same cable modem -- I do have 5 static IPv4 addresses, after all.

But to answer your question, the sniffer logs show that pfSense requested a /60 but received a /59. However this shouldn't change the fact that if pfSense doesn't get what it asked for, it should work with what it gets, especially if what it gets is sufficient for its present configuration.

johnpoz · Sep 24, 2021, 4:01 PM

@sts-134 Not sure why your "cable" modem would be grabbing any of your prefix - its just a modem. Do you mean you have a gateway?

I don't have any easy way to try and duplicate your issue. My current isp has no IPv6 support and I get all my ipv6 via aHE tunnel, where I get a /48 but everything is static assigned.

What specific version of pfsense are you running. It seems you have done some testing, I would document with details, maybe even sniff of you getting your delegation and requesting, etc. And submit via redmine.. Or document it here and see if someone chimes in before you open the redmine..

I hear you - makes no sense that anything but a /64 should go on the track interface. No matter what the prefix you get is.. But it possible a regression or new sort of problem has come up that is causing problems when the prefix delegate doesn't match or isn't of specific size.

Your saying when you ask for /59 and get /59 it works and your track uses /64

So when you ask for /60 you get /60 - or are you getting only /61 or something?

STS-134 · Sep 24, 2021, 4:11 PM

@johnpoz Technically it's Comcast's Business Wireless Gateway (although I don't use the wireless and basically use it as a modem). So yes, it's a gateway, but IPv4 is done with static configuration and IPv6 is done with DHCPv6-PD. Per Comcast's instructions, if you have static IPv4 addresses, it cannot be put into bridge mode, which means it must use at least one /64 out of my /56.

Version of pfSense is 21.05-1-RELEASE (the latest available).

When I ask for a /60, I get a /59. When I ask for a /59, I get a /59. Seems like this cable modem/gateway likes assigning /59s and ignores the requested size, at least if it's smaller than /59. I didn't try requesting a /58.

johnpoz · Sep 24, 2021, 4:39 PM

@STS-134 Prob have the same device in one of location - thing is a monster in size.. Office is really closed to people.. I guess I could play with it remotely to see what happens via IPv6 - but its on a older version. Covid kind of put a niks my upgrade plans for that box, and a few others because nobody in the offices.

Never set up IPv6 on it - since that office has no need of it. And they switched out the isp device during covid because of issues - so I didn't get much play time with it... My pfsense came up with the static IPv4 it had before.. And made sure wireless was turned off on it. But other than that don't remember if it was bridge or some other weird comcast sort of setup. All I knew is pfsense had its public static IPv4 and stuff behind it was working to the internet.

STS-134 · Oct 1, 2021, 7:09 AM

Interesting observation: I tried this at another location, which has Comcast Business but without the static IP. That modem is in bridge mode. I asked for a /60 and got /61 subnet mask IPv6s on the different VLANs. Following the same pattern as before (increasing prefix delegation size decreases subnet mask IPv6 by the same amount), I changed pfSense to ask for a /56 and started getting /64s.

johnpoz · Oct 1, 2021, 12:13 PM

@sts-134 did you actually get /56? Maybe they only allow you to ask for specific sizes went doesn't give you what you ask for it confuses pfsense? Which I agree is no ideal.