WAN IPv6 prefix delegation to LAN interface

asdjklfjkdslfdsaklj

Did my best to search the forums and larger Internet, and didn't find a solution to the problem like I'm going to lay out.

I've been able to configure my WAN interface with a pd-hint /56, which my ISP (Cox) is happy to provide. The LAN interface is configured to track WAN, and as you'd expect a /64 is seen, and everything works just fine.

Now what I'm looking to accomplish is a bit of a change, where rather than clients directly connected to the pfSense box, they're connected to a downstream router:

pfSense <--->New Router<-->Various networks

What I'm after is using pfSense's "Advanced DHCP6 Client Configuration" on the WAN interface, with prefix delegation, but using the "Prefix Interface" setting within to "Select the interface on which to apply the prefix delegation."

Logic here is that pfSense will ask for /56 from ISP, but apply it to the LAN interface, and then within LAN DHCP6/RA config, I can hand out a /60 or two to the New Router.

New Router is configured with pd-hint /60, and expectation is it will hand out /64s to the "various networks" behind it.

tl;dr pfSenese pd /56 from ISP on WAN, applied on LAN, /60s to downstream router.

Before going into the specifics of the WAN advanced config, is my logic sound? Thanks!

@Derelict looking at your posts I'd welcome your thoughts in particular.

JKnott

@asdjklfjkdslfdsaklj said in WAN IPv6 prefix delegation to LAN interface:

pfSense <--->New Router<-->Various networks

If you want a 2nd router to distribute to other LANs, then you router the prefix you want to it. So, connect the 2nd router and route the prefix via that router's address. You can use either the ULA or link local address. While pfsense may support prefix delegation, I'm not sure you want to go that way.

BTW, I have done this with a Cisco router behind pfsense. Routing on IPv6 works just like on IPv4, with the addition of being able to use the link local address for the next hop.

asdjklfjkdslfdsaklj

@jknott Thanks for your reply. I'm exceedingly familiar with IPv6 routing and what you're suggesting. However, the goal here was use of PD end-to-end.

pfSense's WAN configuration allows an advanced config to apply PD to another interface. With that interface snagging the /56, it would be possible to use DHCP6 config on aforementioned interface to provide PD downstream, i.e.:

IAmTheDudeManBro

@jknott

I have the exact same goal. I'd like to ideally make use of PD down the stack. I have a similar physical topology as well.

Derelict

@asdjklfjkdslfdsaklj You can certainly do that, but there is no way for pfSense to know what the PD from upstream is so you have to add it to your DHCP6 server manually. And, if it changes, it needs to be updated manually. It cannot be updated dynamically.

Delegating /60s from a /56 is starting to get into the realm that led to the original RFC recommendation of a /48 for every "site." When you properly ignore the 64 host bits and start trying to allocate prefixes downstream, 8 bits becomes not a lot of interfaces.

With that interface snagging the /56

Interfaces don't "snag" the delegated /56. It is routed.

JKnott

@derelict said in WAN IPv6 prefix delegation to LAN interface:

And, if it changes, it needs to be updated manually. It cannot be updated dynamically.

This applies whether you use PD or not. My prefix is consistent but I understand not everyone is so fortunate.

Derelict

@jknott Why would it change if it is not a DHCP6 PD?

JKnott

@derelict

If the prefix from the ISP changes, then everything behind pfsense gets a new prefix. When you route to additional routers, they have to have addresses within what you get from the ISP. It doesn't matter how you provide IPv6 to those routers.

Derelict

@jknott It's either static or dynamic. An ISP changing a static routed prefix is a different problem.

JKnott

@derelict

Did the OP say they had static addresses? Or DHCPv6-PD? If his ISP is like mine, even with DHCPv6-PD, the addresses are virtually static. Mine even survived replacing the computer I run pfsense on, complete with new NICs. On the other hand, with IPv4, the new hardware caused my host name to change, as well as the address.

Derelict

@jknott said in WAN IPv6 prefix delegation to LAN interface:

This applies whether you use PD or not.

@jknott said in WAN IPv6 prefix delegation to LAN interface:

@derelict

Did the OP say they had static addresses? Or DHCPv6-PD?

Right. So why bring something other than PD up in the first place? It's either a PD or it's static.

A PD that rarely changes is still a PD.

JKnott

@derelict said in WAN IPv6 prefix delegation to LAN interface:

Right. So why bring something other than PD up in the first place? It's either a PD or it's static.
A PD that rarely changes is still a PD.

I thought we were talking about distributing a prefix to another router behind pfsense and the OP wanted to use PD for that. Then you mentioned the upstream prefix changing.

asdjklfjkdslfdsaklj

@derelict after thinking about this for a bit, I could have phrased my intent better.

I had made a leap that after sorting out WAN dhcp6.conf I'd be able to "apply" the PD to the LAN interface's DHCPv6 config in such a way that the "Prefix Delegation Range" could be automatically derived and populated.

Get /56 from ISP, make it available to the LAN DHCPv6 config, assign something from that as southbound PD, albeit partially automatically.

I learned you need to specify the entire address in the PD range, and couldn't populate any part of it automatically. Here I've taken a /57 range from aforementioned /56, for southbound PD:

A way to say "provide a PD on the interface, of /x size, from WAN PD space" would be a nice feature.

JKnott

@asdjklfjkdslfdsaklj said in WAN IPv6 prefix delegation to LAN interface:

A way to say "provide a PD on the interface, of /x size, from WAN PD space" would be a nice feature.

Does your prefix change? If not, then it's not an issue.

4920441 0

@jknott
That's problem... in good olde yurop many ISPs privide also a dynamic IPv6 prefix.... and not a small one either, many a /56 or /48 - but dynamically assigned....

Derelict

@4920441-0 But if they honor the DUID and give you the same prefix every time it should change very rarely, but I agree some tracking of the dynamically-assigned prefix would be nice.

It would also be nice if ISPs would give static IPv6 addressing, /48s, etc.

4920441 0

@derelict

No they don't - the prefix changes every reconnect and nothing can be kept as it was - not even coincidentially....

Some want to sell the more expensive business accounts, others are simlply ingnorant:-)

Cheers

4920441

asdjklfjkdslfdsaklj

@derelict well said, and sums up my thoughts.

Respective DUID state is nice, and it would be even nicer to track and adjust relatively on the pfSense side.

Thanks for your time.