WAN IPv6 prefix delegation to LAN interface
-
@asdjklfjkdslfdsaklj said in WAN IPv6 prefix delegation to LAN interface:
pfSense <--->New Router<-->Various networks
If you want a 2nd router to distribute to other LANs, then you router the prefix you want to it. So, connect the 2nd router and route the prefix via that router's address. You can use either the ULA or link local address. While pfsense may support prefix delegation, I'm not sure you want to go that way.
BTW, I have done this with a Cisco router behind pfsense. Routing on IPv6 works just like on IPv4, with the addition of being able to use the link local address for the next hop.
-
@jknott Thanks for your reply. I'm exceedingly familiar with IPv6 routing and what you're suggesting. However, the goal here was use of PD end-to-end.
pfSense's WAN configuration allows an advanced config to apply PD to another interface. With that interface snagging the /56, it would be possible to use DHCP6 config on aforementioned interface to provide PD downstream, i.e.:
-
I have the exact same goal. I'd like to ideally make use of PD down the stack. I have a similar physical topology as well.
-
@asdjklfjkdslfdsaklj You can certainly do that, but there is no way for pfSense to know what the PD from upstream is so you have to add it to your DHCP6 server manually. And, if it changes, it needs to be updated manually. It cannot be updated dynamically.
Delegating /60s from a /56 is starting to get into the realm that led to the original RFC recommendation of a /48 for every "site." When you properly ignore the 64 host bits and start trying to allocate prefixes downstream, 8 bits becomes not a lot of interfaces.
With that interface snagging the /56
Interfaces don't "snag" the delegated /56. It is routed.
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
@derelict said in WAN IPv6 prefix delegation to LAN interface:
And, if it changes, it needs to be updated manually. It cannot be updated dynamically.
This applies whether you use PD or not. My prefix is consistent but I understand not everyone is so fortunate.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@jknott Why would it change if it is not a DHCP6 PD?
-
If the prefix from the ISP changes, then everything behind pfsense gets a new prefix. When you route to additional routers, they have to have addresses within what you get from the ISP. It doesn't matter how you provide IPv6 to those routers.
-
@jknott It's either static or dynamic. An ISP changing a static routed prefix is a different problem.
-
Did the OP say they had static addresses? Or DHCPv6-PD? If his ISP is like mine, even with DHCPv6-PD, the addresses are virtually static. Mine even survived replacing the computer I run pfsense on, complete with new NICs. On the other hand, with IPv4, the new hardware caused my host name to change, as well as the address.
-
@jknott said in WAN IPv6 prefix delegation to LAN interface:
This applies whether you use PD or not.
@jknott said in WAN IPv6 prefix delegation to LAN interface:
Did the OP say they had static addresses? Or DHCPv6-PD?
Right. So why bring something other than PD up in the first place? It's either a PD or it's static.
A PD that rarely changes is still a PD.
-
@derelict said in WAN IPv6 prefix delegation to LAN interface:
Right. So why bring something other than PD up in the first place? It's either a PD or it's static.
A PD that rarely changes is still a PD.I thought we were talking about distributing a prefix to another router behind pfsense and the OP wanted to use PD for that. Then you mentioned the upstream prefix changing.
-
@derelict after thinking about this for a bit, I could have phrased my intent better.
I had made a leap that after sorting out WAN dhcp6.conf I'd be able to "apply" the PD to the LAN interface's DHCPv6 config in such a way that the "Prefix Delegation Range" could be automatically derived and populated.
Get /56 from ISP, make it available to the LAN DHCPv6 config, assign something from that as southbound PD, albeit partially automatically.
I learned you need to specify the entire address in the PD range, and couldn't populate any part of it automatically. Here I've taken a /57 range from aforementioned /56, for southbound PD:
A way to say "provide a PD on the interface, of /x size, from WAN PD space" would be a nice feature.
-
@asdjklfjkdslfdsaklj said in WAN IPv6 prefix delegation to LAN interface:
A way to say "provide a PD on the interface, of /x size, from WAN PD space" would be a nice feature.
Does your prefix change? If not, then it's not an issue.
-
@jknott
That's problem... in good olde yurop many ISPs privide also a dynamic IPv6 prefix.... and not a small one either, many a /56 or /48 - but dynamically assigned.... -
@4920441-0 But if they honor the DUID and give you the same prefix every time it should change very rarely, but I agree some tracking of the dynamically-assigned prefix would be nice.
It would also be nice if ISPs would give static IPv6 addressing, /48s, etc.
-
No they don't - the prefix changes every reconnect and nothing can be kept as it was - not even coincidentially....
Some want to sell the more expensive business accounts, others are simlply ingnorant:-)
Cheers
4920441
-
@derelict well said, and sums up my thoughts.
Respective DUID state is nice, and it would be even nicer to track and adjust relatively on the pfSense side.
Thanks for your time.
-
O oliver.netgate referenced this topic on
