Routing IPv6 and Prefix Delegation
-
I'm using a layer 3 switch to do intra-vlan routing behind a pfSense box that only serves as a firewall and WAN router.
All Lan side IPv4 subnets exist as Vlans on the layer 3 switch and are routed via static routes to pfSense with a /30 network. pfSense has similar static routes back through its side of the /30 network.
For IPv4, it looks like this and things work as expected. Lan side RFC1918 networks can all ping back and forth, obtain DNS, DHCP, and reach the internet.
WAN (76.xxx.xxx.1)
 |
 | (76.xxx.xxx.2)
pfSense (172.16.0.1/30)
 |
 |
switch (172.16.0.2/30)
 |-- Unbound DNS
 |-- Kea DHCP
 |-- VLAN 1 (192.168.1.0/24)
 |-- VLAN 2 (192.168.2.0/24)
 |-- VLAN 3 (192.168.3.0/24)
I want my IPv6 network to more or less look and work the same way, just with GUA addresses.
I have Comcast, which used to give a /60 in my area, but that doesn't seem to be the case any more as I'm only getting a /64.
So, I would like to take the /64 and either dedicate it to one of my LANs OR, use it across the three LANs I want to have IPv6. But, I can't figure out how to configure pfSense to pass through the /64 delegation to the switch and then have the switch provide the router advertisements to the local subnet or subnets. No matter what I try, I cannot get any IPv6 to route to pfSense via the transit link.
The transit link is the only thing physically connected to pfSense, which makes me think that there is no way for the other local subnets to receive pfSense's router advertisements. The switch can be configured for RA, DHCP, etc, but no amount of configuration has been able to get any devices that live in the IPv4 192.168.0.0/24 space to receive an IPv6 GUA from either pfSense or the switch and route correctly.
Hope this makes sense. Thanks for the help.
-
If I read this right, you want to split a single /64 among the VLANs. Bad idea as that will break things like RAs. LANs are supposed to be /64 only.
Maybe you should be calling Comcast to find out what happened to your /60.
-
At this point, I'd be happy if I could just allocate the one /64 I do have to just one VLAN, but I cannot get that to work through the transit network. The VLAN I want to put IPv6 on (192.168.1.0/24) isn't connected to pfSense, aside from the transit network. I can't figure out a way to make that work.
-
Are they providing that /64 to the WAN interface? Or LAN? It's possible to provide it only to the LAN, but not if the WAN gets it. It sounds like you may have an issue with prefix delegation. Also, you have to specify which prefix size you want with DHCPv6 Prefix Delegation size on the WAN page.
Maybe you could capture the full DHCPv6 sequence and post the file here.
-
The /64 is being assigned to my LAN interface.
I have selected /60 for the DHCPv6 Prefix Delegation size in my WAN interface.
For LAN, I have IPv6 set to Track the WAN interface and selected 1 for my IPv6 Prefix ID. The LAN is connected to the transit network back to the switch.
For the LAN /64, I do get my prefix with a 1 at the end and if I add additional pfSense LAN interfaces and change their PD to 2, 3, etc. those are correctly assigned. But I don't want to create a bunch of stub interfaces and even if I did, I still can't seem to get even a single subnet to work with one of the VLAN subnets on my switch.
So, maybe they assign the /60 to the modem somehow? My WAN IPv6 address is in the 2001 network and my LAN is in the 2601 network, so that doesn't seem right.
In my packet captures, I see four prefixes in the RA - all /64s - and pfSense seemed to grab one of them.
In the past, turning on Debug for dhcpv6 showed the prefix allocation, but it doesn't seem to show it anymore.
I know I'm doing something wrong here, but I just cannot figure this out and it shouldn't be this hard!
-
@mloiterman said in Routing IPv6 and Prefix Delegation:
For the LAN /64, I do get my prefix with a 1 at the end and if I add additional pfSense LAN interfaces and change their PD to 2, 3, etc. those are correctly assigned. But I don't want to create a bunch of stub interfaces and even if I did, I still can't seem to get even a single subnet to work with one of the VLAN subnets on my switch.
Are you saying you are getting more than one /64? If so, you just assign them to an interface, either physical or VLAN. Are you choosing a unique prefix ID for each interface? With a /60, your choices are 0 - f.
-
@mloiterman Trying to do anything like route a single /64 delegation south is pretty much folly. Get with your ISP and get a real prefix delegation like a /56, or use a Hurricane Electric GIF tunnel and the free, static /48 you can get there. Route a /56 out of that to the switch and enjoy.
-
Or just route within pfSense, instead of the L3 switch. Otherwise you get into routing the entire /60, after pulling off a single /64 for the pfSense box. While stingy, a /60 will do what he wants. However, with the enormous IPv6 address space, I don't know why they limit customers to a /60.
-
I think what they're doing is allocating the /60 to the modem and then distributing the /64s from the modem "upon request."
I say this because if I create an additional VLAN, or assign another additional physical port to a new network, and increment the Prefix IDs, I will get new and additional /64's. And, there is absolutely NO trace of any mention of any kind of /60 delegation in any of the dozens of packet captures I've done. If they were allocating a /60 to my LAN address, wouldn't that show up in the logs, in the pfSense DHCPv6 page, a packet capture on the WAN side, a capture on the LAN side...somewhere?!
I would really love to know two things:
- What exactly they're doing.
- How this, coupled with their refusal to issue static addresses, is any better, simpler, more efficient, or more cost effective than simply allocating a static /60 to everyone.
Maybe I'm just not understanding how this is supposed to work.
I don't really want to create 6 VLANs in pfSense just to pull in additional IPs to pass through, but I guess that may be the only way to get IPv6 on my LAN.
I also don't understand why I can't route at least 1 of the /64 to my switch for distribution to one of my local subnets. I can't get that to work either.
-
ISPs generally use DHCPv6-PD to provide a prefix to a customer. In this case, pfSense is what receives the /60 and then makes the /64s available to the interfaces. That is how it works here with my /56. As for routing a /64, yes you can do that. I've done that here with a /64 provided to my Cisco router. You just have to create a static route, as you would with IPv4.
Where are you doing the packet captures? Where you'd see your prefix size mentioned is in your DHCPv6-PD packets. Here's an example:
In this you can see the prefix length is 56 and the base prefix.
I suspect your problems are due to not fully understanding how DHCPv6-PD works as it's apparently working the way it's supposed to.
-
Thanks for your post. This was really helpful and I've got it now.
Now that I know where to look, I see that they are giving me a /60.
This was captured from my WAN interface (these are modified versions of the real IPs).
Internet Protocol Version 6, Src: fe80::201:5cff:feb3:8046, Dst: fe80::d884:d9ff:fe8a:ab74
User Datagram Protocol, Src Port: dhcpv6-server (547), Dst Port: dhcpv6-client (546)
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x108d6e
    Client Identifier
    Server Identifier
    Identity Association for Non-temporary Address
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 00000000
        T1: 24280
        T2: 127960
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 197080
            Valid lifetime: 197080
            Prefix length: 60
            Prefix address: 2601:248:340:2200:: (2601:248:340:2200::)
    DNS recursive name server
My LAN interface is, as expected, picking up ID 1 and pfSense has assigned it
2601:248:340:2201:2b12:abee:efc2:2c8f
Now, my question is how to take this /60 and give the remaining (pfSense LAN took 1) /64s to my switch for assignment to each of the subnets configured to my switch.
I guess I'll use RA?
-
Once pfSense has the /60, you then assign a static route. I don't currently have the one I mentioned to my Cisco router, but info on creating the routes, etc. is in the pfSense manual. The examples are for IPv4, but the same principles apply. I trust you're familiar with longest match routing, where you can split off part of a larger prefix by specifying a longer address match.
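An added worked example, not code from this thread or from pfSense: it encodes a constructed IA_PD option with the values from the capture above, parses the prefix length and delegated prefix back out using the RFC 8415 option layout (which is where a capture shows the prefix size), derives the /64 that Prefix ID 1 takes on the tracked LAN, lists the /64s left to route to the switch, and does the longest-match lookup that lets a /64 route win over the /60 pfSense holds. The next-hop labels are assumed.

```python
import ipaddress
import struct

OPTION_IA_PD = 25     # RFC 8415 IA_PD option code
OPTION_IAPREFIX = 26  # RFC 8415 IA_PREFIX sub-option code

def build_ia_pd(iaid, t1, t2, preferred, valid, prefix):
    """Encode one IA_PD option carrying one IA_PREFIX (constructed sample, not captured)."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!IIB16s", preferred, valid, net.prefixlen, net.network_address.packed)
    iaprefix = struct.pack("!HH", OPTION_IAPREFIX, len(body)) + body  # Length: 25
    ia_pd = struct.pack("!III", iaid, t1, t2) + iaprefix                # 12 + 29 = 41
    return struct.pack("!HH", OPTION_IA_PD, len(ia_pd)) + ia_pd

def parse_delegated_prefixes(options):
    """Walk a DHCPv6 option list and return every prefix delegated via IA_PD/IA_PREFIX."""
    found, pos = [], 0
    while pos + 4 <= len(options):
        code, length = struct.unpack_from("!HH", options, pos)
        body = options[pos + 4:pos + 4 + length]
        if code == OPTION_IA_PD:
            sub = 12  # skip IAID, T1, T2
            while sub + 4 <= len(body):
                scode, slen = struct.unpack_from("!HH", body, sub)
                if scode == OPTION_IAPREFIX and slen == 25:
                    _pref, _valid, plen, addr = struct.unpack("!IIB16s", body[sub + 4:sub + 29])
                    found.append(ipaddress.IPv6Network((addr, plen)))
                sub += 4 + slen
        pos += 4 + length
    return found

def subnet_for_prefix_id(delegated, prefix_id):
    """The /64 a tracked pfSense interface takes for a given IPv6 Prefix ID (0..f on a /60)."""
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=64))[prefix_id]

def remaining_subnets(delegated, used_ids):
    """The /64s still free to be routed to the L3 switch over the transit link."""
    subnets = ipaddress.IPv6Network(delegated).subnets(new_prefix=64)
    return [str(s) for i, s in enumerate(subnets) if i not in used_ids]

def longest_match(routes, dest):
    """Pick the next hop whose route has the longest matching prefix (next-hop labels assumed)."""
    addr = ipaddress.IPv6Address(dest)
    best = None
    for network, next_hop in routes:
        net = ipaddress.IPv6Network(network)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None
```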
-
@mloiterman Make a /128 Virtual IP address on your WAN in one of the /64s you want to route downstream. Make a WAN rule passing ICMP6 to that address. Ping it from the outside. Until that works you're not going to be able to route it downstream.
pfSense is doing what it's supposed to be doing with the /64s on a tracked inside interface. That doesn't mean it's a new delegation. Just that dhcpd is adding that prefix to that interface from the delegation.
Go to System > Advanced, Networking and enable the debug on dhcp6c. Then edit/save WAN. Then go to Status > System Logs, DHCP and filter on Process: dhcp6c. See what is there. That should show you the prefix that was assigned.