Routing IPv6 and Prefix Delegation
-
Are they providing that /64 to the WAN interface? Or LAN? It's possible to provide it only to the LAN, but not if the WAN gets it. It sounds like you may have an issue with prefix delegation. Also, you have to specify which prefix size you want with DHCPv6 Prefix Delegation size on the WAN page.
Maybe you could capture the full DHCPv6 sequence and post the file here.
-
The /64 is being assigned to my LAN interface.
I have selected /60 for the DHCPv6 Prefix Delegation size in my WAN interface.
For LAN, I have IPv6 set to Track the WAN interface and selected 1 for my IPv6 Prefix ID. The LAN is connected to the transit network back to the switch.
For the LAN /64, I do get my prefix with a 1 at the end and if I add additional pfSense LAN interfaces and change their PD to 2, 3, etc. those are correctly assigned. But I don't want to create a bunch of stub interfaces and even if I did, I still can't seem to get even a single subnet to work with one of the VLAN subnets on my switch.
So, maybe they assign the /60 to the modem somehow? My WAN IPv6 address is in the 2001 network and my LAN is in the 2601 network, so that doesn't seem right.
In my packet captures, I see four prefixes the RA - all /64s and pfsense seemed to grab one of them.
In the past the turning on Debug for dhcpv6 showed the prefix allocation, but it doesn't seem to show it anymore.
I know I'm doing something wrong here, but I just cannot figure this out and it shouldn't be this hard!
-
@mloiterman said in Routing IPv6 and Prefix Delegation:
For the LAN /64, I do get my prefix with a 1 at the end and if I add additional pfSense LAN interfaces and change their PD to 2, 3, etc. those are correctly assigned. But I don't want to create a bunch of stub interfaces and even if I did, I still can't seem to get even a single subnet to work with one of the VLAN subnets on my switch.
Are you saying you are getting more than one /64? If so, you just assign them to an interface, either physical or VLAN. Are you choosing a unique prefix ID for each interface? With a /60, your choices are 0 - f.
-
@mloiterman Trying to do anything like route a single /64 delegation south is pretty much folly. Get with your ISP and get a real prefix delegation like a /56 or use a hurricane electric GIF tunnel and the free, static /48 you can get there. Route a /56 out of that to the switch and enjoy.
-
Or just route within pfSense, instead of the L3 switch. Otherwise you get into routing the entire /60, after pulling off a single /64 for the pfsense box. While stingy, a /60 will do what he wants. However, with the enormous IPv6 address space, I don't know why they limit customers to a /60.
-
I think what they're doing is allocating the /60 to the modem and then distributing the /64s from the modem "upon request."
I say this because if I create an additional VLAN, or assign another additional physical port to a new network, and increment the Prefix IDs, I will get new and additional /64's. And, there is absolutely NO trace of any mention of any kind of /60 delegation in any of the dozens of packet captures I've done. If they were allocating a /60 to my LAN address, wouldn't that show up in the logs, in the pfSense DHCPv6 page, a packet capture on the WAN side, a capture on the LAN side...somewhere?!
I would really love to know two things:
- What exactly they're doing.
- How this, coupled with their refusal to issue static addresses, is any better, simpler, more efficient, or most cost effective than simply allocating a static /60 to everyone.
Maybe I'm just not understanding how this is supposed to work.
I don't really want to create 6 VLANS in pfsense just to pull in additional IPs to pass through, but I guess that may be the only way to get IPv6 on my LAN.
I also don't understand why I can't route at least 1 of the /64 to my switch for distribution to one of my local subnets. I can't get that to work either.
-
ISPs generally use DHCPv6-PD to provide a prefix to a customer. In this case, pfSense is what receives the /60 and then makes the /64s available to the interfaces. That is how it works here with my /56. As for routing a /64, yes you can do that. I've done that here with a /64 provded to my Cisco router. You just have to create a static route, as you would with IPv4.
Where are you doing the packet captures? Where you'd see your prefix size mentioned is in your DHCPv6-PD packets. Here's an example:
In this you can see the prefix length is 56 and the base prefix.
I suspect your problems are due to not fully understanding how DHCPv6-PD works as it's apparently working the way it's supposed to.
-
Thanks for your post. This was really helpful and I've got it now.
Now that I know where to look, I see that they are giving me a /60.
This was captured from my WAN interface (these are modified versions of the real IPs).
Internet Protocol Version 6, Src: fe80::201:5cff:feb3:8046, Dst: fe80::d884:d9ff:fe8a:ab74 User Datagram Protocol, Src Port: dhcpv6-server (547), Dst Port: dhcpv6-client (546) DHCPv6 Message type: Reply (7) Transaction ID: 0x108d6e Client Identifier Server Identifier Identity Association for Non-temporary Address Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 24280 T2: 127960 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 197080 Valid lifetime: 197080 Prefix length: 60 Prefix address: 2601:248:340:2200:: (2601:248:340:2200::) DNS recursive name serverMy LAN interface is, as expected, picking up ID 1 and pfSense has assigned it
2601:248:340:2201:2b12:abee:efc2:2c8fNow, my question is how to take this /60 and give the remaining (pfSense LAN took 1) /64s to my switch for assignment to each of the subnets configured to my switch.
I guess I'll use RA?
-
Once pfS.ense has the /60, you then assign a static route. I don't currently have the one I mentioned to my Cisco router, but info on creating the routes, etc. is in the pfSense manual. The examples are for IPv4, but the same principles apply. I trust you're familiar with longest match routing, where you can split off part of a larger prefix, by specifying a longer address match.
-
@mloiterman Make a /128 Virtual IP address on your WAN in on of the /64s you want to route downstream. Make a WAN rule passing ICMP6 to that address. Ping it from the outside. Until that works you're not going to be able to route it downstream.
pfSense is doing what it's supposed to be doing with the /64s on a tracked inside interface. That doesn't mean it's a new delegation. Just that dhcpd is adding that prefix to that interface from the delegation.
Go to System > Advanced, Networking and enable the debug on dhcp6c. Then edit/save WAN. Then go to Status > System Logs, DHCP and filter on Process: dhcp6c. See what is there. That should show you the prefix that was assigned.
