Site to Site ipv6 best practice GUA vs ULA
-
I have a functioning site-to-site setup with pfSense on both ends using a WireGuard tunnel, connecting 3 VLANs on one side with 3 VLANs on the other, all IPv4.
For education purposes, I'm trying to have the devices communicate over IPv6.
According to Jim Pingle's Netgate hangout on IPv6 (2015), he said that most professionals address devices across a VPN using the GUAs. ULAs are used rarely, and something about NPt which I didn't understand.
Since I don't trust my ISP not to change my GUA prefixes, I don't see an alternative to using ULAs.
It wouldn't be an issue, except I can't get BGP to accept the routes to share them across the WireGuard tunnel.
The question for this forum is whether I should use GUA vs ULA. The other details I can post on either dynamic routing or wireguard.
Thanks,
Devan
There's probably a routing error I'm making...
-
@ddbnj said in Site to Site ipv6 best practice GUA vs ULA:
According to Jim Pingle's Netgate hangout on IPv6 (2015), he said that most professionals address devices across a VPN using the GUAs. ULAs are used rarely, and something about NPt which I didn't understand.
The VPN endpoint addresses have to be GUA IPv6 or public IPv4. As for the VPN internal addresses, they can be ULA or GUA, as you're only routing over them. But if you have enough /64s, there's no reason why you can't use one of them. I assume the network at the other end has GUA addresses.
-
As always, thanks for the help.
The WireGuard tunnel is created with two IPv4 endpoints. From there, I added a static IPv6 address in a different ULA range than my VLANs. I then created IPv6 gateways pointing to each other across the tunnel.
-
@ddbnj said in Site to Site ipv6 best practice GUA vs ULA:
Since I don't trust my ISP not to change my GUA prefixes
Have you set "Do not allow PD/Address release" on the WAN page? My prefix has been stable for years and has survived replacing both my firewall and cable modem. It's rock solid as far as I can see.
-
I found the problem.
The WireGuard tunnel address was in the same IPv6 subnet as the VLAN ULAs. Once I fixed that, and set the appropriate policy-based firewall rules, it worked.
I'm still using IPv4 tunnels but am transmitting IPv6 packets across.
Take care,
Devan
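A small check for the addressing mistake described in the post above, as an added example that is not from the thread or from pfSense: it builds RFC 4193 ULA /48s for both sites from constructed Global IDs, carves the VLAN /64s out of them, and reports when the tunnel's transit /64 overlaps a VLAN subnet. Site prefixes, VLAN subnet IDs and the transit prefix are all assumed sample values.

```python
import ipaddress
import secrets

def ula_prefix(global_id=None):
    """Build an RFC 4193 ULA /48: fd00::/8 plus a 40-bit Global ID.
    global_id is 5 bytes; a random one is drawn when omitted, as the RFC advises."""
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    base = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((base, 48))

def subnet64(prefix, subnet_id):
    """Pick the /64 with the given 16-bit Subnet ID out of a ULA /48."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("need a /48 and a 16-bit Subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))

def tunnel_conflicts(transit, lan_prefixes):
    """Return every LAN prefix the tunnel's transit /64 overlaps.
    A non-empty result is the thread's misconfiguration: the tunnel address sits
    inside a VLAN subnet, so that VLAN looks on-link at the tunnel instead of
    being a routed destination behind it."""
    return [p for p in lan_prefixes if transit.overlaps(p)]

def check_site_plan(site_a, site_b, vlan_ids, transit):
    """Expand both sites' VLAN /64s and check the transit /64 against all of them."""
    lans = [subnet64(site_a, i) for i in vlan_ids]
    lans += [subnet64(site_b, i) for i in vlan_ids]
    return tunnel_conflicts(transit, lans)

# Constructed sample plan: fixed Global IDs so the run is repeatable.
SITE_A = ula_prefix(bytes.fromhex("1234567890"))   # fd12:3456:7890::/48
SITE_B = ula_prefix(bytes.fromhex("abcdef0123"))   # fdab:cdef:0123::/48
VLANS = [10, 20, 30]                               # three VLANs per site
# Wrong: tunnel addresses carved out of site A's VLAN 10 /64.
BAD_TRANSIT = subnet64(SITE_A, 10)
# Right: a dedicated transit /64 from a third ULA /48, as in the fix above.
GOOD_TRANSIT = subnet64(ula_prefix(bytes.fromhex("0000c0ffee")), 1)

if __name__ == "__main__":
    for name, transit in (("bad", BAD_TRANSIT), ("good", GOOD_TRANSIT)):
        hits = check_site_plan(SITE_A, SITE_B, VLANS, transit)
        print(f"{name}: transit {transit} conflicts with {[str(h) for h in hits]}")
```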
-
@ddbnj said in Site to Site ipv6 best practice GUA vs ULA:
I'm still using IPv4 tunnels but am transmitting IPv6 packets across.
I do the same. I don't run the tunnel over IPv6 due to DNS issues. My IPv4 address is an alias that points to the ISP provided host name. Using the alias prevents the DNS server from returning the IPv6 address, which is a regular AAAA record. However, pfSense is configured to allow either IPv4 or IPv6.