What If ISP can only provide a /64

RobbieTT · Apr 29, 2023, 9:32 AM

@bob-dig I'm still confused. The /64 refers to the first part of the 128-bit address (half in this example) aka 'the prefix'. The rest of it can be farmed-out as you like.

pfSense has no issue in doing this, using the first part as the prefix and then allowing you to subnet the rest, usually adding a simple addition after the prefix address to signify which address range belongs on any given interface. In my case a ':1' for management, ':2' for main LAN, ':3' for first VLAN etc.

️

RobbieTT · Apr 29, 2023, 9:42 AM

An example from a VLAN on my home network (plus the handy hints from pfSense):

login-to-view

️

Bob.Dig · Apr 29, 2023, 9:49 AM

@robbiett But you got more then one /64 from your ISP, that is the point. Maybe you got a /56 or what not, which is more than only one /64.

Bob.Dig · Apr 29, 2023, 10:03 AM

@robbiett Also I don't think that you have active subrouters, do you? I think this only can be used with a fixed prefix and not a dynamic one, which would be another limitation on pfSense side regarding dynamic IPv6.

RobbieTT · Apr 29, 2023, 10:03 AM

@bob-dig

The point is that you can subnet a /64. It is massive (in the scheme of what we have in IPv4 land). You just subnet it into a range, effectively identify it as a given subnet by adding an identifier (a :2 in the example above) and assign that address space to an interface / LAN / VLAN etc.

️

Bob.Dig · Apr 29, 2023, 10:09 AM

@robbiett You can do that but this will not work without problems because of that:

In IPv6, the address space is deemed large enough for the foreseeable future, and a local area subnet always uses 64 bits for the host portion of the address, designated as the interface identifier, while the most-significant 64 bits are used as the routing prefix.

https://en.wikipedia.org/wiki/IPv6#Addressing

You screen does show something different anyways, because there the prefix is a /64 and not less. The field below isn't used because I bet you don't have any subrouters.

GrumpyOldCoalMiner · Apr 29, 2023, 10:15 AM

Thanks, helpful discussion. So far.

I was (still am) confused because after setting up one LAN interface to "Track Interface" and point to the one and only WAN interface to use for tracking I get usable IPv6 addresses on hosts on that LAN.

But when trying to configure this same thing (Track Interface) on a interface for LAN #2 a message says can't do that, WAN interface already used for tracking on WAN1. I don't have exact message in front of me, that's me going from memory form a few days ago.

Bob.Dig · Apr 29, 2023, 10:26 AM

@grumpyoldcoalminer Because one /64 is only good for one LAN. So this is expected behavior. Check with your ISP if they really only give out a /64. You have to put in the real delegation size manually on the WAN-page yourself with pfSense.

Mine is giving me a /56 which the first router (Fritzbox) will take some off so I configured pfSense to only demand a /60.
login-to-view

RobbieTT · Apr 29, 2023, 10:22 AM

@bob-dig
This is my home example (it's Saturday!), so no sub-routers needed.

The only thing notable about a /64 is that most (all?) auto-configurations do not subnet below a /64. You can actually subnet all the way down to tiny subnets. For example, you could subnet down to say a /124, giving you just 16 IPv6 addresses for that LAN/VLAN.

There are many subnet calculators out there that give you all the options if you want to get really wacky.

️

Bob.Dig · Apr 29, 2023, 10:30 AM

@robbiett said in What If ISP can only provide a /64:

There are many subnet calculators out there that give you all the options if you want to get really wacky.

True, but there are many devices that will not work with a subnets smaller than /64, so it is no good advise. But sure, try for yourself, if it would work for you, but you can't and shouldn't count on this at all.

RobbieTT · Apr 29, 2023, 10:35 AM

@bob-dig

The IETF didn't really imagine that an ISP would be as stingy as handing out a /64, expecting /56 or a /48 address space to be commonplace. Things didn't work out that way but the /64 address space is still massive and I've not run into a case where a client cared about its address space.

Bob.Dig · Apr 29, 2023, 10:39 AM

@robbiett I once had such an ISP and I tried splitting up the /64. If I remember correct, my dell printer and my android phone didn't liked it, Windows and Linux were fine though.

RobbieTT · Apr 29, 2023, 10:44 AM

@bob-dig Yeah, some ISPs are just mean. Yours is the first example I have heard of a device rejecting its subnet. That's some really bad coding!

For the OP the Negate manual has some words on the subject and the address ranges possible:

The prefix length denotes how many bits of the address define the network in which it exists. Most commonly the prefixes used with IPv6 are multiples of four, as seen in Table IPv6 Subnet Table, but they can be any number between 0 and 128.

Netgate Docs - IPv6 Subnetting

️

Bob.Dig · Apr 29, 2023, 10:47 AM

@robbiett At this time, everything not being /64 is just wrong. And with dynamic prefixes via track interface you also can't go below /64, even in pfSense.

RobbieTT · Apr 29, 2023, 10:56 AM

@bob-dig said in What If ISP can only provide a /64:

@robbiett ...my android phone didn't liked it, Windows and Linux were fine though.

Just thinking about the Android bit and I guess this would be due to Android pretending that DHCPv6 does not exist?

️

Bob.Dig · Apr 29, 2023, 11:05 AM

@robbiett Would make sense, but I don't think that was the case with the printer. And I am just a home user...

RobbieTT · Apr 29, 2023, 12:23 PM

@bob-dig
Clearly I don't know about the printer specifics; but If I had to guess (and it is a guess) it could be its inbuilt NIC not handling privacy or assigned addresses and is reliant on the 48-bit MAC derived address and that the subnet defined had crossed into the MAC address space.

Of course, in all things networking there is always one-more-way to screw something up.

Anyway, we should beat-up ISPs that don't give a static /48 (or /56 at least) address block to their customers. I'm in the UK and even the 'managed' monopoly of BT gives a /56 away (and they would eat your first-born if you let them).

️

marcg · Apr 29, 2023, 7:58 PM

A 64 bit host part (or "interface identifier") is baked into the v6 specs in a number of ways. Here's a good summary.

It may be possible to assign and use longer prefixes with DHCP, but SLAAC, hence Android, will definitely break.

Anyway, we should beat-up ISPs that don't give a static /48 (or /56 at least) address block to their customers. I'm in the UK and even the 'managed' monopoly of BT gives a /56 away (and they would eat your first-born if you let them).

+1 on this. Here's RIPE's view on best practices for prefix assignment. In particular,

Assigning a /64 or longer prefix does not conform to IPv6 standards and will break functionality in customer LANs

JKnott · Apr 29, 2023, 8:47 PM

@robbiett said in What If ISP can only provide a /64:

Just thinking about the Android bit and I guess this would be due to Android pretending that DHCPv6 does not exist?

Yep, you can thank some genius at Google for that.

mfld · Apr 30, 2023, 4:38 AM

@robbiett said in What If ISP can only provide a /64:

@bob-dig I'm still confused. The /64 refers to the first part of the 128-bit address (half in this example) aka 'the prefix'. The rest of it can be farmed-out as you like.

pfSense has no issue in doing this, using the first part as the prefix and then allowing you to subnet the rest, usually adding a simple addition after the prefix address to signify which address range belongs on any given interface. In my case a ':1' for management, ':2' for main LAN, ':3' for first VLAN etc.

️

How can Android devices on your LAN SLAAC like this ?

Issuing a single /64 is nonsense and indicative of a half-hearted rollout by the residential ISP. See this BCOP RIPE-690 for many pros and cons

https://www.ripe.net/publications/docs/ripe-690