Static IPv6 /48 trying to give /64 to firewall to hand out
-
I expect to see the ISP route the /48 to you at that site via something else. Either some /64 that's outside that subnet or via the link-local IPv6 addresses.
How is the WAN configured there? All static?
Did the ISP supply any sort of documentation describing the IPv6 connection?
Try sending some traffic to anything inside that /48. Does it appear on the pfSense WAN in a packet capture?
Steve
-
@stephenw10 I think they want me to ROUTE all that traffic for my ARIN-assigned block to THEIR gateway so they have a documented gateway, and they give me a /112. So then I need to get a core router and route the entire /48, where I have 70 firewalls behind it. I am not set up for that. I have my internet line VLANed and I assign that to the WAN port of virtual firewalls and I assign the IP and a gateway; that's the way I would expect to use it. Like they give me a /24 for the same line, I have a gateway that is .1 and I can use .2-.254 and I can directly assign them as the WAN addresses to my firewalls.
I think they want me to put a proper router in front. I'm working with them on what we can do, because I am not wired for that yet.
Alternatively, I guess I could use the /112 and make that the WAN but then assign a part of my block as the LAN? Not sure that would work, because how would that routing table work?
-
I mean, yes, the /40 would need to be routed to them in order for them to route /48s from it to you. That would have to be at some higher level, I don't really expect pfSense to play any part there.
But it sounds like they gave you a small transport subnet, the /112. I expect them to be routing the /48 to you via that.
So your WAN interface should be in the /112 and you can then use the /48 however you wish.
-
@stephenw10 Yes, so then I would need a 10 Gbps capable box or VM to handle that routing, where it would take the /112 and route the /48 to internal pfSense firewalls. I have a company building that, but they want me to use FS.com and Mikrotik; their engineer I guess doesn't like pfSense and TNSR. I mean at that point you would be talking TNSR rather than pfSense. pfSense is really built for NAT, and while you can use it non-NAT, you have TNSR for the real routing. Realistically I would want to assign an entire /64 per firewall to have directly externally routable IPs per individual LAN machine, but still have pfBlockerNG and a firewall protecting that while still handling IPv4 as NAT if possible.
Actually it would be nice to give a /96 per machine internally so I can have MULTIPLE IPs per machine.
-
Hmm, maybe I've not understood the physical setup here then. I'm assuming your provider here is a datacenter somewhere? What exactly is your 'line'?
-
@stephenw10 I have a 10Gig Cogent fiber line per datacenter, of which I currently have three. All three are in "carrier neutral" datacenters, so I get a cage of a few racks in each where I have a VMware cluster. That cluster has at least 60+ clients; each client, which is a small business, gets a pfSense virtual firewall, with 1+ Windows/Linux or whatever VMs that run their applications. Then I have Netgate firewalls I install at each client's office and make an IPsec tunnel to that virtual firewall. So they may have a Windows terminal server running QuickBooks.
That line is a single fiber optic line that I dump into a switch where I turn it into a VLAN, say 100. I then give the pfSense firewall's WAN port VLAN 100 and then each client gets its own VLAN, say 700, 701, 702 and so on, for their internal networks where they have a 10.80.71.1/24 for the LAN with DHCP. Then with IPsec, from their office they can reach a server like a file server or domain controller directly from their office at 10.80.71.2 or whatever it is.
-
Ok I see. And the datacenter can route the /48 via the /112 to whatever's on that fiber.
So is that switch layer3 capable? Can it route the IPv6 traffic?
You're going to need something to route smaller subnets to each pfSense instance there.
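Added example (not from the thread or from any poster): a toy longest-prefix-match routing table for the edge box Steve describes. Its WAN sits in the ISP's /112 transport link with a default route to the ISP gateway, each client gets a /56 out of the /48 routed to that client's pfSense WAN on an inside /64, and the rest of the /48 is sent to a discard route so unallocated space cannot loop back out the default route. All prefixes are constructed from the documentation range 2001:db8::/32; the interface names, VLAN numbers and per-client /56 layout are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed addresses from the documentation prefix 2001:db8::/32 (not the thread's real ranges).
TRANSPORT_112 = ipaddress.IPv6Network("2001:db8:ffff::/112")  # ISP transport link ("the /112")
ISP_GATEWAY = "2001:db8:ffff::1"                                # ISP side of the transport link
OUR_WAN = "2001:db8:ffff::2"                                    # our side; the ISP routes the /48 here
SITE_48 = ipaddress.IPv6Network("2001:db8:1::/48")              # the /48 the ISP routes to us

Route = Tuple[ipaddress.IPv6Network, Optional[ipaddress.IPv6Address], str]


class RoutingTable:
    """Minimal longest-prefix-match table: the most specific matching route wins."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, network: str, via: Optional[str], interface: str) -> None:
        net = ipaddress.IPv6Network(network)
        gw = ipaddress.IPv6Address(via) if via else None   # None = connected or discard route
        self.routes.append((net, gw, interface))
        # Keep the longest prefixes first so a linear scan returns the most specific match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[Tuple[Optional[ipaddress.IPv6Address], str]]:
        dst = ipaddress.IPv6Address(destination)
        for net, gw, iface in self.routes:
            if dst in net:
                return gw, iface
        return None


def build_edge_table() -> RoutingTable:
    """The route set an edge router in front of the pfSense instances would carry (assumed layout)."""
    t = RoutingTable()
    # WAN: the /112 is directly connected; everything else defaults to the ISP gateway on it.
    t.add(str(TRANSPORT_112), None, "wan")
    t.add("::/0", ISP_GATEWAY, "wan")
    # Inside: one /64 out of the /48 is the link on which every pfSense WAN address lives.
    t.add("2001:db8:1:ffff::/64", None, "inside")
    # Each client gets a /56 from the /48, routed to that client's pfSense WAN address.
    t.add("2001:db8:1:100::/56", "2001:db8:1:ffff::700", "inside")  # client on VLAN 700
    t.add("2001:db8:1:200::/56", "2001:db8:1:ffff::701", "inside")  # client on VLAN 701
    # Discard the rest of the /48: unallocated space must not bounce back out the default route.
    t.add(str(SITE_48), None, "null")
    return t


if __name__ == "__main__":
    table = build_edge_table()
    for dst in ("2001:db8:1:105::1", "2001:db8:1:3000::1", "2001:db8:9::1", ISP_GATEWAY):
        print(dst, "->", table.lookup(dst))
```

The discard route for the aggregate is the detail most often forgotten: without it, a packet for an address in the /48 that no client has yet been assigned matches only the default route, goes back to the ISP, which routes the /48 to you again, and the packet ping-pongs until its hop limit runs out.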
-
@PhlMike No BGP?
- You establish BGP with upstream.
- You make sure everything is in place so they accept your route and they announce it into the ether.
- You check looking glasses making sure it's being accepted where it needs to be accepted.
- You route it south however you want.
-
@Derelict eventually I am working towards that. I hired a network engineering company to design a BGP routing setup as well as support and manage it 24/7/365.
This started with a single Supermicro server, a FreeNAS server, some Ubiquiti switches and a Verizon FiOS line with 16 IPs.
Things grew rather quickly. I recently just got an ASN, a /24 and a /40 from ARIN and even full voting membership in ARIN.
Cogent is running me L2 lines between my data centers in February. Then we are using a mix of Mikrotik and FS switches and routers to have fully routed BGP. We are hoping by June 2024 we would have it up.
Until then I have a client that wants IPv6 so I thought I could use it.
Right now I run Mikrotik switches for my data network, which runs my TrueNAS SCALE setup, and I still have UBNT XG16's running my internet side on hacked controllers to allow more than 70 VLANs.
Stage 1 is replace all the UBNT with Mikrotiks. Stage 2 is get basic BGP working with my 3 /24 IPv4 ranges so I can move clients between each data center.
Then stage 3 is full redundant routing fully monitored and managed by a 3rd party NOC. But it's getting expensive. I have to wait for the bank to give me what is looking to be nearly 7 figures.
-
I mean if you just need something, short term, you should be able to set an interface at the remote side of that /112 and see the /48 routed to it.
Then do whatever you need to with that.
-
@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:
even full voting membership in ARIN.
hahah - that doesn't mean much really other than they will actually call you to make sure you cast your vote when stuff comes up.. And mostly that is voting for new officers that you really have no clue about or have ever heard of..
I wish you all the best in your endeavors..
So you got this /48 from some other LIR I would think, I thought ARIN would only give out /32s - wonder if they have changed that, or there might have been the ability for /48 for special application use? A previous company that I worked for where I handled all the IP space with ARIN, when we got our IPv6 block it was a /32..
-
@stephenw10 I might just give that one client 4 ips from the /112 and NAT it to a fc00 range internally and call it a day for now. I don't want to work myself in a corner and find out I used the wrong section of range and now I need to change it and whatnot.
-
@johnpoz they gave it to me direct. I classified as an "x-small" network. Yes, I don't expect much from membership. At the very least they could get me a discount on hotel stays like my AAA membership! :)
Anyway, proper path forward would be to route the entire /40 myself with BGP and use the /112 ranges the ISP gave me to facilitate that.
-
@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:
At the very least they could get me a discount on hotel stays like my AAA membership! :)
hahaha - that would be awesome, maybe some discounts for car rentals too..
But I wasn't kidding - they will actually call you as it gets close to vote, and you haven't submitted yours.. ;)
-
@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:
@stephenw10 I might just give that one client 4 ips from the /112 and NAT it to a fc00 range internally and call it a day for now. I don't want to work myself in a corner and find out I used the wrong section of range and now I need to change it and whatnot.
No.
Don't do that. The bare minimum you should be giving anything south is a /48 or, maybe if you want to be backward-thinking and stingy, a /56.
Don't NAT. There is no reason to.
If you are dealing with address space larger than /48, your concern is how many /48s you have. If you have a /48 you have 65536 /64s. /56 is 256 /64s and so on. The “Addresses” do. not. matter. Every /64 interface has 18 billion billion of them.
Think about things in terms of /64 interfaces, not addresses. The last 64 bits of an IPv6 address do not matter to a network administrator where network design is concerned.
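Added example (not from the thread or from any poster) of the arithmetic in the post above, carried out with Python's standard ipaddress module: how many /64 interfaces a /48 or /56 holds, that a /112 holds none at all, and a site plan that hands each client its own /56 out of the /48 and one /64 per client VLAN from that /56. The /48, client names and VLAN numbers are constructed for the example.

```python
import ipaddress
from typing import Dict, List


def count_subnets(parent: str, child_prefixlen: int) -> int:
    """How many child_prefixlen networks fit inside parent; 0 if parent is too small to hold even one."""
    net = ipaddress.IPv6Network(parent)
    if child_prefixlen < net.prefixlen:
        return 0
    return 2 ** (child_prefixlen - net.prefixlen)


def addresses_in(prefix: str) -> int:
    """Number of addresses in a prefix (for a /64 this is 2**64, the '18 billion billion')."""
    return ipaddress.IPv6Network(prefix).num_addresses


def plan_site(site48: str, clients: Dict[str, List[int]]) -> Dict[str, dict]:
    """Hand each client its own /56 from the site /48, then one /64 per client VLAN from that /56.

    /56s and /64s are allocated sequentially; a /48 has room for 256 such clients.
    """
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    pool56 = site.subnets(new_prefix=56)          # generator over the 256 /56s in the /48
    plan: Dict[str, dict] = {}
    for name, vlans in clients.items():
        client56 = next(pool56)
        pool64 = client56.subnets(new_prefix=64)  # generator over the 256 /64s in the client's /56
        plan[name] = {"prefix": client56, "vlans": {vid: next(pool64) for vid in vlans}}
    return plan


# Constructed example: a documentation /48 and two small clients on VLANs 700-702.
EXAMPLE_PLAN = plan_site("2001:db8:1::/48", {"client-a": [700, 701], "client-b": [702]})

if __name__ == "__main__":
    print("/64s in a /48:", count_subnets("2001:db8:1::/48", 64))
    print("/64s in a /56:", count_subnets("2001:db8:1::/56", 64))
    print("/64s in a /112:", count_subnets("2001:db8:ffff::/112", 64))
    print("addresses in one /64:", addresses_in("2001:db8:1::/64"))
    for client, entry in EXAMPLE_PLAN.items():
        print(client, entry["prefix"], {v: str(n) for v, n in entry["vlans"].items()})
```

The zero for the /112 is the practical point: a /112 has 65536 addresses but cannot contain a single /64, so nothing that relies on SLAAC or per-interface /64s can be built from it; it is only usable as a point-to-point transport link.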
-
@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:
@stephenw10 I might just give that one client 4 ips from the /112 and NAT it to a fc00 range internally and call it a day for now. I don't want to work myself in a corner and find out I used the wrong section of range and now I need to change it and whatnot.
And, to add on, fc00::/7 is an undefined range. If you want to use ULA you should use fd00::/8. And see RFC4193 for a method of choosing a ULA /48 for a site to hopefully avoid future collisions.
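Added example (not from the thread or from any poster) implementing the RFC 4193 section 3.2.2 procedure for picking a ULA /48: a 64-bit NTP timestamp and an EUI-64 are concatenated, hashed with SHA-1, and the low 40 bits become the Global ID behind the fd00::/8 prefix (the L bit set, which is why the result lands in fd00::/8 and never in the reserved fc00::/8 half). The MAC address and timestamp used in the demo are constructed; a real run would use the machine's own MAC and the current time, as the `__main__` block does.

```python
import hashlib
import ipaddress
import struct
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)


def eui64_from_mac(mac: bytes) -> bytes:
    """Expand a 48-bit MAC to a modified EUI-64: insert ff:fe in the middle, flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, then a 32-bit fraction of a second."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * 2 ** 32)
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def rfc4193_ula_prefix(mac: bytes, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64), keep the low 40 bits as the Global ID -> fdXX:XXXX:XXXX::/48."""
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    global_id = digest[-5:]                     # least significant 40 bits of the hash
    prefix_bytes = b"\xfd" + global_id + b"\x00" * 10   # fc00::/7 with L=1 gives the fd byte
    return ipaddress.IPv6Network((int.from_bytes(prefix_bytes, "big"), 48))


if __name__ == "__main__":
    # Real run: this host's MAC (uuid.getnode may fall back to a random value) and the current time.
    mac = uuid.getnode().to_bytes(6, "big")
    print("ULA site prefix:", rfc4193_ula_prefix(mac, time.time()))
```

The point of hashing time and hardware identity rather than picking fd00:1::/48 by hand is that two sites which later get joined by a VPN are very unlikely to have chosen the same /48; a hand-picked "pretty" prefix is exactly the kind that collides.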
-
@Derelict I just have the /112 that is workable. I can't give anything bigger than that right now. The /48s that Cogent allowed out of my /40 are not working.
I have to route those and I need to make sure the network design company and I are on the same page, because I just got, as of two hours ago, the $ to spend on SOME of the networking to get BGP working. We are using CCR2116-12G-4S+, CRS326-24S+2Q+RM and then 2x Xeon E3-1225v6 servers with VMware and directly attached 10Gb SFP+ Intel cards with a single Mikrotik instance (temporarily) to handle the bulk of the weight. I have 2x dual E5-2667v4's also with a bunch of networking in case the E3-1225v6's choke. We aren't getting the FS 5860-20SQ units yet. $10 per VM on free servers or $15k of switches on a stale fiscal year.
-
@PhlMike where did you get a /112? Who gave you that?
-
@johnpoz Cogent gives me that free with every line. Just like they give me a /29 IPv4. I lease 2x /24 IPv4s from Cogent and I have ARIN that gave me another /24. Then ARIN also gave me the /40.
-
@PhlMike you got an IPv4 /24 from ARIN - recently?
Why would they give you a /112? That is not really a valid use case prefix.. Why would they not give you a /64, or better yet delegate a /60 or /56 to use so you could subnet some /64s out of that.