Netgate Discussion Forum
    Static IPv6 /48 trying to give /64 to firewall to hand out

General pfSense Questions
    31 Posts 5 Posters 2.7k Views
Derelict LAYER 8 Netgate @PhlMike

@PhlMike No BGP?

1. You establish BGP with upstream.
2. You make sure everything is in place so they accept your route and they announce it into the ether.
3. You check looking glasses making sure it's being accepted where it needs to be accepted.
4. You route it south however you want.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
PhlMike @Derelict

@Derelict eventually I am working towards that. I hired a network engineering company to design a BGP routing setup as well as support and manage it 24/7/365.

This started with a single Supermicro server, a FreeNAS server, some Ubiquiti switches and a Verizon FIOS line with 16 IPs.

Things grew rather quickly. I recently just got an ASN, a /24 and a /40 from ARIN and even full voting membership in ARIN.

Cogent is running me L2 lines between my data centers in February. Then we are using a mix of Mikrotik and FS switches and routers to have fully routed BGP. We are hoping by June 2024 we would have it up.

Until then I have a client that wants IPv6 so I thought I could use it.

Right now I run Mikrotik switches for my data network which runs my TrueNAS SCALE setup and I still have UBNT XG16s running my internet side on hacked controllers to allow more than 70 VLANs.

Stage 1 is replacing all the UBNT with Mikrotiks. Stage 2 is getting basic BGP working with my 3 /24 IPv4 ranges so I can move clients between each data center.
Then stage 3 is full redundant routing fully monitored and managed by a 3rd party NOC.

But it's getting expensive. I have to wait for the bank to give me what is looking to be nearly 7 figures.
stephenw10 Netgate Administrator

I mean if you just need something short term, you should be able to set an interface at the remote side of that /112 and see the /48 routed to it.

Then do whatever you need to with that.
johnpoz LAYER 8 Global Moderator @PhlMike

@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:

even full voting membership in ARIN.

hahah - that doesn't mean much really, other than they will actually call you to make sure you cast your vote when stuff comes up. And mostly that is voting for new officers that you really have no clue about or have never heard of.

I wish you all the best in your endeavors.

So you got this /48 from some other LIR I would think. I thought ARIN would only give out /32s - wonder if they have changed that, or there might have been the ability to get a /48 for special application use? At a previous company I worked for, where I handled all the IP space with ARIN, when we got our IPv6 block it was a /32.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
PhlMike @stephenw10

@stephenw10 I might just give that one client 4 IPs from the /112 and NAT it to a fc00 range internally and call it a day for now. I don't want to work myself into a corner and find out I used the wrong section of range and now I need to change it and whatnot.
PhlMike @johnpoz

@johnpoz they gave it to me direct. I classified as an "x-small" network. Yes, I don't expect much from membership. At the very least they could get me a discount on hotel stays like my AAA membership! :)

Anyway, the proper path forward would be to route the entire /40 myself with BGP and use the /112 ranges the ISP gave me to facilitate that.
johnpoz LAYER 8 Global Moderator @PhlMike

@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:

At the very least they could get me a discount on hotel stays like my AAA membership! :)

hahaha - that would be awesome, maybe some discounts for car rentals too.

But I wasn't kidding - they will actually call you as it gets close to the vote and you haven't submitted yours. ;)
Derelict LAYER 8 Netgate @PhlMike

@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:

@stephenw10 I might just give that one client 4 IPs from the /112 and NAT it to a fc00 range internally and call it a day for now. I don't want to work myself into a corner and find out I used the wrong section of range and now I need to change it and whatnot.

No.

Don't do that. The bare minimum you should be giving anything south is a /48 or, maybe if you want to be backward-thinking and stingy, a /56.

Don't NAT. There is no reason to.

If you are dealing with address space larger than /48, your concern is how many /48s you have. If you have a /48 you have 65536 /64s. A /56 is 256 /64s and so on. The “Addresses” do. not. matter. Every /64 interface has 18 billion billion of them.

Think about things in terms of /64 interfaces, not addresses. The last 64 bits of an IPv6 address do not matter to a network administrator where network design is concerned.
Derelict LAYER 8 Netgate @Derelict

@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:

@stephenw10 I might just give that one client 4 IPs from the /112 and NAT it to a fc00 range internally and call it a day for now. I don't want to work myself into a corner and find out I used the wrong section of range and now I need to change it and whatnot.

And, to add on, fc00::/7 is an undefined range. If you want to use ULA you should use fd00::/8. And see RFC 4193 for a method of choosing a ULA /48 for a site to hopefully avoid future collisions.
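Derelict's two points above, counting delegations in /64s and using fd00::/8 rather than fc00::/8 for ULA, as an added example that is not from the thread: it derives a site ULA /48 by the RFC 4193 section 3.2.2 method (SHA-1 over an NTP timestamp and the host's EUI-64), checks that a prefix lies in the defined fd00::/8 half, and counts the /64s a delegation holds. The MAC address and the fixed timestamp used for reproducibility are constructed sample values.

```python
import hashlib
import ipaddress
import time
from typing import Optional

# Added example, not from the thread: RFC 4193 section 3.2.2 ULA generation plus
# the /64-counting arithmetic from the posts above. The MAC below is constructed.
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # L bit = 1, the only defined ULA half


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit and insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ula_prefix(eui64: bytes, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """Site ULA /48 in fd00::/8 per RFC 4193: Global ID = low 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64). Pass ntp_time for a reproducible result."""
    if len(eui64) != 8:
        raise ValueError("expected an 8-byte EUI-64")
    if ntp_time is None:
        now = time.time()  # NTP format: seconds since 1900 in the high 32 bits
        secs = (int(now) + 2208988800) & 0xFFFFFFFF
        ntp_time = (secs << 32) | int((now % 1) * (1 << 32))
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix = (0xFD << 120) | (global_id << 80)      # fd + Global ID; subnet/IID zero
    return ipaddress.IPv6Network((prefix, 48))


def is_usable_ula(net) -> bool:
    """True only inside fd00::/8; fc00::/8, the other half of fc00::/7, is undefined."""
    return ipaddress.IPv6Network(str(net)).subnet_of(ULA_LOCAL)


def count_64s(net) -> int:
    """Number of /64 interface subnets in a delegation: 2^(64 - prefixlen)."""
    plen = ipaddress.IPv6Network(str(net)).prefixlen
    return 0 if plen > 64 else 1 << (64 - plen)  # a /112 holds no /64 at all


if __name__ == "__main__":
    site = ula_prefix(mac_to_eui64("00:11:22:33:44:55"))
    print(site, is_usable_ula(site), count_64s(site))
    for p in ("2001:db8::/48", "2001:db8::/56", "2001:db8::/112"):
        print(p, count_64s(p))
```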
PhlMike @Derelict

@Derelict I just have the /112 that is workable. I can't give anything bigger than that right now. The /48s that Cogent allowed out of my /40 are not working.

I have to route those and I need to make sure the network design company and I are on the same page because I just got, as of two hours ago, the $ to spend on SOME of the networking to get BGP working. We are using CCR2116-12G-4S+, CRS326-24S+2Q+RM and then 2x Xeon E3-1225v6 servers with VMware and directly attached 10Gb SFP+ Intel cards with a single Mikrotik instance (temporarily) to handle the bulk of the weight. I have 2x dual E5-2667v4's also with a bunch of networking in case the E3-1225v6's choke. We aren't getting the FS 5860-20SQ units yet. $10 per VM on free servers or $15k of switches on a stale fiscal year.
johnpoz LAYER 8 Global Moderator @PhlMike

@PhlMike where did you get a /112? Who gave you that?
PhlMike @johnpoz

@johnpoz Cogent gives me that free with every line. Just like they give me a /29 IPv4. I lease 2x /24 IPv4s from Cogent and ARIN gave me another /24. Then ARIN also gave me the /40.
johnpoz LAYER 8 Global Moderator @PhlMike

@PhlMike you got an IPv4 /24 from ARIN - recently?

Why would they give you a /112? That is not really a valid use case prefix. Why would they not give you a /64, or better yet delegate a /60 or /56 to use so you could subnet some /64s out of that?
stephenw10 Netgate Administrator

It's the 'wrong' way to do it for sure. But I would expect to be able to use some IPs from the /112 as a temporary setup.

As you say, by not using anything from the /48 you are free to add that 'correctly' when you can.
PhlMike @johnpoz

@johnpoz Yes, but it's for NAT64 purposes. So ultimately it's temporary. I had been in talks with a company that is willing to do lease-to-own or financing of /20 IPv4s. But I have to wait until 2024 to expend any extra debt.
PhlMike @stephenw10

@stephenw10 Yeah, it's weird for a Tier 1 ISP to do. Ultimately they want you to use the /29 and /112 to ROUTE your own IP ranges.
stephenw10 Netgate Administrator

A /112 seems valid as a transport subnet.
Derelict LAYER 8 Netgate @PhlMike

@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:

@Derelict I just have the /112 that is workable. I can't give anything bigger than that right now. The /48s that Cogent allowed out of my /40 are not working.

I would, personally, not waste any time on a patchwork, temporary setup. I would concentrate on doing it correctly, as in getting BGP working.
PhlMike @Derelict

@Derelict said in Static IPv6 /48 trying to give /64 to firewall to hand out:

I would, personally, not waste any time on a patchwork, temporary setup. I would concentrate on doing it correctly, as in getting BGP working.

You buying? I need 6 FS S5860-20SQ's at about $9,600, I also need 3 Mikrotik CCR2116-12G-4S+ (which are on backorder) and another 3 Mikrotik CRS326-24S+2Q+RM for another $3,800. Not to mention another $2,500 in network engineers' time, including hour+ long meetings with my ISP's engineers where I am literally paying everyone on that Zoom call over $300/hr. Unlike my stupid car dealership, I accept American Express....

Then there is also the possibility of downtime; network packets may drop. Which means I need to send out no fewer than 3 email blasts at least a month in advance and then inevitably delay because "it's too close to tax season" or they have "deadlines" so they expect to be working at 1:30am on a weekend. 🤦 Which then means I need to reschedule another 3 months down the road when all the engineers and consultants are all available at the same time.

You ever build a house? You try getting a plumber, an electrician and the framer all in at the same time to literally discuss a washer and dryer placement on short notice.

My customer would like IPv6 sooner for testing, not production.
johnpoz LAYER 8 Global Moderator @PhlMike

@PhlMike said in Static IPv6 /48 trying to give /64 to firewall to hand out:

My customer would like IPv6 sooner for testing, not production.

What's the old saying? Good, fast, cheap - pick two.

IPv6 isn't going anywhere fast, that is for sure. If he has a public IPv4, does he need more IPv4 that you can not provide? What is their hurry for IPv6? It's been around for almost 25 years already. And many ISPs don't even yet provide it. Or if they do - it's a shit deployment.

To be honest I wouldn't be in a "hurry". A few years back a company I worked for finally pulled the trigger and we got a /32 from ARIN. Sure I created the routing objects and got it being advertised out of some locations. Did any of the customers have any desire - not a one!

I am with Derelict here - do it correctly, if it takes more time - so be it. Not like you're the last guy to get IPv6. And the world's been waiting for you to actually start using it ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.