Subneting my /56 prefix to multiple internal LANs
-
As I can see I'm missing the "prefix-interface" statements in "id-assoc pd"...
Looks like when you check the "Advanced configuration" you are losing the "Track Interface" configuration from all LAN interfaces...
With my ISP I can't do without using the "Advanced" option...
-
@Dough29 said in Subneting my /56 prefix to multiple internal LANs:
ISP is Orange (France) giving me a /56 prefix.
Oh, man, you have my attention here.
I tell you up front that the most persistent phrase in this thread is, up until now :
@JKnott said in Subneting my /56 prefix to multiple internal LANs:
It sounds like there may be something weird with Orange.
@JKnott : you're not even close. But heading in the right direction.
First things first : I'm not an IPv6 expert.
I 'own and maintain' 2 Orange Internet connections in France, using a Livebox Pro v4 at work, and a Livebox 4 at home.
The Pro box is really pro : no IPv6 whatsoever.
The only pro thing about it is that my IPv4 is static (I guess, it never changes). The pro is more expensive. Dunno why.
I do not use TV or phone equipment. Nor the built-in Wifi.
Just the VDSL (modem) part.
At home, because I live in the middle of nowhere : just ADSL. I don't use the (VOIP) phone, the TV or the Wifi of this Livebox v4 router.
This one has IPv6 capabilities.
From what I know : they do somewhat reserve a /56 or even a /48 (?) for the connection/livebox but they only assign the first /64 to the LAN.
No other /64 blocks can be accessed / routed / passed on to a more qualified downstream router (pfSense).
edit : I think they allocate a /56 for everybody, which is fine, although a /48 is more standard. Still, they only support a (one !) routed /64.
I have a privileged access to their support system but even after a decade or two ( !!) of asking, they still consider that a single /64 is - I quote :
" more than enough as 2^64 is huge".
Don't laugh.
When I explain I have multiple LANs, things get quiet.
I already understood, for a home set-up, I'm asking too much.
But wait : they sell also "professional connections" - I use one of those. These are 'one LAN' only, also. Just put a router behind our router, this is where pfSense comes into play here, and "you'll be fine !"
Me : "Right, guys, that IPv4 question - more than one network - has been solved at the end of the last century. Now I'm talking about multiple IPv6 networks ...."
@Dough29 said in Subneting my /56 prefix to multiple internal LANs:
What is the "best practice" for delegating a /56 subnet on a pfSense router ?
As said, I'm using right now a /48.
Works as the books stated : cut out a /64, assign it to a LAN type interface - set up a DHCPD IPv6 pool and done.
At least, tunnel.he.net works that way. he.net, as they said, uses the related RFCs, no other things have to be invented.
Once in a while I 'scan' the news, the French blogs/messages/forums about IPv6 in France, and how to do it with Orange (I know others like Free are doing more for IPv6)
For that matter : The Openone (cloned from pfSense years ago), being based in Europe, is more aware of this subject.
It is possible to use the IPv6 from Orange using pfSense, with the "send raw-option" stuff you mentioned above.
What I understood : start a vanilla FreeBSD 11.2 VM, install the tools for make / compile / link and patch dhcp6d. Use this binary to replace the existing one.
As far as I know, things won't get better than obtaining a single /64 out of Orange.
It's a 'prefix 0', and that's it.
Don't forget that the Orange boxes (Livebox) have only one physical LAN port (and a 5 port switch put in front of it), thus using one IPv4 network.
Asking for more than one /64 doesn't make sense for that box.
Using your own modem ? That was accepted back then. Totally not supported today.
I also think their VDSL is proprietary (partially RFC).
And look at the way they handle DHCP6 ! ( I guess they have their reasons).
@Dough29 said in Subneting my /56 prefix to multiple internal LANs:
WAN : to my bridged modem
What is this device ?
I could consider to go back to a modem type - pppoe is crap, but all I need, as long as fibre isn't there yet.
Btw : I'm really hoping that I'm completely wrong here.
-
@Gertjan thank you for all this information !
I also don't use the TV or Voice over IP services.
My line is VDSL2 (Sosh), I have fixed IPv4 (for now it never changed / DHCPv4 in pfSense) behind a Netgear DM200 modem in bridge mode, custom firmware : https://github.com/dough29/openwrt-netgear-dm200-bridge
I can use the whole /56 prefix Orange gives me (see DHCP6C log / 2a01:aaaa:bbbb:0::/64 to 2a01:aaaa:bbbb:ff::/64) and expose services without any problem....
-
It's me thanking you !
So, I can put that ISP router (livebox) where it belongs : in its box - and use some other device like the "Netgear DM200" that supports VDSL2 - Orange - Sosh is for me the same thing as Orange btw.
Good news !
@Dough29 said in Subneting my /56 prefix to multiple internal LANs:
I can use the whole /56 prefix Orange gives me
But you have to hard code the LANs with /64 networks.
What happens if Orange decides to change the IPv6 prefix ?? (answer : all your IPv6 will break and you have to redo the static settings. That would be a definite show stopper).
I understand why you want tracking to work.
-
Yep the Livebox is in its box since the day I received it, never opened the parcel
For now, from pfSense WEB UI, I have to put each LAN in "Static IPv6" and give it a 2a01:aaaa:bbbb:<prefix ID>::/64 subnet by hand...
So you are right, tomorrow if the prefix changes... everything will break !
To solve that I was thinking the "Track Interface" feature will do the job but it seems to be broken when using DHCP6C in "Advanced Configuration" on the WAN side...
-
Hello there.
I gave a try again on using my ::/56 prefix with the option "Track interface" on my LAN interfaces.
This time I got through the code and the answer is simple : when you have "Advanced Configuration" checked (so we can add send options for example) there is no code that could handle the LAN interfaces using "Track interface" for IPv6.
In interfaces.inc we come in function interface_dhcpv6_configure and go to subfunction DHCP6_Config_File_Advanced that doesn't handle the "Track interface" option.
Is it something missing ? Or is this related to an RFC or other thing ?
For now I'm still using the "Configuration Override" option so I have to handle the config file by myself...
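To make the point of this thread concrete, here is an added example (not code from pfSense and not any poster's configuration): it renders the `id-assoc pd` block with the `prefix-interface` statements found missing above, and computes which /64 each LAN receives from whatever /56 the ISP delegates. The interface names `igb1`..`igb3`, the sla-id assignments and the second prefix are constructed; `sla-id`/`sla-len` are assumed to follow the usual dhcp6c.conf meaning.

```python
import ipaddress

# Hypothetical LAN interfaces mapped to the prefix ID (sla-id) each should track.
LANS = {"igb1": 0x00, "igb2": 0x10, "igb3": 0xdc}

def lan_subnet(delegated: str, sla_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking LAN gets: delegated prefix plus sla-id bits."""
    pd = ipaddress.IPv6Network(delegated)      # raises if host bits are set
    sla_len = 64 - pd.prefixlen                # 8 bits for a /56
    if sla_len < 0:
        raise ValueError(f"{pd} is longer than /64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id:#x} does not fit in {sla_len} bits")
    # The sla-id occupies the bits just above the 64-bit interface identifier.
    return ipaddress.IPv6Network((int(pd.network_address) | (sla_id << 64), 64))

def render_id_assoc_pd(pd_len: int, lans: dict, iaid: int = 0) -> str:
    """Build an 'id-assoc pd' block with one prefix-interface per LAN."""
    sla_len = 64 - pd_len
    if len(set(lans.values())) != len(lans):
        raise ValueError("two LANs share the same sla-id")
    lines = [f"id-assoc pd {iaid} {{"]
    for ifname, sla_id in sorted(lans.items(), key=lambda kv: kv[1]):
        if not 0 <= sla_id < (1 << sla_len):
            raise ValueError(f"{ifname}: sla-id {sla_id:#x} out of range")
        lines += [f"    prefix-interface {ifname} {{",
                  f"        sla-id {sla_id};",
                  f"        sla-len {sla_len};",
                  "    };"]
    lines.append("};")
    return "\n".join(lines)

def plan(delegated: str) -> dict:
    """Per-LAN /64 for a given delegation; rerun when the ISP renumbers."""
    return {ifname: str(lan_subnet(delegated, sla)) for ifname, sla in LANS.items()}

if __name__ == "__main__":
    print(render_id_assoc_pd(56, LANS))
    # Same config, two delegations: the thread's masked prefix and a constructed one.
    for prefix in ("2a01:aaaa:bbbb::/56", "2001:db8:0:4200::/56"):
        print(prefix, plan(prefix))
```

Because the LAN prefixes are derived rather than typed in, firewall rules and DHCPv6 pools that reference a LAN by its prefix ID survive a renumbering, which hard-coded "Static IPv6" subnets do not.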
-
What Livebox are you using ?
I'm using the "6" - firmware Version SG60-fr-G03.R00.C01_02.
pfSense Interface WAN : I've set the "IPv6 Configuration Type" to "DHCP6".
My DHCP6 client (on WAN interface) settings :
The LAN interface "IPv6 Configuration Type" is set to "Tracking".
You see the "(hexadecimal from 0 to 0)" ?
This doesn't mean 'nothing or zero' but there is one prefix available.
And that's the first part of the issue right now.
AFAIK : You can do what you want with the (dhcp6c) settings, the Livebox will only give ONE prefix to a downstream router (pfSense) that asks for one or more prefixes.
On the Livebox side :
It says - what I make of it - that it has a /56 available. That's 256 prefixes of /64 - great.
It gave prefix number "0xdc" to the device called pfSense, the MAC shown is the MAC of my pfSense WAN interface.
So, my prefix isn't number zero, but number "0xdc" or 220 decimal.
Note : whatever I do : I always get that prefix - my Orange IPv6 never changed since I joined the fiber, end of last year.
The "2a01:cb19:xxx:a6dc::/64" is mapped to my LAN interface, and the DHCP6 server on the LAN page can use an IPv6 pool from this prefix to hand over IPv6 to LAN clients.
This part works : outgoing IPv6 traffic is ok. Most LAN initiated traffic is now IPv6, it was already the case for local traffic, but now also for outgoing traffic.
For example : I'm posting on this forum for years now using only IPv6.
What doesn't work :
The Livebox firewall : whatever I do, I can't set up an IPv6 rule so I can contact a LAN based device using 2a01:cb19:xxx:a6dc::/64, for example 2a01:cb19:xxx:a6dc::88 (a NAS).
pfSense only obtains one (1) prefix with the size of a /64, not more.
edit : I'm not a dhcp6v expert - I've tried to craft my own dhcp6c config file .....
The Livebox can probably give another /64 to another router attached to its LAN ports .... but that doesn't make sense. I'm not going to add another pfSense to my Livebox so I can make available to a second LAN .....
edit : my conclusion : IPv6 works for classic home IPv6 usage : just one LAN. And you can't reach these IPv6 from the Internet, as I could do with IPv4 (that still works).
And no, I'm not going to even try "NAT" IPV6 ......
-
@Gertjan I'm not using the Livebox, it's left in its box
I'm using a NetGear DM200 Modem in bridge mode to give pfSense the full control of the line.
-
Interesting.
You are using the phone ?
TV ?
-
@Gertjan I have no need for phone or TV but some are doing well on this. You can check on forum lafibre.info for this
-
@Dough29 said in Subneting my /56 prefix to multiple internal LANs:
forum lafibre.info
That's where I go to check if any progress exists