Configure IPv6 on multiple LAN interfaces
-
@DrPhil they don't actually all pay attention to what you request, they might just hand you a /60 even though you requested a /56 for example.. Or if you only requested a /64 they might still hand you a /60 or /56 say..
Nice to see they are paying attention to what you requested. Wonder if you could get a /48 from them ;) To be honest the min prefix that should be given to any site is a /48.. Its not like there is really any concern of running out of IPv6 space.. For a home or smb then ok a /56 should be enough.. But a /60 is just being stingy ;)
A min allocation for a company from arin is like a /32 - which has 65k /48s in it.. A ISP should be prob getting something bigger, but I believe /32 is the smallest, or I think if your really small isp you can get a /34..
If they are handing out even /56 a /32 gives them like 16.7 million /56s they could hand out.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@johnpoz said in Configure IPv6 on multiple LAN interfaces:
To be honest the min prefix that should be given to any site is a /48.. Its not like there is really any concern of running out of IPv6 space..
I trust you understand there are only enough addresses available to give over 4000 /48s to every person on earth!
-
@JKnott yeah only 4k each.. Its going to run out fast ;) heheh
Keep in mind that is only using the small portion of Ipv6 that has actually been allocated for use..
But then we have ISP being stingy and only giving users either only a single /64 or small /56..
A /56 can have 256 /64's so it is for sure large enough for pretty much any home or smb.. But its the principle of the thing ;) heheh
-
Looks like my celebration was a bit premature.
I requested a /60, and I assumed I got it because pfSense let me pick a different IPv6 Prefix ID for my DMZ interface. I picked 0 for LAN and 1 for DMZ, and was happy.
However, I was still having issues on DMZ. My linux server was not getting a v6 IP assigned dynamically, and when I tried to "force" the client to get one
sudo dhclient -6 -v eno1I got a v6 IP, which was labelled "scope global" vs. "scope global dynamic". But the bigger issue I think is that the prefix is the same as what I have on LAN.
I suspect it's because my ISP is only giving me a /64 prefix even though I am requesting a /60.
PS: I've been on the phone with Verizon now for more than an hour, having been transferred a few times. Still haven't found a person who understands what I am asking for.
-
@DrPhil prefixes can be a bit harder to spot with IPv6.. do you mind posting what you got on your lan and dmz? You can PM them too me.
The guy to ask most likely would be @JKnott he is our resident IPv6 fan boy ;) and expert.. I run IPv6, but my isp doesn't even have it so I run a HE tunnel. which is a static /48 they assign to me.. But you could for sure watch your dhcp traffic from your isp and see what they are handing you for delegation be it a /60 or /56 or a /64, etc.
How are you trying to hand your clients on your dmz IPv6, dhcpv6? just SLAAC?
-
@DrPhil said in Configure IPv6 on multiple LAN interfaces:
I suspect it's because my ISP is only giving me a /64 prefix even though I am requesting a /60.
Do a packet capture of the full DHCPv6 sequence and post the capture file here.
-
@DrPhil prefixes can be a bit harder to spot with IPv6.. do you mind posting what you got on your lan and dmz? You can PM them too me.
Just PMed those over to you.
How are you trying to hand your clients on your dmz IPv6, dhcpv6? just SLAAC?
dhcpv6.
-
@DrPhil said in Configure IPv6 on multiple LAN interfaces:
Just PMed those over to you.
I don't see anything.
Just post it in the thread, so it will be available to others.
-
@DrPhil said in Configure IPv6 on multiple LAN interfaces:
Just PMed those over to you.
Yeah those are not right if they have a /128 on them..
@JKnott he sent me the IPs he has on lan and dmz, but they show a /128
-
@johnpoz said in Configure IPv6 on multiple LAN interfaces:
he sent me the IPs he has on lan and dmz, but they show a /128
That's fine for the WAN, but not a prefix. I have a /128 for my WAN too.
I guess he sent the file to you but not me.
-
@JKnott no he didn't send any file, just the ips with /128 on them.
Those sure can not work for a lan side network - sure as a transit on the wan no problem..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
Just to clarify, what I sent to @johnpoz were not prefixes but v6 IPs that clients on my LAN and DMZ got assigned by the respective DHCPv6 servers.
Here is the output line from
ip addresson each network (for a single client).
On LAN (client 1)
inet6 2600:4040:a30c:8801::2d83/128 scope global dynamicOn DMZ (client2)
inet6 2600:4040:a30c:8801::23ec/128 scope globalI am just reading the first 16 hex characters and calling it the same prefix (not sure that's a technically sound conclusion).
-
@DrPhil they are not the "same" prefix with the /128 on them..
if they had a /64 on them - then they would yeah be the same network/prefix
a /128 in IPv6 land, is the same as a /32 in IPv4.. Its a single IP.. There is no "network" if you will. Its just that IP..
-
a /128 in IPv6 land, is the same as a /32 in IPv4.. Its a single IP.. There is no "network" if you will. Its just that IP..
That much I figured. What I provided are IP addresses assigned to individual client machines (one on each network).
I am looking at the first 16 characters on each:
2600:4040:a30c:8801They're identical. Which is why I was saying that both networks are getting the same prefix (I don't have any confidence in my observation though).
-
@DrPhil said in Configure IPv6 on multiple LAN interfaces:
hey're identical. Which is why I was saying that both networks are getting the same prefix
They are not on the same network, because with a /128 there is no network.
Like saying 192.168.0.1/32 is on the same network as 192.168.0.2/32 - there is no network with a /128
Now if the mask was say /30 then those 192.168.0.x address would be on the same network, since /30 would be
192.168.0.0 - 192.168.0.3Where .0 is the wire, and 3 is the broadcast for that network.
if your client shows /128 on it - there is no "network"
-
@johnpoz said in Configure IPv6 on multiple LAN interfaces:
sure as a transit on the wan no problem
Actually, it's not a transit. It's just a target for VPNs, etc.. The transit network is through the link local address.
-
@JKnott said in Configure IPv6 on multiple LAN interfaces:
he transit network is through the link local address.
ok - its still an IP on the transit connection, be it you want to call it a loopback or whatever..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@DrPhil said in Configure IPv6 on multiple LAN interfaces:
I am looking at the first 16 characters on each:
2600:4040:a30c:8801
They're identical. Which is why I was saying that both networks are getting the same prefix (I don't have any confidence in my observation though).With a /128, the entire address is prefix. With IPv6, the number after the / tells how many of the address bits are prefix, with the remainder being the host portion. Typically, a LAN would have a /64 prefix, the ISP can provide a range of sizes, typically /56 or /48 and a point to point link, such as a VPN can be a /127
Anyway, I asked for the capture file, so that I could see what size prefix you're asking for and getting back.
-
@johnpoz said in Configure IPv6 on multiple LAN interfaces:
ok - its still an IP on the transit connection, be it you want to call it a loopback or whatever..
I think you're still stuck on the IPv4 way of thinking. It's just an address that identifies an interface, nothing more. Loop back is ::1. You don't have a block of loopback addresses, as on IPv4. All traffic from the WAN goes through the link local address and you don't even need a global WAN address. This is why, in another thread, I mentioned the LAN interface IPv6 address could be used for a VPN, when a WAN address isn't available. The packet comes in via the link local address and pfSense sees it's for one of it's own interfaces and handles it appropriately. The link local is usually used for routing, as a router only has to know how to reach the next hop and that can be specified with the link local address or even just the interface name, on a point to point link.
-
Here's what I got from the packet capture.
23:43:31.108177 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 68 23:43:31.114808 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 160 23:43:32.110114 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 133 23:43:32.116112 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 160 23:43:32.177601 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:43:32.188806 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:43:33.213495 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:43:33.227805 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:43:35.178384 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:43:35.184419 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:43:39.142830 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:43:39.154548 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:43:46.871171 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:43:46.886915 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:44:01.359117 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:44:01.368737 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:44:30.227734 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:44:30.237568 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:45:27.693592 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:45:27.699768 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:47:17.062566 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:47:17.070276 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115 23:49:26.790775 IP6 fe80::290:bfe:fe8c:d94a.546 > ff02::1:2.547: UDP, length 52 23:49:26.801422 IP6 fe80::f6b5:2ff3:fe05:71bc.547 > fe80::290:bfe:fe8c:d94a.546: UDP, length 115
