ISP Delegates /64 Multiple Times But No /56 or /60

vader9000

Hello,

I have a residential contract and so we don’t get bridge mode and it’s not possible to get static ip.
In my country all isp are the same thing for residential clients and there is no way they are going to change that.

I have pfsense behind the isp router and with ipv4 all my vlans and Wireguard and openvpn are working perfectly
My problems start with ipv6.

I can get ipv6 on my LAN and everything works fine ir passes all the test sites all green but I can’t get it to work on any other interface nor the vlans.

As far as I understand the way it works is we request a /56 or /60 in the WAN and split it /64 or /60 but because the ISP doesn’t allow anything above /64 I just can get it to work on the LAN. But I can get 256 /64s

Is there a way around this limitation and get ipv6 to the vlans / vpns / etc

Thanks

Bob.Dig

@vader9000 said in ISP Delegates /64 Multiple Times But No /56 or /60:

In my country all isp are the same thing for residential clients and there is no way they are going to change that.

What country, what ISP?

As far as I understand the way it works is we request a /56 or /60 in the WAN and split it /64 or /60 but because the ISP doesn’t allow anything above /64

You don't split to /60, only to /64.

vader9000

@Bob-Dig Thank you for replying.

I know you don't split /64 because it start to break stuff (I read some post where they elaborate how it can be dome but it causes many other problems)

my question is because i can have 256 times /64 i just need 8 for my vlans / vpns etc is there some way i can do this??

I can connect 4 routers to my isp router and request a /64 DP and then assign 2001:XXXX:XXXX:XXX1:aaaa:aaaa:aaaa:aaaa For 1 Router + 2001:XXXX:XXXX:XXX2:aaaa:aaaa:aaaa:aaaa For 2 Router and so on.

they dont let us have nothing above /64 but we can ha as many /64 as we want ..... until 256 that is.

Country Portugal
ISP Vodafone
But the Most Important thing is : Residential Contract Not Corporate/Business

Thanks

Bob.Dig

@vader9000 said in ISP Delegates /64 Multiple Times But No /56 or /60:

I can get ipv6 on my LAN and everything works fine ir passes all the test sites all green

You can try, it depends on your Modem/Router and ISP and so on. So what have you done so far to your pfSense config that it is working for your pfSense LAN?

vader9000

@Bob-Dig Thank you for replying.

Yes on the lan side everything is working fine and it passes all the ipv6 test sites.
the clients connected to the lan get the right ips ipv4 and ipv6 but as soon as i try to set up another interface it doesn't work or it works on the new interface and stops working on the LAN

so on the LAN i get a 2001:XXXX:XXXX:XXX1:aaaa:aaaa:aaaa:aaaa and clients get 2001:XXXX:XXXX:XXX1:aaaa:aaaa:aaaa:aaa1 & 2001:XXXX:XXXX:XXX1:aaaa:aaaa:aaaa:aaa2 & 2001:XXXX:XXXX:XXX1:aaaa:aaaa:aaaa:aaa3 which is how it shoud be.

and i still can connect 3 routers to the isp router and duplicate the results with the diferen /64 prefix 2001:XXXX:XXXX:XXX2:aaaa:aaaa:aaaa:aaaa & 2001:XXXX:XXXX:XXX3:aaaa:aaaa:aaaa:aaaa

IN The LAN
I HAve Tried with TRACK Interface WAN with and without DHCP6 and depending when i try with or without RA unmanaged / Assisted / managed no matter what i try wen i set any other interface this stops working or the other doesnt work

my question is : can i make the isp router detect my internal interfaces like its detecting the router i connect directly to the other isp router ports?

thanks

vader9000

@Bob-Dig
Don know if helps or not but ..

Router IS - HUAWEI OptiXstar HG8247X6-8N

NO BRIDGE MODE is available for residential contacts and NO STATIC IP

Bob.Dig

@vader9000 said in ISP Delegates /64 Multiple Times But No /56 or /60:

IN The LAN
I HAve Tried with TRACK Interface WAN with and without DHCP6 and depending when i try with or without RA unmanaged / Assisted / managed

What is the "DHCPv6 Prefix Delegation size" in your WAN-settings?

vader9000

@Bob-Dig

The only one it works is /64
wen i go /63 / 62 /60 /56 it doesn't work

Bob.Dig

@vader9000 said in ISP Delegates /64 Multiple Times But No /56 or /60:

The only one it works is /64
wen i go /63 / 62 /60 /56 it doesn't work

Then your out of luck I think.

vader9000

@Bob-Dig

Thank You

I was hoping that maybe could be possible to make the requests coming from the other interfaces look like different devices ... maybe vlans on the wan side ... i don't know that's beyond my abilities.

Thanks just the same
FC

Bob.Dig

@vader9000 Now what you can do is trying NAT with NPt. This will work ok with outbound connections but only partially with unsolicited inbound connections.

vader9000

@Bob-Dig

Can you please explain how i can do that on the pfsense so i can give it a try.

thks

Bob.Dig

@vader9000 Check the docs.
You have to roll out ULAs on all other Interfaces but the LAN, which still gets the one /64 that is working for you.

One example:

You have to create these rules for every other interface than LAN and change the Source accordingly.

vader9000

@Bob-Dig

Thank You Im Going to Try it

vader9000

@Bob-Dig

On The Interface Lets call it TEST(igb1.5) VLAN tag 5 i Set the interface as STATIC IPV6?
If so wen the ISP changes the ips for the router this will stop working correct?

Bob.Dig

@vader9000 said in ISP Delegates /64 Multiple Times But No /56 or /60:

On The Interface Lets call it TEST(igb1.5) VLAN tag 5 i Set the interface as STATIC IPV6?

Yes and you give it an ULA with /64 like shown above.

If so wen the ISP changes the ips for the router this will stop working correct?

No, LAN is still handled via Track Interface so in general it should work.

JKnott

@Bob-Dig said in ISP Delegates /64 Multiple Times But No /56 or /60:

You have to roll out ULAs on all other Interfaces but the LAN, which still gets the one /64 that is working for you.

Actually, you can add ULA to the LAN, along with GUA. In fact, I don't think ULA is allowed to route to GUA addresses.

Using Unique Local Addresses

vader9000

@Bob-Dig

Hello,

Thank you for the help, I managed to get it working on my test box so I will be setting up my live box.

Best regards,
FC

Bob.Dig

@JKnott said in ISP Delegates /64 Multiple Times But No /56 or /60:

Actually, you can add ULA to the LAN, along with GUA.

True but at least with Track Interface you need a patch for pfsense and this patch is only working partially.

In fact, I don't think ULA is allowed to route to GUA addresses.

Someone has to test this. I ditched my ULAs because of the mentioned problems, so it won't be me.

JKnott

@Bob-Dig said in ISP Delegates /64 Multiple Times But No /56 or /60:

Someone has to test this.

RFC 6724 describes priority when you have multiple addresses to choose from, but doesn't appear to get into the GUA <> ULA situation. However, I seem to recall reading elsewhere that it wasn't allowed. Can't say for certain though.

Anyway, I have both GUA and ULA on my subnets.