IPv6 subnet lan vs wan
-
I'm new to IPv6; the only time I used it was with the default config of my ISP's router.
I just set up pfSense with an IPv4 and IPv6 dual stack and there's something I don't understand. My ISP is giving me a /64 IP, let's say 2606:XXXX:XXXX:XXX2::1 so my subnet should be between
2606:XXXX:XXXX:XXX2:: and 2606:XXXX:XXXX:XXX2:ffff:ffff:ffff:ffff
but all my LAN devices have a 2606:XXXX:XXXX:XXX3::/64 IP. To my understanding I should have my IP in the same subnet as my WAN interface? Is there something I am not understanding? I can ping IPv6 addresses with this config so I suppose this is normal, I'm just trying to find out what I am missing.
-
@bebewold said in IPv6 subnet lan vs wan:
my LAN devices have a 2606:XXXX:XXXX:XXX3::/64 IP. To my understanding I should have my IP in the same subnet as my WAN interface?
No, the subnets must be different on LAN and WAN or else pfSense cannot (will not) route the traffic. Same rules for IPv6 as for IPv4. Each interface on your firewall must have its own unique IP subnet for routing to work properly.
You appear to be somewhat fortunate with how your ISP dishes out IPv6 addresses. They appear to be providing you a public WAN IPv6 address and then another block for your LAN.
Many ISPs provide only a public prefix delegation for the LAN and depend on the link-local address for the WAN connectivity back to the ISP's gateway. In that scenario your WAN would not have a public IPv6 address.
-
@bmeeks Okay, that makes a bit more sense, so I get two /64 subnets from my ISP? One for my LAN devices, and another for the pfSense WAN interface?
-
@bebewold Maybe name your ISP...
-
@bebewold said in IPv6 subnet lan vs wan:
@bmeeks Okay, that makes a bit more sense, so I get two /64 subnets from my ISP? One for my LAN devices, and another for the pfSense WAN interface?
Yes, that is what appears to be the case based on what you posted.
But it really does not matter whether your WAN has a public IPv6 address or not so long as your LAN clients have public IPv6 addresses. Your ISP is going to route any inbound traffic from the Internet that is destined for one of your public IPv6 LAN addresses directly to your WAN. From there, pfSense will realize that the destination IPv6 address is reachable via your LAN interface and will route the traffic there. So, your LAN clients will "appear" to be sitting directly on the Internet. That's why it's important that you put the proper inbound IPv6 firewall rules in place on your WAN interface so that LAN clients are protected. They would no longer be sort of hidden by NAT as they typically are using IPv4 addresses.
-
@bebewold said in IPv6 subnet lan vs wan:
To my understanding I should have my IP in the same subnet as my WAN interface?
No, it's different, just like in IPv4. Do they provide only a single /64? Many provide /60, /56 or even /48. Also, as mentioned, you don't even need a public address on the WAN port, as link local addresses are often used for routing.
-
@bebewold said in IPv6 subnet lan vs wan:
My ISP is giving me a /64
Well you don't explain what ISP and where you are located.
But in my country almost all ISPs will also deliver an IPv6 prefix (here mostly a /56 one), not only a single /64 address. But, and that's the point, you must make sure your pfSense asks the ISP to deliver you such a prefix. Out of the box pfSense doesn't ask for the prefix.
General information about asking for such a /56 or /60 prefix can be found here: https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html It does not matter that this is the OPNsense manual. It's very similar to what has to be done on pfSense.
So if your ISP delivers you a prefix and pfSense gets one, the local networks, like LAN and WIFI, will create public /64 addresses on the basis of the prefix for LAN, WIFI, etc.
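Added example, not part of the thread's posts and not pfSense code: a Python sketch of the addressing discussed above, carving one /64 per LAN out of a delegated prefix and checking that no two interfaces share a subnet. The function names `carve_lan` and `overlapping` and all addresses (from the 2001:db8::/32 documentation range) are constructed for illustration.

```python
import ipaddress

def carve_lan(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 numbered prefix_id inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a LAN")
    count = 1 << (64 - net.prefixlen)   # /56 -> 256, /60 -> 16, /64 -> 1
    if not 0 <= prefix_id < count:
        raise ValueError(f"prefix id must be 0..{count - 1} for a /{net.prefixlen}")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def overlapping(interfaces: dict) -> list:
    """Return interface pairs whose global subnets overlap.

    Link-local addresses are skipped: every link uses fe80::/64, so a WAN
    that only has a link-local address never conflicts with a LAN prefix.
    """
    nets = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv6Interface(cidr)
        if not iface.ip.is_link_local:
            nets[name] = iface.network
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    # Constructed sample values from the 2001:db8::/32 documentation range.
    lan = carve_lan("2001:db8:1200:ab00::/56", 3)
    print("LAN /64 from the /56:", lan)
    good = {"wan": "2001:db8:0:2::1/64", "lan": "2001:db8:0:3::1/64"}
    bad = {"wan": "2001:db8:0:2::1/64", "lan": "2001:db8:0:2::10/64"}
    print("separate /64s:", overlapping(good))
    print("same /64 on both:", overlapping(bad))
```

With a single delegated /64 only prefix ID 0 exists, so a second local network cannot be numbered from it; a /60 or /56 leaves room for 16 or 256 of them.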
-
@eagle61 said in IPv6 subnet lan vs wan:
Well you don't explain what ISP and where you are located.
Another issue might be how he's connected. My ISP provides a /56 via cable modem, but only a /64 on the cell network.
-
@JKnott said in IPv6 subnet lan vs wan:
Another issue might be how he's connected.
Correct. It is also an issue which device manages the connection between pfSense and the ISP: a device in modem mode or one in router mode. A device in router mode must also support prefix delegation to devices in its subnet. Not all of them provide that. For example, the Draytek Vigor 167 provides router mode and modem mode, but the router mode does not support prefix delegation to devices in the subnet. So for prefix delegation the Vigor 167 needs to be in modem mode, then pfSense will manage the prefix delegation, or it won't work.