Divide IPv6 prefix among multiple independent routers
-
@CZvacko In a simple scenario, our data center gave us a WAN IP with a /125 mask so we could set up one IP (with HA/CARP it's 3 but that's not important for the story). Our /64 is routed to that one WAN IP. We then use that /64 on LAN. pfSense knows where its defined subnets are and the data center knows the /64 is routed to that one WAN IP.
In our office we have a /56. Our ISP router LAN gets a /64 so the WAN IP of an internal router is in that /64. The internal router's LAN can have multiple subnets. Each router can request a subnet or prefix from the router in front of it. The ISP knows to route the entire /56 to their router's WAN IP and the ISP router knows to route the requested block to the internal router.
So when you say you tried to use a different WAN IP is that on that same router? Are you trying to set up multiple routers in parallel, next to each other? Because I think you'd either need multiple routers (your outside router with WAN and LAN, then multiple inside) or one router with multiple interfaces (WAN, and LAN1-8 or whatever, each with their own /64).
IPv6 normally doesn't do NAT but the routers need to know where to route each subnet/prefix. Basically, it's the same as IPv4 without NAT.
-
Sorry, my mistake. I hadn't had my morning beer yet.
The comments about 8 subnets misled me, when I wasn't fully awake. Yeah, you should be able to split it.
One thing to check is your prefix IDs; they have to be appropriate for the various subnets.
-
@SteveITS said in Divide IPv6 prefix among multiple independent routers:
multiple routers in parallel
I want to achieve this scenario, which is not a problem with IPv4 and NAT (each router has its own WAN IP). If one router dies, the others are not affected.
But it seems that it can't work when NAT is not used; in my initial post I wasn't sure if IPv6 brings some new feature that might solve this. Actually, ISP support seems to have confused me: when I called them they said I can select a different WAN IP for other routers, but it seems that I can't. And it doesn't matter whether I use GUA or ULA on the ISP line, right? And there is no other way to achieve it, just put an extra "master" router before the others? Or pfSenseA can become master, but then I need to use some OPT interface to connect with the others...
-
@CZvacko And these Clients are all separate networks?
If you want multiple routers then you need multiple WAN IPs and the ISP will need to forward the subnet to each of the three routers' WAN IP so it gets to the correct place.
Otherwise you'll need to add a fourth router to split your /53. Something like:
pfSense OUTER WAN: use the IP your ISP tells you
pfSense OUTER LAN: use one /64 from your /53
pfSense A WAN: IP from that same /64 so the two routers can communicate, ask for prefix delegation of a /60
pfSense A LAN1: its own unique /64 from that /60 (Track Interface)
pfSense A LAN2: its own unique /64 from that /60 (Track Interface)
etc.
-
First off, I haven't tried what you want. However, I mentioned prefix IDs. You have to divide up that /53. You'd be using ID 0 for that and the /53 subnet size. Then, on each of the local networks you have to send a /56 (I assume), so you then have to split up that /53 into 8 /56s. How are you doing that? Are you using DHCPv6-PD, as you receive from your ISP? Or are you doing a manual configuration? Once that's done, the 1st router will know about the 8 next-level routers and so should have routes to them. But what about what's beyond? You have to start mapping out addresses and where they are. And yes, you can use ULA between router levels, if you don't want to use GUA. However, the WAN port to the ISP will be GUA, if it has an address assigned. However, that's not needed, as link-local addresses are normally used for routing.
I would suggest starting small and get 1 LAN going before working on the other 7.
You've just demonstrated a real big problem with NAT in that people don't learn how to properly route. Splitting big address blocks into smaller ones is how the Internet has always worked. This is just more of the same.
-
@SteveITS said in Divide IPv6 prefix among multiple independent routers:
and the ISP will need to forward the subnet to each of the three routers' WAN IP so it gets to the correct place.
Nonsense. The ISP sends the entire /53 to him and everything within it. It is then his responsibility to split up the /53 and deal with the internal routing.
I have a /56 here, with a few /64s. I don't have to tell my ISP when I set up a network, as everything for my /56 is received by pfSense. When I add a subnet, pfSense knows what address each one is and forwards appropriately. His complication is he's adding another layer of routers, which adds to the routing he has to manage.
-
@JKnott if the ISP router is receiving the /53 then sure. I interpreted that as external/upstream.
In your example it sounds like you have one router not 3. I think OP wants 3 in parallel.
OP could use HA and two routers for redundancy and max uptime but each would need 7 interfaces, plus one for pfsync.
-
@SteveITS said in Divide IPv6 prefix among multiple independent routers:
In your example it sounds like you have one router not 3. I think OP wants 3 in parallel.
His diagram isn't clear on what's happening. First off, his ISP's gateway has to provide more than a /64, which means it's not a typical consumer-level device. What is it? Maybe he should be using bridge mode and do everything himself. We simply don't have enough detail to do much more than guess. I have set up several systems where the connection is via fibre, to a media converter and then a Cisco router, and that router is capable of what the OP wants. Again though, we don't know enough.
As for that ISP line, what is that? A switch with multiple routers connected? If that's the case, he has to set up the routing to describe how to reach LAN, etc.
-
The ISP gives me the prefix as a static configuration, so the /53 is routed to us. Now that the confusion about WAN IPs is resolved, I'm thinking of asking the ISP to do a different setup (split on their side?).
Yes, ISP line = switch.
All this happens because I need to keep the current IPv4 setup (we have a static /29 routed to us) and run dual-stack. Currently there are not only pfSense routers on my internet line, but also others that have stricter security policies (corporate), so they need to run independently.
HA setup for pfSense may be my next action, also dual WAN setup, for which I may raise another topic to ask what will be the best strategy to do it.
-
Does the ISP router provide the entire /53 in one block? Or does it split the block with individual /64s sent to each pfSense? In that case, there would have to be routes from the ISP router to each pfSense router configured in the ISP's router. If one block, then you need a router in there to split it. What hardware is the ISP's router?
BTW, IPv6 routing works pretty much the same as IPv4, so what would you do with IPv4, assuming you weren't using NAT? Same problem.
If you're splitting the block in the router and then routing to the pfSense routers, you'd have to have an address on each router, such as X:Y:Z:1 on the ISP, :2 on the first pfSense, :3 on the 2nd, etc. Then you'd have to route the /64s to each of those addresses.
-
@JKnott said in Divide IPv6 prefix among multiple independent routers:
one block
Yes, currently only one block; if they can change it to multiple blocks, would it solve the problem? I do not know what router they use, they supply us with a 1000BASE-T cable (in my diagram I drew the ISP router, but it is somewhere on their side). In the current IPv4 setup we use NAT.
-
As I mentioned, you have to split into /64s. I suspect the ISP won't do that, as it's generally the customer's responsibility. I'd suggest you put another pfSense between the ISP's gateway and your other pfSense boxes. That way it can split the /53 into 8 /56s, assuming that's what you want. You could use different addresses, as I suggested, to get to the right pfSense.
My question about IPv4 was assuming you didn't use NAT. If you can solve for that, you've got it solved for IPv6.
Do you have much experience with routers?
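To make the splitting and routing concrete (the outer-router layout SteveITS sketched, the prefix-ID point JKnott raised, and the "split the /53 into 8 /56s and route each to its own pfSense" plan above), here is an added worked example that is not from the thread or from pfSense itself. The GUA /53 (2001:db8:1::/53), the ULA transit network between router levels (fd00:ac1d:1::/64) and the next-hop numbering (::2, ::3, ...) are constructed assumptions; the OP's real prefix is not on the page.

```python
import ipaddress
from typing import List, Tuple

def split_prefix(block: str, new_len: int) -> List[ipaddress.IPv6Network]:
    """Carve a block into equal sub-prefixes, e.g. a /53 into 8 x /56 or a /56 into 256 x /64."""
    net = ipaddress.IPv6Network(block, strict=True)  # strict: reject a block with host bits set
    if not net.prefixlen <= new_len <= 64:
        raise ValueError(f"new length /{new_len} must lie between /{net.prefixlen} and /64")
    return list(net.subnets(new_prefix=new_len))

def max_prefix_id(delegated: str) -> int:
    """Highest Track Interface prefix ID that fits in a delegated block (a /56 allows 0x0..0xff)."""
    net = ipaddress.IPv6Network(delegated)
    return 2 ** (64 - net.prefixlen) - 1

def track_interface_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a LAN gets for a given prefix ID: the ID selects one /64 inside the delegation."""
    limit = max_prefix_id(delegated)
    if not 0 <= prefix_id <= limit:
        raise ValueError(f"prefix ID {prefix_id:#x} exceeds {limit:#x} for {delegated}")
    return split_prefix(delegated, 64)[prefix_id]

def build_routes(block: str, new_len: int, transit: str,
                 first_host: int = 2) -> List[Tuple[str, str]]:
    """Static routes the outer router needs: one sub-prefix per inner router, each with a
    next hop on the shared transit /64 (::1 is left for the outer router, as in the thread)."""
    transit_net = ipaddress.IPv6Network(transit, strict=True)
    routes = []
    for i, sub in enumerate(split_prefix(block, new_len)):
        nexthop = transit_net.network_address + first_host + i
        if nexthop not in transit_net:
            raise ValueError(f"next hop {nexthop} falls outside transit net {transit_net}")
        if sub.overlaps(transit_net):
            raise ValueError(f"{sub} overlaps the transit net; use ULA or a reserved /64")
        routes.append((str(sub), str(nexthop)))
    return routes

if __name__ == "__main__":
    # Constructed values: ISP-routed /53, ULA transit between the outer and inner routers.
    for dest, via in build_routes("2001:db8:1::/53", 56, "fd00:ac1d:1::/64"):
        print(f"route add -inet6 {dest} {via}")   # route table the outer pfSense needs
    # Inner router 2 received 2001:db8:1:100::/56; its LAN with prefix ID 0x1f gets:
    print(track_interface_subnet("2001:db8:1:100::/56", 0x1f))
```

The overlap check matters because carving the transit /64 out of the same /53 would leave one inner router "owning" the link it is reached over; a ULA transit network sidesteps that.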