Divide IPv6 prefix among multiple independent routers
-
@CZvacko And these Clients are all separate networks?
If you want multiple routers then you need multiple WAN IPs and the ISP will need to forward the subnet to each of the three routers' WAN IP so it gets to the correct place.
Otherwise you'll need to add a fourth router to split your /53. Something like:
pfSense OUTER WAN: use the IP your ISP tells you
pfSense OUTER LAN: use one /64 from your /53
pfSense A WAN: IP from that same /64 so the two routers can communicate, ask for prefix delegation of a /60
pfSense A LAN1: its own unique /64 from that /60 (Track Interface)
pfSense A LAN2: its own unique /64 from that /60 (Track Interface)
etc.
-
First off, I haven't tried what you want. However, I mentioned prefix IDs. You have to divide up that /53. You'd be using ID 0 for that and the /53 subnet size. Then, on each of the local networks you have to send a /56 (I assume), so you then have to split up that /53 into 8 /56s. How are you doing that? Are you using DHCPv6-PD, as you receive from your ISP? Or are you doing a manual configuration? Once that's done, the 1st router will know about the 8 next level routers and so should have routes to them. But what about what's beyond? You have to start mapping out addresses and where they are. And yes, you can use ULA between router levels, if you don't want to use GUA. However, the WAN port to the ISP will be GUA, if it has an address assigned. However, that's not needed, as link local addresses are normally used for routing.
I would suggest starting small and get 1 LAN going before working on the other 7.
You've just demonstrated a real big problem with NAT in that people don't learn how to properly route. Splitting big address blocks into smaller ones is how the Internet has always worked. This is just more of the same.
-
@SteveITS said in Divide IPv6 prefix among multiple independent routers:
and the ISP will need to forward the subnet to each of the three routers' WAN IP so it gets to the correct place.
Nonsense. The ISP sends the entire /53 to him and everything within it. It is then his responsibility to split up the /53 and deal with the internal routing.
I have a /56 here, with a few /64s. I don't have to tell my ISP when I set up a network, as everything for my /56 is received by pfSense. When I add a subnet, pfSense knows what address each one is and forwards appropriately. His complication is he's adding another layer of routers, which adds to the routing he has to manage.
-
@JKnott if the ISP router is receiving the /53 then sure. I interpreted that as external/upstream.
In your example it sounds like you have one router not 3. I think OP wants 3 in parallel.
OP could use HA and two routers for redundancy and max uptime but each would need 7 interfaces, plus one for pfsync.
-
@SteveITS said in Divide IPv6 prefix among multiple independent routers:
In your example it sounds like you have one router not 3. I think OP wants 3 in parallel.
His diagram isn't clear on what's happening. First off, his ISP's gateway has to provide more than a /64, which means it's not a typical consumer level device. What is it? Maybe he should be using bridge mode and do everything himself. We simply don't have enough detail to do much more than guess. I have set up several systems where the connection is via fibre, to a media converter and then a Cisco router, and that router is capable of what the OP wants. Again though, we don't know enough.
As for that ISP line, what is that? A switch with multiple routers connected? If that's the case, he has to set up the routing to describe how to reach LAN, etc..
-
The ISP gives me the prefix as a static configuration, so the /53 is routed to us. Now that the confusion about WAN IPs has been resolved, I'm thinking of asking the ISP to do a different setup (split on their side?).
Yes, ISP line = switch
All this happens because I need to keep the current IPv4 setup (we have a static /29 routed to us) and run dual-stack. Currently there are not only pfSense routers on my internet line, but also others that have stricter security policies (corporate), so they need to run independently.
HA setup for pfSense may be my next action, also dual WAN setup, for which I may raise another topic to ask what will be the best strategy to do it.
-
Does the ISP router provide the entire /53 in one block? Or does it split the block with individual /64s sent to each pfSense? In that case, there would have to be routes from the ISP router to each pfSense router configured in the ISP's router. If one block, then you need a router in there to split it. What hardware is the ISP's router?
BTW, IPv6 routing works pretty much the same as IPv4, so what would you do with IPv4, assuming you weren't using NAT? Same problem.
If you're splitting the block in the router and then routing to the pfSense routers, you'd have to have an address on each router, such as X:Y:Z:1 on the ISP, :2 on the first pfSense, :3 on the 2nd. etc. Then you'd have to route the /64s to each of those addresses.
-
@JKnott said in Divide IPv6 prefix among multiple independent routers:
one block
Yes, currently only one block. If they can change it to multiple blocks, it may solve the problem? I do not know what router they use; they supply us with a 1000BASE-T cable (in my diagram I drew the ISP router, but it is somewhere on their side). In the current IPv4 setup we use NAT.
-
As I mentioned, you have to split into /64s. I suspect the ISP won't do that, as it's generally the customers responsibility. I'd suggest you put another pfSense between the ISP's gateway and your other pfSense boxes. That way it can split the /53 into 8 /56s, assuming that's what you want. You could use different addresses, as I suggested, to get to the right pfSense.
My question about IPv4 was assuming you didn't use NAT. If you can solve for that, you've got it solved for IPv6.
Do you have much experience with routers?
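A worked version of the split suggested above (an extra pfSense between the ISP handoff and the independent routers, the /53 carved into /56s, one transit address per router, a static route per /56), added here as an example and not part of the thread or of pfSense itself. It assumes the documentation prefix 2001:db8::/53 in place of the real allocation, made-up router names, and the convention that the first /56 is reserved for infrastructure with the transit link taken from its first /64, ::1 on the outer router and ::2, ::3, ... on the downstream routers' WAN interfaces.

```python
"""Plan the split of a statically routed IPv6 block across a transit /64
and several downstream routers, one /56 each.

Added example. The prefix 2001:db8::/53 (RFC 3849 documentation space), the
router names and the "first /56 is infrastructure" convention are assumptions,
not the original poster's real allocation or pfSense behaviour.
"""
from ipaddress import IPv6Address, IPv6Network, ip_network
from typing import Dict, List


def split_prefix(prefix: str, new_len: int) -> List[IPv6Network]:
    """Return every /new_len subnet inside `prefix`.

    ip_network() is strict by default: a prefix whose host bits are not zero
    (e.g. "2001:db8:0:1::/53") raises ValueError instead of being silently
    rounded to a block the ISP never routed to us.
    """
    net = ip_network(prefix)
    if not isinstance(net, IPv6Network):
        raise ValueError(f"{prefix} is not an IPv6 prefix")
    if new_len < net.prefixlen:
        raise ValueError(f"/{new_len} is larger than the delegated /{net.prefixlen}")
    return list(net.subnets(new_prefix=new_len))


def plan(delegated: str, routers: List[str], per_router_len: int = 56,
         transit_len: int = 64) -> Dict[str, object]:
    """Carve `delegated` into a transit link plus one /per_router_len per
    downstream router, and return the static routes the outer router needs."""
    blocks = split_prefix(delegated, per_router_len)
    # Assumption: the first block is reserved for infrastructure and the
    # transit link between the outer router and the others is its first /64.
    infra, customer_blocks = blocks[0], blocks[1:]
    if len(routers) > len(customer_blocks):
        raise ValueError(f"only {len(customer_blocks)} blocks for {len(routers)} routers")
    transit = next(infra.subnets(new_prefix=transit_len))
    base = int(transit.network_address)
    outer_addr = IPv6Address(base + 1)            # ::1 on the outer router
    routes: Dict[IPv6Network, IPv6Address] = {}
    assignments: Dict[str, dict] = {}
    for i, (name, block) in enumerate(zip(routers, customer_blocks)):
        wan_addr = IPv6Address(base + 2 + i)      # ::2, ::3, ... downstream
        routes[block] = wan_addr                  # whole /56 -> that router
        assignments[name] = {
            "wan": wan_addr,
            "block": block,
            # 256 /64s the downstream router can hand to its LANs
            "lans": list(block.subnets(new_prefix=64)),
        }
    return {"transit": transit, "outer": outer_addr,
            "routes": routes, "assignments": assignments}


def next_hop_for(dst: str, routes: Dict[IPv6Network, IPv6Address]) -> IPv6Address:
    """Longest-prefix match of `dst` against the route table, i.e. what the
    outer router does with every packet arriving from the ISP."""
    addr = IPv6Address(dst)
    candidates = [net for net in routes if addr in net]
    if not candidates:
        raise LookupError(f"no route for {dst}")
    return routes[max(candidates, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    p = plan("2001:db8::/53", ["pfsense-a", "pfsense-b", "pfsense-c"])
    print(f"transit {p['transit']}  outer router {p['outer']}")
    for name, a in p["assignments"].items():
        print(f"{name}: WAN {a['wan']}  block {a['block']}  first LAN {a['lans'][0]}")
    print("static routes needed on the outer router:")
    for net, gw in p["routes"].items():
        print(f"  {net} via {gw}")
    print("2001:db8:0:2ab::1 goes to", next_hop_for("2001:db8:0:2ab::1", p["routes"]))
```

With three routers this leaves four /56s spare; the point of doing the arithmetic in code rather than by hand is that the strict parse catches a mistyped delegated prefix and the route table is generated from the same split the downstream routers are configured from, so the two cannot drift apart.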
-
Last week I discussed with the ISP about splitting the prefix on their side, but as you predicted, the ISP won't do that.
So the conclusion is: multiple independent routers cannot be used with IPv6 unless NAT is used.
@JKnott said in Divide IPv6 prefix among multiple independent routers:
I'd suggest you put another pfSense between the ISP's gateway and your other pfSense boxes.
I will do that in the future. For now, I need to keep the current setup where the (parallel) routers are independent. Since I'm using a dual WAN for IPv4, I'll also have to ask the second ISP for an IPv6 setup on their side, but I assume they'll do a similar setup as the first ISP (and face the same problem).
Due to the dual WAN requirement, it seems that the best strategy is to use ULA on the LAN side and perform outbound NAT. I have set this up in my LAB router and it seems to work as expected.
I also tried defining a virtual IP (GUA block) on the WAN (using Proxy ARP) and setting up NPt to translate the ULA to the related GUA block, but it doesn't seem to work that way. Maybe because Proxy ARP only applies to IPv4?