Split a /60 between interfaces on pfSense and downstream L3 switch
-
I am receiving a /60 from Comcast. I'd like to split those 16 /64 subnets between 4 interfaces on pfSense, and a layer 3 switch downstream. I'm using OSPFv4 for routing between the devices now. pfSense has these interfaces and my preferred assigned prefix HEX character:
pfSense:
Home Automation (D)
Guest (E)
OpenVPN & Wireguard (F)
LAN (0)The LAN interface is connected to a L3 switch that has several more VLANs requiring IPv6 /64 subnets..
L3 Switch:
MGMT to pfSense (0)
MGMT to ACC switch (1)
WiredLAN (2)
VoIP (3)
WirelessLAN (4)
Media (5)
Server (6)I'm not sure how I can segregate the /60 between pfSense and L3 switch. Because I have a PD, Comcast could change it so I'd like to avoid any static GUA addressing. I've been looking at this document from Cisco. That would help me with the L3 switch side, but I'm not sure how to tell the L3 switch what prefixes it can use. Or am I out of luck? I'd really like to keep the L3 switch as it can do 10Gb routing much faster than pfSense. I guess I could assign a /61 (which is 8 /64 subnets) but that seems like it's a non-traditional configuration. If I do this, would I want to switch to the KEA DHCP backend? Thanks!
pfSense 2.7.2-RELEASE
Dell R210 II
Intel E3-1340 v2
8GB RAM
SSD ZFS Mirror
Intel X520-DA2, RJ45 SFP+ (WAN) and 10Gb SFP+ DAC (LAN)
1 x Cisco 3850 12XS-S (Core Switch)
2 x Cisco 3750X PoE Gig Switch (Access Stack)
3 x Cisco 2802i APs (Mobility Express) -
@CNLiberal I don't know how Comcast does things, but your prefix might essentially be static. I'm on Rogers and have had the same prefix for over 6 years, despite changing both my cable modem and the computer I run pfSense on. However, I am aware some ISPs don't do that.
-
@CNLiberal Last I looked at clients' Comcast (business) accounts the IPv6 was labeled as "static" but a /56. So, one gets a block but it isn't supposed to change.
That said I cannot manage to get a consistent address block in our setup. I've written elsewhere but the short version is when the Comcast router reboots it assigns a different block even with a fixed DUID set (hint: required if using a RAM disk). I suspect it might work if just using DHCP/RA but because of our unique setup we can't. So overall, YMMV. :)
Also, time to upgrade from v2.4...?
-
@SteveITS Way to call me out on not updating my sig!
I just updated.Based on the Cisco doc I linked, it looks like they use DHCPv6 only. I don't see anything about RAs. Then on the switch VLAN interfaces, I setup RAs (managed?) and DHCPv6 using the prefix-from-pfSense and a "static IP" (prefix + /64 subnet ID). But the question I have still remains. How do I hand out a /61 to the downstream Cisco CORE switch? I'm looking at the DHCPv6 Server config in pfSense 2.7.2, and I'm seeing:
If I'm understanding IPv6 "subnetting" correctly, a /61 gives me eight /64 subnets. With the screenshot above, how do I define that I want the 0-7 subnets and not 8-f? Do I also keep the "Prefix Delegation Size" at 61? The documentation around these fields is not very descriptive. Thanks!!
pfSense 2.7.2-RELEASE
Dell R210 II
Intel E3-1340 v2
8GB RAM
SSD ZFS Mirror
Intel X520-DA2, RJ45 SFP+ (WAN) and 10Gb SFP+ DAC (LAN)
1 x Cisco 3850 12XS-S (Core Switch)
2 x Cisco 3750X PoE Gig Switch (Access Stack)
3 x Cisco 2802i APs (Mobility Express) -
@CNLiberal Watching as I've not been able to make PD work on an Cisco SG-350X core switch with only a L3 transit network connecting it and pfSense. (I have been able to make RA work by manually defining /64's on switch-defined VLANs however.)
-
@CNLiberal said in Split a /60 between interfaces on pfSense and downstream L3 switch:
With the screenshot above, how do I define that I want the 0-7 subnets and not 8-f?
When you configure an interface, you can select whatever prefix ID you want. Just make sure each one is unique.
-
@JKnott I think that only applies if the interface I need to address is on pfSense. My situation is that I have a transit network between pfSense and a dowstream L3 switch. The L3 switch has all the VLAN interfaces on it and performs the routing. There's an OSPF adjacency between pfSense and that L3 switch so each subnet knows how to talk to each other and the internet (via pfSense). So as I said, on my pfSense box, I have the following interfaces and their associated IPv6 subnet (/60 gives me sixteen /64s, labeled 0-F):
Home Automation (D)
Guest (E)
OpenVPN & Wireguard (F)
Transit (0)Then on the 3850 L3 switch, I have these VLAN interfaces and what I'd like to be their IPv6 PD ranges:
Transit to pfSense (0)
MGMT to ACC switch (1)
WiredLAN (2)
VoIP (3)
WirelessLAN (4)
Media (5)
Server (6)So I need to know how to get those PD subnets advertised to the L3 switch across the transit network. I hope this helps, and I appreciate the responses!!
-
@CNLiberal said in Split a /60 between interfaces on pfSense and downstream L3 switch:
There's an OSPF adjacency between pfSense and that L3 switch so each subnet knows how to talk to each other and the internet (via pfSense).
I'm not sure what you're referring to. If you have OSPF running, the routing should be done automatically. If you're talking about the link between pfSense and the Cisco switch, then all you need is the link local addresses, which are normally used for routing. This differs from IPv4, where you have to provide routeable IP addresses for the link.
If you want to split the prefix on the Cisco, that's beyond what you can do in pfSense.
If you want to tell the switch what prefixes are available you can set up a DHCPv6-PD server on pfSense to pass on the prefix.
-
@JKnott Let's ignore OSPF for now (since it's OSPFv4). I shouldn't have mentioned that as it muddies the waters.
It sounds like you're agreeing with me that I need to "tell the switch what prefixes are available." I'm asking how do I do that. I'm assuming from pfSense > Services > DHCPv6 Server. In the screenshot I provided, I don't know what to put in the PREFIX DELEGATION "FROM" and "TO" fields. I've tried:
::0/61 ::7/61
:0::0/61 :7:ffff:ffff:ffff:ffff/61
and othersI can't seem to figure out what to enter in these fields. I think these fields would distribute the PDs that are available to the L3 switch (Xfinity PD 0-7). Do you or anyone else know? Thanks!
pfSense 2.7.2-RELEASE
Dell R210 II
Intel E3-1340 v2
8GB RAM
SSD ZFS Mirror
Intel X520-DA2, RJ45 SFP+ (WAN) and 10Gb SFP+ DAC (LAN)
1 x Cisco 3850 12XS-S (Core Switch)
2 x Cisco 3750X PoE Gig Switch (Access Stack)
3 x Cisco 2802i APs (Mobility Express) -
So this might be the answer. Since I want to assign a /61 with 0 as the starting address and 7 as the ending, I put in:
From:
::0
To:
::0Prefix Delegation Size: /61
I was able to save with no issues. Hopefully tomorrow I'll get to see if the switch likes that.
-
@CNLiberal I have never set up a DHCPv6-PD server, so I can't help with that.
