Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Prefix delegation to second router.

    Scheduled Pinned Locked Moved 2.4 Development Snapshots
    32 Posts 4 Posters 7.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      Guest
      last edited by

      Yes, i've found that out.  :)

      As i said, the ping goes all the way out to the wan as router 2 knows where to forward the packets to. On the reply,  router 1 receives  the packet but does not know to forward it to the 2nd router.

      For now I've added a static route and gateway and it's working. Its not a configuration I intend to use often, but I'm playing with dibbler and needed it configured that way for testing.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        A proper PD from the first router should also create a route for that PD to the downstream router's WAN interface.

        My DHCP6 server is 2.3.2_1, however. Should be 2.4 real soon now. In fact. This is as good a time as any.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • ?
          Guest
          last edited by

          @Derelict:

          A proper PD from the first router should also create a route for that PD to the downstream router's WAN interface.

          My DHCP6 server is 2.3.2_1, however. Should be 2.4 real soon now. In fact. This is as good a time as any.

          Running 2.4 on both routers, not there yet or if it is, mine doesnt work!

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Haven't gotten there yet but also have not heard oany problems there so it's probably something you've done.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • ?
              Guest
              last edited by

              @marjohn did you get to the bottom of this ?

              1 Reply Last reply Reply Quote 0
              • ?
                Guest
                last edited by

                Nix…

                1 Reply Last reply Reply Quote 0
                • MikeV7896M
                  MikeV7896
                  last edited by

                  It should be noted that if router 1 gets its IPv6 prefix from your ISP via DHCPv6-PD, pfSense is not set up to subdelegate parts of that prefix to downstream routers (unless this has changed in 2.4; it doesn't work in 2.3.2).

                  For example… if you get a /56 or /60 from your ISP via DHCPv6-PD, you can't sub-delegate /64's to downstream routers on your network.

                  The S in IOT stands for Security

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    I don't see why you couldn't slice out a piece of the delegated prefix for dhcpv6 downstream PD.

                    You would need at least one interface outside that set as track interface or the PD will not happen.

                    You would also have to manually change the DHCPv6 PD config if the ISP gave you a different PD.

                    Haven't tested though. All my DHCPv6 server PDs are from a static /48 here. (HE)

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • ?
                      Guest
                      last edited by

                      @Derelict:

                      I don't see why you couldn't slice out a piece of the delegated prefix for dhcpv6 downstream PD.

                      You would need at least one interface outside that set as track interface or the PD will not happen.

                      You would also have to manually change the DHCPv6 PD config if the ISP gave you a different PD.

                      Haven't tested though. All my DHCPv6 server PDs are from a static /48 here. (HE)

                      And indeed you can, but you'll need to manually set that route and gateway up. I've been through 2.4's code and I cannot see anywhere where DHCPD or any hooks from dhcpd will set up that route and gateway for you.

                      As I said, not a major issue or me anyway, and I know for a fact that the ISP's supplied routers are not capable of anything like that at present. Maybe down the road it will happen.

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        Not a problem in 2.4.

                        Just routed a /56 to a 2.4 VM and set up /60 PDs behind it. Client is also 2.4.

                        Routing table:
                        2001:470:xxxx:7df0::/60 2001:470:xxxx:7e01::32a2 UGS 0 1500 xn0

                        DHCPv6 leases:
                        2001:470:xxxx:7df0::/60
                        Routed To: 2001:470:xxxx:7e01::32a2

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • ?
                          Guest
                          last edited by

                          I take it back :)

                          The question is then, what I am I doing wrong that you are doing right, or maybe it just won't work were LAN IPv6 tracks the WAN interface.

                          1 Reply Last reply Reply Quote 0
                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            The client VM there is a default config with DHCPv6 on WAN and tracking LAN.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • ?
                              Guest
                              last edited by

                              So what does your prefix delegation range entry look like on the dhcp6 server and RA when you have selected /60 as the prefix delegation size?

                              1 Reply Last reply Reply Quote 0
                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                Routed subnet: 2001:470:xxxx:7d00::/56

                                Prefix delegation range:
                                From: 2001:470:xxxx:7d00:: To: 2001:470:xxxx:7df0::
                                Prefix delegation size: 60

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • ?
                                  Guest
                                  last edited by

                                  Ah, I think I see the error of my ways.

                                  I'll confirm that shortly.

                                  1 Reply Last reply Reply Quote 0
                                  • ?
                                    Guest
                                    last edited by

                                    Indeed yes… Thank you Derelict. Simple error on my part.

                                    1 Reply Last reply Reply Quote 0
                                    • ?
                                      Guest
                                      last edited by

                                      Care to share your settings in the GUI ?

                                      1 Reply Last reply Reply Quote 0
                                      • ?
                                        Guest
                                        last edited by

                                        What for IPv6? or are you still trying to get v4 to work arse backwards? :P

                                        1 Reply Last reply Reply Quote 0
                                        • ?
                                          Guest
                                          last edited by

                                          IPv6

                                          I realised after your tutoring that my IPv4 looback idea would just stupid :-)

                                          1 Reply Last reply Reply Quote 0
                                          • ?
                                            Guest
                                            last edited by

                                            Not too difficult though. You could  forward  port 80 on the Wan of the  second router to the lan address of the 2nd router, you'll need to create the relevent rules.

                                            Why you would want to do it is what i am unsure about.

                                            I can think of a more secure way of doing it though. Port forward 'x' port on the primary to 'x' port on the secondary and have openvpn listen on that 'x' port on the secondary, then you'll have a vpn to the secondary LAN side and can do whatever you like.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.