Prefix delegation to second router.
-
Yes, I've found that out. :)
As I said, the ping goes all the way out to the WAN as router 2 knows where to forward the packets to. On the reply, router 1 receives the packet but does not know to forward it to the 2nd router.
For now I've added a static route and gateway and it's working. It's not a configuration I intend to use often, but I'm playing with dibbler and needed it configured that way for testing.
-
A proper PD from the first router should also create a route for that PD to the downstream router's WAN interface.
My DHCP6 server is 2.3.2_1, however. Should be 2.4 real soon now. In fact. This is as good a time as any.
-
Running 2.4 on both routers, not there yet or if it is, mine doesn't work!
-
Haven't gotten there yet but also have not heard of any problems there so it's probably something you've done.
-
@marjohn did you get to the bottom of this?
-
Nix…
-
It should be noted that if router 1 gets its IPv6 prefix from your ISP via DHCPv6-PD, pfSense is not set up to subdelegate parts of that prefix to downstream routers (unless this has changed in 2.4; it doesn't work in 2.3.2).
For example… if you get a /56 or /60 from your ISP via DHCPv6-PD, you can't sub-delegate /64's to downstream routers on your network.
-
I don't see why you couldn't slice out a piece of the delegated prefix for dhcpv6 downstream PD.
You would need at least one interface outside that set as track interface or the PD will not happen.
You would also have to manually change the DHCPv6 PD config if the ISP gave you a different PD.
Haven't tested though. All my DHCPv6 server PDs are from a static /48 here. (HE)
-
And indeed you can, but you'll need to manually set that route and gateway up. I've been through 2.4's code and I cannot see anywhere where DHCPD or any hooks from dhcpd will set up that route and gateway for you.
As I said, not a major issue for me anyway, and I know for a fact that the ISP's supplied routers are not capable of anything like that at present. Maybe down the road it will happen.
-
Not a problem in 2.4.
Just routed a /56 to a 2.4 VM and set up /60 PDs behind it. Client is also 2.4.
Routing table:
2001:470:xxxx:7df0::/60 2001:470:xxxx:7e01::32a2 UGS 0 1500 xn0
DHCPv6 leases:
2001:470:xxxx:7df0::/60
Routed To: 2001:470:xxxx:7e01::32a2
-
I take it back :)
The question is then, what am I doing wrong that you are doing right, or maybe it just won't work where LAN IPv6 tracks the WAN interface.
-
The client VM there is a default config with DHCPv6 on WAN and tracking LAN.
-
So what does your prefix delegation range entry look like on the dhcp6 server and RA when you have selected /60 as the prefix delegation size?
-
Routed subnet: 2001:470:xxxx:7d00::/56
Prefix delegation range:
From: 2001:470:xxxx:7d00:: To: 2001:470:xxxx:7df0::
Prefix delegation size: 60
-
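An added example, not part of the thread and not pfSense code: a check of a prefix delegation range like the one posted above, plus a test for the missing return route described at the start of the thread. The function names and sample data are assumptions; 2001:db8::/32 (documentation prefix) stands in for the redacted prefix.

```python
import ipaddress

def pd_pool(routed, first, last, size):
    """Return every prefix a DHCPv6-PD range can delegate, or raise ValueError."""
    net = ipaddress.IPv6Network(routed)
    lo, hi = ipaddress.IPv6Address(first), ipaddress.IPv6Address(last)
    if not net.prefixlen <= size <= 64:
        raise ValueError(f"/{size} does not fit between /{net.prefixlen} and /64")
    step = 1 << (128 - size)  # number of addresses in one delegated prefix
    for label, addr in (("From", lo), ("To", hi)):
        if addr not in net:
            raise ValueError(f"{label} {addr} is outside {net}")
        if int(addr) % step:
            raise ValueError(f"{label} {addr} is not on a /{size} boundary")
    if hi < lo:
        raise ValueError("To is below From")
    return [ipaddress.IPv6Network((a, size))
            for a in range(int(lo), int(hi) + 1, step)]

def missing_routes(leases, routes):
    """Delegated prefixes with no route via the downstream router that leased them."""
    norm = {ipaddress.IPv6Network(p): ipaddress.IPv6Address(g)
            for p, g in routes.items()}
    return [p for p, g in leases.items()
            if norm.get(ipaddress.IPv6Network(p)) != ipaddress.IPv6Address(g)]

# Constructed sample data mirroring the shape of the settings in the post above.
POOL = pd_pool("2001:db8:0:7d00::/56", "2001:db8:0:7d00::",
               "2001:db8:0:7df0::", 60)
LEASES = {"2001:db8:0:7df0::/60": "2001:db8:0:7e01::32a2"}

if __name__ == "__main__":
    print(len(POOL), "delegations,", POOL[0], "to", POOL[-1])
    # Empty routing table: the upstream router cannot return traffic.
    print("no return route:", missing_routes(LEASES, {}))
    # Route present via the leasing router's WAN address: nothing missing.
    print("no return route:", missing_routes(LEASES, dict(LEASES)))
```

A From or To address that is not aligned to the delegation size, or that falls outside the routed subnet, raises ValueError instead of producing a pool.
-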
Ah, I think I see the error of my ways.
I'll confirm that shortly.
-
Indeed yes… Thank you Derelict. Simple error on my part.
-
Care to share your settings in the GUI?
-
What, for IPv6? Or are you still trying to get v4 to work arse backwards? :P
-
IPv6
I realised after your tutoring that my IPv4 loopback idea would just be stupid :-)
-
Not too difficult though. You could forward port 80 on the WAN of the second router to the LAN address of the 2nd router; you'll need to create the relevant rules.
Why you would want to do it is what I am unsure about.
I can think of a more secure way of doing it though. Port forward 'x' port on the primary to 'x' port on the secondary and have openvpn listen on that 'x' port on the secondary, then you'll have a vpn to the secondary LAN side and can do whatever you like.