Netgate Discussion Forum

    What is the one true way of using or configuring a single /64 IPv6 prefix?

      JKnott

      Fact: it is universally accepted here and everywhere else on the web that an ISP (or even worse, a datacenter host) providing only a single /64 is wrong, incorrect, hard-to-work-with, breaks SLAAC, and doesn't work correctly with RAs.

      SLAAC most definitely works with /64.  In fact, it's the only prefix it works with.  Shorter prefixes are simply multiple /64s, which must be split up by a router.  The standard for IPv6 local networks is /64.

      BTW, my ISP, which recently started providing IPv6, currently hands out only a /64, but plans to move to larger blocks later.  SLAAC and RA work fine here.

      and:  limit to  6 the number of macs the router will connect with

      That is a bit much, given IPv6 has such a huge address space.  In fact, there are enough /48s to give every person on earth over 4000 of them and that's with 3/4 of the entire IPv6 address space unallocated for any purpose.

      I have my cable modem in bridge mode, providing my own firewall/router running pfSense.  I have at least 6-7 devices here, each with its own global unicast address.  It's beyond me how an ISP can be so miserly with IPv6 addresses.  Perhaps some public shaming is in order.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...
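
Added example, not part of the original post and not pfSense code: the point above that a shorter prefix is simply multiple /64s, worked through for a router that must give each LAN its own SLAAC-capable /64. The prefixes are constructed from the 2001:db8::/32 documentation range and the LAN names are hypothetical.

```python
import ipaddress

SLAAC_PREFIXLEN = 64  # SLAAC needs a /64 on every link it serves


def lan_capacity(delegated: str) -> int:
    """Number of SLAAC-capable /64 LANs a delegated prefix can supply."""
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    if prefix.prefixlen > SLAAC_PREFIXLEN:
        # Longer than /64 (for example /112, /127, /128): addresses only,
        # no whole /64 left to advertise on a LAN.
        return 0
    return 2 ** (SLAAC_PREFIXLEN - prefix.prefixlen)


def plan_lans(delegated: str, lan_names: list[str]) -> dict[str, ipaddress.IPv6Network]:
    """Assign one /64 per LAN, in order, or raise if the delegation is too small."""
    capacity = lan_capacity(delegated)
    if len(lan_names) > capacity:
        raise ValueError(
            f"{delegated} supplies {capacity} /64 network(s), "
            f"but {len(lan_names)} LAN(s) were requested"
        )
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    # subnets() is lazy, so this stays cheap even for a /48 (65536 /64s).
    return dict(zip(lan_names, prefix.subnets(new_prefix=SLAAC_PREFIXLEN)))


if __name__ == "__main__":
    # Constructed delegations: a single /64, a /60 and a /56.
    for delegated in ("2001:db8:1::/64", "2001:db8:0:10::/60", "2001:db8:0:100::/56"):
        print(delegated, "->", lan_capacity(delegated), "LAN(s)")

    for name, net in plan_lans("2001:db8:0:10::/60", ["lan", "dmz", "guest"]).items():
        print(f"{name:5} {net}")

    # A single /64 covers exactly one LAN; asking for a second one fails.
    try:
        plan_lans("2001:db8:1::/64", ["lan", "dmz"])
    except ValueError as err:
        print("error:", err)
```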

        enodeb

        @hcoin:

        It gets even worse… what about the ISPs happy to charge you for a /64... the most you can get...

        I don't really see a big issue with that when it comes to home Internet service. Most home users do not run multiple subnets on their local network. That's more for business users and geeks like us.  ;) Of course I'm still happy that providers like Comcast provide at least a /60 for home users that want it.

        It's a different story for those ISPs who give their users a single /128. That's completely missing the point of v6, of course.

        and:  limit to  6 the number of macs the router will connect with.

        Never heard of such a thing. Are you sure that's not referring to MAC bindings on the WAN side?

          JKnott

          It's a different story for those ISPs who give their users a single /128

          A /128 is completely useless.  It's only used as an interface identifier.  A point to point link requires a /127 or /126

            enodeb

            @JKnott:

            It's a different story for those ISPs who give their users a single /128

            A /128 is completely useless.  It's only used as an interface identifier.  A point to point link requires a /127 or /126

            Some ISPs actually do this. It's basically the same as v4 home Internet service. They give you a single address for your WAN interface, and you're expected to use NAT6 for internal hosts. Of course this completely negates the advantages that v6 brings.

              JKnott

              They give you a single address for your WAN interface

              You still need one address for the other end of the connection.  My ISP, on IPv4, uses a /23 subnet mask, which allows up to 510 devices, plus their router.  You can do the same with IPv6, where they could have all the customers assigned a single address out of a prefix.  The /127 prefix or /31 on IPv4 is the smallest usable block, with one address available for use on each end of a point to point link.

              Still, it's beyond belief that an ISP could be so stingy.  It's like going to the beach and being allowed one grain of sand to sit on.  ;)

                enodeb

                @JKnott:

                You still need one address for the other end of the connection.

                You're talking about two different things. Of course the ISP has a bigger inter-router subnet, but you as the user still get only a single address, which is a /128. It's just DHCP without PD. A /127 PD is also possible and would allow you to use two addresses in addition to the one assigned to the WAN interface via DHCP.

                Still, it's beyond belief that an ISP could be so stingy.  It's like going to the beach and being allowed one grain of sand to sit on.  ;)

                I don't think it's necessarily stinginess, but simply that they haven't bothered to learn about v6 and just apply what they understand from v4. That should hopefully go away once v6 becomes more common.

                  bimmerdriver

                  OP, either change to another ISP or bide time for them to see the light by using a tunnel. I've been using an HE tunnel for several years and it's been rock solid. The performance isn't quite as fast as native, but it's okay and even better, it's free.

                    JKnott

                    I also used a tunnel for about 6 years, before my ISP provided IPv6.  Worked well, though there were occasional issues.

                    As far as the number of available addresses go, there are currently enough /48s to give every person on earth over 4000 of them.  This is even with 3/4 of the IPv6 address space not currently assigned for anything.  At my count, the unicast address range could be 6x what's currently available.

                      mqudsi

                      I actually came across this thread while searching for /64 workarounds once more, all these years later (another ISP, this time).

                      I never did post back with what happened. I managed to get up and running by bridging WAN and LAN in a very ugly fashion while continuing to fight with the ISP, insisting that I was decidedly not asking for too much and that /64 was simply not enough. In the end they gave in and gave me a separate /112 for my WAN, so I'm happy :)

                      Now I'm fighting with another situation where an ISP is dynamically assigning a /64 to a business internet account…

                      (btw, protip: if you're ever playing around with the IPv6 configuration and at any point enable DHCPv6 on WAN, make sure you always delete /var/db/dhcp6c_duid when changing it to something else)

                        JKnott

                        @mqudsi:

                        Hello all,

                        Fact: it is universally accepted here and everywhere else on the web that an ISP (or even worse, a datacenter host) providing only a single /64 is wrong, incorrect, hard-to-work-with, breaks SLAAC, and doesn't work correctly with RAs.

                        That said, if one finds themselves in such a situation where they have been assigned a single /64 and can neither obtain a /60 or a /56 or a second /64, or even a point-to-point /126 or /128, what is the correct way of configuring pfSense so that it can correctly route and distribute traffic in a dual IPv4/IPv6 environment?

                        Given a static IPv6 /64 prefix, with one address already taken by the gateway (and another by the multicast), a single WAN interface, and a single LAN interface, what is the correct way of having pfSense sit in between the WAN and LAN and correctly route traffic between the two, using NAT for IPv4 and native IPv6 address assignment for PCs on the LAN? Also, what upstream changes (if any) have to be made in order for incoming requests to the /64 prefix to be correctly routed through the router's WAN IPv6 address?

                        Thank you kindly,

                        Ignoring the fact this thread is so old it's gone mouldy, there is nothing wrong with a single /64, other than a stingy ISP.  A /64 is the smallest prefix that's supposed to be assigned.  No matter how big your prefix is, your gateway will normally get one.  I know that with only 18.4 billion, billion addresses, you don't have any to spare.  ;)

                        To answer your question, place your modem in bridge mode, so that pfSense is the gateway, not the modem.  That's what I have here.

                          JKnott

                          Shouldn't it be possible to use SLAAC for a link-local WAN connection with the ISP router

                          If you take a peek with Wireshark or packet capture, you'll find routers normally use the link local address.  It doesn't need a public address to be able to route traffic.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.