Netgate Discussion Forum

Setup Dual Stack with NAT on v4

Category: IPv6 · 22 Posts · 6 Posters · 3.1k Views
• Derelict (LAYER 8 Netgate)

A /48 is the minimum allocation for such a thing. If someone in a datacenter asks for it, they should immediately get it. Maybe he's subdividing it into /56s over VPN. There are only 256 of those. There is zero reason for the ISP to care. An "X-Small" ISP allocation is a /32, or 64K /48s.

Again, if it is "here's a /64 for your VPS web server. Have fun," then it is the wrong product for the use case.

There is zero reason not to do it.

It is only 64K interfaces.

![Screen Shot 2018-02-19 at 3.44.10 AM.png](/public/imported_attachments/1/Screen Shot 2018-02-19 at 3.44.10 AM.png)

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
• SurtursRevenge

I asked the datacenter provider.

I can get one /56 IPv6 subnet. But not more.

So how would I need to set up the pfSense to get public v6 to my VMs?
Because there is no DHCP, I need to do this statically.
• NogBadTheBad

@SurtursRevenge:

> I can get one /56 IPv6 subnet. But not more.

How they're handing out IPv6 address space is borked.

https://www.ripe.net/support/training/material/lir-training-course/LIR-Training-Handbook-Appendices/IPv6Chart_2015.pdf

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
• johnpoz (LAYER 8 Global Moderator)

While they should prob just give a /48, a /56 will work just fine - as long as it is actually ROUTED to you and not just putting the /56 on their interface connected to you… Have seen that a lot around here..

You should get a /64 that you use as transit.. That you would put on your WAN interface of pfSense, then just break that /56 into /64s that you put on your interfaces/VLANs for your networks behind pfSense.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
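The plan johnpoz describes (a separate transit /64 on the WAN, the delegated /56 carved into /64s for the interfaces/VLANs, static host addresses because there is no DHCPv6) as an added worked example. This is not code from the thread or from pfSense; it uses the standard-library `ipaddress` module, and every prefix in it is a constructed documentation value from 2001:db8::/32. The overlap check encodes the failure mode johnpoz warns about: if the "transit" /64 turns out to lie inside the /56, the provider has put the block on its own interface rather than routing it to you.

```python
import ipaddress
from typing import Dict, List

# Added example, not code from the thread or from pfSense. All prefixes are
# constructed 2001:db8::/32 documentation values.


def count_subnets(prefix: str, new_prefixlen: int) -> int:
    """Number of /new_prefixlen networks that fit in `prefix`
    (256 /64s in a /56, 256 /56s in a /48, 65536 /48s in a /32)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not net.prefixlen <= new_prefixlen <= 128:
        raise ValueError(f"/{new_prefixlen} is not a sub-prefix length of {net}")
    return 2 ** (new_prefixlen - net.prefixlen)


def plan_networks(delegated: str, transit: str,
                  names: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Assign one /64 out of `delegated` to each name in `names`, in order.

    `transit` is the /64 the provider puts on the link to the pfSense WAN.
    It must lie outside the delegated block: if the two overlap, the provider
    has configured the /56 on its own interface instead of routing it to us.
    """
    block = ipaddress.IPv6Network(delegated, strict=True)
    wan = ipaddress.IPv6Network(transit, strict=True)
    if wan.prefixlen != 64:
        raise ValueError(f"transit network {wan} should be a /64")
    if block.overlaps(wan):
        raise ValueError(
            f"transit {wan} lies inside {block}; the block is on-link at the "
            "provider rather than routed to you"
        )
    available = count_subnets(delegated, 64)
    if len(names) > available:
        raise ValueError(f"{block} holds only {available} /64s, "
                         f"{len(names)} requested")
    # subnets() yields the /64s in address order; zip pairs them with names.
    return dict(zip(names, block.subnets(new_prefix=64)))


def static_hosts(subnet: ipaddress.IPv6Network,
                 count: int) -> List[ipaddress.IPv6Address]:
    """Static VM addresses in `subnet`: ::1 is reserved for the pfSense
    interface (the VMs' gateway); the VMs get ::2, ::3, ... in order."""
    if subnet.prefixlen != 64:
        raise ValueError(f"{subnet} is not a /64")
    base = subnet.network_address
    return [base + n for n in range(2, count + 2)]


if __name__ == "__main__":
    plan = plan_networks("2001:db8:1:100::/56", "2001:db8:1:ffff::/64",
                         ["LAN", "DMZ", "MGMT"])
    for name, net in plan.items():
        gateway = net.network_address + 1
        hosts = ", ".join(str(h) for h in static_hosts(net, 2))
        print(f"{name:5} {net}  gateway {gateway}  hosts {hosts}")
```

Run it as a script to print the plan; the /64 boundaries matter because SLAAC on the VMs (if you enable router advertisements on those interfaces later) only works with a /64.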
• JKnott

> You should get a /64 that you use as transit.

On IPv6, the "transit" network is normally link local.  The global is used to access the router WAN interface for management, but nothing else.  If you don't enable remote management via the WAN interface, that address serves no useful purpose.  Unlike IPv4, link local addresses are normally used for routing on IPv6.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
• johnpoz (LAYER 8 Global Moderator)

While I agree that sure you can use link local for your transit.. I don't agree with that being a good option.  There is ZERO reason not to make it an actual viable address.  For starters so that your traceroute is valid.

I can use RFC 1918 as my transit to route public IPv4 as well - doesn't make it a good idea.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
• kpa

On IPv6 a link-local gateway address is what you get more often than not and it's completely valid and according to the specifications.

This is on my Mac:

```
route -n get -inet6 default
   route to: ::
destination: ::
       mask: default
    gateway: fe80::21b:21ff:fea6:4244%en0
  interface: en0
      flags: <up,gateway,done,prcloning>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0
```

That's configured with plain SLAAC.
• johnpoz (LAYER 8 Global Moderator)

Again I hear you… So? Read https://tools.ietf.org/html/rfc7404

It clearly goes over the advantages and disadvantages to doing it that way..  There are many ways to skin a cat, I don't like skinning the cat that way because it has issues that I would rather not deal with...

It's not like you have to worry about running out of space by using up a /64 for your transit..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
• JKnott

> While I agree that sure you can use link local for your transit.. I don't agree with that being a good option.

Take a look at your routing table.  You'll see it uses link local, not routable addresses.  In fact, on point-to-point links, you don't even need an IP address at all, just the link.  On IPv6, routing via link local addresses is the default, not an option.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
• JKnott

@johnpoz:

> Again I hear you… So? Read https://tools.ietf.org/html/rfc7404
>
> It clearly goes over the advantages and disadvantages to doing it that way..  There are many ways to skin a cat, I don't like skinning the cat that way because it has issues that I would rather not deal with...
>
> It's not like you have to worry about running out of space by using up a /64 for your transit..

Unless you specifically configure using otherwise, you will normally be using link local.  It happens with pfSense and it happens with routing protocols such as OSPF.  The only purpose of the interface IP address in routing is to determine which link is used.  When you look through the routing table, you will see the IP address will resolve to an interface, which is how routing takes place.

Now, there is nothing wrong with assigning a routable address to an interface, for things like remote management, ping, traceroute etc., but it normally will not have any purpose in the routing function.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
• JKnott

> Again I hear you… So? Read https://tools.ietf.org/html/rfc7404

I just did.  That article points out why you'd need a routable address for management purposes, not routing.  Given that any interface that has a routable address would also have a link local address (even my OpenVPN tunnel has a link local address), it's not an either/or situation.  Use a routable address for management and link local for routing.  Regardless, a routable address is not necessary for routing in IPv6.  Incidentally, some of the things in that article might make a case for using ULA and not global addresses.  ULA provides a routable address that's not exposed externally.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
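The distinction the last few posts argue over, as an added example that is not part of the thread: kpa's `route -n get -inet6 default` output is parsed, and the default gateway is classified as link-local (fe80::/10, valid only on the interface named after the `%`), ULA (fc00::/7, the option JKnott raises) or global unicast (2000::/3). The sample output below is constructed after kpa's post; the interface identifier in it is made up, and the flag names are written the way macOS prints them rather than in the lowercase form the forum rendered. Only the standard-library `ipaddress` module is used.

```python
import ipaddress
from typing import Dict

# Added example, not code from the thread. Constructed sample modelled on the
# `route -n get -inet6 default` output kpa posted; the interface identifier
# is invented.
SAMPLE_ROUTE_OUTPUT = """\
   route to: ::
destination: ::
       mask: default
    gateway: fe80::21b:21ff:fea6:4244%en0
  interface: en0
      flags: <UP,GATEWAY,DONE,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def parse_route_get(text: str) -> Dict[str, str]:
    """Turn the `key: value` lines into a dict. The metrics table at the end
    has no colon and is skipped. partition() splits at the first colon, so
    the colons inside the IPv6 gateway literal stay in the value."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def classify_gateway(gateway: str) -> Dict[str, object]:
    """Split off the %zone (the interface a link-local address is scoped to),
    then report what kind of next hop this is."""
    literal, _, zone = gateway.partition("%")
    addr = ipaddress.IPv6Address(literal)
    if addr in LINK_LOCAL:
        kind = "link-local"
    elif addr in ULA:
        kind = "ULA"
    elif addr in GLOBAL_UNICAST:
        kind = "global"
    else:
        kind = "other"
    return {
        "address": str(addr),
        "zone": zone or None,
        "kind": kind,
        # A link-local next hop forwards traffic fine but cannot be reached
        # from any other link (management, ping, a traceroute hop); ULA and
        # global addresses can, which is the trade-off RFC 7404 discusses.
        "reachable_off_link": kind in ("ULA", "global"),
    }


if __name__ == "__main__":
    fields = parse_route_get(SAMPLE_ROUTE_OUTPUT)
    result = classify_gateway(fields["gateway"])
    print(f"default via {result['address']} on {fields['interface']} "
          f"({result['kind']}, reachable off-link: {result['reachable_off_link']})")
```

Feed it the real output of `route -n get -inet6 default` on a Mac or BSD host to see which of the two designs in the thread your upstream actually gave you: a link-local next hop means the provider relies on router advertisements for the default route, a global one means a numbered transit of the kind johnpoz prefers.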
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.