sub-delegation of WAN PD for DHCPv6 server

dlasher

@greywolfe said in sub-delegation of WAN PD for DHCPv6 server:

I'm sorry, but you are mistaken. Currently only allows to use a single /64 from the delegation as the subnet for the interface. It does not allow you to sub-delegate a portion of the PD to be delegated downstream to another device, ie, to be populated into the dhcpv6 server which currently only uses manual entries.

yes and no.

You can assign multiple interfaces to TRACK the parent interface, and give each one a unique IPv6 Prefix ID. I have interfaces for indexes 1, 2, 3, and 4 on LAN interfaces.

You are right however, that once that's accomplished, and the LAN interfaces have IP's, you have to go manually assign the DHCPv6 blocks, so if the delegation changes, so must the scope.

greywolfe

Well that's why the need to be able to do a delegation downstream. One inside lan interface with routing to hundreds of inside subnets with SVIs on the core router running 10 and 40Gbps. pfSense is nice, but turning it into a router on a stick is rather crippling at that scale. pfSense is a great little firewall, but its not a datacenter core.

jimp

IIRC we tried this at one time during the initial IPv6 code push. I recall one of the developers testing a PD scenario where it was ISP -> pfSense 1 -> pfSense 2 -> Clients. Though I don't see any sign of the code currently or any indication that it was added/removed. It's possible it was a local test that had problems and never made it in.

It's rare enough as a requirement that I don't see it getting much traction to be added, however, unless someone were to submit it as a PR.

JKnott

I could be wrong, but you still have the full prefix available to split up as you wish. It just takes routing. I though DHCPv6-PD was intended to provide addresses to end users on a /64 prefix.

jimp

@jknott said in sub-delegation of WAN PD for DHCPv6 server:

I could be wrong, but you still have the full prefix available to split up as you wish. It just takes routing. I though DHCPv6-PD was intended to provide addresses to end users on a /64 prefix.

Prefix Delegation can be either. An upstream DHCPv6 server delegates you a block. If it's big enough, you can take one subnet, use it, and delegate the rest downstream to others, on and on until you don't have a block large enough to delegate end user devices properly (e.g. only able to delegate one client a /64).

JKnott

@jimp

Routers, used to split up large address blocks, don't generally run DHCP. In fact, on IPv6, you don't even have to assign any address to a router, other than link local.

jimp

@jknott said in sub-delegation of WAN PD for DHCPv6 server:

@jimp

Routers, used to split up large address blocks, don't generally run DHCP. In fact, on IPv6, you don't even have to assign any address to a router, other than link local.

But pfSense does :-)

Sub-delegations may happen at the ISP level, but few people are in a position to confirm that.

JKnott

@jimp said in sub-delegation of WAN PD for DHCPv6 server:

But pfSense does

Yep, because we are end users. I can pick any of my /64s and use DHCPv6-PD to assign addresses. However, if I was splitting into larger blocks, I wouldn't use DHCP. In fact, if I assigned routeable addresses to routers, I might use Unique Local addresses, instead of something out of my /56.

JKnott

@jimp said in sub-delegation of WAN PD for DHCPv6 server:

But pfSense does

One other thing. The "PD" stands for prefix deligation, which is used to provide a prefix for a network, to be used typically with SLAAC, where the prefix provides the first 64 bits of an address and the MAC or random number provides the rest. How would that work with any other prefix size?

jimp

@jknott said in sub-delegation of WAN PD for DHCPv6 server:

Yep, because we are end users. I can pick any of my /64s and use DHCPv6-PD to assign addresses. However, if I was splitting into larger blocks, I wouldn't use DHCP. In fact, if I assigned routeable addresses to routers, I might use Unique Local addresses, instead of something out of my /56.

That's your choice, but it can work either way.

@jknott said in sub-delegation of WAN PD for DHCPv6 server:

One other thing. The "PD" stands for prefix deligation, which is used to provide a prefix for a network, to be used typically with SLAAC, where the prefix provides the first 64 bits of an address and the MAC or random number provides the rest. How would that work with any other prefix size?

"Prefix" doesn't mean /64, it means "IPv6 subnet", the /64 is a prefix length, not actually a "mask". A /64 is a prefix, a /60 is a prefix, so is /56, /48, whatever. SLAAC and DHCPv6 for end users only works with a /64, but a DHCPv6 client can request a prefix delegation which comes from a separate range. So the interface itself doles out addresses from a /64 but it could take whatever is left of what was delegated and send that to a client in the /64 if it asked.

I have a /48 from HE.net. My lab interface uses one /64 off that. I also take a different chunk of my /48 (2001:xxxx:xxxx:F000:: though 2001:xxxx:xxxx:FF00::) and provide /60 prefix delegations to other firewalls in my lab. They in turn can use them as they wish (LAN, DMZ, etc). If automatic sub-delegation was supported, they could technically re-delegate a chunk of that to something else behind them. Or I could allocate them larger chunks if need be, as long as the math lines up. The routers in my lab get a WAN address in the /64 on that interface, and then get allocated a /60 chunk from the delegation range. That delegated prefix is then routed to the address it pulled on its WAN.

It was all designed that way to make dynamic allocation and routing fairly easy to accomplish. I would not be surprised to find ISPs using it that way inside their own infrastructure.

JKnott

@jimp said in sub-delegation of WAN PD for DHCPv6 server:

“Prefix” doesn’t mean /64, it means “IPv6 subnet”

"PD" means prefix delegation, part of the process that creates addresses for devices. The prefix, with PD, is 64 bits and the other 64 bits are determined by some other means such as SLAAC or DHCPv6.

jimp

@jknott said in sub-delegation of WAN PD for DHCPv6 server:

@jimp said in sub-delegation of WAN PD for DHCPv6 server:

“Prefix” doesn’t mean /64, it means “IPv6 subnet”

"PD" means prefix delegation, part of the process that creates addresses for devices. The prefix, with PD, is 64 bits and the other 64 bits are determined by some other means such as SLAAC or DHCPv6.

PD does mean prefix delegation, but I think you might be confusing a couple terms. Normal DHCPv6 doesn't involve PD. If a client just wants an address it requests one from the interface which is inside the /64 subnet. If that client also happens to be a router, then it kicks in PD to request a delegation. This is an additional block of addresses that get routed to the client.

PD is not locked to /64. You can delegate whatever size blocks you want depending on what you have available. PD is frequently larger than /64, that's how an ISP will assign multiple /64's to a single customer, by delegating them a /60, /56, or whatever they choose.

The firewall will take individual /64 networks out of that block and assign them locally. When you set an interface in pfSense to "Track Interface" for IPv6, you can then set an IPv6 Prefix ID which controls how it chooses a network to put on the interface.

If your ISP uses PD to delegate you a /60, then you can choose from 16 different IDs for /64 networks inside that block (id 0 through f), so you can delegate ID 0 to your LAN, 1 to a guest network, 2 to a DMZ, and so on.

In OPs scenario, they want to take some of that, say IDs 8-F, and use that to delegate to some other router. For example, ID 0 would be on LAN, a client gets an address in the 0 network, and then the firewall would route prefix ID 8 to that address.