Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled

tobiasm

I set up and successfully obtained a /56 from my ISP via DHCP6 on my WAN interface.

I understand from these docs that I should be able to set aside a portion of that /56 to be further delegated by a subrouter: https://www.netgate.com/docs/pfsense/dhcp/dhcpv6-server.html#prefix-delegation

However, only a /64 is made available on the LAN interface, so prefix delegation is impossible.

I can get it working OK if I scour the logs for my /56, then create that statically on my LAN. Then, when I navigate to /services_dhcpv6.php in pfSense, I see "Subnet Mask: 56 bits" rather than "Subnet Mask 64 bits", and I can assign a portion of that as a Range and another portion as a Prefix Delegation Range without issue. My subrouter obtains a /59 and successfully routes 3 /64s within that /59 to different networks it manages. Everyone is happy, except me because I need to watch for changes to the IPv6 range my ISP delegates, and update the static address on my LAN interface accordingly.

Please, is there a way to assign more than a single /64 to a LAN interface when Track Interface is enabled?

JKnott

You can get a /64 for each interface or VLAN. When you configure them, you select the IPv6 prefix ID you want to use. With a /56 the available prefix IDs range from 0 to ff.

MikeV7896

The LAN only needs a /64. Your subrouter would pick up one address from that /64 as its WAN address, then would use DHCPv6 to request its own prefix from your main router's DHCPv6 server. You would configure the address range(s) to delegate to your subrouter in the DHCPv6 server settings. For example, if your prefix were 2520:abde:1234:fe00::/56, you could specify in your DHCPv6 server settings to delegate out 2520:abde:1234:fef0:: through ...feff:ffff:ffff:ffff:ffff (essentially a /60) in /64 blocks, giving you 16 /64's to allocate to subrouters on your network.

The only real issue with prefix delegation on a track interface is that if your ISP changes your prefix, you'll have to manually change your DHCPv6 prefix delegation settings before your subrouter(s) will function again... but otherwise it should work just fine.

tobiasm

@virgiliomi Interesting, that seems to work. I re-enable Track Interface for LAN, and services_dhcpv6.php reports only 64 bits available. This seems to apply only to the 'Range' setting, however, not the 'Prefix Delegation Range'.

But as you said I still need to specify the delegation range manually...it seems like pfSense should allow delegating a portion of the subnet obtained, without needing to hardcode the full prefix and adjust it when it changes...

For anyone else who comes across this thread, note that you (confusingly) need to set both the "From" and "To" to a valid start for IPv6 subnets. For example, if:

• my ISP delegates 2606:aaaa:aaaa:a000::/56
• I configure subnet 0 to be used on the LAN
• I want to delegate 7 /59 subnets to subrouters

I need to set "Prefix Delegation Range" From to 2606:aaaa:aaaa:a020:: and To to 2606:aaaa:aaaa:a0e0:: (NOT 2606:aaaa:aaaa:a0ff:ffff:ffff:ffff:ffff as one might expect).

The docs state this with the example, but unless you're reading carefully you might miss it, especially because the Range field immediately above this one works the other way around.

MikeV7896

I'm not using it myself, so I was just assuming on the "To" box... but I think I had asked about having the prefix portion be automatically adjustable based on what's received from the ISP and was denied, at least by pfSense devs (nothing saying someone couldn't contribute such a feature though).

Given the many different combinations one might want to sub-delegate, I think it would take a good bit of coding to make such a setting work properly. It would need to take into account the various networks that you have and prefixes that are in use by those networks, among other things.

But I was pretty sure that it could be done manually, as long as things are entered properly.

tobiasm

I take that back. While everyone appears to get an IP properly (subrouter and its clients) if I do the above, I can't ping the pfSense box on IPv6 and I can't route traffic to the internet. Only if I statically configure the LAN on pfSense with a /56 instead of a /64 can I route traffic properly.

Do I need to add a route somewhere as well?

MikeV7896

That I don't know then... I would've thought any routing needed would be done automatically behind the scenes... but I just don't know. I'm not using it and don't have any routers I could use as a sub to give it a try.

tobiasm

pfSense is adding an identical route, automatically, to the delegated /59 in both cases (Static IPv6 and Track Interface), so yes I don't know what the problem is...the ipv6 routing table on my sub also looks identical in both cases.

The only difference in the routing table is on pfSense as you might expect, where the entry for the LAN interface is either a /56 or a /64 depending on what's configured. But that doesn't seem like it should be needed anyways since there's another route to the /59.

With Track Interface (one /64 automatically assigned to LAN):

2606:aaaa:aaaa:b000::/64          link#2                        U             6   1500      re1
2606:aaaa:aaaa:b000:2e0:4cff:fe24:2f13 link#2                   UHS           0  16384      lo0
2606:aaaa:aaaa:b0e0::/59          2606:aaaa:aaaa:a000::6000     UGS           6   1500      re1

With Static IPv6, with /56 assigned to LAN:

2606:aaaa:aaaa:b000::/56          link#2                        U             0   1500      re1
2606:aaaa:aaaa:b000::1            link#2                        UHS           0  16384      lo0
2606:aaaa:aaaa:b0e0::/59          2606:aaaa:aaaa:b000::6000     UGS           6   1500      re1

Derelict

@tobiasm Are you passing the proper traffic on the interface rules? You will not be able to only pass from LAN Network there. You will also have to pass traffic from the delegated prefix range.

Interfaces should always be /64. Always. Anything else is wrong except perhaps small (long) prefixes on statically numbered transit interfaces. ::1/125 or something.

tobiasm

@Derelict That was it. Thanks! I figured the firewall was interface-based, not subnet-based, but looking more closely at the rules I see my error.

So in summary, to get Prefix Delegation Range working with Track Interface, one needs to:

• Set "Prefix Delegation Range" From to start of first subnet you want to delegate
• Set "Prefix Delegation Range" To to start of last subnet you want to delegate
• Add Firewall rule to allow IPv6 traffic from each delegated subnet (or a range of them, I suppose)

Each of these settings needs to be updated manually if/when the prefix delegated by one's ISP changes.

Thanks again @virgiliomi and @Derelict for your fast responses and assistance!

JKnott

@tobiasm said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

@virgiliomi Interesting, that seems to work. I re-enable Track Interface for LAN, and services_dhcpv6.php reports only 64 bits available. This seems to apply only to the 'Range' setting, however, not the 'Prefix Delegation Range'.
But as you said I still need to specify the delegation range manually...it seems like pfSense should allow delegating a portion of the subnet obtained, without needing to hardcode the full prefix and adjust it when it changes...

You just select the prefix you want. Also, you don't want to just automatically delegate a prefix. The network admin shoud be able to decide what goes where. You're not supposed to delegate a portion of the subnet. On IPv6, local networks are supposed to be /64, for SLAAC to work. A major consideration in the design of IPv6 was getting rid of the variable lenth subnetwork addresses. So, everying is now /64. The only exception would be things like point to point links.

JKnott

@tobiasm said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

I want to delegate 7 /59 subnets to subrouters

You could do that, but not by using SLAAC. SLAAC is used to assign addresses to devices on the local LAN. What you want to do is just configuring a router to pass blocks of addresses to another router.

tobiasm

This post is deleted!

tobiasm

@jknott said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

You just select the prefix you want. Also, you don't want to just automatically delegate a prefix. The network admin shoud be able to decide what goes where. You're not supposed to delegate a portion of the subnet. On IPv6, local networks are supposed to be /64, for SLAAC to work. A major consideration in the design of IPv6 was getting rid of the variable lenth subnetwork addresses. So, everying is now /64. The only exception would be things like point to point links.

My point is that you should be able to do this without hard-coding the part of the prefix that might change, just as you can with a DHCP range or the Track Interface setting generally. But, I fully understand based on what @virgiliomi said that it's probably a non-trivial effort.

@jknott said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

You could do that, but not by using SLAAC. SLAAC is used to assign addresses to devices on the local LAN. What you want to do is just configuring a router to pass blocks of addresses to another router.

The subrouters don't assign a whole /59 to a single interface. They assign one /64 for each network they manage, selected from the /59.

Derelict

@tobiasm Note that even the firewall rules you hadn't added would also need to be changed.

The real take home is ISPs need to honor the DUID from the client and not change the delegated prefix. Ever. That is better than a whole lot of code to cover for them not doing what they are supposed to do.

Even better would be a static assignment from the ISP.

You can use an alias in most places for the delegation to help minimize the changes that need to be made.

MikeV7896

@derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

The real take home is ISPs need to honor the DUID from the client and not change the delegated prefix. Ever. That is better than a whole lot of code to cover for them not doing what they are supposed to do.

And for most ISPs, this isn't likely an issue. I know I've had the same prefix for over a year now, across reboots and reloads... as long as my pfSense config is reloaded, since the DUID is part of the config now, it doesn't change.

Of course, if I were ever offline for a week, which is the expiration time my ISP has for the delegation, then I'd be getting a new prefix when I get back online. But I can't expect them to have an indefinite delegation time... that wouldn't be too practical.

And I like the suggestion to use an alias to reduce changes needing to be made in terms of firewall settings... just change the alias and the DHCPv6 delegation settings... done.

JKnott

@derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

Even better would be a static assignment from the ISP.

That is common for larger businesses, but small business and home users generally don't get it. For them, the ISP generally wants something that's just plug 'n go. Assigning static addresses requires configuration on their part. Also, when I first started using pfSense, my prefix could change for something as minor as disconnecting/reconnecting the Ethernet cable.