Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled
-
pfSense is adding an identical route, automatically, to the delegated /59 in both cases (Static IPv6 and Track Interface), so, yes, I don't know what the problem is... the IPv6 routing table on my sub also looks identical in both cases.
The only difference in the routing table is on pfSense as you might expect, where the entry for the LAN interface is either a /56 or a /64 depending on what's configured. But that doesn't seem like it should be needed anyways since there's another route to the /59.
With Track Interface (one /64 automatically assigned to LAN):

    2606:aaaa:aaaa:b000::/64                  link#2                       U      6    1500   re1
    2606:aaaa:aaaa:b000:2e0:4cff:fe24:2f13    link#2                       UHS    0   16384   lo0
    2606:aaaa:aaaa:b0e0::/59                  2606:aaaa:aaaa:a000::6000    UGS    6    1500   re1

With Static IPv6, with /56 assigned to LAN:

    2606:aaaa:aaaa:b000::/56                  link#2                       U      0    1500   re1
    2606:aaaa:aaaa:b000::1                    link#2                       UHS    0   16384   lo0
    2606:aaaa:aaaa:b0e0::/59                  2606:aaaa:aaaa:b000::6000    UGS    6    1500   re1
-
@tobiasm Are you passing the proper traffic on the interface rules? You will not be able to only pass from LAN Network there. You will also have to pass traffic from the delegated prefix range.
Interfaces should always be /64. Always. Anything else is wrong except perhaps small (long) prefixes on statically numbered transit interfaces. ::1/125 or something.
-
@Derelict That was it. Thanks! I figured the firewall was interface-based, not subnet-based, but looking more closely at the rules I see my error.
So in summary, to get Prefix Delegation Range working with Track Interface, one needs to:
- Set "Prefix Delegation Range" From to start of first subnet you want to delegate
- Set "Prefix Delegation Range" To to start of last subnet you want to delegate
- Add Firewall rule to allow IPv6 traffic from each delegated subnet (or a range of them, I suppose)
Each of these settings needs to be updated manually if/when the prefix delegated by one's ISP changes.
Thanks again @virgiliomi and @Derelict for your fast responses and assistance!
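The summary above is a manual procedure, and each value has to be redone by hand when the ISP changes the delegated prefix. The following is an added worked example, not code from the thread or from pfSense, that carries out the same arithmetic in Python's standard `ipaddress` module: given the ISP's delegation and the /64 that Track Interface assigned to LAN, it carves the delegation into /59 blocks, drops the block that contains the LAN /64, and returns the "Prefix Delegation Range" From/To values together with the list of networks to place in a firewall alias. The prefix values, the /56 delegation and the assumption that LAN holds the first /64 of it are taken from the routing tables earlier in the thread; the function and alias names are my own.

```python
import ipaddress


def plan_pd_range(delegated_prefix, lan_prefix, sub_len=59):
    """Compute the pfSense DHCPv6 'Prefix Delegation Range' for sub-routers.

    delegated_prefix: the prefix the ISP delegated, e.g. '2606:aaaa:aaaa:b000::/56'
    lan_prefix:       the /64 that Track Interface assigned to LAN
    sub_len:          length of each prefix handed to a sub-router (/59 in the thread)

    Returns a dict with the From/To addresses to type into the DHCPv6 server page,
    the CIDR entries for a Network-type firewall alias, and the number of
    sub-prefixes available. Assumption: the ISP's delegation and the LAN /64
    are the only things that change when the ISP renumbers, so re-running this
    with the new values is the whole update.
    """
    isp = ipaddress.IPv6Network(delegated_prefix)
    lan = ipaddress.IPv6Network(lan_prefix)
    # A sub-router needs at least a /64 per network it serves, and the block
    # must be longer than the delegation or there is nothing to carve.
    if not (isp.prefixlen < sub_len <= 64):
        raise ValueError("sub-prefix length must lie between the delegation and /64")
    if not lan.subnet_of(isp):
        raise ValueError("LAN /64 is not inside the ISP delegation")
    # Carve the delegation into sub_len blocks and skip the block that already
    # contains the LAN /64; delegating it would overlap the LAN interface.
    usable = [blk for blk in isp.subnets(new_prefix=sub_len) if not lan.subnet_of(blk)]
    if not usable:
        raise ValueError("nothing left to delegate after reserving the LAN block")
    return {
        "from": str(usable[0].network_address),    # start of first sub-prefix
        "to": str(usable[-1].network_address),     # start of last sub-prefix
        "alias": [str(blk) for blk in usable],      # entries for a Network alias
        "count": len(usable),
    }


def is_delegated(plan, prefix):
    """True if `prefix` (a CIDR string) falls inside one of the planned blocks.
    Useful for checking that a route seen on pfSense belongs to the range."""
    net = ipaddress.IPv6Network(prefix)
    return any(net.subnet_of(ipaddress.IPv6Network(blk)) for blk in plan["alias"])


def renumber_diff(old_plan, new_plan):
    """List the alias entries that must be removed and added after the ISP
    hands out a different prefix, so the firewall change can be scripted."""
    old, new = set(old_plan["alias"]), set(new_plan["alias"])
    return {"remove": sorted(old - new), "add": sorted(new - old)}


if __name__ == "__main__":
    plan = plan_pd_range("2606:aaaa:aaaa:b000::/56", "2606:aaaa:aaaa:b000::/64")
    print("Prefix Delegation Range From:", plan["from"])
    print("Prefix Delegation Range To:  ", plan["to"])
    print("Firewall alias entries:")
    for entry in plan["alias"]:
        print("   ", entry)
    # Constructed renumbering case: the ISP moves the delegation to a new /56.
    moved = plan_pd_range("2606:aaaa:aaaa:c100::/56", "2606:aaaa:aaaa:c100::/64")
    print("After renumbering:", renumber_diff(plan, moved))
```

For the /56 in the thread this yields From `2606:aaaa:aaaa:b020::` and To `2606:aaaa:aaaa:b0e0::`, seven /59 blocks in total, which matches the `2606:aaaa:aaaa:b0e0::/59` route shown earlier. A /60 delegation raises an error because it cannot be split into /59 blocks, which is the check worth having before typing values into the DHCPv6 page.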
-
@tobiasm said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:
@virgiliomi Interesting, that seems to work. I re-enabled Track Interface for LAN, and services_dhcpv6.php reports only 64 bits available. This seems to apply only to the 'Range' setting, however, not the 'Prefix Delegation Range'.
But as you said I still need to specify the delegation range manually... it seems like pfSense should allow delegating a portion of the subnet obtained, without needing to hardcode the full prefix and adjust it when it changes...

You just select the prefix you want. Also, you don't want to just automatically delegate a prefix. The network admin should be able to decide what goes where. You're not supposed to delegate a portion of the subnet. On IPv6, local networks are supposed to be /64, for SLAAC to work. A major consideration in the design of IPv6 was getting rid of the variable length subnetwork addresses. So, everything is now /64. The only exception would be things like point to point links.
-
@tobiasm said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:
I want to delegate 7 /59 subnets to subrouters
You could do that, but not by using SLAAC. SLAAC is used to assign addresses to devices on the local LAN. What you want to do is just configuring a router to pass blocks of addresses to another router.
-
@jknott said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:
You just select the prefix you want. Also, you don't want to just automatically delegate a prefix. The network admin should be able to decide what goes where. You're not supposed to delegate a portion of the subnet. On IPv6, local networks are supposed to be /64, for SLAAC to work. A major consideration in the design of IPv6 was getting rid of the variable length subnetwork addresses. So, everything is now /64. The only exception would be things like point to point links.
My point is that you should be able to do this without hard-coding the part of the prefix that might change, just as you can with a DHCP range or the Track Interface setting generally. But, I fully understand based on what @virgiliomi said that it's probably a non-trivial effort.
@jknott said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:
You could do that, but not by using SLAAC. SLAAC is used to assign addresses to devices on the local LAN. What you want to do is just configuring a router to pass blocks of addresses to another router.
The subrouters don't assign a whole /59 to a single interface. They assign one /64 for each network they manage, selected from the /59.
-
@tobiasm Note that even the firewall rules you hadn't added would also need to be changed.
The real take home is ISPs need to honor the DUID from the client and not change the delegated prefix. Ever. That is better than a whole lot of code to cover for them not doing what they are supposed to do.
Even better would be a static assignment from the ISP.
You can use an alias in most places for the delegation to help minimize the changes that need to be made.
-
@derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:
The real take home is ISPs need to honor the DUID from the client and not change the delegated prefix. Ever. That is better than a whole lot of code to cover for them not doing what they are supposed to do.
And for most ISPs, this isn't likely an issue. I know I've had the same prefix for over a year now, across reboots and reloads... as long as my pfSense config is reloaded, since the DUID is part of the config now, it doesn't change.
Of course, if I were ever offline for a week, which is the expiration time my ISP has for the delegation, then I'd be getting a new prefix when I get back online. But I can't expect them to have an indefinite delegation time... that wouldn't be too practical.
And I like the suggestion to use an alias to reduce changes needing to be made in terms of firewall settings... just change the alias and the DHCPv6 delegation settings... done.
-
@derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:
Even better would be a static assignment from the ISP.
That is common for larger businesses, but small business and home users generally don't get it. For them, the ISP generally wants something that's just plug 'n' go. Assigning static addresses requires configuration on their part. Also, when I first started using pfSense, my prefix could change for something as minor as disconnecting/reconnecting the Ethernet cable.