Netgate Discussion Forum

    ipv6 prefix delegation to second pfsense

    • tyn

      Hi,
      IPv6 really does seem to be more challenging than IPv4. I'm sorry to have to ask for help again but I'm stuck and I'm either misunderstanding the other posts I've read (probably) or the other posts aren't touching on the problem I am having. I really appreciate any help you can give. The problem I am having is my second pfSense isn't getting an address; just a link local.

      I have 2 pfSense devices; one that connects to my ISP (let's call it edge-pf) and another that provides my internal networks (let's call it internal-pf). With some very generous help from this forum I configured edge-pf to get a static /56 delegation from my ISP. edge-pf has its LAN configured to track the WAN and gets prefix ID 0. Its address looks like this: 2001:F234:5678:C900::1

      edge-pf LAN physically connects to the internal-pf WAN.

      internal-pf WAN is configured like this:
      General Configuration, IPv6 Configuration Type = DHCP6
      DHCP6 Client Configuration, Prefix Delegation Size = 64
      DHCP6 Client Configuration, Send IPv6 prefix hint = enabled
      DHCP6 Client Configuration, Debug = enabled
      DHCP6 Client Configuration (everything else) = disabled

      edge-pf has router advertisements enabled in Managed mode with a high priority on LAN, with all the other settings left empty. The DHCPv6 server is configured like this:
      subnet = prefix delegation
      subnet mask = :: to ::ffff:ffff:ffff:ffff
      range = ::0000 to ::00FF
      prefix delegation range = 2001:F234:5678:C901:: to 2001:F234:5678:C9FF::
      prefix delegation size = 64
      all other settings are empty

      I'm trying to tell edge-pf to delegate 255 /64 subnets (C901 to C90FF). I'm not sure if this is the correct way to break up a /56 delegation for a 2nd router to administer. However I'm not even getting to step 1; internal-pf isn't getting an address assignment from edge-pf. I was expecting internal-pf to get an address something like this: 2001:F234:5678:C900::2. Instead it gets a link local address.

      Any help/advice/guidance would be great.

      BTW, I have temporarily created firewall rules to enable all traffic on the edge-pf LAN and internal-pf WAN interfaces. So I'm hoping there isn't anything hidden that would disrupt the traffic between the devices.

      • Derelict LAYER 8 Netgate

        This is what I do to assign an interface address and a /56 prefix delegation to downstream lab routers:

        Screen Shot 2019-04-25 at 12.51.15 AM.png

        This is covered here:

        https://docs.netgate.com/pfsense/en/latest/book/services/ipv6-dhcp-server-and-router-advertisements.html

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • tyn

          Thanks @Derelict I think I have it working now. I had a couple of problems with the way I was trying to do it.

          I ended up having edge-pf delegate /60 subnets so that internal-pf could use /64 subnets on its LANs. The biggest catch, that had me scratching my head for ages, is the dhcpd service seems to need to be restarted; or a reboot. I'm not exactly sure which situation requires which but just saving a new configuration or restarting an interface isn't enough.

          After I have all this working I'll post my config to help the next novice like me.

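The prefix arithmetic behind the fix in the last post, as an added example that is not part of the original thread: it splits the /56 from the first post into delegation blocks that avoid the edge-pf LAN /64 (prefix ID 0) and reports how many /64 LANs each delegated block gives the downstream router. The function name `delegation_plan` and its return keys are hypothetical; the prefix is the one quoted in the thread.

```python
import ipaddress

# Values taken from the thread: the ISP's /56 and the edge-pf LAN (prefix ID 0).
ISP_PREFIX = "2001:f234:5678:c900::/56"
EDGE_LAN = "2001:f234:5678:c900::/64"


def delegation_plan(isp_prefix, edge_lan, delegation_len, lan_len=64):
    """Hypothetical helper: list the delegation blocks of size /delegation_len
    inside isp_prefix that do not overlap the upstream router's own LAN."""
    isp = ipaddress.IPv6Network(isp_prefix)
    lan = ipaddress.IPv6Network(edge_lan)
    if not lan.subnet_of(isp):
        raise ValueError("edge LAN is not inside the ISP prefix")
    if not isp.prefixlen < delegation_len <= lan_len:
        raise ValueError("delegation size must be longer than the ISP prefix "
                         "and no longer than the LAN prefix")

    # Every aligned block of the delegation size, minus the one that
    # contains the /64 already used on the edge router's LAN.
    blocks = [b for b in isp.subnets(new_prefix=delegation_len)
              if not b.overlaps(lan)]
    return {
        "range_start": blocks[0].network_address,
        "range_end": blocks[-1].network_address,
        "delegations": len(blocks),
        # How many /64 LANs the downstream router can number per delegation.
        "lans_per_delegation": 2 ** (lan_len - delegation_len),
    }


if __name__ == "__main__":
    for size in (64, 60):
        plan = delegation_plan(ISP_PREFIX, EDGE_LAN, size)
        print(f"/{size}: {plan['range_start']} to {plan['range_end']}, "
              f"{plan['delegations']} delegations, "
              f"{plan['lans_per_delegation']} LAN(s) each")
```

With a delegation size of 64 the range matches the C901 to C9FF range from the first post but leaves internal-pf a single /64; with 60 the range starts at C910 because the C900::/60 block contains the edge-pf LAN.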
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.