CISCO and PFsense IPv6 Prefix Delegation

sparkplug3522

This is my setup guys. My IPv6 prefix that was given by my ISP is 2001:dead:400::/56 for my LAN as they stated. My setup is consist of CISCO 2921 in the Edge (Delegating Router) and Pfsense (requesting Router). Here's my config in my DR.

ipv6 unicast-routing
ipv6 local pool LOCAL-POOL 2001:dead:400::/52 56

ipv6 dhcp pool DHCP-POOL
prefix-delegation pool LOCAL-POOL
dns-server 2001:XXXX:8888
domain-name mydomain.net

interface gigabitethernet 0/1
ipv6 address 2001:dead:400::1/64
ipv6 address fe80::feed:1 link-
ipv6 dhcp server DHCP-POOL
exit

In my RR (Pfsense)

I allow the IPv6, im using track interface and I checked all prefix delegations option in both wan and lan. however, the configuration is working but in the local area side. the problem the pfsense side cant retrieve connection from internet.

Derelict

You can't take a /56 and just make it a /52.

If you want to route the /56 downstream to pfSense just route it. No need to mess with DHCP6 PD that I can see. I don't think you even need to bother burning a /64 on the transit network. Just use link-local addresses there.

sparkplug3522

@Derelict Thanks for the inputs. Before I configured PD in my cisco. My first config was the DHCP6 stateful. DHCP configured in gig0/0 and its connected to wan int of pfsense. Its totally working and my pfsense box connected to the ipv6 internet. but my problem in the lan side the pc cant get the internet.

Derelict

How is your IPv6 WAN to the ISP configured?

I still don't see any reason to be messing around with DHCP6 on that router at all. If it's a static /56, just route it to pfSense WAN. Use /64s from that on pfSense inside interfaces.

sparkplug3522

My ISP gave me this address

WAN - 2001:feed::1/127
GW - 2001:feed::/127

LAN - 2001:feed:400::/56

In cisco

i configured the wan and gw to gig 0/1 to have internet connection. in gig 0/0 i configured a dhcp6 statefull with the prefix 2001:feed:400::/64 and i connect the gigi0/0 to pfsense wan eth and my pfsense retireve a ipv6 ip to the cisco using dhcp6. Again, pfsense received ipv6 address and has a connection to the internet but my LAN in the pfsense eth (im using dhcp with RA) no internet at all.

JKnott

@sparkplug3522 said in CISCO and PFsense IPv6 Prefix Delegation:

Again, pfsense received ipv6 address and has a connection to the internet but my LAN in the pfsense eth (im using dhcp with RA) no internet at all.

As I mentioned above, only the Cisco router gets DHCPv6-PD from the ISP. This means it's LAN interfaces will get a /64 prefix, which is what pfSense is using, just as though it were an ordinary computer. If you want to use the rest of the /56 on pfSense, you'll have to manually configure it, as DHCPv6-PD is not available to it, unless you bought the server option from Cisco.

You'll have to manually configure the various LAN prefixes on pfSense and then configure the routing to support them. You can route through the GUA or link local address on the pfSense box.

sparkplug3522

@JKnott Thanks for the input sir. I hope i will fix this as soo as i can. :) Hoghly appreciated.

Derelict

What is the configuration of your Cisco WAN Interface?

I find it hard to believe that it is configured for DHCP6 + PD considering they gave you a /127 transit network.

I maintain there is NO REASON to use DHCP6 AT ALL on the router - as a client or a server.

JKnott

@Derelict said in CISCO and PFsense IPv6 Prefix Delegation:

What is the configuration of your Cisco WAN Interface?

I find it hard to believe that it is configured for DHCP6 + PD considering they gave you a /127 transit network.

I maintain there is NO REASON to use DHCP6 AT ALL on the router - as a client or a server.

Technically speeking, how is a /127 different from the /64 transit network I have with my ISP, other than prefix size and routeable vs link local address? They both work exactly the same way. However, it isn't necessary to have that /127. On my pfSense box, there's a /128 prefix, but that's only to provided an interface address. It's not used for routing.

You can't take a /56 and just make it a /52.

Actually, given that longest match routing is used, it is possible to peel off 16 /64s and route the rest to the pfSense box. The entire /56 prefix would be routed to pfSense, but anything that has the longer match, such as those 16 /64s, would not be routed to it. They'd go wherever the Cisco routing table sends them.

Derelict

My point is it is not assigned to him via DHCP. And there is zero reason to use DHCP to assign it to pfSense.

Just route it.