Netgate Discussion Forum

    Getting /56 prefix but WAN uses another one?

    Category: IPv6
    24 Posts, 3 Posters, 1.9k Views
    mrsunfire:

      Hi!

      I get some strange firewall logs where a DNS server is answering queries to an IPv6 address inside my subnet that doesn't exist. It seems that these queries were sent by another person.

      Now I discovered that my WAN interface doesn't use an IPv6 address out of my delegated /56 prefix. How is this possible?

      [screenshot: Unbenannt.JPG]

      Also what does TCP:SAE mean?

      [screenshot: Unbenannt.JPG]

      Netgate 6100 MAX

      netblues:

        Well, this is typical behavior.
        I see it on my connections too.
        The WAN gets a /64 allocation and then, if I request a /56 and have, say, 6 LAN interfaces,
        I would get a different /56 with incremental /64s assigned on each of the LANs, typically starting with 00 (and most probably incrementing to FF).
        Even disabling and re-enabling IPv6 on LANs without touching the WAN gets new /56 assignments.
        I'm seeing this with "use IPv4 to request IPv6" and "track WAN interface" for IPv6.
        WAN uses DHCP.

        mrsunfire:

          But the WAN and LAN must be two different /56s or one /40. Both are impossible.

          netblues:

            WAN and LAN are different, at least from your posted photo: 2a02:8071:800 versus 8c4.

            mrsunfire:

              Yes. So these are two different /56s, but I'm only getting one /56. So where is the second one coming from?

              netblues:

                It is not clear that you have a /56 for the WAN; the mask is not seen.
                But even if you did, it's quite possible to get a /56 on the WAN and another /56 for your LAN interface(s).
                What does ifconfig on the CLI say? autoconf 64?

                JKnott @netblues:

                  @netblues said in Getting /56 prefix but WAN uses another one?:

                  Even disabling and re-enabling IPv6 on LANs without touching the WAN gets new /56 assignments.

                  Normally, the /56 should not be changing.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  JKnott @netblues:

                    @netblues said in Getting /56 prefix but WAN uses another one?:

                    But even if you did, its quite possible to get a /56 on the wan and another /56 for your lan interface(s)

                    Where would that LAN /56 be coming from? You get a /56 from the ISP and split off individual /64s as needed.

                    mrsunfire @netblues:

                      @netblues This is what DHCP Log shows:

                      [screenshot: Unbenannt.JPG]

                      This is what ifconfig shows for WAN:

                      [screenshot: Unbenannt2.JPG]

                      JKnott @mrsunfire:

                        @mrsunfire

                        That shows you're using a link-local address for routing and a /128 WAN address. There's nothing in there about prefixes. You'd find out what prefix you're assigned by examining a packet capture of the DHCPv6 packets.

                        BTW, why are you hiding the link-local address? It's completely irrelevant outside the link between you and the ISP. Same with the MAC address.

                        mrsunfire:

                          But the /128 should be in the same delegated subnet? It's clearly not. I don't get why.

                          netblues:

                            There is no reason for the WAN IPv6 address to be on the same delegated /56 prefix.
                            Your ISP is savvy and uses a /128 for the WAN.
                            Mine is not so much and uses a /64.

                            The WAN "public" IP doesn't work as in IPv4.
                            It is only used for the WAN device to have its own internet IPv6 access.
                            Otherwise it is not needed.
                            Your /56 prefixes are routed via link-local (fe80).
                            And if you don't have a static delegation, hiding IPv6 addresses isn't worth the trouble.
                            It will change soon.

                            mrsunfire:

                              OK, thanks for the clear-up. But it's still strange that I get so many responses to addresses that don't exist on my network.

                              My prefix has been the same for over a year. So I'll stick with hiding what doesn't need to be shown :)

                              netblues @mrsunfire:

                                I believe what you see is RFC 4941 privacy extensions. Have a look at your Ethernet status.
                                It might list them as temporary addresses.
                                Temporary addresses are not connectable/pingable, but remain active for live sessions when the IPv6 address changes so as not to disrupt connectivity.
                                And they usually expire after 24 hours.

                                mrsunfire:

                                  I don't use PE because there is no SLAAC in my network. I prefer DHCPv6. I captured the incoming traffic and it shows me that this is definitely not my traffic that is coming "back".

                                  JKnott @mrsunfire:

                                    @mrsunfire said in Getting /56 prefix but WAN uses another one?:

                                    But the /128 should be in the same delegated subnet? It's clearly not. I don't get why.

                                    No, it shouldn't. It has absolutely nothing to do with the assigned prefix. It's not even used in routing. Its sole purpose is to provide an address for the WAN port, so that you can connect to it with a VPN, SSH, etc., or use ping & traceroute. Your routing is over the link-local address, not the public address.

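An added example, not code from the thread and not part of pfSense: a small Python script covering the two questions in the opening post (the WAN address that is not in the delegated /56, and what TCP:SAE means) together with the /128-versus-prefix point made just above. The flag letters are the ones pfSense's firewall log uses (F, S, R, P, A, U, E, W for FIN, SYN, RST, PSH, ACK, URG, ECE, CWR), so TCP:SAE is a SYN/ACK with ECE set, the handshake reply of a peer that accepted ECN. The prefix check is done with the ipaddress module rather than by eye, because a /56 boundary sits in the middle of the fourth hextet. All addresses are constructed from the 2001:db8::/32 documentation range, the function names are mine, and the live_hosts inventory is an assumption (it stands in for your DHCPv6 leases or NDP table).

```python
"""Added example, not from the thread or from pfSense.

Constructed addresses only (2001:db8::/32 documentation range); the
function names and the live_hosts inventory are assumptions."""
from __future__ import annotations

import ipaddress

# TCP flag letters as pfSense's firewall log renders them, e.g. "TCP:SAE".
PF_TCP_FLAGS = {
    "F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
    "A": "ACK", "U": "URG", "E": "ECE", "W": "CWR",
}


def decode_pf_flags(proto_field: str) -> list[str]:
    """Expand a log field such as 'TCP:SAE' into TCP flag names.

    'TCP:SAE' = SYN+ACK+ECE: the second packet of a three-way handshake,
    sent by a peer that accepted ECN (RFC 3168); the matching client SYN
    would show as 'TCP:SEW'. Non-TCP fields carry no flags.
    """
    proto, _, letters = proto_field.partition(":")
    if proto.upper() != "TCP":
        return []
    return [PF_TCP_FLAGS[ch] for ch in letters.upper() if ch in PF_TCP_FLAGS]


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr lies inside prefix, e.g. a WAN /128 inside the delegated /56.

    Let ipaddress do the masking: a /56 boundary falls in the middle of the
    fourth hextet, so 2001:db8:800:ff::1 is inside 2001:db8:800::/56 while
    2001:db8:800:100::1 is not, which is easy to misread by eye.
    """
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def lan_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a tracking LAN interface gets for a given pfSense 'IPv6 Prefix ID'.

    The ID is a hex index into the delegation: 0 is the first /64 and,
    for a /56, 0xff is the last. IDs that do not fit the delegation are
    rejected rather than silently wrapping into someone else's prefix.
    """
    net = ipaddress.ip_network(delegated, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is too small to carve /64s from")
    if not 0 <= prefix_id < 2 ** (64 - net.prefixlen):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in a /{net.prefixlen}")
    base = int(net.network_address) + (prefix_id << 64)   # subnet ID sits above the 64 host bits
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(base)}/64")


def lan_subnets(delegated: str, count: int) -> list[str]:
    """The first `count` /64s of a delegation, prefix IDs 0, 1, 2, ... in order."""
    return [str(lan_subnet(delegated, i)) for i in range(count)]


def triage_inbound(dst: str, delegated: str, live_hosts: set[str], proto_field: str) -> str:
    """Label an inbound, blocked packet by where its destination sits relative to our prefix.

    live_hosts is whatever inventory you trust (DHCPv6 leases, NDP table);
    it is an assumption of this example, not something pfSense exports by that name.
    """
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in ipaddress.ip_network(delegated, strict=False):
        return "outside our delegation"
    if dst_ip in {ipaddress.ip_address(h) for h in live_hosts}:
        return "to a live host"
    if {"SYN", "ACK"} <= set(decode_pf_flags(proto_field)):
        # No host on our side could have sent the SYN this answers. SYN/ACKs
        # to addresses we never use are commonly backscatter from traffic that
        # spoofed our prefix as its source; a packet capture settles it.
        return "unsolicited SYN/ACK to an unused address"
    return "to an unused address"


if __name__ == "__main__":
    delegation = "2001:db8:aa00::/56"   # constructed delegated /56
    wan = "2001:db8:ff:7::1"            # constructed WAN /128, outside the delegation
    print(decode_pf_flags("TCP:SAE"))                         # ['SYN', 'ACK', 'ECE']
    print(in_prefix(wan, delegation))                         # False
    print(lan_subnets(delegation, 3))                         # ['2001:db8:aa00::/64', ...]
    print(triage_inbound("2001:db8:aa00:1::beef", delegation,
                         {"2001:db8:aa00:1::10"}, "TCP:SAE"))  # unsolicited SYN/ACK to an unused address
```

Feed triage_inbound the destination column of the blocked entries and your own lease table; anything that comes back as "outside our delegation" is not about your network at all, and the WAN /128 will land there by design.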
                                    JKnott @netblues:

                                      @netblues said in Getting /56 prefix but WAN uses another one?:

                                      And if you don't have a static delegation, hiding IPv6 addresses isn't worth the trouble.
                                      It will change soon.

                                      The prefix should not normally change. In fact, there's a setting to keep it from changing.

                                      netblues @JKnott:

                                        @JKnott "Do not allow PD/Address release: dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent."

                                        This one?

                                        JKnott @mrsunfire:

                                          @mrsunfire said in Getting /56 prefix but WAN uses another one?:

                                          OK, thanks for the clear-up. But it's still strange that I get so many responses to addresses that don't exist on my network.

                                          My prefix has been the same for over a year. So I'll stick with hiding what doesn't need to be shown :)

                                          What prefix do those addresses have? If it's your assigned prefix, then those devices likely exist on your network somewhere. Privacy addresses were mentioned above. These addresses use random numbers for the suffix and you get a new one every day. After a week they expire. This is in addition to the consistent address (often MAC based). So, each device could have up to 8 global addresses.

                                          As for hiding your prefix, you do understand that each /64 contains 18.4 billion billion addresses, which means it would be somewhat difficult for anyone to find a working address in that space. That address space is more than 4 billion times the entire IPv4 address space.

                                          JKnott @netblues:

                                            @netblues said in Getting /56 prefix but WAN uses another one?:

                                            Temporary addresses are not connectable/pingable

                                            They most certainly are. Any address that has your network's prefix is reachable. However, your firewall will block any access, unless specifically allowed. So, if you wanted to run a server that could be reached from elsewhere, you'd use the consistent IPv6 address and open the ports for that address only. All outgoing connections normally use the privacy addresses, so even if someone collects the address, they'd still be up against the firewall not letting them in.

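An added example, not from the thread: the temporary-address discussion above (RFC 4941, and whether those addresses are reachable) is easier to reason about with the addresses in front of you. This Python script parses inet6 lines in the shape FreeBSD's `ifconfig -L` prints them on pfSense, sorts each address into link-local, stable or temporary, picks the stable one you would publish and open firewall ports for, picks the one a new outgoing connection prefers (a non-deprecated temporary address, RFC 6724 rule 7), and derives the "up to 8 global addresses" figure from the RFC 4941 default lifetimes. The ifconfig text is constructed with 2001:db8::/32 documentation addresses, not captured from a real box, and the function names are mine.

```python
"""Added example, not from the thread. The ifconfig text is constructed to look
like FreeBSD `ifconfig -L` output on pfSense (2001:db8::/32 documentation
addresses); it is not a real capture, and the function names are mine."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one stable SLAAC address, one current temporary address
# and one deprecated temporary address that is still valid for old sessions.
SAMPLE_IFCONFIG = """\
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1:2:3:4%igb1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:aa00:1:1:2:3:4 prefixlen 64 autoconf pltime 604795 vltime 2591995
    inet6 2001:db8:aa00:1:d5c8:91ab:3e0f:7c21 prefixlen 64 autoconf temporary pltime 86395 vltime 604795
    inet6 2001:db8:aa00:1:a4f1:c2e:88d3:11b7 prefixlen 64 autoconf temporary deprecated pltime 0 vltime 518395
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")
LIFETIME_RE = re.compile(r"\b(pltime|vltime)\s+(\S+)")
ULA = ipaddress.ip_network("fc00::/7")


@dataclass
class Inet6Addr:
    address: ipaddress.IPv6Address
    prefixlen: int
    kind: str                 # "link-local", "stable" or "temporary"
    deprecated: bool          # past its preferred lifetime: kept for old sessions, not used for new ones
    pltime: Optional[int]     # remaining preferred lifetime in seconds, if printed
    vltime: Optional[int]     # remaining valid lifetime in seconds, if printed


def parse_ifconfig(text: str) -> list[Inet6Addr]:
    """Pull every inet6 line out of ifconfig output and classify it."""
    found = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr_txt, plen, rest = m.groups()
        addr = ipaddress.IPv6Address(addr_txt.split("%", 1)[0])   # drop the %scope suffix
        flags = set(rest.split())
        lifetimes = {k: (int(v) if v.isdigit() else None) for k, v in LIFETIME_RE.findall(rest)}
        if addr.is_link_local:
            kind = "link-local"
        elif "temporary" in flags:
            kind = "temporary"
        else:
            kind = "stable"
        found.append(Inet6Addr(addr, int(plen), kind, "deprecated" in flags,
                               lifetimes.get("pltime"), lifetimes.get("vltime")))
    return found


def is_global_unicast(addr: ipaddress.IPv6Address) -> bool:
    """Routable on the Internet: not link-local, loopback, multicast, unspecified or ULA.
    (IPv6Address.is_global is avoided on purpose: it is False for 2001:db8::/32.)"""
    return not (addr.is_link_local or addr.is_loopback or addr.is_multicast
                or addr.is_unspecified or addr in ULA)


def count_kinds(addrs: list[Inet6Addr]) -> Counter:
    return Counter(a.kind for a in addrs)


def stable_global(addrs: list[Inet6Addr]) -> Optional[ipaddress.IPv6Address]:
    """The address to publish and open firewall ports for: the one that does
    not rotate. Temporary addresses are just as routable; they merely churn."""
    for a in addrs:
        if a.kind == "stable" and is_global_unicast(a.address):
            return a.address
    return None


def preferred_source(addrs: list[Inet6Addr]) -> Optional[ipaddress.IPv6Address]:
    """What a new outgoing connection will use: a non-deprecated temporary
    address when one exists (RFC 6724 rule 7), otherwise the stable one."""
    for a in addrs:
        if a.kind == "temporary" and not a.deprecated and is_global_unicast(a.address):
            return a.address
    return stable_global(addrs)


def max_global_addresses(valid_s: int = 7 * 86400, preferred_s: int = 86400) -> int:
    """One stable address plus every temporary still valid at once.
    RFC 4941 defaults: a new temporary each day (TEMP_PREFERRED_LIFETIME),
    each valid for a week (TEMP_VALID_LIFETIME), so up to 7 overlap: 8 per prefix."""
    return 1 + -(-valid_s // preferred_s)


if __name__ == "__main__":
    addrs = parse_ifconfig(SAMPLE_IFCONFIG)
    print(dict(count_kinds(addrs)))        # {'link-local': 1, 'stable': 1, 'temporary': 2}
    print(stable_global(addrs))            # 2001:db8:aa00:1:1:2:3:4
    print(preferred_source(addrs))         # 2001:db8:aa00:1:d5c8:91ab:3e0f:7c21
    print(max_global_addresses())          # 8
```

Run it against real `ifconfig -L` output from a pfSense shell to see which of a host's addresses are the rotating ones; a temporary address you find in a remote log is still a perfectly routable destination, and the firewall rule set, not the address, is what decides whether the packet gets in.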
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.