IPv6 Help / tutorial / something please!
-
@maverickws Stop thinking about the number of addresses on a subnet. You never have to think about that again. They are all /64 and it is impossible (Yes, I said impossible) to put that many devices on a single network segment.
Think about an IPv6 assignment as the number of /64 networks you can service so:
/64-/56 = 8 bits or 256 /64 networks
/64-/48 = 16 bits or 65536 /64 networks
To extend:
/64 - /64 = 0 bits or 0 /64 networks, which is where you find yourself.
Your ISP needs to assign a WAN address to you in some fashion and route a /56, /48, etc. to you there. You can then further assign /64s out of that or do whatever you want. (To appease @JKnott, yes, they can just route to your link-local WAN address if they can get it all provisioned correctly. And, in this case, they would have to if you are going to be putting the single /64 you have on the inside.)
Your service is provisioned to provide one /64. That is OK if you are a home user who only wants to run one inside network, but is incompatible with assigning /64s to multiple networks and might be incompatible for putting behind a router at all depending on how they actually provision things.
The absolute MINIMUM any ISP should be assigning to even residential users is a /56.
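A worked version of the prefix arithmetic above, added here as an example and not taken from any poster: it counts the /64s a delegated prefix contains and hands one out per VLAN using Python's ipaddress module, and refuses anything longer than /64 because that leaves no room for the 64-bit interface identifier. The prefix 2001:db8:0:ab00::/56 and the VLAN IDs are constructed sample values.

```python
import ipaddress


def count_64s(prefix):
    """Number of /64 networks inside a delegated IPv6 prefix: 2 ** (64 - prefixlen).

    A /56 gives 256, a /48 gives 65536, a bare /64 gives exactly one.
    Anything longer than /64 is rejected: SLAAC needs a 64-bit interface ID.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("%s is longer than /64: cannot be used on a LAN segment" % net)
    return 2 ** (64 - net.prefixlen)


def assign_vlans(prefix, vlan_ids):
    """Map each VLAN ID to its own /64 carved out of the delegated prefix, in order.

    Returns {vlan_id: "2001:db8:...::/64"}; raises if the prefix does not hold
    enough /64s for the VLANs requested (the situation a lone /64 puts you in).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    available = count_64s(prefix)
    if len(vlan_ids) > available:
        raise ValueError("%s holds only %d /64 network(s), but %d VLAN(s) were requested"
                         % (net, available, len(vlan_ids)))
    # A /64 is not subdivided; it is the single network it already is.
    subnets = iter([net]) if net.prefixlen == 64 else net.subnets(new_prefix=64)
    return {vid: str(next(subnets)) for vid in vlan_ids}


if __name__ == "__main__":
    # Constructed example: a /56 delegation shared between three VLANs.
    for vid, subnet in assign_vlans("2001:db8:0:ab00::/56", [10, 20, 30]).items():
        print("VLAN %d -> %s" % (vid, subnet))
    # The single-/64 case: one LAN works, a second one cannot be carved out.
    print(assign_vlans("2001:db8::/64", [10]))
    try:
        assign_vlans("2001:db8::/64", [10, 20])
    except ValueError as err:
        print("refused:", err)
```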
-
https://www.ripe.net/publications/docs/ripe-690
"Assigning a /64 or longer prefix does not conform to IPv6 standards and will break functionality in customer LANs. With a single /64, the end customer CPE will have just one possible network on the LAN side and it will not be possible to subnet, assign VLANs, alternative SSIDs, or have several chained routers in the same customer network, etc."
-
It's not pfsense that has to be configured for bridge mode, it's your modem. Users have some device that connects to the ISP for the local network. It is often in gateway mode, where it provides DHCP, NAT, etc. You don't want that with pfsense. In bridge mode, pfsense does all that gateway mode does and lots more.
As for the /64s, that's simply the way it was designed. It was the same way, at one time, with IPv4, before address classes were created, and also with Novell's IPX, which used to be popular years ago, or IBM's SNA. This variable-size subnet is a "feature" of IPv4, necessitated by stretching out IPv4 addresses. When IPv6 was created, they decided to have such a huge address space that you'd never run out, whether in network or host addresses. As mentioned above, it's unbelievable that some ISPs only provide a single /64. Mine gives me a /56 and some even a /48. You can get a /48 for free from he.net.
So, determine what your ISP offers, if you're in bridge mode. As I mentioned, I get a /56 from mine, but I'd only get a single /64 in gateway mode.
-
@derelict said in IPv6 Help / tutorial / something please!:
The absolute MINIMUM any ISP should be assigning to even residential users is a /56.
Yes!
Using HE is straightforward, you get a static /48. What's not to like?
-
BTW, the IPv6 address space is so huge, that even with only 1/8 of it allocated for Global Unique Addresses (GUA), there are enough to give every single person on earth over 4000 /48s. So, there's no need for an ISP to be so stingy as to provide only a single /64.
Incidentally, my cell phone gets a /64, which I can share with tethering.
-
@jwj What's not to like.
It could be successfully argued that GIF tunneling to get IPv6 is an ugly hack.
That said, due to ISP idiocy HE is currently my IPv6 provisioning strategy.
-
Well I'd like to thank all for this very interesting discussion.
I'd like to say regarding the comment about not accounting for the number of possible hosts in any given subnet, well ok I get that, it's just that each of these networks is so huge I feel other subnetting options made standard could be effective and I felt like commenting that. But ok, let's disregard that and it is how it is so moving on! :)
I have HE at home, it's nice to have IPv6 connectivity where your ISP doesn't provide it, but it's still v6 over v4 and I was looking for a leaner solution for service machines hosted on a datacenter.
I'm touching base with them and looking forward to see their reply.
I still have kind of a question though, about @JKnott's remark "pfsense requires bridge mode to work properly": does this mean if I get a /56 or /48 I'd still have to add a bridge for IPv6 to work?
-
@maverickws said in IPv6 Help / tutorial / something please!:
does this mean if I get a /56 or /48 I'd still have to add a bridge for IPv6 to work?
The bridge vs gateway mode refers to the device your ISP uses to provide your connection. I have a cable modem. Others have ADSL or even fibre. You're thinking of LAN bridges, which are essentially a 2-port switch and have nothing to do with this discussion. What piece of hardware do you connect to for your Internet access? That's where you would have the bridge/gateway choice. This has nothing to do specifically with pfsense. You'd do the same thing for any firewall/router.
-
@jknott so basically I have a virtual switch to which my servers are connected, and both the IPv4 and IPv6 subnets are delivered via VLAN, and they give me an upstream gateway for the /64 network which belongs to said subnet.
I don't think they'll be assigning anything else other than a /64. They say they can provide /56 networks but that would be routed through a host (server), which is the contrary of what we have, it being delivered through a switch.
-
@maverickws A router is a router. A switch is a switch. A /64 is insufficient for anything other than the most basic, single-segment home network behind the ISP device. Make them provide a /56.
You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.
-
@derelict lol man I read your reply 5 times and all 5 times it felt like you're calling me stupid. Do you think or have you felt in the previous interactions that I have some interpretation problem or something?
Here's the "paste EXACTLY" instead of "interpretation"
Dear Client,
for your server you can have an additional /56 if you want but this is not possible on vswitch feature due of technical reasons.
Unfortunately on the vswitch it is only possible to have /64 prefix.
Kind regards
Please let me know if you feel my interpretation is correct or should I take some classes.
-
@maverickws Get them to route the /56 to you.
As soon as they are doing that you can worry about how it's routed internally.
An ISP giving advice on configuring a vswitch? I wouldn't even try to explain to them what you are trying to do on the inside. Just get the /56 routed to you.
-
@derelict I must say I don't see any way of "forcing" them to give me a /56. They can simply refuse and rely on bureaucracy to never do it.
They're not very good with vSwitches actually. I've had a problem with CARP and they sent me a link to Juniper's documentation lol, when the switches are on their side and I have nothing to do with their config. I documented a problem with their switches ignoring Gratuitous ARP requests; the only solution to have the service working was to configure the CARP on the pfSenses, then migrate the existing VLAN to a new vSwitch, so the VRRP MACs would stick.
I think some perks of the service are beyond ridiculous, but truth be told I have to juggle price/performance and service offering, and so far this has been the ... least bad.
Some are worse on the hardware, others on hardware specs, these guys are bad at networking ... or parts of it.
-
@maverickws Then get another ISP I guess.
-
@maverickws said in IPv6 Help / tutorial / something please!:
so basically I have a virtual switch to which my servers are connected to, and the both the IPv4 and IPv6 subnets are delivered via VLAN, and they give me an upstream gateway for the /64 network which belongs to said subnet.
This is the first time you've mentioned HOW you're getting your connection and it appears they are providing you with only a single /64. As for @Derelict, I can feel his frustration, which may cause you to think he's calling you stupid, as we've been trying to find out how you're connected and you haven't been very forthcoming. You say you're a "noob", well if you want help, you have to help us help you.
Based on what you've now told us, you have a single /64, which cannot be split without breaking things. You'll have to arrange with whoever to provide what you need to meet your requirements. It also appears you're in a data centre, which I don't believe was mentioned before, where a /64 may be suitable, if all you're doing is providing some servers. Much of what I said above was based on the assumption you were a stand-alone customer, getting your own connection from some ISP. If you need more /64s you have to arrange for them, not try to squeeze them out of a /64 by breaking how it's designed.
-
@maverickws I did not call you stupid. In about 8 years of experience helping people on this forum I have found it is just best to get the words from the ISP's mouth. As @JKnott observed, you insisted that you were a "noob" in your OP. If nothing else it establishes that we are actually working from guidance from the ISP and not just trying random things (which happens - a lot).
-
@JKnott ok sorry.
Noob more in regard to IPv6 itself. I'm not a networking guy, I've got a fair understanding of IPv4, but not so much about IPv6. And to that I must say: still a noob, and looking to learn.
About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but it's out in the clear now I guess. I may have missed mentioning it was a Datacenter, I just said "provider", my bad and I'm sorry for the confusion.
I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All VMs get their connectivity through pfSense and are not host-bound.
@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:
You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.
It's like people (or me in this case) are stupid and can't interpret what we're told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased it better. Anyway, please note I said it seemed, I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to any, despite how dumb I may think they are sometimes.
Anyway I don't want to derail the topic to this, was just a comment.
I'm still insisting with the DC so they give me a bigger prefix.