Got a /112, can't use it on WAN but SLAAC works and I do get routed /112 packets

  • Hi there,

    I have a native IPv6 connection with a /112 of addresses (not a /56 or /48 or /64) and a gateway outside the subnet. I can't put one of the /112 addresses on the WAN because then it can't find the gateway, but when I set WAN to SLAAC I get a random local address which works, and then I can ping the gateway as well. Putting an address on LAN then doesn't work because it thinks it's conflicting with the WAN address (which it's not). When I ping one of the /112 IPs I can see them appear on the WAN interface (using tcpdump), so I know the connection is good.

    It seems to me that I got handed an IPv6 setup that is arranged in the IPv4 way with no prefix delegation in mind… does that make sense?

  • Does your ISP use DHCPv6?  If so, configure pfSense for DHCPv6 on the WAN side and set up the LAN side to track the WAN interface.

  • That is strange.  With a /112, SLAAC will not work.  You're limited to DHCPv6 or static configuration.  Incidentally, a /64 is the smallest network an ISP is supposed to hand out.  Perhaps you could tell your ISP they're violating the specs (RFC 7421 among others).

    "As a result, RFC 4291 describes a method of forming interface identifiers from IEEE EUI-64 hardware addresses [IEEE802], and this specifies that such interface identifiers are 64 bits long.  Various other methods of forming interface identifiers also specify a length of 64 bits.  The addressing architecture, as modified by [RFC7136], states that:

    For all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long.  If derived from an IEEE MAC-layer address, they must be constructed in Modified EUI-64 format."

    Since the interface ID is 64 bits, the local network prefix can only be /64.

  • LAYER 8 Global Moderator

    Use of /112 is borked and not valid.. If the ISP is handing out /112 they are doing it wrong!!

  • Wow.  I have done a lot of work in data centres and colo sites and never heard of that.  Normally, a customer would get their own fibre & IP address blocks from the ISP.  IPv6 addresses are so plentiful there's absolutely no reason to share a /64.  It's so easy to get a /48.  Get one of those and split it up.

  • "give us a technical reason why, as this is non-standard".

    Well, there's RFC 7421 as I mentioned above, where it states the interface ID is supposed to be 64 bits.

    I'd set it up with NAT and IP aliases if needed, but I never had to do that nor do I really want to.

    No, you don't want NAT.  It's a hack to get around the IPv4 address shortage.

    Maybe I should just come up with a technically sound story on why this /122 is crap and I'd like a /48 instead

    How are they delivering that /112 to you?  Is it actually routed from their main block?  Or is it just a block of addresses, which you are allowed to use.  If so, then you don't want a router, just a firewall.

    I suppose, if all else fails, you can get your own /48 from Hurricane Electric and run a 6in4 tunnel via IPv4.

    Perhaps you should ask them why they're so stingy with something as plentiful as IPv6 addresses.  After all, Hurricane Electric will give you a /48 for free.  I had a free /56 via tunnel for 6 years from another tunnel broker.

    BTW, there are enough /48s to give every person on earth well over 4000 each.  There's absolutely no reason why a /64 has to be split, other than gross incompetence.

  • LAYER 8 Global Moderator

    Without a /64, stuff like ND and a whole bunch of other stuff breaks.. While sure you can use smaller prefixes in routing.. Hosts need /64, so if they want to use /112 as a transit between their routers, fine.  But you as an end user that will have hosts on an IPv6 network, you need to be able to use /64s.

    Using a subnet prefix length other than a /64 will break many features of IPv6, including Neighbor Discovery (ND), Secure Neighbor Discovery (SEND) [RFC3971], privacy extensions [RFC4941], parts of Mobile IPv6 [RFC4866], Protocol Independent Multicast - Sparse Mode (PIM-SM) with Embedded-RP [RFC3956], and Site Multihoming by IPv6 Intermediation (SHIM6) [SHIM6], among others.  A number of other features currently in development, or being proposed, also rely on /64 subnet prefixes.

    So they say /112 is their standard??  What moron came up with that??  Clearly they do not understand how IPv6 works even at a basic level and are trying to apply IPv4 thinking to IPv6 space..  All you should have to do is point to the freaking RFCs on why assigning you a /112 is just broken from every single technical aspect.. There is no freaking reason to not adhere to the RFCs when it comes to breaking up the IPv6 prefixes..  More than likely they should have gotten at least a /32, which is the default block an ISP would have gotten from their regional address registry, ARIN for example..  That is the default block and you're talking 64K /48s they could use..  For what possible reason would they have to use /112s???  Other than their network architect is an idiot? If they did not get enough IPv6 space to provide proper prefixes to their customers and to use within their DC then they need to get more..

    If your desire is to use IPv6 and this location/DC cannot provide you with the proper way to do it - then I would be looking to move elsewhere to be honest. If they cannot get something as basic as IPv6 assignment correct, what else are they just doing all F'd up??

  • LAYER 8 Netgate

    I would not waste one minute trying to get that nonsense to work.

    I would get a properly-routed /48 or move.

    Nobody needs to "justify" a need for a /64 on an interface, or a /48 (OK, fine, a /56) in a datacenter. It just is.

  • Nobody needs to "justify" a need for a /64 on an interface, or a /48 (OK, fine, a /56) in a datacenter. It just is.

    Depending on his needs, a /64 may be plenty.  However, that site has no business splitting a /64.  SLAAC requires a /64 to function.

  • If there's only one host, then perhaps they should just let you use one address of a /64 that's shared with others.  Unless you have multiple devices, there's no real need for an address block.  Once you have an address, you just have to configure the DNS to point to it.  Either way, this /112 nonsense is causing problems.

  • LAYER 8 Global Moderator

    So I have a few 15$ a year VPSes.. And they give me a full /64 on each of them..  They are in the same data center..  So it does not matter if it's 1 box with 1 connection or not.. Now on 2 of them I only use 1 IPv6, since that's all that I need for that.. But I can assign as many IPv6 out of that /64 as I need, etc..

    I would take a guess that you're paying more than $45 a year for this single server??  So for these 3 VPSes that cost me all of $45 a year I have 3 different /64s – I can see no freaking reason why they want to give you only a /112..  Now agreed that is more than enough IPs for anyone..  But that is not the point - IPv6 is /64 or you break shit!!!  And while yes, coming from an IPv4 mindset it seems to be beyond wasteful.. I too when first starting out with IPv6 was like wtf... That is a lot of IPs for every L2 network you're going to have..  And it does seem crazy..  But it's just nuts how big the space really is..

    They should have gotten a /32.. if not multiples of them.. With a /32 you're talking 16 million /56s; do they possibly have 16 million customers in this DC?  For /64s you're talking 4G.. With that many networks available why would you want/need or desire to break shit by going against the RFCs..

    For gosh sake they could go and get a /48 from HE and bring it into their DC and they would have 64K /64's to hand out to their users.. That they are breaking shit up into /112 makes NO sense no matter how you look at it..

  • Yeah, and even then, a shared /64 makes less sense than a dedicated /64 per host.

    But that is not the point - ipv6 is /64 or you break shit!!!

    Yep, that's why I said a shared /64, if they won't give a unique /64.  Either will work fine, but a /112 won't.

    Because that /112 (which isn't a real /112, it's a shared /64 where I'm simply only allowed to use /112 without it being an actual subnet) is the dynamic standard for single-server-single-link in their provisioning system,

    That makes more sense.  They give you a 65K block of addresses and you're supposed to do a static config or possibly mapped DHCP for your systems.  That means there could be 2^48 other systems in there sharing that /64.  ;)
