Pre-setup questions
-
I'm starting to look into setting up OpenVPN so my mobile devices can connect back to my home network when I'm at work or bouncing around town, but I'm not sure I understand it all quite enough yet.
I have a routed /64 and a routed /48 from he.net and everything seems to be working fine so far. For IPv4 I have a cable modem connection with CableOne, 200M down, 10M up. My intention is to be able to access home network stuff as if I were connected over my WiFi. This'll let me take advantage of my piHole ad blocking and a few other things I've set up.
Mobile devices are iOS on Verizon so they get an IPv6 address. My routed /48 is 2001:aaaa:bbbb::/48, I've set up clients behind the pfSense box to use 2001:aaaa:bbbb::X:X:X:X with the X's pretty much matching their internal IPv4 addresses. Did that just to make my life easier, the two addresses match up as much as possible.
So that means (and I'm going by my limited but growing IPv6 knowledge here) my internal subnet is basically a /48 using 2001:aaaa:bbbb::0:X:X:X:X. With OpenVPN can I continue to use that or do I need to set up another subnet using for instance 2001:aaaa:bbbb:1:X:X:X:X? Would I need to adjust the current settings so the network is configured as 2001:aaaa:bbbb:0::/64 and then add a 2001:aaaa:bbbb:1::/64 for the OpenVPN clients?
I know getting this set up means I'll be putting extra load on my cable modem connection, and that could be an issue, but I do plan sometime soon to upgrade it to a 1000M down, 50M up with a 1.1T data cap/month connection so it would get better. I haven't really decided yet whether this is worth the time and effort, just curious to figure it out and see what I can get away with.
-
Uhm… You should use a /64 from the /48 per interface, not waste a /48 on your LAN.
-
That's what I was thinking when I first set this up but I'm real new to IPv6 and pfSense so I'm still figuring it out as I go. Been doing SysAdmin work for quite a few years but I haven't had opportunity to get into this stuff up until now.
So I'm thinking now I should change my internal IPv6 to use something like 2001:aaaa:bbbb:cccc::/64. Then when I start to set up OpenVPN I can define that as 2001:aaaa:bbbb:dddd::/64.
I'm sure there's routing issues and rules I'll have to figure out unless setting up the OpenVPN will automatically do that so the mobile clients coming in through OpenVPN will by default be able to talk to the internal network devices.
-
Erm, nope. You need some IPv6 subnet calc. You are flipping the wrong bits. Those are outside the /48 and not at your disposal.
    2001:0000:0000:0000:0000:0000:0000:0001
    XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
          ||| |||| |||| |||| |||| |||| ||||
          ||| |||| |||| |||| |||| |||| |||128
          ||| |||| |||| |||| |||| |||| ||124
          ||| |||| |||| |||| |||| |||| |120
          ||| |||| |||| |||| |||| |||| 116
          ||| |||| |||| |||| |||| |||112
          ||| |||| |||| |||| |||| ||108
          ||| |||| |||| |||| |||| |104
          ||| |||| |||| |||| |||| 100
          ||| |||| |||| |||| |||96
          ||| |||| |||| |||| ||92
          ||| |||| |||| |||| |88
          ||| |||| |||| |||| 84
          ||| |||| |||| |||80
          ||| |||| |||| ||76
          ||| |||| |||| |72
          ||| |||| |||| 68
          ||| |||| |||64
          ||| |||| ||60
          ||| |||| |56
          ||| |||| 52
          ||| |||48
          ||| ||44
          ||| |40
          ||| 36
          ||32
          |28
          24
-
I already looked that up and on the random subnet calculator I found I got this:
    Compressed Address: 2001:aaaa:bbbb::/48
    Expanded Address: 2001:aaaa:bbbb:0000:0000:0000:0000:0000/48
    Prefix: ffff:ffff:ffff:0000:0000:0000:0000:0000
    Range: 2001:aaaa:bbbb:0:0:0:0:0 2001:aaaa:bbbb:ffff:ffff:ffff:ffff:ffff
    Number of /64s: 65536
I admit to being new to this, but I don't see how my previous thought was wrong and I'm real curious where I went wrong.
-
See the ASCII "art" above. (Or I'm getting confused by your obfuscation. Simply, those aaaa:bbbb bits should not change.)
-
Ok, maybe it is the obfuscation, didn't think it wise to advertise my network addresses publicly.
If he.net assigns me 2001:aaaa:bbbb::/48, I get everything from 2001:aaaa:bbbb:0:0:0:0:0 through 2001:aaaa:bbbb:ffff:ffff:ffff:ffff:ffff routed to my pfSense system. The 2001:aaaa:bbbb is the 48 bit prefix, I can't change that but I can assign anything in the remaining 80 bits as I see fit right?
So my internal LAN could be set to 2001:aaaa:bbbb:CCCC::/64
OpenVPN network could be set to 2001:aaaa:bbbb:DDDD::/64
I'm not changing the /48 prefix at all, just trying to get an idea of how to plan for a separate subnet within the 80 bits I have at my disposal.
-
Ah OK, yeah. Perhaps keeping things less chaotic is desirable - like using 2001:aaaa:bbbb:0001::/64, 2001:aaaa:bbbb:0002::/64, … doesn't matter though.
-
Whew, :) thought maybe I was losing my mind for a moment and somehow what I thought was 48 bits had changed.
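
An added example, not part of any post in this thread: a Python check of a per-interface addressing plan against the delegated /48, using the thread's obfuscated prefix. The interface names, the plan dictionaries and the function names are assumptions made for illustration.

```python
import ipaddress

DELEGATED = "2001:aaaa:bbbb::/48"  # obfuscated prefix as written in the thread

# Constructed plans: the first attempt (whole /48 on the LAN) and the revised one.
ORIGINAL = {"LAN": "2001:aaaa:bbbb::/48", "OPENVPN": "2001:aaaa:bbbb:1::/64"}
REVISED = {"LAN": "2001:aaaa:bbbb:1::/64", "OPENVPN": "2001:aaaa:bbbb:2::/64"}


def check_plan(delegated, plan):
    """Return a list of problems in an interface -> prefix plan (empty if clean)."""
    parent = ipaddress.ip_network(delegated)
    nets, problems = {}, []
    for iface, prefix in plan.items():
        net = ipaddress.ip_network(prefix)  # raises ValueError if host bits are set
        if not net.subnet_of(parent):
            problems.append(f"{iface}: {net} is outside {parent}")
        elif net.prefixlen != 64:
            problems.append(f"{iface}: {net} should be a /64")
        nets[iface] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    return problems


def subnet_id(delegated, prefix):
    """The bits between the delegated prefix and the subnet boundary, as an integer."""
    parent = ipaddress.ip_network(delegated)
    net = ipaddress.ip_network(prefix)
    offset = int(net.network_address) - int(parent.network_address)
    return offset >> (128 - net.prefixlen)


def count_64s(delegated):
    """How many /64 subnets fit inside the delegated prefix."""
    return 2 ** (64 - ipaddress.ip_network(delegated).prefixlen)


if __name__ == "__main__":
    print("number of /64s:", count_64s(DELEGATED))
    for label, plan in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, check_plan(DELEGATED, plan) or "OK")
    print("subnet id:", hex(subnet_id(DELEGATED, "2001:aaaa:bbbb:dddd::/64")))
```

Keeping the OpenVPN clients in their own /64 also gives the firewall a distinct source prefix to write rules against.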