IPv6 Lan Mask / Prefix Delegation
-
Hello Everyone
I might be building a big network in the future and in my search I didn't find routers/firewalls powerful enough to make what I wanted, so I decided to use PFsense to build one of mine, but in my tests I've ran into a problem.
My ISP offers me a dual-stack connection with both IPv4 and IPv6 (with a /56 prefix mask).
IPv4 works perfectly, and after PFsense receives a prefix trough prefix delegation and broadcasts it in the LAN trough R.A. IPv6 it works too, but I would like to enable prefix delegation for at least a /60 on the LAN so that a second router can broadcast adresses, but for some reason it only assigns a /64 and I don't know how to change it.Thanks in advance and sorry my English and if I sound confusing. :D
-
Do you really need a /60, how big is the IPv4 subnet ?
A /64 is 18 quintillion IPv6 addresses.
Off the top of my head isn't a /60 is 16 /64 subnets !
-
Thanks for your reply.
I need a /60 because I want to delegate a /64 prefix to a second router after PFsense.
My setup is:ISP<–---> PFsense <-----> TPLink router
And the TPLink router needs to receive a /64 trough prefix delegation.
-
Do you really need a /60, how big is the IPv4 subnet ?
A /64 is 18 quintillion IPv6 addresses.
Off the top of my head isn't a /60 is 16 /64 subnets !
A /64 is the standard prefix for a single network segment in IPv6 because it's the only one that works with SLAAC. It sure is hell a lot addresses and only a handful of them ever used but it doesn't matter with so many /48s available for breaking them down to smaller prefixes.
-
I need a /60 because I want to delegate a /64 prefix to a second router after PFsense.
Use a 2nd LAN interface or VLAN, though I suppose you could route a /64 via a router connected on the main LAN.
Regardless, you don't want anything other than a /64 on a network.
-
Ok, I see your points, maybe I'm doing this wrong.
I know that SLAAC needs a /64 prefix to work, I wanted to do that because that's how it worked in OpenWRT. Please help me then to make prefix delegation work in LAN, cause I can't seem to make it work because it asks for a begining and an end to the prefixes it can delegate, and as I have a dynamic prefix I don't know what to write there.Thanks
-
Because that is not really a viable option - the smallest segment with ipv6 is designed to be a /64.. Even a transit network would be a /64 by design…
Why do you have a dynamic prefix? PfSense supports the DUID, which reserves the prefix for your use. Just make sure you're running a recent version, which has a setting that enables it. Once that's done, your prefix should essentially be static. As i mentioned, you can set up pfSense as a router that sends some prefixes elsewhere. All I've done in that regard is just use a 2nd /64 prefix for a VLAN. Perhaps someone else here can help, once you let us know what it is exactly you're doing.
BTW, why do you need a 2nd router?. With pfSense, you can easily assign prefixes to multiple interfaces or VLANs.
-
I don't know why but for some reason my ISP renews my prefix once in a while so I have to assume that my prefix is dynamic.
For my tests I just wanted to make prefix delegation work, i wanted to have a second router after PFsense delegating prefixes, for now I'm just testing PFsense and learning how everything works.
I've covered most off it but I'm new at IPv6 and as it is "the future of the internet" I want to learn how it works and be able to do everything I want with it, even in PFsense.
If you guys could help me to fill the DHCPv6 parameters to make prefix delegation work I'd be very happy :DI'm sorry I'm making stupid things like have a second router after PFsense but it's just for me to learn, test, and see how it works.
-
The bare minimum PD/static allocation any ISP who has a clue should be delegating/routing is a /56 to residential and a /48 to a business.
If you want to delegate to a downstream router, you need to route a /64 per interface/subnet. That would probably mean a /60, which is 16 available /64s.
Just forget about the 18 billion billion host addresses in a /64. They do not exist in network planning/design (except you do not need to use a whole /64 on networks such as point-to-point or transit networks to other routers, etc). You simply never have to be concerned about what the subnet size should be ever again or if it will be big enough. You assign all interfaces a /64 and you will never, ever have to be concerned with having "enough" addresses there.
Think of your IPv6 needs in terms of how many subnets/interfaces you will need, including any sites you will be delegating IPv6 networks to internally (other routers, spoke sites, VPNs, etc.)
/48 = 65536 /64 subnets
/56 = 256 /64 subnets
/60 = 16 /64 subnetsAny ISP that gives a different PD despite getting the proper DUID is broken and deserves to go bankrupt. Whack them with a clue bat or get a new one.
-
So, what I was thinking was:
(I'll use x as fixed and v as variable)
PFsense should delegate a /60, which means a xxxx:xxxx:xxxx:xxxv::/60 prefix to the LANthen it should reserve a /64, for example xxxx:xxxx:xxxx:xxx1/64 to the R.A. on the LAN so devices by auto configuration made their ow IP
and then reserve the rest, for example from xxxx:xxxx:xxxx:xxx2 to xxxx:xxxx:xxxx:xxxf for prefix delegation
Am I wrong? how does it work then? and how do I configure it in PFsense
PS: I forgot to mention that when i plugged in the second router to PFsense, in the PFsense logs i could see an entry that said somethink like "PD request by xxxx" "Couldn't delegate PD: No prefixes to delegate in pool"
-
Well, it depends. You (almost) never set an interface to be anything other than a /64. The routers on that interface will communicate with pfSense using that.
What you do from there is up to you. ALL of this is made harder when the allocation to you is dynamic, not just a static route.
This is how I configured the DHCPv6 server in my lab. It gives every host there an address out of the /64 AND makes available a /60 prefix delegation.
That is really too small but for my testing purposes works fine. I statically route the /64 for the interface (2001:470:beef:7e01::/64) and a /56 (2001:470:beef:7e00::/56) from my HE.Net /48 downstream to this firewall. It doles out /60s (2001:470:beef:7e00::/60 - 2001:470:beef:7ef0::/60) from that.
 -
OMG Thanks!!!
I'll try to make it work based on that picture.
If I have any problems, and if you don't mind I'll come back here to ask for help.
Thanks :D
