
    IPv6 Lan Mask / Prefix Delegation

    • T
      tiagogaspar8 last edited by

      Hello Everyone

      I might be building a big network in the future and in my search I didn't find routers/firewalls powerful enough to make what I wanted, so I decided to use PFsense to build one of mine, but in my tests I've run into a problem.
      My ISP offers me a dual-stack connection with both IPv4 and IPv6 (with a /56 prefix mask).
      IPv4 works perfectly, and after PFsense receives a prefix through prefix delegation and broadcasts it in the LAN through R.A., IPv6 works too, but I would like to enable prefix delegation for at least a /60 on the LAN so that a second router can broadcast addresses, but for some reason it only assigns a /64 and I don't know how to change it.

      Thanks in advance and sorry for my English and if I sound confusing. :D

      • NogBadTheBad
        NogBadTheBad Galactic Empire last edited by

        Do you really need a /60? How big is the IPv4 subnet?

        A /64 is 18 quintillion IPv6 addresses.

        Off the top of my head, isn't a /60 16 /64 subnets?

        • T
          tiagogaspar8 last edited by

          Thanks for your reply.
          I need a /60 because I want to delegate a /64 prefix to a second router after PFsense.
          My setup is:

          ISP <-----> PFsense <-----> TPLink router

          And the TPLink router needs to receive a /64 through prefix delegation.

          • K
            kpa last edited by

            @NogBadTheBad:

            Do you really need a /60? How big is the IPv4 subnet?

            A /64 is 18 quintillion IPv6 addresses.

            Off the top of my head, isn't a /60 16 /64 subnets?

            A /64 is the standard prefix for a single network segment in IPv6 because it's the only one that works with SLAAC. It sure is a hell of a lot of addresses and only a handful of them are ever used, but it doesn't matter with so many /48s available for breaking them down to smaller prefixes.

            • JKnott
              JKnott last edited by

              I need a /60 because I want to delegate a /64 prefix to a second router after PFsense.

              Use a 2nd LAN interface or VLAN, though I suppose you could route a /64 via a router connected on the main LAN.

              Regardless, you don't want anything other than a /64 on a network.

              • T
                tiagogaspar8 last edited by

                Ok, I see your points, maybe I'm doing this wrong.
                I know that SLAAC needs a /64 prefix to work, I wanted to do that because that's how it worked in OpenWRT. Please help me then to make prefix delegation work in LAN, cause I can't seem to make it work because it asks for a beginning and an end to the prefixes it can delegate, and as I have a dynamic prefix I don't know what to write there.

                Thanks

                • JKnott
                  JKnott last edited by

                  Because that is not really a viable option - the smallest segment with IPv6 is designed to be a /64.  Even a transit network would be a /64 by design…

                  Why do you have a dynamic prefix?  PfSense supports the DUID, which reserves the prefix for your use.  Just make sure you're running a recent version, which has a setting that enables it.  Once that's done, your prefix should essentially be static.  As I mentioned, you can set up pfSense as a router that sends some prefixes elsewhere.  All I've done in that regard is just use a 2nd /64 prefix for a VLAN.  Perhaps someone else here can help, once you let us know what it is exactly you're doing.

                  BTW, why do you need a 2nd router?  With pfSense, you can easily assign prefixes to multiple interfaces or VLANs.

                  • T
                    tiagogaspar8 last edited by

                    I don't know why but for some reason my ISP renews my prefix once in a while so I have to assume that my prefix is dynamic.
                    For my tests I just wanted to make prefix delegation work, I wanted to have a second router after PFsense delegating prefixes, for now I'm just testing PFsense and learning how everything works.
                    I've covered most of it but I'm new at IPv6 and as it is "the future of the internet" I want to learn how it works and be able to do everything I want with it, even in PFsense.
                    If you guys could help me to fill the DHCPv6 parameters to make prefix delegation work I'd be very happy :D

                    I'm sorry I'm making stupid things like having a second router after PFsense but it's just for me to learn, test, and see how it works.

                    • Derelict
                      Derelict LAYER 8 Netgate last edited by

                      The bare minimum PD/static allocation any ISP who has a clue should be delegating/routing is a /56 to residential and a /48 to a business.

                      If you want to delegate to a downstream router, you need to route a /64 per interface/subnet. That would probably mean a /60, which is 16 available /64s.

                      Just forget about the 18 billion billion host addresses in a /64. They do not exist in network planning/design (except you do not need to use a whole /64 on networks such as point-to-point or transit networks to other routers, etc). You simply never have to be concerned about what the subnet size should be ever again or if it will be big enough.  You assign all interfaces a /64 and you will never, ever have to be concerned with having "enough" addresses there.

                      Think of your IPv6 needs in terms of how many subnets/interfaces you will need, including any sites you will be delegating IPv6 networks to internally (other routers, spoke sites, VPNs, etc.)

                      /48 = 65536 /64 subnets
                      /56 = 256 /64 subnets
                      /60 = 16 /64 subnets

                      Any ISP that gives a different PD despite getting the proper DUID is broken and deserves to go bankrupt. Whack them with a clue bat or get a new one.

                      • T
                        tiagogaspar8 last edited by

                        So, what I was thinking was:
                        (I'll use x as fixed and v as variable)
                        PFsense should delegate a /60, which means a xxxx:xxxx:xxxx:xxxv::/60 prefix to the LAN

                        then it should reserve a /64, for example xxxx:xxxx:xxxx:xxx1/64 to the R.A. on the LAN so devices by auto configuration make their own IP

                        and then reserve the rest, for example from xxxx:xxxx:xxxx:xxx2 to xxxx:xxxx:xxxx:xxxf for prefix delegation

                        Am I wrong? How does it work then? And how do I configure it in PFsense?

                        PS: I forgot to mention that when I plugged in the second router to PFsense, in the PFsense logs I could see an entry that said something like "PD request by xxxx" "Couldn't delegate PD: No prefixes to delegate in pool"

                        • Derelict
                          Derelict LAYER 8 Netgate last edited by

                          Well, it depends. You (almost) never set an interface to be anything other than a /64. The routers on that interface will communicate with pfSense using that.

                          What you do from there is up to you. ALL of this is made harder when the allocation to you is dynamic, not just a static route.

                          This is how I configured the DHCPv6 server in my lab. It gives every host there an address out of the /64 AND makes available a /60 prefix delegation.

                          That is really too small but for my testing purposes works fine. I statically route the /64 for the interface (2001:470:beef:7e01::/64) and a /56 (2001:470:beef:7e00::/56) from my HE.Net /48 downstream to this firewall. It doles out /60s (2001:470:beef:7e00::/60 - 2001:470:beef:7ef0::/60) from that.

                          ![Screen Shot 2017-06-03 at 10.46.20 AM.png](/public/imported_attachments/1/Screen Shot 2017-06-03 at 10.46.20 AM.png)
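As an added example (not part of the thread and not pfSense code): a Python sketch using the standard `ipaddress` module that reproduces the /64 counts listed earlier in the thread and enumerates the /60 range described in the post above, checking it against the routed /56 and the interface /64. The function names are assumptions made for this example; the prefixes are the ones quoted in the post.

```python
import ipaddress

def count_64s(prefix_len):
    """How many /64 subnets fit in a prefix of this length."""
    if not 0 <= prefix_len <= 64:
        raise ValueError("prefix length must be between 0 and 64")
    return 2 ** (64 - prefix_len)

def delegation_pool(first, last):
    """Every prefix from `first` to `last` inclusive (same length, aligned)."""
    # strict parsing (the default) rejects a prefix with host bits set
    first = ipaddress.IPv6Network(first)
    last = ipaddress.IPv6Network(last)
    if first.prefixlen != last.prefixlen:
        raise ValueError("range ends must have the same prefix length")
    start, end = int(first.network_address), int(last.network_address)
    if end < start:
        raise ValueError("range end is below range start")
    step = first.num_addresses  # distance between consecutive prefixes
    return [ipaddress.IPv6Network((addr, first.prefixlen))
            for addr in range(start, end + 1, step)]

def check_plan(routed, interface, pool):
    """Return (pool prefixes outside the routed block,
    pool prefixes that overlap the interface network)."""
    routed = ipaddress.IPv6Network(routed)
    interface = ipaddress.IPv6Network(interface)
    outside = [p for p in pool if not p.subnet_of(routed)]
    clashes = [p for p in pool if p.overlaps(interface)]
    return outside, clashes

# Prefixes quoted in the post above (hypothetical constant names)
ROUTED = "2001:470:beef:7e00::/56"
INTERFACE = "2001:470:beef:7e01::/64"
POOL = delegation_pool("2001:470:beef:7e00::/60", "2001:470:beef:7ef0::/60")

if __name__ == "__main__":
    for length in (48, 56, 60):
        print(f"/{length} = {count_64s(length)} /64 subnets")
    outside, clashes = check_plan(ROUTED, INTERFACE, POOL)
    print(f"{len(POOL)} x /60 in pool, {len(outside)} outside {ROUTED}")
    for p in clashes:
        print(f"{p} contains the interface network {INTERFACE}")
```

With the values from the post, the check reports that the first /60 in the range, 2001:470:beef:7e00::/60, contains the interface's /64; that overlap is worth checking for before reusing such a range on another network.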

                          • T
                            tiagogaspar8 last edited by

                            OMG Thanks!!!
                            I'll try to make it work based on that picture.
                            If I have any problems, and if you don't mind I'll come back here to ask for help.
                            Thanks :D
