IPv6 questions

  • Hello,

    just recently i finally got my fibre 100/100 connection from "Deutsche Glasfaser" (translates to german glasfaser^^)
    There is quite a lot i still have to learn about IPv6 but as far as i know Deutsche Glasfaser provides a dual stack implementation where they hand out a private IPv4 adress that
    will be translated to a public IPv4 on the carrier side. (CGN)

    Obviously i can`t provide any services from this IP to the outside world directly, so i thought why not try to use an IPv6 adress for that.
    I talked to my provider and they said they hand out IPv6 with a 56 prefix and a usable 64 subnet to customers.
    So i configured DHCP6 for my WAN interface in pfsense, set prefix delegation size to 56, enabled Send IPv6 prefix hint and do not wait for a RA.
    Most of the time this is a success and i get a IPv6 adress but if i ssh to my machine and type ifconfig in the shell it says prefixlen 128 for WAN even though it should be 56, right?

    The other thing i don`t understand yet is the "Track Interface" setting to get an IPv6 adress for my other interfaces.
    Can you tell me what it exactly does? Cause it seems to copy over the first 32Bits of my WAN IPv6, sets 11fa as the next 16bit and from there on just increases one bit according to what i set in IPv6 prefix ID.

    Thank you in advance for helping me to understand this a little bit better.

  • LAYER 8 Global Moderator

    your not going to see a /56 mask on your wan - they are just delegating a /56 to you - so you can use /64 out of that /56 behind.  When you set the track interface on your lan side you will get that subnet or /64 prefix out of the /56 that has been delegated to you.

    The address your getting on your wan is just going to be transit.

  • I still don`t fully understand i think.
    Lets say i get the following IPv6 from my ISP: (just an example)


    I would assume that my ISP gets a /32 assigned by the RIR or some other authority, according to the IP from above that would be


    So every customer of my ISP should have the the first 32Bits of their IPv6 started with 2001:0db8, is that correct?

    If my provider assigns a /56 to me the prefix would be then


    Furthermore if my ISP says my usable subnet is /64 that would give me (in theory) the possbility to create 256 /64 subnets out of that 2001:0db8:85a3:0800::,  is that also correct?

    What i don`t understand now is if i set my LAN and OPT1… interfaces in pfsense to Track interface (WAN) shouldnt it give me the same network prefix
    (2001:0db8:85a3:0800) and creates my subnets underneath that network?

    In fact it gives me an IP of 2001:0db8:11fa.....

    I am sure my way of thinking is just wrong here, maybe you can shed some light on this for me.

    Thank you.

  • If your isp provides a /56, the first 56 bits are set by the delegated prefix. The prefix id provides the rest of the 8 bits for the subnet. Addresses are allocated within the /64.

  • LAYER 8 Global Moderator

    "What i don`t understand now is if i set my LAN and OPT1… interfaces in pfsense to Track interface (WAN) shouldnt it give me the same network prefix
    (2001:0db8:85a3:0800) and creates my subnets underneath that network?"

    No the /56 they delegate to you does not have to be in the same prefix that you get on your wan.  While if your ISP only has 1 /32 then yes all the prefixes they delegate would have to fall into their /32.. But more likely than not any isp would have more than just 1 /32..  A /32 would be the MINIMUM prefix assigned to an ISP.. More likely than not they could have multiples of /32.

    All of the /64's you assign via tracking would have to fall under the /56 that is delegated to you..

    The IP your wan gets and the prefix/subnet it falls under would be just be a transit network.  Has nothing to do with the delegated network.

  • What i don`t understand now is if i set my LAN and OPT1… interfaces in pfsense to Track interface (WAN) shouldnt it give me the same network prefix
    (2001:0db8:85a3:0800) and creates my subnets underneath that network?

    This keeps coming up over and over again, so I'll take a crack at demystifying it…
    First thing to remember. and its been said previously, so just reinforcing it; any IPv6 network to which hosts will connect will always be /64 period, full-stop, fini.  That's 2^64 addresses, you'll never run out of addresses on a LAN segment, consequently there is no point ever thinking about bigger subnets, EXCEPT when talking about prefix delegations.  Hosts don't connect to delegated prefixes, they connect to a single /64 from inside the delegated prefix.  With that out of the way, let's move on to some nuts and bolts…

    What happens under the covers is that during the DHCP6 exchange between pfSense and the ISP, is that it pfSense's DHCP6 client says "give me an IPv6 address AND a prefix of size x".  The "of size x" part can be honored or ignored by the ISP as they see fit.  This is configured on the WAN interface under the DHCP Client Configuration DHCPv6 Prefix Delegation size. 
    The response comes back from the ISP with "here is your IPv6 address", let's say this ISP allocates their clients in the 2001:db8:1:1::/64 network, so they give the pfSense  2001:db8:1:1::100.  This becomes the IP address that pfSense will use on the WAN interface.  This is the only place you'll see that address, and the only time it will be used is when pfSense sends out locally generated traffic like DNS requests.
    The ISP also gives out a prefix, and let's say it gives out 2001:db8:85a3:800::/56.  This means you have 256 /64 subnets inside ranging from 2001:db8:85a3:800:: thru 2001:db8:85a3:8ff::
    The thing you don't see happen is that once the DHCP6 server receives acknowledgment of the prefix allocation, the ISP's router sets up a route to 2001:db8:85a3:800::/56 via 2001:db8:1:1::100, so all the traffic to any subnet inside the delegated prefix 2001:db8:85a3:800::/56 will arrive at pfSense's WAN interface.  I've seen lots of issues where this doesn't happen because the ISP didn't configure their equipment correctly.

    Back to your initial question; you control which /64 subnet you want to use inside the delegated prefix by entering a value from the IPv6 Prefix ID under the Track IPv6 Interface section of the LAN, or OPTx interface.
    If you put 0 in the Prefix ID on your LAN inteface, you'd get 2001:db8:85a3:800❌x❌x/64 (where x❌x:x = interface EUI-64).  It will start a DHCPv6 server that will allocate 2001:db8:85a3:800::1000 thru 2001:db8:85a3:800::2000 to clients that request an IPv6 address on the LAN interface.
    Router advertisements are enabled by default so clients can find the IPv6 default gateway since that isn't part of DHCPv6.  (Be careful with this when integrating pfSense into an existing network).
    Next, in the OPT1 interface, if you put 1 in the Prefix ID, and you'd get an OPT1 IPv6 address of 2001:db8:85a3:801:EUI-64/64.
    Similarly you can enable DHCP6 and RA as needed.
    In fact you can put anything from 0 to 255 in the prefix ID and you get that single /64  out of the /56 that was delegated to you on the interface in question.
    Likewise, if you were delegated a /52 the valid values for Prefix ID would be 0 to 4095.
    Lastly, you can't put the same prefix ID in multiple interfaces because you can't have the same subnet exist in more than one place at-a-time.

    YMMV, but I hope this clarifies how the IPv6 DHCP6 client interacts with the rest of pfSense.

  • LAYER 8 Global Moderator

    Pretty it up a bit, and ready for the wiki - nice job awebster

  • Thank you for your explanations.
    I think my way of thinking is still to much connected to terms like NAT where the IP of you wan interface is probably the most important one.
    Will take some time for me to change that way of thinking i guess. ^^

    Thank you.

Log in to reply