Static /56, /64s to LANs
-
IPv6 rookie here. Still can't fully grasp my head around how it works.
I'm provided a static /56 in a datacenter. pfSense is my main firewall. For Example: 2009:19f0:0:700::/56
Their gateway is at 2009:19f0:0:700::1
The first /64 in that /56 is assigned on the WAN with the first usable address set. I can now ping the WAN v6 address over the WAN. WAN IP: 2009:19f0:0:700::100
Now on my LAN/s, I believe I should be choosing another /64 here and assigning the LAN an address. I set my LAN IP to 2009:19f0:0:701::100/64. This is where I'm completely stalled. I've enabled DHCPv6 and set it to assisted. Internal devices seem to be getting a valid IP in the /64 but obviously no traffic makes it beyond the LAN IP and no traffic makes it in.
Am I in need of a route here?
Where do I go from here? I haven't been able to find a single guide that explains a I presume simple scenario like this.
-
I'm provided a static /56 in a datacenter. pfSense is my main firewall. For Example: 2009:19f0:0:700::/56
Their gateway is at 2009:19f0:0:700::1
You need to know what they are actually putting on your WAN interface and what they are routing to you. Or if your connection to the upstream is link-local and they route the /56 to you on your link-local address.
You would never, ever put a /56 on the WAN interface. Only a hosting company like OVH would do something moronic like that. Is it OVH?
If your provider knows what they are doing, they will put your WAN interface on something like a /64 then ROUTE that /56 to you on that address.
You would then have 2009:19f0:0:700::/56 to play with, which would be 256 /64 networks for 256 inside interfaces.
You would statically assign them 2009:19f0:0:700::/64, 2009:19f0:0:701::/64, 2009:19f0:0:702::/64 … 2009:19f0:0:7ff::/64
A colo should not be giving you anything less than a /48 but colos/ISPs are stupid.
It is OK if they are using the first /64 as the WAN though it is just a touch strange it should work. You need to find out what address on WAN they are routing the /56 to and set that as your WAN address. Then quickly put a VIP out of another /64 on localhost, pass ICMPv6 into WAN for that address, and see if you can ping6 that from the outside.
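The reply above describes the layout to aim for: the /56 is routed to a WAN address, the WAN sits on its first /64, and the remaining /64s are statically assigned to inside interfaces. The following is an added example (not code from the thread or from pfSense) that carves the thread's own 2009:19f0:0:700::/56 into its 256 /64s with Python's standard `ipaddress` module and runs the sanity checks you would want before suspecting the provider's routing; the addresses are the thread's example values, and the check names are my own.

```python
"""Carve a routed /56 into /64s and sanity-check the WAN/LAN layout.

Added example, not from the thread. Prefix and addresses are the
thread's example values; only the standard library is used.
"""
import ipaddress

ROUTED_PREFIX = ipaddress.IPv6Network("2009:19f0:0:700::/56")      # from the thread
UPSTREAM_GATEWAY = ipaddress.IPv6Address("2009:19f0:0:700::1")     # from the thread
WAN_ADDRESS = ipaddress.IPv6Interface("2009:19f0:0:700::100/64")   # from the thread
LAN_ADDRESS = ipaddress.IPv6Interface("2009:19f0:0:701::100/64")   # from the thread


def carve_64s(prefix):
    """Return every /64 inside the routed prefix, in address order."""
    if prefix.prefixlen > 64:
        raise ValueError(f"{prefix} is longer than a /64; nothing to carve")
    return list(prefix.subnets(new_prefix=64))


def nth_64(prefix, n):
    """The n-th /64 (0-based) of the prefix; n=1 -> 2009:19f0:0:701::/64."""
    subnets = carve_64s(prefix)
    if not 0 <= n < len(subnets):
        raise IndexError(f"{prefix} holds only {len(subnets)} /64s")
    return subnets[n]


def check_layout(prefix, gateway, wan, lan):
    """Checks for the 'routed /56, WAN on first /64, LAN on another /64' layout.

    Returns a dict of findings; every value should be True.
    """
    return {
        # The upstream gateway must be on-link on the WAN /64 (reached via NDP).
        "gateway_on_wan_link": gateway in wan.network,
        # The LAN prefix must be inside what the provider routes to us ...
        "lan_inside_routed": lan.network.subnet_of(prefix),
        # ... and must not be the same L2 segment as the WAN.
        "lan_distinct_from_wan": not lan.network.overlaps(wan.network),
        # SLAAC needs exactly a /64 on the LAN.
        "lan_is_64": lan.network.prefixlen == 64,
        # A WAN pass rule with the /56 as destination covers the LAN host.
        "wan_rule_covers_lan_host": lan.ip in prefix,
    }


if __name__ == "__main__":
    subnets = carve_64s(ROUTED_PREFIX)
    print(f"{len(subnets)} /64s: {subnets[0]} ... {subnets[-1]}")
    for name, ok in check_layout(ROUTED_PREFIX, UPSTREAM_GATEWAY,
                                 WAN_ADDRESS, LAN_ADDRESS).items():
        print(f"{name:26s} {'ok' if ok else 'FAIL'}")
```

Running `check_layout` with the LAN mistakenly set to `2009:19f0:0:700::100/56` (the /56 put directly on an interface, as several replies warn against) fails both `lan_is_64` and `lan_distinct_from_wan`, which is the quickest way to catch that misconfiguration before touching firewall rules.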
-
I wouldn't put it past the colo/isp to assign a /56 to the interface vs actual route of it..
"colos/ISPs are stupid."
Yeah they are ;)
That they gave you the gateway ::1 of the /56 kind of points to they assigned it to their interface vs routing it to you. What they should have said is hey we routed /56 to YOUR wan IP xyz…
-
A colo should not be giving you anything less than a /48 but colos/ISPs are stupid.
I think that would depend on the type of co-lo. If providing an IP prefix for further distribution, yes. If providing server space, no. I've worked in both. The OP mentioned data centre. That would imply server space.
-
Even if providing server space assigning a single /56 or /60, etc on a specific interface is just plain MORONIC!!
If they are giving the client space hosted on their networks then it would be /64s.. There is never a reason that you would actually assign an interface a /56 address.. If so you're doing it WRONG!!! If they have multiple layer 2 networks assigned to the user that is hosting stuff, then they would assign multiple /64s
Inside a network a /56 or /60 could be used as a routing summary or a firewall rule, etc. But assigning it to an actual interface is borked…
Here is an example of some VPSs I have in a DC - each vps gets its own /64 that I can assign as many of those IPv6 addresses I want to use on that server out of that /64..
-
If they are giving the client space hosted on their networks then it would be /64s..
A single /64 should be adequate for any data centre, where they're providing the IP addresses. I don't think there are many with more than 18.4 billion, billion servers in them. Of course, customers may choose to bring in their own Internet access, but then the data centre wouldn't be providing them with addresses.
-
It's not about the number of addresses. It is about the number of interfaces.
A /64 and any sort of firewall/router does not mix. If it is just a /64 to, say, a single VPS then OK. But this thread is about someone trying to put pfSense there.
If it is not a /64 it should be a /48 minimum.
This is the real world not the fantasyland of residential cable internet.
-
Hey Guys,
Thanks for the responses. I've currently got a message out to them asking for clarifications on the above mentioned items. I originally asked for a /56 since I figured a /48 was too much. If there's a limitation I'm going to hit here with a /56 besides the number of subnets I can break it up into might as well know this now. 256 networks should be more than enough for me.
However what I think I'm struggling to understand here is the basic concept of the IPv6 routing vs. how it's typically done in IPv4. I guess because of lack of NAT and that we are forwarding public addresses through pfSense?
Assuming I get closer to this working, I'd need to run a DHCPv6 server on each internal interface to hand out v6 addresses correct? or would I let pfSense go to the SLAAC route?
Finally this isn't OVH. I wouldn't even post to this forum if I was dealing with that nightmare. ;D
-
I would just get SLAAC working before messing about with DHCPv6.
Just set the RA to unmanaged. As far as I know there are several devices that do not support DHCPv6 but can't think of any that don't support SLAAC.
If you're dealing with servers, they are going to be static anyway most likely.
The bits between your routed prefix and /64 are available to use on inside interfaces and for inside uses. I agree that 256 ought to be enough. I advocate a /48 because then, if you want, you can route /56 or /60 to VPN endpoints, etc. You can really start to blow through a /56 if you do anything like that.
There is simply zero reason to ration IPv6 addresses. The sooner everyone gets onboard with that the more better it will all be for everyone.
-
Last time I looked at the math every person on the planet, let's call it 8 Billion, could have like 4000 /48's and still wouldn't even scratch the surface of the currently allocated space.
Let alone all the space out of the total space that is just sitting there not allocated for anything.
A site, be it your house, be it a building in a company. Be it a RACK in a DC should get a /48 to work with..
This /48 should be routed to you so you can use it how you want. Directly assigning a /48 to an interface connected to some specific L2 is just utterly pointless…
These companies be it an ISP or a DC dicking around with directly attaching /56 doesn't get it....
-
Last time I looked at the math every person on the planet, let's call it 8 Billion, could have like 4000 /48's and still wouldn't even scratch the surface of the currently allocated space.
It's over 4000, with the 1/8th of the IPv6 address space allocated to global unique addresses. However, that's not the issue. What use would a server have with anything bigger than a /64? A bigger prefix will not work with SLAAC. Assigning anything more than a /64 to a server is simply throwing away a huge block of addresses, to no useful purpose. On the other hand, a larger prefix is useful for supporting multiple networks, VLANs, etc. How many servers do that? As I mentioned, in some data centres, they provide addresses from their own pool. A single /64 could handle every single server that you're likely to find in a real data centre.
-
I would argue that any "server" should have a single interface address on the provider's public subnet and a /64 routed to that.
You could then use that /64 as you see fit for IP aliases, virtual hosts, etc.
But if that's the service you bought, you shouldn't try to shove a router in there and try to do router stuff, though that configuration would allow you to do one inside interface.
-
I would argue that any "server" should have a single interface address on the provider's public subnet and a /64 routed to that.
I have worked on several jobs, where the server had its own direct Internet connection over fibre. Sometimes the address is provided by the carrier, others by the customer. It all depends on what the customer wants and is willing to pay for.
Incidentally, a couple of months ago, I was doing some work for a cell carrier at the main Toronto Internet exchange point. I spent 17 years working in that building, back when it housed a major Canadian telecom. It felt weird to look around and think that over there was… ;-)
-
My point is people should not try to shoehorn a router into a service that is not designed for it and expect acceptable results.
But people try every day.
-
Ok got a /64 IP and Gateway assigned on the WAN now we're good there. Along with the original /56 routed to me on that /64 address that is assigned on pfSense's WAN. Looks like SLAAC is working internally. I have 2009:19f0:0:701::100/64 assigned statically on the LAN interface and my internal devices are automatically grabbing an address in that /64. Still can't get out though. What else needs to get done here?
DHCPv6 has been disabled and Router Advertisement set to Unmanaged.
IPv6 default allow rule is in place in the LAN rules.
Made a VIP to the 2009:19f0:0:701::1/64 block on the WAN interface as an IP Alias as well and made a rule on the WAN to forward ICMPv6 all to the LAN address aka (2009:19f0:0:701::100). No external ping as of now.
Am I even on track?
-
Made a VIP to the 2009:19f0:0:701::1/64 block on the WAN interface as an IP Alias as well and made a rule on the WAN to forward ICMPv6 all to the LAN address aka (2009:19f0:0:701::100). No external ping as of now.
Why the VIP?
You just need to pass traffic on WAN to the /56 (or just part of it). No VIPs necessary.
-
You had previously mentioned it in your first response to test inbound ping to the LAN address. aka 2009:19f0:0:701::100
-
Right. That was just for a quick test to see if the prefix was actually routed by the ISP.
If you have that prefix assigned to an interface and a host on that address all you have to do is pass the traffic. If it doesn't respond then make sure that host actually WILL respond (no local firewalls, etc. Default gateway properly set, etc)
-
Ok, well that netted me nothing before so I guess something still isn't working. I have no in/outbound traffic at this time.
Just to confirm,
WAN IPv6 address set to the new /64 address that the /56 is routed to. LAN has an IP of 2009:19f0:0:701::100
Created a rule on the WAN rules to allow src any to dest 2009:19f0:0:700::/56 no change in condition. LAN has default v6 all rule out. What should my gateway out on the devices on the LAN be after they receive their SLAAC configuration?
-
Probably fe80::1:1%local_interface_name
I cannot ping6 any of the addresses you have mentioned including their gateway address.
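Two points in the thread come down to what is inside the Router Advertisement pfSense sends on the LAN: the advice to set the RA to Unmanaged and get SLAAC working before DHCPv6 (the reply after the OP's second post), and the question of what default gateway LAN hosts end up with after SLAAC (answered above as a link-local address such as fe80::1:1). The following is an added example, not code from the thread or from pfSense, that builds a constructed RA payload, decodes the M/O flags and the Prefix Information option the way a SLAAC host does, and reports the default router a host would install. The mapping from flag bits back to pfSense's RA mode names is my reading of those settings; the packets are constructed here, not captured.

```python
"""Decode an ICMPv6 Router Advertisement and report what a SLAAC host does with it.

Added example, not from the thread. Packets are constructed inline (no
capture); the pfSense mode names are my own mapping of the M/O/A bits.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

RA_FLAG_MANAGED = 0x80        # M: addresses come from DHCPv6
RA_FLAG_OTHER = 0x40          # O: other config (DNS etc.) comes from DHCPv6
PIO_FLAG_ONLINK = 0x80        # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40    # A: prefix may be used for SLAAC


def build_ra(prefix, ra_flags=0,
             pio_flags=PIO_FLAG_ONLINK | PIO_FLAG_AUTONOMOUS,
             router_lifetime=1800):
    """Construct an RA payload (ICMPv6 only, no IPv6 header, checksum zero)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, ra_flags, router_lifetime, 0, 0)
    # Prefix Information option: type 3, length 4 (units of 8 bytes).
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                      pio_flags, 86400, 14400, 0, net.network_address.packed)
    return header + pio


def parse_ra(payload, src_link_local):
    """Return the fields a SLAAC host acts on, given the RA's source address."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    (icmp_type, code, _csum, _hlim, flags, router_lifetime,
     _reach, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16
    while off < len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard packet
        opt = payload[off:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, _valid, _pref, _res, raw = struct.unpack("!BBIII16s", opt[2:])
            autonomous = bool(pflags & PIO_FLAG_AUTONOMOUS)
            prefixes.append({
                "prefix": ipaddress.IPv6Network((raw, plen), strict=False),
                "on_link": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": autonomous,
                # SLAAC (64-bit interface IDs) only works with a /64.
                "slaac_usable": autonomous and plen == 64,
            })
        off += opt_len * 8
    src = ipaddress.IPv6Address(src_link_local)
    return {
        "managed": bool(flags & RA_FLAG_MANAGED),
        "other": bool(flags & RA_FLAG_OTHER),
        "prefixes": prefixes,
        # Hosts install the RA's link-local source as default router, never
        # a global address, and only while the router lifetime is non-zero.
        "default_router": src if router_lifetime > 0 and src.is_link_local else None,
    }


def pfsense_mode(ra):
    """Map M/O/A bits back to pfSense's RA mode names (my own mapping)."""
    autonomous = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "Assisted" if autonomous else "Managed"
    if autonomous:
        return "Stateless DHCP" if ra["other"] else "Unmanaged"
    return "Router Only"


if __name__ == "__main__":
    # Constructed: an Unmanaged RA for the thread's LAN /64 from fe80::1:1.
    ra = parse_ra(build_ra("2009:19f0:0:701::/64"), "fe80::1:1")
    print(pfsense_mode(ra), ra["prefixes"][0]["prefix"], ra["default_router"])
```

The decoded `default_router` is the answer to the gateway question: a SLAAC host's route points at the RA's link-local source (fe80::1:1 on a default pfSense LAN), so a LAN host whose default route shows a global address was configured by hand, not by the RA. Feeding the /56 instead of a /64 into `build_ra` yields a prefix that is not `slaac_usable`, which is the same failure as putting the /56 directly on an interface.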