Static /56, /64s to LANs



  • IPv6 rookie here. Still can't fully wrap my head around how it works.

    I'm provided a static /56 in a datacenter. pfSense is my main firewall. For Example: 2009:19f0:0:700::/56
    Their gateway is at 2009:19f0:0:700::1

    The first /64 in that /56 is assigned on the WAN with the first usable address set. I can now ping the WAN v6 address over the WAN. WAN IP: 2009:19f0:0:700::100

    Now on my LAN/s, I believe I should be choosing another /64 here and assigning the LAN an address. I set my LAN IP to 2009:19f0:0:701::100/64. This is where I'm completely stalled. I've enabled DHCPv6 and set it to assisted. Internal devices seem to be getting a valid IP in the /64 but obviously no traffic makes it beyond the LAN IP and no traffic makes it in.

    Am I in need of a route here?

    Where do I go from here? I haven't been able to find a single guide that explains what I presume is a simple scenario like this.


  • Netgate

    I'm provided a static /56 in a datacenter. pfSense is my main firewall. For Example: 2009:19f0:0:700::/56
    Their gateway is at 2009:19f0:0:700::1

    You need to know what they are actually putting on your WAN interface and what they are routing to you. Or if your connection to the upstream is link-local and they route the /56 to you on your link-local address.

    You would never, ever put a /56 on the WAN interface. Only a hosting company like OVH would do something moronic like that. Is it OVH?

    If your provider knows what they are doing, they will put your WAN interface on something like a /64 then ROUTE that /56 to you on that address.

    You would then have 2009:19f0:0:700::/56 to play with, which would be 256 /64 networks for 256 inside interfaces.

    You would statically assign them 2009:19f0:0:700::/64, 2009:19f0:0:701::/64, 2009:19f0:0:702::/64 … 2009:19f0:0:7ff::/64

    A colo should not be giving you anything less than a /48 but colos/ISPs are stupid.

    It is OK if they are using the first /64 as the WAN; though it is just a touch strange, it should work. You need to find out what address on WAN they are routing the /56 to and set that as your WAN address. Then quickly put a VIP out of another /64 on localhost, pass ICMPv6 into WAN for that address, and see if you can ping6 that from the outside.
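    An added worked example (not code from this thread or from pfSense) that does the prefix arithmetic the reply above describes with Python's ipaddress module: it carves the thread's 2009:19f0:0:700::/56 into its 256 /64s, shows that the WAN's on-link /64 is itself one of those routed /64s, and classifies a destination as on-link, routed or outside the delegation from the firewall's point of view. The addresses are the ones quoted in the thread (2009:19f0:0:700::/56 is an example prefix, not real allocated space).

```python
"""Prefix arithmetic for a routed /56 behind a firewall (added example)."""
import ipaddress

# Values quoted in the thread: the routed /56, the upstream gateway,
# the WAN interface address and the first LAN address.
ROUTED_PREFIX = ipaddress.IPv6Network("2009:19f0:0:700::/56")
UPSTREAM_GW = ipaddress.IPv6Address("2009:19f0:0:700::1")
WAN_IFACE = ipaddress.IPv6Interface("2009:19f0:0:700::100/64")
LAN_IFACE = ipaddress.IPv6Interface("2009:19f0:0:701::100/64")


def lan_subnets(prefix: ipaddress.IPv6Network, new_prefix: int = 64) -> list:
    """All /64s carved out of the routed prefix, in address order.

    For a /56 this is 2^(64-56) = 256 networks, one per inside interface."""
    return list(prefix.subnets(new_prefix=new_prefix))


def wan_overlaps_routed(wan: ipaddress.IPv6Interface,
                        prefix: ipaddress.IPv6Network) -> bool:
    """True when the WAN's on-link /64 is one of the routed /64s.

    That is the 'first /64 of the /56 on the WAN' layout the thread calls
    a touch strange: it works, but it burns one of the 256 inside /64s."""
    return wan.network.subnet_of(prefix)


def usable_inside_subnets(prefix: ipaddress.IPv6Network,
                          wan: ipaddress.IPv6Interface) -> list:
    """The /64s still free for inside interfaces once the WAN /64 is removed."""
    return [n for n in lan_subnets(prefix) if n != wan.network]


def classify(addr: str, wan: ipaddress.IPv6Interface,
             prefix: ipaddress.IPv6Network) -> str:
    """How a packet to addr reaches the firewall, seen from the WAN side.

    On-link addresses are resolved with NDP directly; addresses inside the
    routed prefix only arrive if the upstream forwards them to the WAN address;
    anything else is not the firewall's business at all."""
    a = ipaddress.IPv6Address(addr)
    if a in wan.network:
        return "on-link"
    if a in prefix:
        return "routed"
    return "outside"


if __name__ == "__main__":
    subs = lan_subnets(ROUTED_PREFIX)
    print(len(subs), "subnets:", subs[0], subs[1], "...", subs[-1])
    print("WAN /64 is inside the routed /56:", wan_overlaps_routed(WAN_IFACE, ROUTED_PREFIX))
    print("inside /64s still free:", len(usable_inside_subnets(ROUTED_PREFIX, WAN_IFACE)))
    for dst in (str(UPSTREAM_GW), str(LAN_IFACE.ip), "2001:db8::1"):
        print(dst, "->", classify(dst, WAN_IFACE, ROUTED_PREFIX))
```

    The "routed" result is exactly the case where a packet capture on WAN, as suggested later in the thread, tells you whether the upstream is actually forwarding the /56 to you.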


  • Rebel Alliance Global Moderator

    I wouldn't put it past the colo/ISP to assign a /56 to the interface vs actually routing it..

    "colos/ISPs are stupid."

    Yeah they are ;)

    That they gave you the gateway ::1 of the /56 kind of points to them having assigned it to their interface vs routing it to you.  What they should have said is hey, we routed the /56 to YOUR WAN IP xyz…



  • A colo should not be giving you anything less than a /48 but colos/ISPs are stupid.

    I think that would depend on the type of co-lo.  If providing an IP prefix for further distribution, yes.  If providing server space, no.  I've worked in both.  The OP mentioned data centre.  That would imply server space.


  • Rebel Alliance Global Moderator

    Even if providing server space assigning a single /56 or /60, etc on a specific interface is just plain MORONIC!!

    If they are giving the client space hosted on their networks then it would be /64s.. There is never a reason that you would actually assign an interface a /56 address.. If so you're doing it WRONG!!!  If they have multiple layer 2 networks assigned to the user that is hosting stuff, then they would assign multiple /64s

    Inside a network a /56 or /60 could be used as a routing summary or a firewall rule, etc.  But assigning it to an actual interface is borked…

    Here is an example of some VPSs I have in a DC - each VPS gets its own /64 that I can assign as many of those IPv6 addresses as I want to use on that server out of that /64..




  • If they are giving the client space hosted on their networks then it would be /64s..

    A single /64 should be adequate for any data centre, where they're providing the IP addresses.  I don't think there are many with more than 18.4 billion, billion servers in them.  Of course, customers may choose to bring in their own Internet access, but then the data centre wouldn't be providing them with addresses.


  • Netgate

    It's not about the number of addresses. It is about the number of interfaces.

    A /64 and any sort of firewall/router does not mix. If it is just a /64 to, say, a single VPS then OK. But this thread is about someone trying to put pfSense there.

    If it is not a /64 it should be a /48 minimum.

    This is the real world not the fantasyland of residential cable internet.



  • Hey Guys,

    Thanks for the responses. I've currently got a message out to them asking for clarifications on the above mentioned items. I originally asked for a /56 since I figured a /48 was too much. If there's a limitation I'm going to hit here with a /56, besides the number of subnets I can break it up into, I might as well know this now. 256 networks should be more than enough for me.

    However, what I think I'm struggling to understand here is the basic concept of IPv6 routing vs. how it's typically done in IPv4. I guess because of the lack of NAT and that we are forwarding public addresses through pfsense?

    Assuming I get closer to this working, I'd need to run a DHCPv6 server on each internal interface to hand out v6 addresses, correct? Or would I let pfSense go the SLAAC route?

    Finally this isn't OVH. I wouldn't even post to this forum if I was dealing with that nightmare.  ;D


  • Netgate

    I would just get SLAAC working before messing about with DHCPv6.

    Just set the RA to unmanaged. As far as I know there are several devices that do not support DHCPv6 but can't think of any that don't support SLAAC.

    If you're dealing with servers, they are going to be static anyway most likely.

    The bits between your routed prefix and /64 are available to use on inside interfaces and for inside uses. I agree that 256 ought to be enough. I advocate a /48 because then, if you want, you can route /56 or /60 to VPN endpoints, etc. You can really start to blow through a /56 if you do anything like that.

    There is simply zero reason to ration IPv6 addresses. The sooner everyone gets onboard with that, the better it will all be for everyone.


  • Rebel Alliance Global Moderator

    Last time I looked at the math, every person on the planet, let's call it 8 billion, could have like 4000 /48s and still wouldn't even scratch the surface of the currently allocated space.

    Let alone all the space out of the total space that is just sitting there not allocated for anything.

    A site, be it your house, a building in a company, or a RACK in a DC, should get a /48 to work with..

    This /48 should be routed to you so you can use it how you want.  Directly assigning a /48 to an interface connected to some specific L2 is just utterly pointless…

    These companies, be it an ISP or a DC, dicking around with directly attaching a /56 don't get it....



  • Last time I looked at the math, every person on the planet, let's call it 8 billion, could have like 4000 /48s and still wouldn't even scratch the surface of the currently allocated space.

    It's over 4000, with the 1/8th of the IPv6 address space allocated to global unique addresses.  However, that's not the issue.  What use would a server have with anything bigger than a /64?  A bigger prefix will not work with SLAAC.  Assigning anything more than a /64 to a server is simply throwing away a huge block of addresses, to no useful purpose.  On the other hand, a larger prefix is useful for supporting multiple networks, VLANs etc..  How many servers do that?  As I mentioned, in some data centres, they provide addresses from their own pool.  A single /64 could handle every single server that you're likely to find in a real data centre.


  • Netgate

    I would argue that any "server" should have a single interface address on the provider's public subnet and a /64 routed to that.

    You could then use that /64 as you see fit for IP aliases, virtual hosts, etc.

    But if that's the service you bought, you shouldn't try to shove a router in there and try to do router stuff, though that configuration would allow you to do one inside interface.



  • I would argue that any "server" should have a single interface address on the provider's public subnet and a /64 routed to that.

    I have worked on several jobs where the server had its own direct Internet connection over fibre.  Sometimes the address is provided by the carrier, others by the customer.  It all depends on what the customer wants and is willing to pay for.

    Incidentally, a couple of months ago, I was doing some work for a cell carrier at the main Toronto Internet exchange point.  I spent 17 years working in that building, back when it housed a major Canadian telecom.  It felt weird to look around and think that over there was…  ;-)


  • Netgate

    My point is people should not try to shoehorn a router into a service that is not designed for it and expect acceptable results.

    But people try every day.



  • Ok, got a /64 IP and gateway assigned on the WAN, so we're good there. Along with the original /56 routed to me on that /64 address that is assigned on pfSense's WAN. Looks like SLAAC is working internally. I have 2009:19f0:0:701::100/64 assigned statically on the LAN interface and my internal devices are automatically grabbing an address in that /64. Still can't get out though. What else needs to get done here?

    DHCPv6 has been disabled and Router Advertisement set to Unmanaged.

    IPv6 default allow rule is in place in the LAN rules.

    Made a VIP to the 2009:19f0:0:701::1/64 block on the WAN interface as an IP Alias as well and made a rule on the WAN to forward ICMPv6 all to the LAN address aka (2009:19f0:0:701::100). No external ping as of now.

    Am I even on track?


  • Netgate

    Made a VIP to the 2009:19f0:0:701::1/64 block on the WAN interface as an IP Alias as well and made a rule on the WAN to forward ICMPv6 all to the LAN address aka (2009:19f0:0:701::100). No external ping as of now.

    Why the VIP?

    You just need to pass traffic on WAN to the /56 (or just part of it). No VIPs necessary.



  • You had previously mentioned it in your first response to test inbound ping to the LAN address. aka 2009:19f0:0:701::100


  • Netgate

    Right. That was just for a quick test to see if the prefix was actually routed by the ISP.

    If you have that prefix assigned to an interface and a host on that address, all you have to do is pass the traffic. If it doesn't respond, then make sure that host actually WILL respond (no local firewalls, etc., default gateway properly set, etc.)



  • Ok, well that netted me nothing before so I guess something still isn't working. I have no in/outbound traffic at this time.

    Just to confirm,
    WAN IPv6 address set to the new /64 address that the /56 is routed to. LAN has an IP of 2009:19f0:0:701::100

    Created a rule on the WAN rules to allow src any to dest 2009:19f0:0:700::/56; no change in condition. LAN has the default v6 allow-all rule out. What should my gateway out on the devices on the LAN be after they receive their SLAAC configuration?


  • Netgate

    Probably fe80::1:1%local_interface_name

    I cannot ping6 any of the addresses you have mentioned including their gateway address.


  • Netgate

    Packet capture on WAN

    ping6 your interface address. Does the traffic even show up? Capture for NDP. Do they even try to locate your MAC address to associate it with that v6 address?

    If you can do that, move on to the routed subnet:

    ping6 one of the addresses in the routed /56

    the traffic should arrive on WAN. If it doesn't, there is nothing you can do to fix it. Go back upstream and make them fix it.

    I have seen this be ISP stupidity COUNTLESS times.



  • However, what I think I'm struggling to understand here is the basic concept of IPv6 routing vs. how it's typically done in IPv4. I guess because of the lack of NAT and that we are forwarding public addresses through pfsense?

    The main difference is that on IPv6, routing is normally done using the link-local addresses, not routable addresses.  Otherwise, things work pretty much the same.  You have a prefix, same as a subnet mask, that splits the address into network and host portions.  The LAN is usually a /64, as that's what's required for SLAAC.  You could go with DHCPv6, but SLAAC is very easy to work with.



  • Hey all, I have some good news. Finally got it running! All my VMs are now receiving both v4 and v6 addresses. Off-topic addition to this: is it feasible to create my own 6to4 tunnel or some sort of VPN hackery with pfsense? Let's say I have another site with only v4 connectivity and wanted to extend the v6 at this site to that site using pfsense. Is something like that feasible?



  • @nh5:

    Off-topic addition to this: is it feasible to create my own 6to4 tunnel or some sort of VPN hackery with pfsense? Let's say I have another site with only v4 connectivity and wanted to extend the v6 at this site to that site using pfsense. Is something like that feasible?

    Yes, I do that with OpenVPN.  I assign one of my /64s to the VPN.  BTW, it's not hackery.  It's normal networking.  It works the same with any means to connect sites and with either IPv4 or IPv6.


  • Netgate

    Right. You can tunnel both IPv6 and IPv4 over OpenVPN or IPsec.

    OpenVPN would probably be more flexible for what it sounds like you want.

    The outer tunnel can be either v4 or v6 - doesn't matter.



  • @Derelict:

    The outer tunnel can be either v4 or v6 - doesn't matter.

    Other than at the moment, IPv4 is more likely to be available.



  • Thanks for the continued answers everyone. Hopefully one final thing, when running SLAAC is there a way for me to define my DNS servers manually still? Or is DHCPv6 required to accomplish this? All my devices seem to be getting the DNS on pfsense. Would like to point them to a different internal host.



  • @nh5:

    Thanks for the continued answers everyone. Hopefully one final thing, when running SLAAC is there a way for me to define my DNS servers manually still? Or is DHCPv6 required to accomplish this? All my devices seem to be getting the DNS on pfsense. Would like to point them to a different internal host.

    With SLAAC, DNS servers are advertised in the router advertisements, using RDNSS.

    https://tools.ietf.org/html/rfc6106


  • Netgate

    What he said