Splitting a static /48 from Mediacom into subnets

alankeny

I had my pfSense configured for dynamic IPv6 from Mediacom for quite a while, but my /64 prefix delegation on my LAN kept changing. I was already paying for a static /30 IPv4 address, so I asked Mediacom for a static IPv6 address.

Eventually they sent me this:

  IP v6 scope 2604:2e80:XXXX::/48
  Gateway 2604:2e80:XXXX::1
  Start Range: 2604:2e80:XXXX:0:0:0:0:0
  End Range: 2604:2e80:XXXX:ffff:ffff:ffff:ffff:ffff
  No. of host: 1,208,925,819,614,629,174,706,176

My firewall only has two interfaces: WAN and LAN, so I think I want to use one /64 on the WAN and another /64 on the LAN side. I configured the WAN as:

  Static WAN IPv6 address:  2604:2e80:XXXX::2   /64
  Static WAN IPv6 gateway:  2604:2e80:XXXX::1

The WAN works OK. I can ping IPv6 addresses on the Internet from the WAN interface of the firewall, and I get replies.

I configured the LAN as:

  Static LAN IPv6 address:  2604:2e80:XXXX:1::1 /64

I can ping the firewall's LAN and WAN interfaces from machines on my LAN OK, but I can't ping IPv6 addresses on the Internet from the LAN, not even the gateway at 2604:2e80:XXXX::1. I can see the echo request go out the WAN interface, but the reply never comes back. I suspect it's a routing issue, because Mediacom doesn't know to send IPv6 for the 2604:2e80:XXXX:1::/64 subnet back to 2604:2e80:XXXX::2.

My plan was to use subnet 0 on the WAN and subnet 1 on the LAN. Assuming the XXXX are the hex digits I was allocated by Mediacom, did write the IPv6 addresses for the two subnets correctly?

What additional services do I need to configure to properly use two /64 subnets from the /48 I was allocated? Mediacom says it will "just work", and they don't have any other information for me. I'm concerned that by putting the default gateway IP of my allocated IPv6 scope on their head-end, Mediacom has effectively prevented me from subnetting the /48, but I'm hoping I just missed something really basic.

johnpoz

Did they actually route it to you.. if so then there should be a transit network called out.. Or they should of said you can use the first subnet as your transit.

My "guess" is they directly attached it.. If you put that /48 on your wan can you ping the gateway that they gave you

Gateway 2604:2e80:XXXX::1

When you put Gateway 2604:2e80:XXXX::2/48 on your wan

alankeny

@johnpoz said in Splitting a static /48 from Mediacom into subnets:

Did they actually route it to you.. if so then there should be a transit network called out.. Or they should of said you can use the first subnet as your transit.

I asked about this several times several different ways. They were never able to answer the questions. They just kept saying, "We gave you everything you need".

My "guess" is they directly attached it.. If you put that /48 on your wan can you ping the gateway that they gave you

Gateway 2604:2e80:XXXX::1

Yes, if I put my allocated /48 on the WAN, pfSense can ping6 the gateway and even www.google.com as long as I specify the WAN as the source interface for the ping6. I suspect too that they directly attached the /48.

If they directly attached the entire /48 on my WAN, is there any way for me to pick off a subnet for my LAN?

johnpoz

Not really no... That ISPs can be this stupid is just beyond me..

Moronic shit like this is why its just easier to get a tunnel from HE.. They will give you a /48 and you can use it on any ISP..

NogBadTheBad

Maybe they haven't mentioned what your PD is.

What happens if you set the WAN interface to DHCP6 ?

Here's the email I got from my ISP:-

ND Prefix: 2a02:8011:xxxxx:d8::/64
PD Prefix: 2a02:8010:xxxxx::/48

The two prefixes are described below, along with some further information on the Zen IPv6 service:

/64 Neighbour Discovery (ND) Prefix. This is used to automatically address the WAN interface of your Router, or if you are directly connected without a router, the WAN interface of that device.

/48 Delegation Prefix. This is usually provided over DHCPv6, and requires that your router acts as a requesting router for the purpose of IPv6 delegation RFC3633 - (https://tools.ietf.org/html/rfc3633). Subnets of this prefix are used by the CPE to address devices on the LAN. If prefix delegation is not supported on the router, a suggested interface ID and static route is available, which should allow routing to take place.

johnpoz

Why would they not just tell him that then?

Or better yet link him to doc on their site on using their IPv6 deployment, etc. etc.

alankeny

@johnpoz said in Splitting a static /48 from Mediacom into subnets:

Not really no... That ISPs can be this stupid is just beyond me.

Thanks for confirming my fears. At least I won't waste any more time on this.

When Mediacom hands out dynamic IPv6 addresses, they give a /128 on my WAN and a single /64 on my LAN. I've read that neither of these should done that way either. Is that right?

Moronic shit like this is why its just easier to get a tunnel from HE.. They will give you a /48 and you can use it on any ISP..

That makes a lot of sense. I should avoid anything from Mediacom I can get from someone else.

NogBadTheBad

It's an old post but yuck:-

https://forum.netgate.com/topic/102856/fyi-mediacom-ipv6/17

johnpoz

So clearly they are just stupid ;)

alankeny

@johnpoz said in Splitting a static /48 from Mediacom into subnets:

So clearly they are just stupid ;)

And a monopoly.

JKnott

How are they delivering that /48? I get a /56 from my ISP and get a WAN address and prefix via DHCPv6-PD. pfSense then takes that /56 prefix and splits off one (usually first) /64 for the LAN. I can then assign other /64s to other interfaces as I choose. This results in a WAN address outside of my /56 prefix. Do you get anything like that? Also, on IPv6, routing is normally done via the link local addresses, so a routable address is not needed on the WAN interface, though it is useful for testing, management, etc..

JKnott

@alankeny said in Splitting a static /48 from Mediacom into subnets:

When Mediacom hands out dynamic IPv6 addresses, they give a /128 on my WAN and a single /64 on my LAN. I've read that neither of these should done that way either. Is that right?

No. It's entirely normal to get a /128 on the WAN interface. It's used only for identifying the interface and not for routing. The prefix size depends on what they offer and what you're configure for. For example, I have a /56, but could have configured pfSense to request anything from /64 to /56. If I was using my ISPs modem in gateway mode, I'd only get a single /64.

alankeny

Mediacom business support staff have not been able to answer any questions about how they are delivering the /48. Their only response has been, "You configure the gateway and it will just work." Through experimentation, and feedback from this thread, I've determined that the /48 is "directly attached" to their head-end, so there's no hope of subnetting the /48. With their static IPv6 allocation, the WAN side is basically a bridged network that can have 1,208,925,819,614,629,174,706,176 IPv6 hosts on it, and that's the only configuration option available.

DHCPv6 can only be set to request a /64 or no subnet will be assigned. Requesting a /64 returns a dynamic PD that changes regularly. I also tried setting the WAN to SLAAC and putting the /48 on my LAN. I got a link local address, but no traffic would go anywhere from either pfSense interface.

I've dropped the dynamic and static IPv6 addresses from Mediacon and configured a tunnel from HE. It took a little time to clean up the mess I made earlier while testing the static addresses, but everything is working now.

Derelict

You can tell exactly what they are doing with a packet capture.

Capture for IPv6 on the WAN interface.

Use something to ping6 an address in the /48. Any address that isn't one they gave you for the WAN. Anything in any of the /64s not in 2604:2e80:XXXX::/64

You can use this site. There are probably others but that's the first one I found and it seems to work.

https://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php

If upstream doesn't send anything to you, they haven't configured it correctly and nothing will ever work. They need to route it to you properly.

If upstream just routes the packets to you with the destination address that you are pinging, it is routed to you and should work.

If upstream sends a neighbor discovery for a different address, try using that as your WAN address on the corresponding /64.

If upstream sends a neighbor discovery for the pinged address on WAN, they have put the /48 on WAN and are card-carrying members of the Stupid ISP Club. I find it hard to believe they are that dumb. It's not like we're talking about OVH.

The fact that they gave you this Gateway 2604:2e80:XXXX::1 implies that you should use the :0000::/64 on your WAN interface as you have done and set a default IPv6 gateway to the specified ::1 address. That should leave you with 2604:2e80:XXXX:1::/64 through 2604:2e80:XXXX:ffff::/64 to use on the inside interfaces.

Have you tried setting the interface for DHCP6 and asking for a /48 PD? Perhaps they just nailed that /48 to you.

They really should be able to answer these questions for you. It's 2019.

JKnott

@alankeny said in Splitting a static /48 from Mediacom into subnets:

With their static IPv6 allocation, the WAN side is basically a bridged network that can have 1,208,925,819,614,629,174,706,176 IPv6 hosts on it, and that's the only configuration option available.

That's nonsense. A /48 is not usable in that manner. It's supposed to be split up into /64s, which are what is used on a LAN. For example, I have a /56. One /64 is used for my main LAN, a 2nd for a test interface and a 3rd for my VPN. MY ISP uses DHCPv6-PD to provide my prefix and WAN interface address. As Derelict mentions, take a look at what's on the wire. You might want to see if you can talk to 2nd level support. Maybe they might have a clue about how IPv6 works.