IPv6 subnetting and DHCP PD how to



  • Hi!
    After a lot of hard work, IPv6 is working on pfsense. WAN is PPPoE, LAN is in Tracking Interface mode. Now the hard question is how do I implement IPv6 on the subnets?
    In IPv4 I have 192.168.0.0/24 as a core network, and several routers with smaller /27 subnets. I set DHCPv6 with prefix delegation on these routers, but I only have IPv6 on the pfsense side. I found the "Unable to pick client prefix: no IPv6 pools on this shared network" message in the pfsense log. I think something is missing.
    If I'm right I receive /56 prefix from my ISP. Now I'm using /64 on the pfsense LAN side. I don't have a clue how to allocate prefixes in the second routers. I can't find any related topic or guide.


  • LAYER 8 Global Moderator

    @ssjoco85 said in IPv6 subnetting and DHCP PD how to:

    If I'm right I receive /56 prefix from my ISP

    But are they delegating that to you, or did they just freaking attach all your pfsense wan with a /56 prefix?



  • @ssjoco85 said in IPv6 subnetting and DHCP PD how to:

    If I'm right I receive /56 prefix from my ISP. Now I'm using /64 on the pfsense LAN side.

    Assuming the ISP is using DHCPv6-PD to assign you a /56, you choose which /64 of that /56 you want to use on an interface with the IPv6 Prefix ID setting on the interface config. Your choices would range from 0 - ff. Normally, the first network is 0.

    As for other routers behind pfSense, you have to set things up the way you would with IPv4, but with a few differences. For example, you don't need a routable address for the router. Link local addresses are often used. You'd pick one of your /64s and configure it on the router for use on the next router and then configure routing to get to it. When I set up a test LAN here, I just connected the router to another NIC on my firewall and went from there though, as always, you can also connect a router to the existing LAN. Bottom line, think about how you'd do it in IPv4 and then do the same in IPv6. There's no difference in the way routing works.
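
The Prefix ID selection described in the post above, worked through as an added example that is not part of the original thread. It goes slightly beyond the post by also listing the aligned blocks left over for downstream routers. The prefix `2001:db8:ab00::/56` is a constructed documentation prefix, the function names are hypothetical, and the /60 block size for downstream routers is an assumption.

```python
import ipaddress

def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a Prefix ID selects inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation longer than /64 cannot hold a /64")
    bits = 64 - net.prefixlen            # /56 -> 8 bits -> IDs 0x00..0xff
    if not 0 <= prefix_id < (1 << bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range for /{net.prefixlen}")
    # The ID fills the bits between the delegated length and bit 64.
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def downstream_blocks(delegated: str, used_ids, block_len: int = 60):
    """List aligned blocks (assumed /60) that contain no locally used /64."""
    net = ipaddress.IPv6Network(delegated)
    used = [lan_prefix(delegated, i) for i in used_ids]
    return [b for b in net.subnets(new_prefix=block_len)
            if not any(u.subnet_of(b) for u in used)]

if __name__ == "__main__":
    pd = "2001:db8:ab00::/56"            # constructed sample delegation
    for pid in (0x0, 0x1, 0xff):
        print(f"Prefix ID {pid:#04x} -> {lan_prefix(pd, pid)}")
    free = downstream_blocks(pd, used_ids=[0x0, 0x1])
    print(f"{len(free)} free /60 blocks, first is {free[0]}")
    # After a prefix change the same IDs map into the new delegation.
    print("after renumbering:", lan_prefix("2001:db8:cd00::/56", 0x1))
```

For a /56 the Prefix ID lands in the low byte of the fourth hextet, so ID `ff` is `2001:db8:ab00:ff::/64`, not a change to the third hextet.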



  • When I use the ISP router I get a /64 address, but the setup said I had a /56 prefix. I read that I should set the DHCP prefix delegation size to /56 on pfsense. My ISP router is set to bridge, pfsense is the main router. I understand that with Tracking Interface on LAN I can set the first available /64 from the /56 to the LAN. The main question is how can I use the remaining 255 /64 subnets from the /56 prefix?

    My first problem is the LAN IPv6 address. If I set the DHCP delegation size to /56 on WAN, I don't have an IPv6 address on LAN. If I set a /60 prefix, then I get /60 on the LAN address. If I set a /64 prefix I get a /56 mask on LAN. Why? Something is broken.

    If I'm right I should have a /64 subnet on LAN. Second, how can I delegate the unused /64 prefixes to the other internal routers? And how can I set the routing? If I set the prefix range manually in the pfsense DHCPv6, the sub routers will receive a unique IPv6 subnet from pfsense. The main issue is that the prefix is a dynamic range.

    Correct me if I'm wrong but I imagine the following. I receive 2000:xxxx:xx00:/56 prefix from my ISP. I can have 256 /64 subnets.
    pfsense LAN address should be 2000:xxxx:xx01:/64.
    My second router WAN side uses the 2000:xxxx:xx01:/64 subnet, LAN side receives a prefix from pfsense 2000:xxxx:xx02:/64. Third router LAN would be 2000:xxxx:xx03:/64.
    How the hell should I achieve this?



  • Right now pfsense has some big IPv6 limitations. If WAN has a dynamic prefix you can't use private IPv6 addresses or DHCP PD. Both services require a static WAN address. Until then pfsense can't handle IPv6 subnetworks.



  • @ssjoco85

    ????

    I have set up interfaces with both GUA and ULA addresses. I use DHCPv6-PD to get my prefixes. Here is my ULA prefix, on the same interface as my GUA:

    fd48:1a37:2160:0::



  • @JKnott Is your GUA address fixed? Mine is dynamic. You can't use ULA because the NPt, alias NAT66, address has to be set manually.
    I can receive a prefix with DHCP PD but I want to send the unused prefixes in DHCP PD to another router.



  • @ssjoco85

    Why are you using NAT? There's no need for it with all the addresses available with IPv6. NAT is a hack to get around the IPv4 address shortage. My GUA is obtained via DHCPv6-PD and SLAAC.



  • As I mentioned, neither DHCPv6 PD nor NAT66 works in a complex network. I'm not talking about one or two IPv6 networks on pfsense's LAN port. Yes, I have IPv6 on pfsense. The DHCPv6 PD client works perfectly on WAN, but I need a DHCP server on the LAN side! The DHCPv6 server can't use dynamic prefixes, only fixed ones. I need pfsense to send the unused prefixes to other routers. In my case, I receive a /56 from my ISP, and pfsense uses 2 /64 prefixes on LAN1 and LAN2. The unused 254 /64 prefixes would be available in the DHCPv6 server, and other routers on LAN could also request one prefix each from pfsense.
    I tried NAT66 as a last resort, but it has the same limitation. Therefore I have to wait until pfsense can handle dynamic DHCPv6 Server prefixes, or NAT66 can use a dynamic WAN address.



  • @ssjoco85

    How often do your prefixes change? They normally shouldn't change at all.


  • LAYER 8 Global Moderator

    @ssjoco85 said in IPv6 subnetting and DHCP PD how to:

    can handle dynamic DHCPv6 Server prefixes

    And exactly what box can do that now? That seems like something with no real world use case.. And who says you have to use dhcpv6 anyway for your clients?

    If you have need of your prefix not changing - then go get your IPv6 block from ARIN or your region of the world's RIR and do whatever you want with your space.

    Or just get a free tunnel from HE and now your /48 doesn't change and you can do whatever you want with it... Or get your ISP to actually assign you /xx that doesn't change so you don't have to go tracking shit via PD from your isp, etc.



  • Always when my WAN reconnects. I have PPPoE on WAN. Most of the ISPs use dynamic IPv6 prefixes on consumer lines.


  • LAYER 8 Global Moderator

    @ssjoco85 said in IPv6 subnetting and DHCP PD how to:

    IPv6 prefixes on consumer lines.

    Then don't use a consumer line - duh!!! You're trying to do business shit with a user connection..

    If you're going to use consumer level connections, and you want to do fancy shit with IPv6 then just get your free /48 from HE and you can do whatever you want with that /48 - and it never changes... I have had my /48 since 2011..

    With multiple ISPs over that period - just take my /48 with me no matter what ISP I use, etc. etc.



  • @ssjoco85 said in IPv6 subnetting and DHCP PD how to:

    Always when my WAN reconnects. I have PPPoE on WAN. Most of the ISPs use dynamic IPv6 prefixes on consumer lines.

    I'm on a consumer service and my prefixes are solid, ever since the "Do not allow PD/Address release" option was added to pfSense. DHCPv6-PD uses something called "Device Unique IDentifier" (DUID) to lock the prefix to the customer.

