IPv6 prefix delegation size (/56) vs available range


  • I noticed my IPv6 connection to Comcast was configured with a /60 in the WAN interface, and /48 in the Services/DHCPv6 Server & RA. Additionally I have had problems with pfSense acquiring a WAN address from the cable modem on restart. It seems to require a dance of rebooting the cable modem, and rebooting pfSense. I have not been able to figure out any reason why this is so difficult.

    So this combination of /60 and /48 in WAN and Services/DHCPv6 Server & RA seems suspicious. So I reconfigured to /56 in both:
    Interfaces/WAN (igb0)

    Services/DHCPv6 Server & RA/LAN/DHCPv6 Server

    My question is, does this affect the correct "range", currently set at ::1000 ::2000?

    I am no longer getting an IPv6 for my PC on the LAN, which I did get before when WAN (igb0) was set to /60, and DHCPv6 Server was set at /48.


  • @lifespeed

    The 2 values should be the same. So, if they're giving you a /60 then the LAN side should also be a /60. This will give you 16 /64s to use. As for the range, those numbers represent the last 16 bits of the address and will fit within a single /64, so your hosts will be somewhere within that range. The :: represents as many "0" bits as needed to fill out the leftmost part of the 128 bits. So, with 16 bits used in that range that :: would be 112 bits long. With IPv6, the LAN portion of the address is always 64 bits, leaving 64 for the network address.

    BTW, any reason you're using DHCPv6, rather than SLAAC on the LAN side?


  • @JKnott I believe you're correct I should be using SLAAC. I'm not sure why I'm not, other than it probably didn't work when I initially tried. I thought I was using prefix delegation. But as you can probably tell, I am far from an expert on this. Where do I configure it to use SLAAC?


  • I see that I had it set to "track interface" instead of SLAAC in the LAN interface config. There may have been a reason related to having VLANs, which I gave up on as being too complicated for my level of knowledge at the moment.

    I don't appear to be getting an IPv6 for pfSense WAN or for the PC on the network using SLAAC for the LAN.


  • @lifespeed

    I use track interface and I have used VLANs. It works fine for me and it uses the prefix obtained from the ISP, though you have to choose 1 of the /64s with IPv6 Prefix ID. With a /60, your choices would be between 0 - f.


  • @JKnott So far Track Interface is the only thing that has worked to get an IPv6 both for the pfSense box, as well as devices on the network. I read in the Netgate docs SLAAC tries to get the IPv6 prefix from Router Advertisements.

    Anyway, I'm concerned with less-than-reliable address assignment to pfSense after internet outages or pfSense reboots, and it appears I don't have DHCPv6 correctly configured as shown above. It seems something must be relatively correct with prefix-hinting /60 to Comcast, but we know that can't coincide with /48 in the Services/DHCPv6 Server & RA page.

    This must seem like an incredibly dumb question, but what does /60 correspond to in the range of the Services/DHCPv6 Server & RA page?

    Edit: OK, I ran an IP calculator, and see that /60 indicates 4 bits (subtracted from 64), 2^4 is 16. Which coincides with your response above. Will try this and reboot.


  • Didn't work. Do I need to add three more colons to the IPv6 range so that the 0-f range is the least significant bits?


  • Hi, I think these are different things! The config in DHCPv6 is for delegating behind a second router. It has nothing to do with the prefix from the ISP, only that it has to be a smaller subnet. If you get a /56 Prefix for your LAN site, you need one /64 out of this for your LAN and then you can delegate yourself a /64 via DHCPv6 Options.

    Your MODEM, if it is a MODEM, knows nothing about IP! So check if it is a MODEM (or bridge mode), try the different options in DHCP6 Client Configuration such as Only request an IPv6 prefix, Send an IPv6 prefix hint and use /48 if your ISP tells you so. Or /56 if that is what your ISP sends.

    pfadmin


  • @lifespeed said in IPv6 prefix delegation size (/56) vs available range:

    Didn't work. Do I need to add three more colons to the IPv6 range so that the 0-f range is the least significant bits?

    :: always represents a string of "0" necessary to fill out 128 bits. You can use it once and only once in an address. For example, ::1 is the IPv6 loop back address. That's 127 0 bits and a single 1.


  • @pfadmin said in IPv6 prefix delegation size (/56) vs available range:

    The config in DHCPv6 is for delegating behind a second router.

    There are 2 ways to automagically assign host addresses in IPv6, SLAAC and DHCPv6. pfSense provides both. If there were another router behind the first, then pfSense would have to support DHCPv6-PD on the LAN side as a server, but it doesn't.

    Yes, the modem has to be in bridge mode, not gateway.


  • @JKnott said in IPv6 prefix delegation size (/56) vs available range:

    t DHCPv6-PD on the LAN side as a server, but it doesn't.

    Maybe it doesn't, but under DHCPv6 Server, the field which is filled with "60", this is for sub networks as it is described below "...This allows for assigning networks to subrouters..." So it has nothing to do directly with the /56 or /48 from the ISP. It only has to be "within". So I misunderstood your discussion or you are talking about the wrong options. The Prefix ID is in "Interface", not DHCPv6 Server. @lifespeed you show it in your pictures. First you have /56 in "Prefix delegation Size" and then you have "/60". This is not the right place because this is for subnets you don't have. The right place is in Interfaces/LAN, there is a free choice between "0" to "ff" if you got a Prefix of /56 from your ISP. In DHCPv6 Server take ::1000 to ::3000 or so. Under Router Advertisements use assisted for DHCPv6 and SLAAC.


  • @pfadmin said in IPv6 prefix delegation size (/56) vs available range:

    Maybe it doesn't, but under DHCPv6 Server, the field which is filled with "60", this is for sub networks as it is described below "

    This refers to the size of the prefix assigned by the ISP, just like with SLAAC. You can use any size up to whatever is provided. So, with a /56, you could configure for /60 or /63 or whatever, so long as it isn't a larger prefix than what's provided. On the LAN side, pfSense only hands out /64s. The prefix ID is used to select which of the available /64s is used. For example, I have a /56. That allows me up to 256 /64s. I use prefix ID 0 for my main LAN, 4 for a test LAN and ff for OpenVPN. I have also used others with a VLAN or assigning to a Cisco router I have here. If Comcast is only providing a /60, then @lifespeed has only 16 /64s to choose from.

    Perhaps someone with Comcast experience can speak up. I'm on Rogers.


  • I am pretty sure Comcast gives out a /60. It sounds like for each LAN (currently I have only one, no VLANs) it must be /64. So this would be 16 possible ranges. So the range on the DHCPv6 Server page should be ::0 to ::f, with prefix delegation size /64? No, that doesn't make sense, /64 is a single prefix (not a single address)? Should Prefix Delegation Range be filled out?

    Edit: I have a Netgear CM1000 DOCSIS 3.1 cable modem, it is not a router.


  • @lifespeed said in IPv6 prefix delegation size (/56) vs available range:

    I am pretty sure Comcast gives out a /60. It sounds like for each LAN (currently I have only one, no VLANs) it must be /64. So this would be 16 possible ranges. So the range on the DHCPv6 Server page should be ::0 to ::f, with prefix delegation size /64? No, that doesn't make sense, /64 is a single prefix (not a single address)? Should Prefix Delegation Range be filled out?

    The Prefix ID is set at the Interface page from 0 to f, your resulting LAN prefix (first 64 bits) is xxxx:xxxx:xxxx:xxxx:xxx[0-f]:: Each LAN interface gets a unique number from 0 to f. Now at the DHCPv6 Server page you can give every LAN interface a range between ::0000:0000:0000:0000 to ::ffff:ffff:ffff:ffff for a /64, for example ::ffff:0000:ffff:0000 to ::ffff:0000:ffff:ffff or something like this. Nothing more. No prefix delegation stuff, because this sends one part of the /60 prefix to a router in your network for the net behind it - which you don't have and JKnott said it doesn't work.

    JKnott said it too, but I think you're on different options.

    Again:

    At Interfaces/LAN choose Track Interface as Type and then WAN as IPv6 Interface and then 0 as Prefix ID. At DHCPv6 Server options choose ::ffff:1000 to ::ffff:3000, that's it.

    But maybe pfsense has a problem with /60 ? Anyone?
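
The arithmetic discussed in the posts above, as an added example that is not part of any post and is not pfSense code: how a Prefix ID selects one /64 out of a delegated /60 or /56, and how host-part range entries such as ::1000 and ::2000 combine with that /64. The function names are hypothetical and the 2001:db8 documentation prefix is a constructed stand-in for whatever the ISP delegates.

```python
import ipaddress


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a Prefix ID selects inside the delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("a delegation longer than /64 contains no whole /64")
    count = 1 << (64 - pd.prefixlen)  # /60 -> 16 subnets, /56 -> 256 subnets
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"Prefix ID {prefix_id:x} is outside 0-{count - 1:x} for a /{pd.prefixlen}"
        )
    # The Prefix ID occupies the bits between the delegation and bit 64.
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def dhcp6_pool(lan: ipaddress.IPv6Network, start: str, end: str):
    """Combine a LAN /64 with host-part range entries like ::1000 and ::2000."""
    lo = int(ipaddress.IPv6Address(start))
    hi = int(ipaddress.IPv6Address(end))
    if lo >> 64 or hi >> 64:
        raise ValueError("range entries must leave the upper 64 bits as zero")
    if lo > hi:
        raise ValueError("range start is above range end")
    net = int(lan.network_address)
    return ipaddress.IPv6Address(net | lo), ipaddress.IPv6Address(net | hi)


if __name__ == "__main__":
    delegated = "2001:db8:abcd:12f0::/60"  # constructed sample delegation
    for pid in (0x0, 0x4, 0xF):
        print(f"Prefix ID {pid:x} -> {lan_prefix(delegated, pid)}")
    lan = lan_prefix(delegated, 0)
    first, last = dhcp6_pool(lan, "::1000", "::2000")
    print(f"DHCPv6 pool on {lan}: {first} to {last}")
    try:
        lan_prefix(delegated, 0x10)  # a 17th subnet does not exist in a /60
    except ValueError as err:
        print("rejected:", err)
```
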


  • @lifespeed said in IPv6 prefix delegation size (/56) vs available range:

    Comcast

    https://blog.barclayhowe.com/16-ipv6-subnets-pfsense-and-comcast

    There is a user who runs pfSense with Comcast. On WAN use DHCP6 and Send IPv6 prefix hint and 60 as DHCPv6 Prefix. It should be the solution.


  • @pfadmin thank you for the advice. I will try this tonight. Working from home today, so no need to monkey with the router during business hours.


  • @lifespeed

    If you have a /60, you indeed have 16 /64s to choose from. Which one you pick is entirely your decision. If you add a VLAN or another interface, then you'd choose another. You can keep doing this, until you've used all 16.

    As I mentioned, I have 256 /64s. I don't use anywhere near that many.


  • @pfadmin said in IPv6 prefix delegation size (/56) vs available range:

    At Interfaces/LAN choose Track Interface as Type and then WAN as IPv6 Interface and then 0 as Prefix ID. At DHCPv6 Server options choose ::ffff:1000 to ::ffff:3000, that's it.

    Correctly specifying the range may have been where I got it wrong.


  • I reconfigured the DHCPv6 server address range as suggested. So far it seems to be more reliable at getting an IPv6 address from the cable modem after a reboot of pfSense, but only experience over a number of weeks will tell for sure.

    I have noticed that pfSense boots up and receives an IPv4 address immediately. The IPv6 addresses for the WAN, LAN, and devices on the LAN take a good 3 - 4 minutes to appear. Which has confused me at times, but I do think this is the correct configuration.

    I saw the prefix delegation option does not have a "not used" selection in the drop down menu, so there will always be a number there, in my case I left it at /48. I think without a prefix delegation range specified, it is unused.
