Routed ipv6 and Carp cluster
-
Hi, so I have a pair of HA pfSense boxes that work quite well with IPv4. I am trying to set up IPv6, but I am a little unsure how to set it up correctly. Let me explain how the IPv6 is being delivered.
On my WAN interface (same interface as the IPv4 WAN) I have assigned 1 IP address from a /125. I did this on both firewalls, so 2 addresses, 1 WAN address per firewall. I created a CARP VIP on the master unit as the 3rd IPv6 address, also from the /125. This part is simple to me; it is essentially the exact same thing as with IPv4.
Now the ISP is routing a /48 to the CARP VIP for us to use on our "LAN". Again straightforward, but after this point I get a little confused.
I don't want to use the whole /48 for a given interface; I want to break it into a bunch of /64s. The goal here is, say, VLAN 11 gets 1 /64 from the /48, VLAN 12 gets a /64 from the /48, etc. I guess the part where I'm lost is: do I need to create an interface and put the /48 onto it before I can start breaking it up into /64s? Or can I just go straight into creating the VLANs and interfaces and assigning /64s from the /48?
Another thing I don't understand: if I break the /48 into /64s, what do I then use as a gateway for those /64s? An address in the /64? The /48? The gateway of the /125?
Any help is appreciated. I've watched 3 of the hangouts and still don't understand it, and I can't really find any documentation or videos showing this specific situation; however, I feel like it's probably not uncommon.
-
@banman24 said in Routed ipv6 and Carp cluster:
I don't want to use the whole /48 for a given interface; I want to break it into a bunch of /64s. The goal here is, say, VLAN 11 gets 1 /64 from the /48, VLAN 12 gets a /64 from the /48, etc. I guess the part where I'm lost is: do I need to create an interface and put the /48 onto it before I can start breaking it up into /64s? Or can I just go straight into creating the VLANs and interfaces and assigning /64s from the /48?
When you configure an interface or VLAN, choose a prefix. With a /48, you have 65536 to choose from.
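As an added example (not code from the thread or from pfSense), here is how the /48 breaks into per-VLAN /64s and what address the firewall takes on each. It uses a documentation prefix as a stand-in for the real /48 and makes two assumptions the thread does not state: the 16-bit subnet ID inside the /48 is taken from the VLAN ID (so VLAN 11 gets the :b::/64, VLAN 12 the :c::/64), and the firewall's own address on each /64 is ::1. Hosts on a VLAN route through the firewall's address on that /64 (or its link-local address); the example also does the reverse lookup from a host address back to its VLAN and refuses a VLAN ID that does not fit a smaller parent prefix.

```python
import ipaddress

# Constructed stand-in for the ISP-routed /48; the thread's real prefix is redacted.
ROUTED_PREFIX = "2001:db8:1234::/48"


def _net(prefix):
    """Accept either a string or an IPv6Network."""
    return prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)


def subnet_count(prefix, new_len=64):
    """Number of /new_len networks inside prefix: a /48 holds 2**16 = 65536 /64s."""
    prefix = _net(prefix)
    if new_len < prefix.prefixlen:
        raise ValueError("child prefix must not be shorter than the parent")
    return 1 << (new_len - prefix.prefixlen)


def vlan_subnet(prefix, vlan_id):
    """The /64 inside prefix whose subnet ID equals the VLAN ID (an assumed convention).

    The subnet ID is the bits between the parent prefix length and bit 64; for a /48
    that is the whole fourth hextet, so VLAN 11 -> <prefix>:b::/64, VLAN 12 -> :c::/64.
    """
    prefix = _net(prefix)
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is out of range")
    if vlan_id >= subnet_count(prefix):
        raise ValueError(f"VLAN ID {vlan_id} does not fit in a /{prefix.prefixlen}")
    # The low 64 bits (host half) are zero; the subnet ID sits directly above them.
    base = int(prefix.network_address)
    return ipaddress.IPv6Network((base | (vlan_id << 64), 64))


def router_address(subnet):
    """The firewall's own address on the /64: ::1 by convention (an assumption, not a rule)."""
    subnet = _net(subnet)
    return ipaddress.IPv6Interface((int(subnet.network_address) + 1, subnet.prefixlen))


def plan(prefix, vlan_ids):
    """Map VLAN ID -> (its /64, the firewall's address on it), all inside the parent prefix."""
    prefix = _net(prefix)
    out = {}
    for vid in vlan_ids:
        net = vlan_subnet(prefix, vid)
        if not net.subnet_of(prefix):  # cannot happen by construction; kept as a guard
            raise AssertionError(f"{net} is not inside {prefix}")
        out[vid] = (net, router_address(net))
    return out


def vlan_for_address(prefix, addr):
    """Reverse lookup: the VLAN (subnet ID) an address belongs to, or None if outside the prefix."""
    prefix = _net(prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        return None
    return (int(a) >> 64) & ((1 << (64 - prefix.prefixlen)) - 1)


if __name__ == "__main__":
    print(subnet_count(ROUTED_PREFIX), "/64s available in", ROUTED_PREFIX)
    for vid, (net, fw) in plan(ROUTED_PREFIX, [11, 12, 20]).items():
        print(f"VLAN {vid:4d}: {net}  firewall address {fw}")
```

Nothing here needs the /48 itself to be bound to an interface: each /64 is an independent on-link prefix, and the only thing that must exist somewhere is a route for the whole /48 pointing at the firewall, which the ISP's routing to the CARP VIP already provides.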
-
@JKnott said in Routed ipv6 and Carp cluster:
@banman24 said in Routed ipv6 and Carp cluster:
I don't want to use the whole /48 for a given interface; I want to break it into a bunch of /64s. The goal here is, say, VLAN 11 gets 1 /64 from the /48, VLAN 12 gets a /64 from the /48, etc. I guess the part where I'm lost is: do I need to create an interface and put the /48 onto it before I can start breaking it up into /64s? Or can I just go straight into creating the VLANs and interfaces and assigning /64s from the /48?
When you configure an interface or VLAN, choose a prefix. With a /48, you have 65536 to choose from.
Ok, I've got that part down already. Is there no need to use a gateway, since the whole /48 is routed to me?
Also, on a side note, I can ping the IPv6 address that's assigned to each firewall's WAN interface; however, I cannot ping the IPv6 WAN CARP IP. I created it in the exact same way I've created the v4 CARP IPs. Is this an indication something is wrong and not working correctly?
-
By gateway, I assume you mean the modem in gateway mode. No, you want it in bridge mode, as pfSense is acting as your gateway. I haven't worked with CARP, so I can't help with that, other than my understanding is that it would have its own address, rather than the individual interfaces. Regardless, that address might not be used for routing, as often the link-local address is used. Can you reach the Internet with IPv6?
-
@JKnott said in Routed ipv6 and Carp cluster:
By gateway, I assume you mean the modem in gateway mode. No, you want it in bridge mode, as pfSense is acting as your gateway. I haven't worked with CARP, so I can't help with that, other than my understanding is that it would have its own address, rather than the individual interfaces. Regardless, that address might not be used for routing, as often the link-local address is used. Can you reach the Internet with IPv6?
Ok, so I have run into an issue and I'm concerned this is a code bug. Doing a packet capture on the WAN interface has shown the gateway pings, but also shows this line:
09:53:39.169199 IP6 fe80:8b80:2:201::1 > ff02::1:ff00:4: ICMP6, neighbor solicitation, who has 2606:8b80:x:xxx::4, length 32
The ::4 is the VIP address, and it seems as if pfSense doesn't know what its own VIP is.
Here is the output of ifconfig -a:
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 0c:c4:7a:XX:XX:94
hwaddr 0c:c4:7a:XX:XX:94
inet6 fe80::ec4:XXXX:XXXX:8694%igb0 prefixlen 64 scopeid 0x1
inet6 2606:8b80:X:XXX::2 prefixlen 125
inet6 2606:8b80:X:XXX::4 prefixlen 125 vhid 5
inet 208.XXX.XXX.2 netmask 0xfffffff8 broadcast 208.XXX.XXX.7
inet 208.XXX.XXX.4 netmask 0xfffffff8 broadcast 208.XXX.XXX.7 vhid 2
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
carp: MASTER vhid 5 advbase 1 advskew 0
carp: MASTER vhid 2 advbase 1 advskew 0
-
Found the issue, and all is working well.
If anyone else runs into the same problem I did, here is the fix.
If you are running HA units and you're creating a WAN IPv6 CARP address, you must leave the leading 0s on. So you can't take the leading 0s off to shorten the address: :0001 cannot be :1. Shortening works fine everywhere else, but with the CARP IP, for some reason, you cannot do this. I found a thread from 4 years ago on Redmine that was very similar to this issue, and there was some activity on it from a few weeks ago, so I'm wondering if the issue has resurfaced. Either way, I'm glad I got it working now :)
If anyone from Netgate sees this, I am running the current stable version as of today, 5/15/20.