IPv6 Layer 8 Error
-
As the topic suggests, I clearly understand that this is not strictly a pfSense issue.... it is more about IP6/OpenVPN/User understanding.
I'm currently using HENET for IP6, tutorials here were more than sufficient to get that working.
OK, so what I was hoping to do, and failing miserably, is have pfSense connected via OpenVPN to an OpenVPN server running on a VPS and to get my IP6 from the VPS, rather than HENET.
The VPS states that I get allocated a /64 IP block...
OpenVPN talks about splitting that into two /65s:
https://community.openvpn.net/openvpn/wiki/IPv6
But obviously I want the IP6 addresses to go over to my LAN, not just be in the tunnel...
IP6s changed in these examples to the IP6 document addresses to protect personal info:
So, the server starts off having 2001:db8:0000:0000::1/64
If I read this right, server now moves to 2001:0db8:0000:0000::1/65
OpenVPN gets the 2nd /65 - it gets the whole block - ie: 2001:0db8:0000:8000::/65
In pfSense, I configure the OpenVPN client, assign it an interface (OPT4) for example.. Into routing, set OPT4 interface as default route for ipv6
The question is: what do I do for my LAN?
The 2 main questions are:
Which IP6 should I be using as my static IP6 for the LAN interface(?) or have I got this wrong?
I believe I need to configure RADVD to allocate the rest of the block on the LAN - so I head to Services/DHCPv6 Server & RA - but should I be configuring it via DHCPv6 or should it pick it up from RA?
I'm really sorry, but I'm still grasping the fundamental concepts of IP6. There are apparently 18,446,744,073,709,551,616 usable addresses in a /64 block - surely that's enough for my small requirements?
I understand IP4 much better, so a /64 is half network, half host - equivalent to 255.255.0.0
Despite as much reading as I've tried to do, I'm just not getting it :(
Your help would be most appreciated.
-
First off, what size prefix are you getting from he.net? You can get a /48, which means you can use an entire /64 for the tunnel network. You don't want to go about splitting /64s, if you can avoid it. With a /48 you will have 65536 /64s to choose from.
-
Sorry, perhaps I wasn't clear... I'm actually looking at moving away from HENET and using my own VPS.
I do have both a routed /48 and a routed /64 which work fine at the moment, but if I could get the VPS solution working, I would know if I would get better speeds, and also it's a good learning experience so that I can say I have a better understanding of IPv6
-
afaik there is no way to do that, you need at least a /56
/128 | 1 IPv6 address | A network interface
/64 | 1 IPv6 subnet | 18,446,744,073,709,551,616 IPv6 addresses
/56 | 256 LAN segments | Popular prefix size for one subscriber site
/48 | 65,536 LAN segments | Popular prefix size for one subscriber site
/32 | 65,536 /48 subscriber sites | Minimum IPv6 allocation
/24 | 16,777,216 subscriber sites | 256 times larger than the minimum IPv6 allocation
-
I just found it a bit odd that the OpenVPN site mentioned splitting it into 2*65s but with caveats:
Quote:
Avoid this setup if you are using any of:
SLAAC. If you are using SLAAC and have no way around, ask your ISP for permission to use static address assignment on your VPN server.
IPv6 Multicast - RFC3306
Cryptographically Generated Address - CGA - RFC3972
NAT64 - RFC6052
IPv6-to-IPv6 Network Prefix Translation - NPTv6 - RFC6296
Identifier-Locator Network Protocol - ILNP - RFC6741
Multihoming Shim Protocol for IPv6 - shim6 - RFC5533
I really need a better understanding of IP6 fundamentals :( I guess I can't get around the idea that there are so many usable addresses in a /64 block and I can't take some from that for what I want to do....
-
I think the solution is true: need more than a /64
Reading about NDP on Wikipedia made some sense and I managed to find a document on RIPE.NET that explained about the importance of being a /64 or more..
I consider my question answered :(
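Added example, not part of the thread and not pfSense or OpenVPN code: using Python's standard ipaddress module and the documentation prefix 2001:db8::/32, it carves a tunnel segment and a LAN segment out of a /64 and out of a /56, and flags which resulting subnets are still /64 and so compatible with SLAAC. The function names are made up for this illustration.

```python
import ipaddress
from itertools import islice

SLAAC_PREFIX_LEN = 64  # SLAAC on Ethernet-type links uses a 64-bit interface ID


def count_64s(allocation: str) -> int:
    """Number of whole /64 subnets in the allocation (0 if it is longer than /64)."""
    plen = ipaddress.IPv6Network(allocation).prefixlen
    return 2 ** (SLAAC_PREFIX_LEN - plen) if plen <= SLAAC_PREFIX_LEN else 0


def carve(allocation: str, segments: int):
    """Return [(subnet, slaac_capable), ...] for the requested number of segments.

    /64s are used whenever the allocation holds enough of them. Otherwise the
    allocation is split into equal pieces longer than /64 (the two-/65 layout),
    and those pieces are flagged as not SLAAC-capable.
    """
    if segments < 1:
        raise ValueError("need at least one segment")
    net = ipaddress.IPv6Network(allocation)
    bits = (segments - 1).bit_length()        # bits needed to number the segments
    new_len = max(net.prefixlen + bits, SLAAC_PREFIX_LEN)
    if new_len > 128:
        raise ValueError("allocation too small for that many segments")
    subnets = islice(net.subnets(new_prefix=new_len), segments)
    return [(str(s), s.prefixlen == SLAAC_PREFIX_LEN) for s in subnets]


if __name__ == "__main__":
    # Constructed sample allocations from the documentation range.
    for alloc in ("2001:db8::/64", "2001:db8::/56", "2001:db8::/48"):
        print(f"{alloc}: {count_64s(alloc)} x /64 available")
        for role, (subnet, slaac) in zip(("tunnel", "LAN"), carve(alloc, 2)):
            # In the /64 case the second half starts at 2001:db8:0:0:8000::,
            # because bit 65 is the top bit of the fifth hextet.
            print(f"  {role:6} {subnet:28} SLAAC-capable: {slaac}")
```

With a single /64 both halves come out as /65 and neither can use SLAAC on the LAN; with a /56 or /48 the tunnel and the LAN each get a full /64.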