Planning for IPv6 /48 allocation
-
My ISP has advised they will be giving me an IPv6 /48 allocation shortly and I'm starting to plan how best to implement it on my current network. For the purpose of this thread I'm using 2001:db8:1001::/48 as my allocation.
My network currently has 3 VLANs configured on pfSense:
- VLAN1 - 192.168.1.0/24 (Primary VLAN with internal servers and user devices)
- VLAN2 - 192.168.20.0/24 (Guest VLAN for visitor devices)
- VLAN3 - 192.168.30.0/24 (IOT VLAN for consumer devices that I don't trust)
I also have an OpenVPN server setup on pfSense to allow me to remotely connect to my network via my mobile and laptop. The IPv4 Tunnel Network is configured as 10.0.1.0/24.
Finally I have a docker host in VLAN1 which has several bridged networks on the subnets 172.17.0.0/16, 172.18.0.0/16, etc.
I'm assuming for the three different VLANs I could configure each of the static IPv6 addresses in pfSense as follows:
- VLAN1 - 2001:db8:1001:1::/64
- VLAN2 - 2001:db8:1001:20::/64
- VLAN3 - 2001:db8:1001:30::/64
For the IPv6 Tunnel Network in OpenVPN can I assign either a GUA or ULA depending on whether I want clients connecting through my VPN server to be able to access the internet through the VPN or only my local network?
- GUA - 2001:db8:1001:50::/64
- ULA - fc00:1::/64
If I assign a ULA to the VPN can clients connect to VLANs 1-3 which are assigned a GUA?
What do I assign to my docker bridged networks?
-
Well, with a /48, you'll have only 65536 /64s to work with.
What I do is have the prefix ID match the IPv4 subnet. I have a /56 for 256 /64s. My main LAN is 172.16.0.0/24 and prefix ID 0. I have a test LAN on 172.16.4.0 and prefix ID 4. For my VPN, I use 172.16.255.0 and ff. This keeps things simple. I'd say use a ULA for the VPN, so that remote devices can access the Internet.
The nice thing about IPv6 is you have addresses to waste, so you configure for what's most suitable for your needs and not have to worry about saving addresses, as you do with IPv4.
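The two numbering schemes in this thread (the first post writes the IPv4 third octet's decimal digits as the hex subnet ID, so 192.168.20.0 becomes :20; the reply above uses the octet's value in hex, so 172.16.255.0 becomes :ff) can both be derived mechanically, and doing so catches the one collision the first post already worked around by hand: the VPN's 10.0.1.0/24 maps to the same ID as VLAN1. The script below is an added example, not code from any post or from pfSense; the VLAN names, the /48, and the 0x50 override come from the thread, and it uses Python's standard `ipaddress` module. It classifies prefixes by well-known range instead of `is_global`, because `ipaddress` reports the documentation prefix 2001:db8::/32 as non-global, and it separates fd00::/8 (the locally assigned half of fc00::/7 per RFC 4193) from fc00::/8, which that RFC leaves undefined.

```python
import ipaddress
import secrets

# Allocation used in the thread (2001:db8::/32 is the documentation range, standing in for the real one).
ALLOCATION = ipaddress.IPv6Network("2001:db8:1001::/48")

# name -> (IPv4 subnet from the first post, hand-chosen prefix ID or None to derive it from the IPv4 third octet)
VLAN_PLAN = {
    "VLAN1": ("192.168.1.0/24", None),
    "VLAN2": ("192.168.20.0/24", None),
    "VLAN3": ("192.168.30.0/24", None),
    "VPN":   ("10.0.1.0/24", 0x50),   # third octet 1 would collide with VLAN1, so the post picks :50 by hand
}


def subnet_count(allocation, new_prefix=64):
    """How many new_prefix-sized subnets fit in the allocation (a /48 holds 2**16 = 65536 /64s)."""
    allocation = ipaddress.IPv6Network(allocation)
    return 1 << (new_prefix - allocation.prefixlen)


def subnet_for(allocation, prefix_id, new_prefix=64):
    """Return the subnet whose subnet-ID field (the bits between the allocation length and new_prefix) equals prefix_id."""
    allocation = ipaddress.IPv6Network(allocation)
    id_bits = new_prefix - allocation.prefixlen
    if id_bits < 0 or not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {id_bits} subnet-ID bits")
    base = int(allocation.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << (128 - new_prefix)), new_prefix))


def prefix_id_from_ipv4(cidr, style="digits"):
    """Derive a prefix ID from the IPv4 subnet's third octet.
    'digits': write the decimal octet as hex digits (192.168.20.0 -> 0x20), as in the first post's plan.
    'hex':    use the octet's value in hex (172.16.255.0 -> 0xff), as in the /56 scheme in the reply."""
    octet = ipaddress.IPv4Network(cidr).network_address.packed[2]
    if style == "digits":
        return int(str(octet), 16)
    if style == "hex":
        return octet
    raise ValueError(f"unknown style {style!r}")


def scope(obj):
    """Classify an address or prefix by well-known range (avoids ipaddress.is_global, which
    treats the 2001:db8::/32 documentation prefix as non-global)."""
    addr = ipaddress.IPv6Network(obj, strict=False).network_address
    if addr in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if addr in ipaddress.IPv6Network("fd00::/8"):
        return "ULA"            # RFC 4193 with L=1: locally assigned
    if addr in ipaddress.IPv6Network("fc00::/8"):
        return "ULA-reserved"   # fc00::/8 (L=0) is not defined for local assignment by RFC 4193
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "GUA"
    return "other"


def ula_prefix(global_id=None):
    """Build a locally assigned ULA /48 (fd00::/8 + 40-bit Global ID). RFC 4193 requires a pseudo-random
    Global ID and suggests SHA-1 over a timestamp and EUI-64; here a CSPRNG supplies the 40 bits."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must be 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def build_plan(allocation, vlans, style="digits"):
    """Map each VLAN to its /64 and refuse duplicate prefix IDs, which would be an addressing collision."""
    plan, seen = {}, {}
    for name, (v4, override) in vlans.items():
        pid = override if override is not None else prefix_id_from_ipv4(v4, style)
        if pid in seen:
            raise ValueError(f"{name} and {seen[pid]} both map to prefix ID {pid:#x}")
        seen[pid] = name
        plan[name] = subnet_for(allocation, pid)
    return plan


if __name__ == "__main__":
    print(f"{ALLOCATION} holds {subnet_count(ALLOCATION)} /64s")
    for name, net in build_plan(ALLOCATION, VLAN_PLAN).items():
        print(f"{name:6} {net}  ({scope(net)})")
    print("fc00:1::/64 is", scope("fc00:1::/64"))
    print("random ULA /48:", ula_prefix())
```

Running it prints the four /64s from the first post; dropping the 0x50 override for the VPN entry makes `build_plan` raise on the VLAN1 collision, and `scope("fc00:1::/64")` returns `ULA-reserved`, which is worth knowing before committing that prefix to firewall rules.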
-
@kesawi said in Planning for IPv6 /48 allocation:
If I assign a ULA to the VPN can clients connect to VLANs 1-3 which are assigned a GUA?
Yes, you can route between them or even provide both ULA and GUA on the same LAN, as I have here.
-
@JKnott said in Planning for IPv6 /48 allocation:
Yes, you can route between them or even provide both ULA and GUA on the same LAN, as I have here.
How do I provide both ULA and GUA on the same LAN? I can only find instructions for pfSense to provide one or the other. The interface configuration only seems to be able to accept one IP address.
I'd previously set up a ULA on my VLANs using Windows AD DHCP server on my primary VLAN, with pfSense RA configured to Managed. On my guest and IOT VLAN I am currently using DHCPv6 and RA on pfSense.
So far I've been able to set up IPv6 on the WAN and can ping external addresses from pfSense, but haven't progressed to setting up the GUA on my VLANs.
-
@kesawi said in Planning for IPv6 /48 allocation:
How do I provide both ULA and GUA on the same LAN? I can only find instructions for pfSense to provide one or the other. The interface configuration only seems to be able to accept one IP address.
On the Router Advertisements page, you can add subnets. That is where you add the ULA. However, if you do that, you will also have to do it for the global prefix. For some reason, pfSense won't automagically do that, if you have added another prefix. That looks like a bug to me as I can't understand why it doesn't work.
-
@JKnott so I currently have a static ULA assigned to each of my VLAN interfaces on pfSense. I also have static ULA on my Windows AD DNS and DHCP servers.
If I understand correctly I will need to
- List both the corresponding ULA and GUA subnets in the RA on pfSense for each VLAN
- Add the GUA subnet scope to my Windows AD DHCP server for my LAN (it already has the ULA scope)
- Once I've done this, the pfSense LAN interface and hosts within the LAN should receive a GUA?
For the other two VLANs which use DHCPv6 on pfSense, it appears that I can only specify the one subnet in DHCPv6?
-
I haven't used DHCPv6 on the LAN or worked with Active Directory, so I can't help you with those. However, adding ULA is as I described. You will then have both GUA and ULA addresses on the various devices. In fact, you will have as many as 8 each GUA & ULA addresses, if privacy addresses are enabled.
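The point above about a host ending up with several GUA and ULA addresses once privacy addresses are enabled matters for anyone writing per-host firewall rules or relying on DNS registration: only the EUI-64 (MAC-derived) addresses are stable, while temporary ones rotate. The script below is an added example, not code from any post; the host address list is constructed to resemble what a client on a LAN advertising both a GUA /64 and a ULA /64 would show, using the thread's 2001:db8:1001:1::/64 and a made-up fd12:3456:789a::/48 ULA. It classifies each address by scope and by whether its interface identifier carries the ff:fe marker of a modified EUI-64, and recovers the MAC from those that do.

```python
import ipaddress

# Constructed sample, not a capture from a real host: addresses a dual-prefix LAN client might list
# with temporary (privacy) addresses enabled.
SAMPLE_HOST_ADDRESSES = [
    "fe80::1a2b:3cff:fe4d:5e6f",             # link-local, EUI-64 from MAC 18:2b:3c:4d:5e:6f
    "2001:db8:1001:1:1a2b:3cff:fe4d:5e6f",   # GUA from SLAAC, same EUI-64 IID
    "2001:db8:1001:1:8c1d:77a0:5e92:c4f3",   # GUA temporary address (current)
    "2001:db8:1001:1:d0a3:1b6e:9f44:2210",   # GUA temporary address (previous, still within its valid lifetime)
    "fd12:3456:789a:1:1a2b:3cff:fe4d:5e6f",  # ULA from SLAAC, EUI-64 IID
    "fd12:3456:789a:1:3e9b:c2d0:1f88:a7e5",  # ULA temporary address
]


def scope(addr):
    """Classify by well-known range; ipaddress.is_global is avoided because it reports 2001:db8::/32 as non-global."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fd00::/8"):
        return "ULA"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "GUA"
    return "other"


def iid_is_eui64(addr):
    """True when the interface identifier carries the ff:fe marker of a modified EUI-64 (bytes 11-12)."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 IID: drop ff:fe and flip the universal/local bit (0x02)
    of the first octet. Returns None for randomized IIDs."""
    p = ipaddress.IPv6Address(addr).packed
    if p[11:13] != b"\xff\xfe":
        return None
    octets = bytes([p[8] ^ 0x02]) + p[9:11] + p[13:16]
    return ":".join(f"{b:02x}" for b in octets)


def summarize(addresses):
    """Count addresses per scope, split into stable EUI-64 IIDs and randomized ones.
    A randomized IID may be a temporary address or a stable-privacy address (RFC 7217); the list
    alone cannot tell them apart, which is exactly the problem for DNS registration and host-specific rules."""
    summary = {}
    for a in addresses:
        bucket = summary.setdefault(scope(a), {"eui64": 0, "random": 0})
        bucket["eui64" if iid_is_eui64(a) else "random"] += 1
    return summary


if __name__ == "__main__":
    for a in SAMPLE_HOST_ADDRESSES:
        kind = "EUI-64 from " + mac_from_eui64(a) if iid_is_eui64(a) else "randomized IID"
        print(f"{a:40} {scope(a):10} {kind}")
    print(summarize(SAMPLE_HOST_ADDRESSES))
```

On the sample the summary shows one stable and two randomized GUAs plus one stable and one randomized ULA, which is why rules that must pin a specific host are better keyed on the stable address (or on DHCPv6-assigned addresses, where DHCPv6 is in use) than on whatever address the host happens to source traffic from.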
-
I have configured Managed router mode in the LAN RA settings in pfSense and the Windows DHCPv6 scope for the ULA is being successfully applied to client devices on the LAN.
I have been able to add my GUA to the pfSense LAN interface by using a Virtual IP, and the corresponding subnet within the RA LAN settings. However, it appears that my Windows DHCPv6 scope for the GUA is being ignored by client devices on the LAN.
If I set the router mode to one which allows stateless autoconfig, such as assisted, then as expected my devices obtain a GUA via SLAAC.
My question for anyone who may know, is it possible to have two separate concurrent DHCPv6 scopes with pfSense and Windows? If so what do I need to do to get it to work?
I wish to retain both GUA and ULA within my network as I have internal servers that only need to be accessible internally. My preference is to retain DHCPv6 as I can integrate it with DNS.
I assume if I give up on DHCPv6 and just go to SLAAC for both then ULA and GUA will still coexist?
I have two internal DNS servers. Do I need to specify both their respective ULA and GUA addresses in the RA settings, or can I just specify the ULA addresses?
If I need to specify both is there anyway to increase the number of DNS servers that can be configured in the RA settings above three?
-
@kesawi said in Planning for IPv6 /48 allocation:
My question for anyone who may know, is it possible to have two separate concurrent DHCPv6 scopes with pfSense and Windows? If so what do I need to do to get it to work?
I doubt it, as there would be no way to determine which DHCPv6 server was desired.
I assume if I give up on DHCPv6 and just go to SLAAC for both then ULA and GUA will still coexist?
That's what I have. Also, if you have Android devices, you don't want to use DHCPv6. For some idiotic reason, Android doesn't support it.
I have two internal DNS servers. Do I need to specify both their respective ULA and GUA addresses in the RA settings, or can I just specify the ULA addresses?
You can use either GUA or ULA address. However, you don't have to specify an address as pfSense does that by default. It uses its own address, unless you specify otherwise.