Netgate Discussion Forum
    IPv6 Router behind router

matthewgcampbell @abuttino

@abuttino Yeah, you need to set up a DHCPv6 server on pfSense, as that is the only current implementation that the UDM Pro supports without hacking around. Other than that, the specifics would need to be tuned to your environment, i.e. how big of an IPv6 block is delegated to you from your ISP, how often it changes (mine hasn't changed for 5 years), etc.

abuttino @matthewgcampbell

@matthewgcampbell How did you set up the WAN/LAN on the UDM? WAN DHCPv6, but who issues the DHCPv6 on the UDM? pfSense? UniFi? ID#? PD subnet?

        Do you have any anonymized screenshots (black out subnet data) you can provide?

        I'm just lost here.

matthewgcampbell @abuttino

@abuttino I'll have to put some screenshots and examples together. What exactly does your topology look like? How big is the subnet delegated to you by your ISP?

abuttino @matthewgcampbell

@matthewgcampbell My ISP gives me a /56. Using the DHCPv6 from pfSense, it would only give the USG a /128, no matter what I used on pfSense.

JKnott @abuttino

              @abuttino

              I assume that /128 is your WAN address. That's entirely normal, as it's not used for routing. With IPv6, the link local address is often used for routing.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

abuttino @JKnott

@JKnott Unfortunately, I couldn't end up getting the LAN DHCPv6 on the USG to give addresses out. I tried for a solid week.

JKnott @abuttino

                  @abuttino

                  Try capturing the DHCPv6-PD sequence from your ISP.

To do that, shut pfSense down and disconnect the WAN port. Then reboot and run Packet Capture on the WAN port, filtering on DHCPv6. You can filter on port 546 or 547. Then reconnect the WAN port. Post the capture here.

abuttino @JKnott

                    @jknott

I would like to see @matthewgcampbell's setup on pfSense DHCPv6 and RA so I can just figure it out from his settings. I am pretty astute.

JKnott @abuttino

                      @abuttino

                      The reason I asked for the capture was to see what the ISP is sending you. A couple of years ago I had a problem that was caused by my ISP. By examining the capture, I was not only able to verify the problem was at the ISP, but also able to identify the failing system by host name.

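Decoding the capture JKnott asks for above, as an added example that is not part of the thread: a DHCPv6 REPLY on UDP 546/547 carries the ISP server's DUID (who answered) and an IA_PD option whose IAPREFIX sub-option holds the delegated prefix, its length and its lifetimes (what was delegated), which is exactly what you compare against the /56 you expect. The packet produced by build_sample_reply is constructed, not a real ISP capture, and the helper names are my own.

```python
import ipaddress
import struct

MSG_TYPES = {2: "ADVERTISE", 7: "REPLY"}
OPT_SERVERID, OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 2, 13, 25, 26

def options(buf):
    """Walk a run of DHCPv6 TLV options (2-byte code, 2-byte length, payload)."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        payload = buf[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated option %d" % code)
        yield code, payload
        off += 4 + length

def parse_pd_reply(pkt):
    """Pull out who answered (server DUID) and what was delegated (IA_PD)."""
    out = {"type": MSG_TYPES.get(pkt[0], pkt[0]), "txid": pkt[1:4].hex(),
           "server_duid": None, "prefixes": []}
    for code, payload in options(pkt[4:]):
        if code == OPT_SERVERID:
            out["server_duid"] = payload.hex()      # identifies the ISP's server
        elif code == OPT_IA_PD:
            iaid, t1, t2 = struct.unpack_from("!III", payload, 0)
            for sub, sp in options(payload[12:]):
                if sub == OPT_IAPREFIX:             # pref(4) valid(4) plen(1) prefix(16)
                    pref, valid, plen = struct.unpack_from("!IIB", sp, 0)
                    net = ipaddress.IPv6Network((sp[9:25], plen), strict=False)
                    out["prefixes"].append({"prefix": str(net), "iaid": iaid, "t1": t1,
                                            "t2": t2, "preferred": pref, "valid": valid})
                elif sub == OPT_STATUS:             # status 6 = NoPrefixAvail: no PD
                    out["status"] = struct.unpack_from("!H", sp, 0)[0]
    return out

def opt(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload

def build_sample_reply():
    """Constructed REPLY, not a real capture: DUID-LL server delegating a /56."""
    prefix = ipaddress.IPv6Address("2001:db8:ab00::").packed
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56) + prefix)
    ia_pd = opt(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + iaprefix)
    server_id = opt(OPT_SERVERID, bytes.fromhex("0003000100005e00530a"))
    return bytes([7, 0xAB, 0xCD, 0xEF]) + server_id + ia_pd

if __name__ == "__main__":
    print(parse_pd_reply(build_sample_reply()))
```

A capture with no IA_PD at all, or an IA_PD carrying only a status sub-option, tells you the problem is upstream before you touch the downstream router.
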
abuttino @JKnott

                        @jknott

                        Unfortunately, what you are asking, I cannot do. The system is in AZ and I'm visiting NY for another week.

I can definitely tell you pfSense is getting a /56 IPv6. Then, turning on pfSense's DHCPv6 server, I get a /128 on my UniFi USG WAN port.

                        What I was hoping is, pfSense would issue a /64 to the downstream router, which the pfSense's DHCP server is configured to give.

                        This concept is quite new to me, obviously :)

Falling short of screenshots, which would give routable IP addresses...

                        IP Supplied by ISP on WAN
                        aaaa:bbbb:cccc:92ef:eeee:fffff:fffff:fffff
                        LAN Track Interface:
                        aaaa:bbbb:cccc:1300:eeee:ffff:ffff:fffff

                        From what I remember /56 is:
                        aaaa:bbbb:cccc::/56
                        (first 3)

                        DHCP Prefix delegation From:
                        aaaa:bbbb:cccc:1300:eeee:ffff:ffff:fffff
                        To:
                        aaaa:bbbb:cccc:1400:eeee:ffff:ffff:fffff
                        RA: Stateless

                        USG gets:
                        aaaa:bbbb:cccc:1300:eeee:ffff:ffff:7d1/128

JKnott @abuttino

                          @abuttino

pfSense will create a /64 on the LAN interface. It will not provide anything to a downstream router unless you configure that. You'd then have to configure the downstream router to do something with it. So, your first step would be to configure pfSense to route 1 or more /64s to the downstream router.

abuttino @JKnott

@JKnott Could have sworn I already did that in the DHCPv6.

JKnott @abuttino

                              @abuttino

All DHCPv6 does is provide some addresses to the clients. DHCPv6-PD provides your /56 prefix to pfSense. pfSense provides individual /64s from your /56 to individual interfaces. Anything beyond that, such as a downstream router, has to be configured in one way or another. One possibility is to configure DHCPv6-PD on the LAN or other interface to provide a prefix to the downstream router. The other way is to manually configure routes, unless you want to get into OSPF. Then you have to configure the downstream router. It doesn't just happen automagically.

abuttino @JKnott

@jknott What it looks to me like you are saying is: disable IPv6 on the USG WAN and use a port forward for the PD to get it to the LAN side of the USG.

JKnott @abuttino

                                  @abuttino

No, that is not what I'm saying. What I am saying is that if you want to do what you want, you have to learn about routing. I have done what you want. I have an old Cisco router here. A while ago, I configured pfSense to pass an IPv6 /64 to it. This involved setting up IPv6 routing on both pfSense and the Cisco router to do that. I likewise did the same for IPv4, but in that case, I was just passing on RFC1918 addresses, instead of public addresses from my /56 prefix. Regardless, the principle is the same. If you have a /56, you have the spare prefixes to route to another router. If you wanted, you could do it again to a further downstream router. That's the way network routing works.

                                  BTW, while I did that with manual configuration, I plan to try it with OSPF, as soon as I get a round tuit. 😉

                                  With OSPF or other routing protocols, instead of using manual configuration, routers advertise the networks they know about and also learn about other networks from routers they're connected to. In this case, you'd configure the downstream router to be on whatever part of your /56 you choose and then use OSPF to communicate that to the upstream router. The 2 routers will then work out all the details.

                                  Also, using port forward and NAT is a bad habit resulting from years of IPv4 address shortage. No need for it with IPv6, with the huge address space.

abuttino @JKnott

@jknott Without something tangible (screenshots), and with the amount of time I've already put into it, I feel all this talking is just pissing upwind. I am pretty sure I know what to do, but just need to see it.

JKnott @abuttino

                                      @abuttino

Unfortunately I no longer have that configuration set up, so I can't show you what I did. However, suppose you want to assign your 2nd prefix to the downstream router. First off, you have to manually configure that router on that address with a /64 prefix size. Then you have to go to System/Routing/Static routes to tell pfSense where to send packets for that prefix. You will then have to configure the other router with its default route pointing back to pfSense. This is basic routing. Why not start with this, see how far you get, and come back with more questions? The way I learn best is to try different things. There is also this section of the pfSense book.

                                      BTW, I just checked and I still have the gateway portion. Here it is.

[image attachment: screenshot of the gateway entry, not included in this copy]

                                      In this example I used Unique Local Addresses (ULA) for the IPv6 route, but Global Unique Addresses (GUA) could be used as well. In fact Link Local addresses could also be used. Your choice. TEST refers to a spare interface on my firewall.

abuttino @JKnott

                                        @jknott

                                        I need GUA for servers.

JKnott @abuttino

                                          @abuttino

                                          Don't confuse the end point address with transit addresses. While the end point has to be GUA, the transit networks can be anything.

abuttino @JKnott

                                            @jknott

                                            Ok, maybe back to the drawing board...

                                            The WAN /56 Prefix:
                                            IPv6 Address
                                            fe80::2222:4444:ffff:dddd%em0
                                            Gateway IPv6
                                            fe80::bbbb:7777:ffff:7777

                                            The LAN Track IP is:
                                            IPv6 Address
                                            2001:579:8144:1111:9999:bbbb:ffff:fxxx
                                            Subnet mask IPv6
                                            64

                                            The DHCPv6 Delegation From:
                                            2001:579:8144:1111::
                                            To:
                                            2001:579:8144:2222::

                                            The USG WAN is getting:
                                            2001:579:8144:1111::771

                                            (obviously anonymized)

                                            So,
What I need to do is add a static route (in pfSense) for the LAN, which won't distribute v6 addresses, to the GW address 2001:579:8144:1111::771...

However, that is getting ahead of myself, because the USG LAN won't dole out a single address on a stateless RA.

Any guesses as to what I am obviously doing wrong here? Because ping6 on the USG WAN doesn't have internet.

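The arithmetic behind JKnott's explanation of /56s, /64s and static routes, as an added example that is not part of the thread: the ISP's /56 holds 256 /64s, pfSense takes one for the LAN, and any further /64s handed to the downstream router must lie inside that /56, stay clear of the LAN's /64, and be routed via a next hop that is actually on the LAN. check_plan and pd_blocks are my own helpers using constructed documentation-range addresses, not the poster's network; pd_blocks also refuses a from/to range that spans more /64s than a /56 can hold, which is what a range written across whole hextets works out to.

```python
import ipaddress

MAX_BLOCKS = 256  # a /56 holds exactly 256 /64s; a bigger range cannot fit

def pd_blocks(start, end, size):
    """List the /size prefixes that a from/to delegation range covers."""
    first = ipaddress.IPv6Network((start, size), strict=False)
    last = ipaddress.IPv6Network((end, size), strict=False)
    step = 1 << (128 - size)
    lo, hi = int(first.network_address), int(last.network_address)
    count = (hi - lo) // step + 1
    if hi < lo or count > MAX_BLOCKS:
        raise ValueError("range %s..%s covers %d /%ds; check the hextet arithmetic"
                         % (start, end, count, size))
    return [ipaddress.IPv6Network((lo + i * step, size)) for i in range(count)]

def check_plan(delegated, lan, pd_start, pd_end, pd_size, downstream_gw):
    """Return (findings, routes); empty findings means the plan is consistent.

    routes are (prefix, next hop) pairs for pfSense static routes, one per
    delegated block, all via the downstream router's address on the LAN."""
    isp = ipaddress.IPv6Network(delegated)
    lan_net = ipaddress.IPv6Network(lan, strict=False)
    gw = ipaddress.IPv6Address(downstream_gw)
    findings, routes = [], []
    if not lan_net.subnet_of(isp):
        findings.append("LAN %s is outside the delegated %s" % (lan_net, isp))
    if gw not in lan_net:
        findings.append("next hop %s is not on %s, so the route is unreachable"
                        % (gw, lan_net))
    for blk in pd_blocks(pd_start, pd_end, pd_size):
        if not blk.subnet_of(isp):
            findings.append("PD block %s escapes %s" % (blk, isp))
        elif blk.overlaps(lan_net):
            findings.append("PD block %s overlaps the LAN %s" % (blk, lan_net))
        else:
            routes.append((str(blk), str(gw)))
    return findings, routes

if __name__ == "__main__":
    # Constructed values in the 2001:db8::/32 documentation range, not the
    # poster's network: ISP /56, LAN /64 with prefix ID 1, two /64s for a
    # downstream router whose WAN address on the LAN ends in ::771.
    f, r = check_plan("2001:db8:ab00::/56", "2001:db8:ab00:1::1/64",
                      "2001:db8:ab00:2::", "2001:db8:ab00:3::", 64,
                      "2001:db8:ab00:1::771")
    print("findings:", f or "none")
    for prefix, nexthop in r:
        print("static route %s via %s" % (prefix, nexthop))
```

Each printed route is one entry under System/Routing/Static routes on pfSense, and the downstream router still needs its own LAN prefix and a default route back to pfSense, as JKnott describes.
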
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.