IPv6 Router behind router

abuttino · Mar 22, 2021, 1:16 PM

@JKnott Unfortunately, I couldn't end up getting the lan dhcpv6 on the USG to give addresses out. I tried for a solid week.

JKnott · Mar 22, 2021, 3:58 PM

@abuttino

Try capturing the DHCPv6-PD sequence from your ISP.

To do that, shut pfsense down and disconnect the WAN port. Then reboot and run Packet Capture on the WAN port, filtering on DHCPv6. You can filter port 546 or 547. Then reconnect the WAN port. Post the capture here.

abuttino · Mar 23, 2021, 1:10 AM

@jknott

I would like to see @matthewgcampbell 's setup on pfSense DHCPv6 and RA so I can just figure it out from his settings. I am pretty astute.

JKnott · Mar 23, 2021, 1:10 AM

@abuttino

The reason I asked for the capture was to see what the ISP is sending you. A couple of years ago I had a problem that was caused by my ISP. By examining the capture, I was not only able to verify the problem was at the ISP, but also able to identify the failing system by host name.

abuttino · Mar 23, 2021, 7:29 AM

@jknott

Unfortunately, what you are asking, I cannot do. The system is in AZ and I'm visiting NY for another week.

I can definitely tell you pfSense is getting an /56 IPv6. Then turning on pfSense's DHCPv6 server I get a /128 on my Unifi USG WAN port.

What I was hoping is, pfSense would issue a /64 to the downstream router, which the pfSense's DHCP server is configured to give.

This concept is quite new to me, obviously :)

Falling short of screenshots which would give routable IP addresses..

IP Supplied by ISP on WAN
aaaa:bbbb:cccc:92ef:eeee:fffff:fffff:fffff
LAN Track Interface:
aaaa:bbbb:cccc:1300:eeee:ffff:ffff:fffff

From what I remember /56 is:
aaaa:bbbb:cccc::/56
(first 3)

DHCP Prefix delegation From:
aaaa:bbbb:cccc:1300:eeee:ffff:ffff:fffff
To:
aaaa:bbbb:cccc:1400:eeee:ffff:ffff:fffff
RA: Stateless

USG gets:
aaaa:bbbb:cccc:1300:eeee:ffff:ffff:7d1/128

JKnott · Mar 23, 2021, 10:43 AM

@abuttino

Pfsense will create a /64 on the LAN interface. It will not provide anything to a downstream router unless you configure that. You'd then have to configure the downstream router to do something with it. So, your first step would be to configure pfsense to route 1 or more /64s to the downstream router.

abuttino · Mar 23, 2021, 11:04 AM

@JKnott Could have sworn I already did that in the DHCPV6.

JKnott · Mar 23, 2021, 1:35 PM

@abuttino

All DHCPv6 does is provide some addresses to the clients. DHCPv6-PD provides your /56 prefix to Pfsense. Pfsense provides indiviual /64s from your /56 to individual interfaces. Anything beyond that, such has a downstream router, has to be configured in one way or another. One possibility is to configure DHCPv6-PD the LAN or other interface to provide a prefix to the downstream router. The other way is to manually configure routes, unless you want to get into OSPF. Then you have to configure the downstream router. It doesn't just happen automagically.

abuttino · Mar 23, 2021, 1:35 PM

@jknott What it looks to me like you are saying is disable IPv6 on the wan USG and use a port forward for the PD to get it to the LAN side of the USG.

JKnott · Mar 23, 2021, 5:25 PM

@abuttino

No, that is not what I'm saying. What I am saying is that if you want to do what you want, you have to learn about routing. I have done what you want. I have an old Cisco router here. A while ago, I configured pfsense to pass an IPv6 /64 to it. This involved setting up IPv6 routing on both pfsense and the Cisco router to do that. I likewise did the same for IPv4, but in that case, I was just passing on RFC1918 addresses, instead of public addresses from my /56 prefix. Regardless, the principal is the same. If you have a /56, you have the spare prefixes to route to another router. If you wanted, you could do it again to a further downstream router. That's the way network routing works.

BTW, while I did that with manual configuration, I plan to try it with OSPF, as soon as I get a round tuit.

With OSPF or other routing protocols, instead of using manual configuration, routers advertise the networks they know about and also learn about other networks from routers they're connected to. In this case, you'd configure the downstream router to be on whatever part of your /56 you choose and then use OSPF to communicate that to the upstream router. The 2 routers will then work out all the details.

Also, using port forward and NAT is a bad habit resulting from years of IPv4 address shortage. No need for it with IPv6, with the huge address space.

abuttino · Mar 23, 2021, 6:45 PM

@jknott without something tangible (screenshots), and with the amount of time I've already put into it, I feel all this talking is just pissing upwind. I am pretty sure know what to do, but just need to see it.

JKnott · Mar 23, 2021, 7:20 PM

@abuttino

Unfortunately I no longer have that configuration set up, so I can't show you what I did. However, suppose you want to assign your 2nd prefix to the downstream router. First off, you have to manually configure that router on that address with a /64 prefix size. Then you have to go to System/Routing/Static routes to tell pfsense where to send packets for that prefix. You will then have to configure the other router with it's default route pointing back to pfsense. This is basic routing. Why not start with this and see how far you get and come back with more questions. The way I learn best is to try different things. There is also this section of the pfsense book.

BTW, I just checked and I still have the gateway portion. Here it is.

In this example I used Unique Local Addresses (ULA) for the IPv6 route, but Global Unique Addresses (GUA) could be used as well. In fact Link Local addresses could also be used. Your choice. TEST refers to a spare interface on my firewall.

abuttino · Mar 23, 2021, 8:37 PM

@jknott

I need GUA for servers.

JKnott · Mar 24, 2021, 1:09 AM

@abuttino

Don't confuse the end point address with transit addresses. While the end point has to be GUA, the transit networks can be anything.

abuttino · Mar 24, 2021, 5:01 AM

@jknott

Ok, maybe back to the drawing board...

The WAN /56 Prefix:
IPv6 Address
fe80::2222:4444:ffff:dddd%em0
Gateway IPv6
fe80::bbbb:7777:ffff:7777

The LAN Track IP is:
IPv6 Address
2001:579:8144:1111:9999:bbbb:ffff:fxxx
Subnet mask IPv6
64

The DHCPv6 Delegation From:
2001:579:8144:1111::
To:
2001:579:8144:2222::

The USG WAN is getting:
2001:579:8144:1111::771

(obviously anonymized)

So,
What I need to do is add a static route (in pfSense) for the LAN which won't distribute v6 addresses. to the GW address 2001:579:8144:1111::771...

However, that is getting ahead of myself because USG LAN won't delve out a single address on a stateless RA.

Any guesses of what I am obviously doing wrong here? Because ping6 on the usg wan doesn't have internet.

JKnott · Mar 24, 2021, 6:13 PM

@abuttino

You have to plan how you want your network. Start with your /56 prefix and all the /64s. What I did was use 172.16.0.0 /16 for my IPv4 addresses. I then match the 3rd octet with the prefix ID for each local interface. So, my main LAN has 0 for the prefix ID and also the 3rd IPv4 octet. Then decide what you want on the downstream router. For example how many /64s? Next you have to consider how that router is connected to pfsense. I used a separate transit network, with it's own IPv4 and IPv6 prefixes, though you should also be able to just connect it to the main LAN or other interface. My transit network was on my 3rd Ethernet port. Once you have all the addresses figured out, you then have to specify the routes. This means for any address on the downstream router you have to provide a route from pfsense.

Here is what I have just set up on IPv4:

CISCO is the 4th Ethernet port on my Qotom computer. The two lines show the route to two networks on the Cisco router are reachable via gateway 192.168.37.0. Since this is a point to point connection, it has a /31 mask and the Cisco end is 192.168.37.1. This is my transit network to the Cisco router. I also have routing back from the Cisco to pfsense. However, I'm not familiar with your USG router, so I can't help with it. With this, I can ping from a computer (172.16.2.7) on the LAN side of my Cisco router to pfsense on 192.168.37.0.

Once you have IPv4 working, you can do IPv6 (I haven't yet this time, though I had done previously) using the same principles as with IPv4. Since I used 37 for my IPv4 transit network, I'd pick prefix ID 25 on IPv6 to be consistent with my pattern, though any other unused prefix could have been used. I could have also used ULA or link local addresses.

This is something I tossed together to demonstrate what you have to do to get started. I still have to do IPv6 and check the routing fully for IPv4.

Here's what routing looks like from the Cisco end:

Router>en
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

 172.16.0.0/24 is subnetted, 1 subnets

C 172.16.2.0 is directly connected, FastEthernet0/0
192.168.37.0/31 is subnetted, 1 subnets
C 192.168.37.0 is directly connected, FastEthernet1/0

BTW, I have no idea why that 172.16.0.0 line is highlighted. It's not in the terminal app. I'm using Minicom on Linux.

abuttino · Mar 24, 2021, 7:12 PM

@jknott IPv4 never has been a problem. It's just IPv6

JKnott · Mar 24, 2021, 8:04 PM

@abuttino

If you have a /56, configuring the interfaces and routing is exactly the same process. The only difference is the address length. So, get what you want going with IPv4 and duplicate with IPv6, allowing for differences such as SLAAC instead of configuring addresses. As I mentioned, you may want to have the prefix ID match up with the IPv4 subnet to keep things consistent. Another example where I do that is with my guest WiFi/VLAN, where I use prefix ID 3, 3 in the 3rd octet, on VLAN 3. As you work through this and get stuck, I or someone else can offer advice. One other area to watch is in filter rules. Some you can use the same rule for both IPv4 and IPv6. Others, you need separate rules for each. So, plan your networks, do what you need in IPv4 and replicate in IPv6. That should get you started.

Here are some examples. Your /56 is aaa:bbbb:cccc:1300:: to aaaa:bbbb:cccc:13ff:ffff:ffff:ffff:fffff (Not 1400 since you have 256 prefixes, not 257. Also, the :: represents all 0s.). You could match that up with 172.16.0.0 - 172.16.255.255. Then when you set up your networks, you could have 172.16.4.0 /24 and aaa:bbbb:cccc:1304:eeee::/64 on one interface. It's as simple as that when working with IPv4 & IPv6.

matthewgcampbell · Mar 24, 2021, 9:00 PM

My tips for figuring out your IPv6 setup.

Figure out how much is delegated to you by your ISP in my case a /48 (LAB) (ignore the other checked boxes as that only applies to my system)
make sure "start DHCP client in debug mode" is checked
go to status > system logs > DHCP

find this entry
Mar 24 12:04:02 dhcp6c 22277 update a prefix 2001:db8:1::/48 pltime=3600, vltime=3600
I use this website to split my address and I don't fully understand how to do so myself
Divide it into something bigger than /64 as a /64 only allows for one subnet, if that applies to you (if you want more that one IPv6 network behind the USG
So something like this
than spin up a dhcpv6 server with two of those addresses in the "Prefix Delegation Range" section
make sure your router mode is properly set!

and this is unchecked
leases should show up here:

Maybe @JKnott can assist if my tutorial had any errors?

JKnott · Mar 24, 2021, 9:19 PM

@matthewgcampbell

He has a /56, so no need for a calculator. The only variable is the last 8 bits of the prefix, which range from 0 to ff. Very simple. In fact far simpler than IPv4, where the divider can move according to subnet mask.

As I mentioned earlier, the best way to learn is to do. If he has problems, he can ask more questions.