Netgate Discussion Forum

    Subneting my /56 prefix to multiple internal LANs

    IPv6
    • D
      Dough29
      last edited by Dough29

      Hello,

      I'm facing some issues on getting IPv6 working as I want it to work.

      pfSense v2.4.5-p1 virtualized (2 x Intel NIC passthrough from) on a Proxmox v6.2-16 host.

      ISP is Orange (France) giving me a /56 prefix.

      What I've done :

      • WAN : to my bridged modem

        • General Configuration
          • IPv6 Configuration Type: DHCP6 (adv_dhcp6_config_advanced)
        • DHCP6 Client Configuration
          • Options
            • Advanced Configuration (I have to send raw-option 11 to authenticate with the ISP)
          • By reading the code in /etc/inc/interfaces.inc it looks like the 2 next options are useless since the Advanced Configuration option is checked
            • Request only an IPv6 prefix : yes (dhcp6prefixonly)
            • DHCPv6 Prefix Delegation size : 56 (dhcp6-ia-pd-len = 8)
        • Advanced DHCP6 Client Configuration
          • Send options
            • ia-pd 0
            • raw-option 15 (user class)
            • raw-option 16 (vendor class)
            • raw-option 6 (option request 11 - authentication, 17 - vendor-specific information, 23 - DNS recursive name server, 24 - domain search list)
            • raw-option 11 (authenticate with ISP)
          • Identity Association Statement
            • Prefix Delegation : yes (adv_dhcp6_id_assoc_statement_prefix_enable)
            • id-assoc pd ID : 0 (adv_dhcp6_id_assoc_statement_prefix_id)
            • IPv6 prefix : ::/56 (adv_dhcp6_id_assoc_statement_prefix)
            • pltime : infinity (adv_dhcp6_id_assoc_statement_prefix_pltime)
          • Prefix interface statement
            • Prefix Interface sla-id : 0 (adv_dhcp6_prefix_interface_statement_sla_id)
            • sla-len : 8 (adv_dhcp6_prefix_interface_statement_sla_len)
          • Prefix Interface : WAN (adv_dhcp6_prefix_selected_interface)
      • LAN1

        • General Configuration
          • IPv6 Configuration Type : Static IPv6 (type6)
        • Static IPv6 Configuration
          • IPv6 address : 2a01:aaaa:bbbb:1::1/64 (ipaddrv6/subnetv6)
      • LAN2

        • General Configuration
          • IPv6 Configuration Type : Static IPv6 (type6)
        • Static IPv6 Configuration
          • IPv6 address : 2a01:aaaa:bbbb:2::1/64 (ipaddrv6/subnetv6)

      With this, clients on the LAN1, LAN2, ... side are given their IPv6 address with SLAAC : fine !

      Subnets can be from 2a01:aaaa:bbbb:0000::/64 to 2a01:aaaa:bbbb:00ff::/64 without any issue.

      My issues came when I wanted to get rid of writing down the prefix for each LAN interface : I tried to switch IPv6 Configuration Type to Track Interface WAN.

      I was thinking the WAN interface was getting the full /56 prefix and then each internal interface would get its own /64 subnet from it (just have to set prefix ID between 0 and FF) : wrong, my clients won't get an IP anymore 😬

      There is something I do wrong... but what ?

      I've read the code for the Track Interface option and I've seen that, if the WAN interface is not itself setup with the option "track6-interface" nothing will happen.

      function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = false) {
      	[...]
      	/* If the interface is not configured via another, exit */
      	if (empty($wancfg['track6-interface'])) {
      		return;
      	}
      	[...]
      }
      

      The interface_track6_configure function is called each time you set an interface as "track6" and it looks like it's checking if the WAN interface is also tracking another interface 😳

      Do I have to set the /56 prefix on another interface than WAN and then make the WAN interface track it ?

      What would be the configuration like if I want to give each of my LANs a /64 prefix that can feed their clients with SLAAC ?

      Thanks for reading, sorry if something is not clear enough, maybe someone can help me get this to work

      • JKnottJ
        JKnott
        last edited by

        I have my prefix size on the WAN interface as /56 and I set the LAN interfaces to the prefix ID and IPv6 interface to WAN. However, I think your problem is you selected static for IPv6 configuration type, when you should be using track interface. This tells pfsense to use the selected /64 for that LAN. Also, I don't use the DHCP6 client advanced options at all. Do you need them for your ISP?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • D
          Dough29 @JKnott
          last edited by

          @JKnott said in Subneting my /56 prefix to multiple internal LANs:

          I have my prefix size on the WAN interface as /56 and I set the LAN interfaces to the prefix ID and IPv6 interface to WAN. However, I think your problem is you selected static for IPv6 configuration type, when you should be using track interface. This tells pfsense to use the selected /64 for that LAN.

          I can't get it to work when selecting "Track Interface" on the LAN interfaces...

          @JKnott said in Subneting my /56 prefix to multiple internal LANs:

          Also, I don't use the DHCP6 client advanced options at all. Do you need them for your ISP?

          Yes I need to send some raw-options to authenticate with the ISP so I need to use Advanced Configuration.

          But it looks like using Advanced Configuration causes some features to be ignored.

          • D
            Dough29
            last edited by

            What is the "best practice" for delegating a /56 subnet on a pfSense router ?

            The WAN interface is the one doing the DHCP6C stuff to retrieve the /56 prefix from ISP. Can we say "the /56 prefix is on the WAN interface (without assigning it any IPv6 as it would burn out a /64 for nothing...)" ?

            Does DHCP6C need to know how to give /64 subnets to each LAN side interface ?

            Does DHCP6C know how to give a /64 prefix to an interface because that interface is in "Configuration type" = "Track Interface WAN + <prefix ID>" ?

            If yes then pfSense might add to the "/var/etc/dhcp6c_<iface>.conf" file something like :

            prefix-interface <iface> {
                    sla-id 0;
                    sla-len 8;
            };
            

            in the "id-assoc pd" statement ?

            • JKnottJ
              JKnott @Dough29
              last edited by

              @Dough29

              Actually, the WAN address likely has nothing to do with the prefix. When pfsense receives the prefix it's available for use on the LANs. This is done with the prefix ID on each LAN interface. With a /56, the choices range from 0 to ff, with each being used only once. I try to arrange things so that numbers match up. For example my IPv4 NAT addresses are in the 172.16.0.0 block, with the 3rd octet matching the prefix ID. So, my main LAN has prefix ID 0 and 3rd octet 0. My guest WiFi is on ID 3 and octet 3. Further since it uses a VLAN to carry the 2nd SSID to the AP, it uses VLAN 3. Etc..

              • D
                Dough29
                last edited by

                Ok, by the way how do we know pfSense successfully received the prefix on the WAN interface ?

                Doesn't pfSense have to write something in the "/var/etc/dhcp6c_wan.conf" file ?

                In this file for now I have :

                interface em0 {
                	send ia-pd 0;
                	send raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33;
                	send raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d;
                	send raw-option 6 00:0b:00:11:00:17:00:18;
                	send raw-option 11 00:00:00:00:[...]:00:00:00:00;
                	script "/var/etc/dhcp6c_wan_script.sh";
                };
                id-assoc pd 0 { 
                	prefix ::/56 infinity;
                };
                
                • em0 is my WAN interface
                • option 15 is user class (Livebox Internet for Orange french ISP)
                • option 16 is vendor class (Sagem for Orange french ISP)
                • option 6 is option request
                  • 11 authentication
                  • 17 vendor-specific information
                  • 23 DNS recursive name server
                  • 24 domain search list
                • option 11 is authentication

                With this I have IPv6 working ONLY if I manually set a static IPv6 /64 subnet on the LAN interfaces... If I set it to "Track - WAN - Interface" the LAN interfaces never get an IPv6 /64 subnet...

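A decoder for the `send raw-option` payloads listed in the post above, added here as an example (it is not code from pfSense, dhcp6c or the poster). It assumes the RFC 8415 layouts for options 6, 15 and 16; the function names are made up for this sketch, and option 11 is skipped because its value is elided in the post.

```python
import re
import struct

# The three complete raw-option lines, copied from the dhcp6c_wan.conf posted
# above. Option 11 appears there only as "[...]", so it is left out.
CONF = """\
send raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33;
send raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d;
send raw-option 6 00:0b:00:11:00:17:00:18;
"""


def raw_options(conf_text):
    """Return {option_code: payload_bytes} for every 'send raw-option' line."""
    pattern = r"send\s+raw-option\s+(\d+)\s+([0-9A-Fa-f:]+)\s*;"
    return {
        int(code): bytes.fromhex(hexstr.replace(":", ""))
        for code, hexstr in re.findall(pattern, conf_text)
    }


def _length_prefixed(data):
    """Split a run of (16-bit length, data) items; reject truncated input."""
    items, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (size,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if pos + size > len(data):
            raise ValueError("item length %d runs past end of option" % size)
        items.append(data[pos:pos + size])
        pos += size
    return items


def decode_option_request(payload):
    """Option 6: a list of 16-bit option codes the client asks the server for."""
    if len(payload) % 2:
        raise ValueError("option request payload must be a multiple of 2 bytes")
    return list(struct.unpack("!%dH" % (len(payload) // 2), payload))


def decode_user_class(payload):
    """Option 15: one or more length-prefixed opaque user class strings."""
    return _length_prefixed(payload)


def decode_vendor_class(payload):
    """Option 16: 32-bit enterprise number, then length-prefixed class data."""
    if len(payload) < 4:
        raise ValueError("vendor class payload shorter than enterprise number")
    (enterprise,) = struct.unpack_from("!I", payload)
    return enterprise, _length_prefixed(payload[4:])


def decode(conf_text):
    """Decode the three options this sketch understands."""
    opts = raw_options(conf_text)
    return {
        "requested": decode_option_request(opts[6]),
        "user_class": decode_user_class(opts[15]),
        "vendor_class": decode_vendor_class(opts[16]),
    }


if __name__ == "__main__":
    for name, value in decode(CONF).items():
        print(name, value)
```

A length field that disagrees with the bytes that follow raises `ValueError`, which catches a hand-edited hex string before it is sent on the WAN.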
                • JKnottJ
                  JKnott @Dough29
                  last edited by

                  @Dough29 said in Subneting my /56 prefix to multiple internal LANs:

                  With this I have IPv6 working ONLY if I manually set a static IPv6 /64 subnet on the LAN interfaces... If I set it to "Track - WAN - Interface" the LAN interfaces never get an IPv6 /64 subnet...

                  It sounds like there may be something weird with Orange. I have no experience with them.

                  • D
                    Dough29
                    last edited by

                    Does the content of file "/var/etc/dhcp6c_wan.conf" look good to you if I have :

                    • WAN (em0) in DHCP6 mode
                    • LAN (em1) in Track Interface WAN prefix ID 1
                    • OPT1 (em1.10) in Track Interface WAN prefix ID 10
                    • OPT2 (em1.20) in Track Interface WAN prefix ID 20

                    ?

                    In DHCP6C logs I can see the prefix retrieved :

                    Dec 1 21:07:14 	dhcp6c 	23909 	send solicit to ff02::1:2%em0
                    Dec 1 21:07:14 	dhcp6c 	23909 	freeing op data at 0x800e732d0
                    Dec 1 21:07:14 	dhcp6c 	23909 	freeing op data at 0x800e1f040
                    Dec 1 21:07:14 	dhcp6c 	23909 	freeing op data at 0x800e15048
                    Dec 1 21:07:14 	dhcp6c 	23909 	freeing op data at 0x800e28050
                    Dec 1 21:07:14 	dhcp6c 	23909 	reset a timer on em0, state=SOLICIT, timeo=0, retrans=1004
                    Dec 1 21:07:15 	dhcp6c 	23909 	receive advertise from fe80::ba0:bab%em0 on em0
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option IA_PD, len 41
                    Dec 1 21:07:15 	dhcp6c 	23909 	IA_PD: ID=0, T1=89310, T2=207360
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option IA_PD prefix, len 25
                    Dec 1 21:07:15 	dhcp6c 	23909 	IA_PD prefix: 2a01:aaaa:bbbb::/56 pltime=259200 vltime=259200
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option server ID, len 20
                    Dec 1 21:07:15 	dhcp6c 	23909 	DUID: 00:02:00:00:05:58:44:45:53:48:41:59:45:53:53:55:44:52:4f:54
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option client ID, len 14
                    Dec 1 21:07:15 	dhcp6c 	23909 	DUID: 00:01:00:01:27:56:36:8a:00:1b:21:32:24:45
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option authentication, len 27
                    Dec 1 21:07:15 	dhcp6c 	23909 	proto: unknown(0), alg: unknown(0), RDM: mono counter, RD: 0000 0000 0000 0000
                    Dec 1 21:07:15 	dhcp6c 	23909 	Discarding null authentication
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option preference, len 1
                    Dec 1 21:07:15 	dhcp6c 	23909 	preference: 255
                    Dec 1 21:07:15 	dhcp6c 	23909 	server ID: 00:02:00:00:05:58:44:45:53:48:41:59:45:53:53:55:44:52:4f:54, pref=255
                    Dec 1 21:07:15 	dhcp6c 	23909 	Sending Request
                    Dec 1 21:07:15 	dhcp6c 	23909 	a new XID (b2fff3) is generated
                    Dec 1 21:07:15 	dhcp6c 	23909 	set client ID (len 14)
                    Dec 1 21:07:15 	dhcp6c 	23909 	set server ID (len 20)
                    Dec 1 21:07:15 	dhcp6c 	23909 	set elapsed time (len 2)
                    Dec 1 21:07:15 	dhcp6c 	23909 	set IA_PD prefix
                    Dec 1 21:07:15 	dhcp6c 	23909 	set IA_PD
                    Dec 1 21:07:15 	dhcp6c 	23909 	raw option 15 length 45 at 0x800e73240
                    Dec 1 21:07:15 	dhcp6c 	23909 	set user class (len 45)
                    Dec 1 21:07:15 	dhcp6c 	23909 	raw option 16 length 11 at 0x800e73270
                    Dec 1 21:07:15 	dhcp6c 	23909 	set vendor class (len 11)
                    Dec 1 21:07:15 	dhcp6c 	23909 	raw option 6 length 8 at 0x800e732a0
                    Dec 1 21:07:15 	dhcp6c 	23909 	set option request (len 8)
                    Dec 1 21:07:15 	dhcp6c 	23909 	raw option 11 length 70 at 0x800e732d0
                    Dec 1 21:07:15 	dhcp6c 	23909 	set authentication (len 70)
                    Dec 1 21:07:15 	dhcp6c 	23909 	send request to ff02::1:2%em0
                    Dec 1 21:07:15 	dhcp6c 	23909 	freeing op data at 0x800e73210
                    Dec 1 21:07:15 	dhcp6c 	23909 	freeing op data at 0x800e1f060
                    Dec 1 21:07:15 	dhcp6c 	23909 	freeing op data at 0x800e15048
                    Dec 1 21:07:15 	dhcp6c 	23909 	freeing op data at 0x800e28320
                    Dec 1 21:07:15 	dhcp6c 	23909 	reset a timer on em0, state=REQUEST, timeo=0, retrans=924
                    Dec 1 21:07:15 	dhcp6c 	23909 	receive reply from fe80::ba0:bab%em0 on em0
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option IA_PD, len 41
                    Dec 1 21:07:15 	dhcp6c 	23909 	IA_PD: ID=0, T1=84771, T2=207360
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option IA_PD prefix, len 25
                    Dec 1 21:07:15 	dhcp6c 	23909 	IA_PD prefix: 2a01:aaaa:bbbb::/56 pltime=259200 vltime=259200
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option server ID, len 20
                    Dec 1 21:07:15 	dhcp6c 	23909 	DUID: 00:02:00:00:05:58:44:45:53:48:41:59:45:53:53:55:44:52:4f:54
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option client ID, len 14
                    Dec 1 21:07:15 	dhcp6c 	23909 	DUID: 00:01:00:01:27:56:36:8a:00:1b:21:32:24:45
                    Dec 1 21:07:15 	dhcp6c 	23909 	get DHCP option authentication, len 27
                    Dec 1 21:07:15 	dhcp6c 	23909 	proto: unknown(0), alg: unknown(0), RDM: mono counter, RD: 0000 0000 0000 0000
                    Dec 1 21:07:15 	dhcp6c 	23909 	Discarding null authentication
                    Dec 1 21:07:15 	dhcp6c 	23909 	dhcp6c Received REQUEST
                    Dec 1 21:07:15 	dhcp6c 	23909 	make an IA: PD-0
                    Dec 1 21:07:15 	dhcp6c 	23909 	create a prefix 2a01:aaaa:bbbb::/56 pltime=140733193647232, vltime=140733193647232
                    Dec 1 21:07:15 	dhcp6c 	23909 	executes /var/etc/dhcp6c_wan_script.sh
                    Dec 1 21:07:19 	dhcp6c 	23909 	script "/var/etc/dhcp6c_wan_script.sh" terminated
                    Dec 1 21:07:19 	dhcp6c 	23909 	removing an event on em0, state=REQUEST
                    Dec 1 21:07:19 	dhcp6c 	23909 	removing server (ID: 00:02:00:00:05:58:44:45:53:48:41:59:45:53:53:55:44:52:4f:54)
                    Dec 1 21:07:19 	dhcp6c 	23909 	got an expected reply, sleeping. 
                    
                    • JKnottJ
                      JKnott
                      last edited by

                      Mine looks nothing like that. I have a shell script.

                      more /var/etc/dhcp6c_wan.conf
                      interface em0 {
                      send ia-na 0; # request stateful address
                      send ia-pd 0; # request prefix delegation
                      request domain-name-servers;
                      request domain-name;
                      script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
                      };
                      id-assoc na 0 { };
                      id-assoc pd 0 {
                      prefix ::/56 infinity;
                      prefix-interface bge0 {
                      sla-id 0;
                      sla-len 8;
                      };
                      prefix-interface bge0.3 {
                      sla-id 3;
                      sla-len 8;
                      };
                      prefix-interface re0 {
                      sla-id 4;
                      sla-len 8;
                      };
                      };

                      • D
                        Dough29
                        last edited by

                        As I can see I'm missing the "prefix-interface" statements in "id-assoc pd"...

                        Looks like when you check the "Advanced configuration" you are losing the "Track Interface" configuration from all LAN interfaces...

                        With my ISP I can't do without using the "Advanced" option...

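One way to check a generated dhcp6c_wan.conf for the gap identified above, added here as an example (not pfSense's or the posters' own code): it lists the `prefix-interface` statements and computes the /64 each one would assign. The two config samples are trimmed from the files posted in this thread, the function names are hypothetical, and applying the log's anonymised 2a01:aaaa:bbbb::/56 to the second poster's layout is an assumption, since that poster's own prefix is not shown.

```python
import ipaddress
import re

# Trimmed from the first poster's file: "Advanced Configuration" output,
# with no prefix-interface statements inside id-assoc pd.
CONF_ADVANCED = """\
interface em0 {
	send ia-pd 0;
	script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc pd 0 {
	prefix ::/56 infinity;
};
"""

# Trimmed from the second poster's file: one prefix-interface per tracking LAN.
CONF_TRACKING = """\
interface em0 {
	send ia-na 0; # request stateful address
	send ia-pd 0; # request prefix delegation
	script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
	prefix ::/56 infinity;
	prefix-interface bge0 {
		sla-id 0;
		sla-len 8;
	};
	prefix-interface bge0.3 {
		sla-id 3;
		sla-len 8;
	};
	prefix-interface re0 {
		sla-id 4;
		sla-len 8;
	};
};
"""

# Anonymised delegated prefix as it appears in the DHCP6C log in this thread.
DELEGATED = ipaddress.IPv6Network("2a01:aaaa:bbbb::/56")


def prefix_interfaces(conf_text):
    """Return {ifname: (sla_id, sla_len)} for each prefix-interface statement."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments before matching
    found = {}
    for name, body in re.findall(r"prefix-interface\s+(\S+)\s*\{(.*?)\}", text, re.S):
        sla_id = re.search(r"sla-id\s+(\d+)\s*;", body)    # decimal in dhcp6c.conf
        sla_len = re.search(r"sla-len\s+(\d+)\s*;", body)
        if not sla_id or not sla_len:
            # This sketch requires both values to be written out explicitly.
            raise ValueError("prefix-interface %s lacks sla-id or sla-len" % name)
        found[name] = (int(sla_id.group(1)), int(sla_len.group(1)))
    return found


def child_prefix(delegated, sla_id, sla_len):
    """Place sla_id in the sla_len bits that follow the delegated prefix."""
    new_len = delegated.prefixlen + sla_len
    if new_len > 64:
        raise ValueError("/%d leaves no room for a 64-bit interface ID" % new_len)
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError("sla-id %d does not fit in %d bits" % (sla_id, sla_len))
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (sla_id << (128 - new_len)), new_len))


def audit(conf_text, delegated, tracking):
    """Map each tracking interface to its subnet, or None if none is assigned."""
    stmts = prefix_interfaces(conf_text)
    return {
        ifname: child_prefix(delegated, *stmts[ifname]) if ifname in stmts else None
        for ifname in tracking
    }


if __name__ == "__main__":
    for label, conf, ifaces in (
        ("advanced", CONF_ADVANCED, ["em1", "em1.10", "em1.20"]),
        ("tracking", CONF_TRACKING, ["bge0", "bge0.3", "re0"]),
    ):
        for ifname, net in audit(conf, DELEGATED, ifaces).items():
            print(label, ifname, net if net else "no prefix-interface statement")
```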
                        • GertjanG
                          Gertjan
                          last edited by Gertjan

                          @Dough29 said in Subneting my /56 prefix to multiple internal LANs:

                          ISP is Orange (France) giving me a /56 prefix.

                          Oh, man, you have my attention here.

                          I tell you up front that the most persistent phrase in this thread is, up until now :

                          @JKnott said in Subneting my /56 prefix to multiple internal LANs:

                          It sounds like there may be something weird with Orange.

                          @JKnott : you're not even close. But heading in the right direction.

                          First things first : I'm not an IPv6 expert.

                          I 'own and maintain' 2 Orange Internet connections in France, using a Livebox Pro v4 at work, and a Livebox 4 at home.

                          The Pro box is really pro : no IPv6 whatsoever.
                          The only pro thing about it is that my IPv4 is static (I guess, it never changes). The pro is more expensive. Dunno why.
                          I do not use TV or phone equipment. Nor the built-in Wifi.
                          Just the VDSL (modem) part.

                          At home, because I live in the middle of nowhere : just ADSL. I don't use the (VOIP) phone, the TV or the Wifi of this Livebox v4 router.
                          This one has IPv6 capabilities.
                          From what I know : they do somewhat reserve a /56 or even a /48 (?) for the connection/livebox but they only assign the first /64 to the LAN.
                          No other /64 blocks can be accessed / routed / passed on to a more qualified downstream router (pfSense).

                          edit : I think they allocate a /56 for everybody, which is fine, although a /48 is more standard. Still, they only support a (one !) routed /64.

                          I have a privileged access to their support system but even after a decade or two ( !!) of asking, they still consider that a single /64 is - I quote :
                          " more than enough as 2^64 is huge".
                          Don't laugh.

                          When I explain I have multiple LANs, things get quiet.
                          I already understood, for a home set-up, I'm asking too much.
                          But wait : they sell also "professional connections" - I use one of those. These are 'one LAN' only, also. Just put a router behind our router, this is where pfSense comes into play here, and "you'll be fine !"
                          Me : "Right, guys, that IPv4 question - more than one network - has been solved at the end of the last century. Now I'm talking about multiple IPv6 networks ...."

                          @Dough29 said in Subneting my /56 prefix to multiple internal LANs:

                          What is the "best practice" for delegating a /56 subnet on a pfSense router ?

                          As said, I'm using right now a /48.
                          Works as the books stated : cut out a /64, assign it to an LAN type interface - set up a DHCPD IPv6 pool and done.
                          At least, tunnel.he.net works that way. he.net, as they said, uses the related RFCs, no other things have to be invented.

                          Once in a while I 'scan' the news on the French blogs/messages/forums about IPv6 in France, and how to do it with Orange (I know others like Free are doing more for IPv6)
                          For that matter : The Openone (cloned from pfSense years ago), being based in Europe, is more aware of this subject.
                          It is possible to use the IPv6 from Orange using pfSense, with the "send raw-option" stuff you mentioned above.
                          What I understood : start a vanilla FreeBSD 11.2 VM, install the tools for make / compile / link and patch dhcp6d. Use this binary to replace the existing one.
                          As far as I know, things won't go better than obtaining a single /64 out of Orange.
                          It's a 'prefix 0', and that's it.

                          Don't forget that the Orange boxes (Livebox) have only one physical LAN port (and a 5 port switch put in front of it), thus using one IPv4 network.
                          Asking for more than one /64 doesn't make sense for that box.

                          Using your own modem ? That was accepted back then. Totally not supported today.
                          I also think their VDSL is proprietary (partially RFC).
                          And look at the way they handle DHCP6 ! ( I guess they have their reasons).

                          @Dough29 said in Subneting my /56 prefix to multiple internal LANs:

                          WAN : to my bridged modem

                          What is this device ?
                          I could consider to go back to a modem type - pppoe is crap, but all I need, as long as fibre isn't there yet.

                          Btw : I'm really hoping that I'm completely wrong here.

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          • D
                            Dough29
                            last edited by

                            @Gertjan thank you for all this information !

                            I also don't use the TV or Voice over IP services.

                            My line is VDSL2 (Sosh), I have fixed IPv4 (for now it never changed / DHCPv4 in pfSense) behind a Netgear DM200 modem in bridge mode, custom firmware : https://github.com/dough29/openwrt-netgear-dm200-bridge

                            I can use the whole /56 prefix Orange gives me (see DHCP6C log / 2a01:aaaa:bbbb:0::/64 to 2a01:aaaa:bbbb:ff::/64) and expose services without any problem....

                            • GertjanG
                              Gertjan
                              last edited by

                              It's me thanking you !

                              So, I can put that ISP router (livebox) where it belongs : in its box - and use some other device like the "Netgear DM200" that supports VDSL2 - Orange - Sosh is for me the same thing as Orange btw.
                              Good news !

                              @Dough29 said in Subneting my /56 prefix to multiple internal LANs:

                              I can use the whole /56 prefix Orange gives me

                              But you have to hard code the LANs with /64 networks.
                              What happens if Orange decides to change the IPv6 prefix ?? (answer : all your IPv6 will break and you have to redo the static settings. That would be a definite show stopper).

                              I understand why you want tracking to work.

                              • D
                                Dough29
                                last edited by

                                Yep the Livebox is in its box since the day I received it, never opened the parcel 🤣

                                For now, from pfSense WEB UI, I have to put each LAN in "Static IPv6" and give it a 2a01:aaaa:bbbb:<prefix ID>::/64 subnet by hand...

                                So you are right, tomorrow if the prefix changes... everything will break !

                                To solve that I was thinking the "Track Interface" feature will do the job but it seems to be broken when using DHCP6C in "Advanced Configuration" on the WAN side...

                                • D
                                  Dough29
                                  last edited by

                                  Hello there.

                                  I gave a try again on using my ::/56 prefix with the option "Track interface" on my LAN interfaces.

                                  This time I got through the code and the answer is simple : when you have "Advanced Configuration" checked (so we can add send options for example) there is no code that could handle the LAN interfaces using "Track interface" for IPv6.

                                  In interfaces.inc we come in function interface_dhcpv6_configure and go to subfunction DHCP6_Config_File_Advanced that doesn't handle the "Track interface" option.

                                  Is it something missing ? Or is this related to a RFC or other thing ?

                                  For now I'm still using the "Configuration Override" option so I have to handle the config file by myself...

                                  • GertjanG
                                    Gertjan @Dough29
                                    last edited by Gertjan

                                    @Dough29

                                    What Livebox are you using ?
                                    I'm using the "6" - firmware Version SG60-fr-G03.R00.C01_02.

                                    pfSense Interface WAN : I've set the "IPv6 Configuration Type" to "DHCP6".
                                    My DHCP6 client (on WAN interface) settings :

                                    0ab0615c-878d-4b7d-9ff5-2dddafa403ea-image.png

                                    The LAN interface "IPv6 Configuration Type" is set to "Tracking".

                                    4cb53b08-79c1-4d9b-a701-5fcba3318215-image.png

                                    You see the "(hexadecimal from 0 to 0)" ?
                                    This doesn't mean 'nothing or zero' but there is one prefix available.
                                    And that's the first part of the issue right now.
                                    AFAIK : You can do what you want with the (dhcp6c) settings, the Livebox will only give ONE prefix to a downstream router (pfSense) that asks for one or more prefix.

                                    On the Livebox side :

                                    bea75026-34b2-447a-b7ac-97bc33587d9e-image.png

                                    It says - what I make of it - that it has a /56 available. That's 256 prefixes of /64 - great.
                                    It gave prefix number "0xdc" to the device called pfSense, the MAC shown is the MAC of my pfSense WAN interface.
                                    So, my prefix isn't number zero, but number "0xdc" or 220 decimal.
                                    Note : whatever I do : I always get that prefix - my Orange Ipv6 never changed since I joined the fiber, end of last year.

                                    The "2a01:cb19:xxx:a6dc::/64" is mapped to my LAN interface, and the DHCP6 server on the LAN page can use a IPv6 pool from this prefix to hand over IPv6 to LAN clients.

                                    fc4c4ea4-1281-48c8-a958-d97a18364268-image.png

                                    This part works : outgoing IPv6 traffic is ok. Most LAN initiated traffic is now IPv6, it was already the case for local traffic, but now also for outgoing traffic.
                                    For example : I'm posting on this forum for years now using only IPv6.

                                    What doesn't work :
                                    The Livebox firewall : whatever I do, I can't set up IPv6 rule so I can contact a LAN based device using 2a01:cb19:xxx:a6dc::/64, for example 2a01:cb19:xxx:a6dc::88 (a NAS).

                                    pfSense only obtains one (1) prefix with the size of a /64, not more.
                                    edit : I'm not a dhcp6v expert - I've tried to craft my own dhcp6c config file .....
                                    The Livebox can probably give another /64 to another router attached to its LAN ports .... but that doesn't make sense. I'm not going to add another pfSense to my Livebox so I can make available to a second LAN .....

                                    edit : my conclusion : IPv6 works for classic home IPv6 usage : just one LAN. And you can't reach these IPv6 from the Internet, as I could do with IPv4 (that still works).
                                    And no, I'm not going to even try "NAT" IPV6 ......

                                    • D
                                      Dough29 @Gertjan
                                      last edited by

                                      @Gertjan I'm not using the Livebox, it's left in its box 😊

                                      I'm using a NetGear DM200 Modem in bridge mode to give pfSense the full control of the line.

                                      • GertjanG
                                        Gertjan @Dough29
                                        last edited by

                                        @Dough29

                                        Interesting.
                                        You are using the phone ?
                                        TV ?

                                        • D
                                          Dough29 @Gertjan
                                          last edited by

                                          @Gertjan I have no need for phone or TV but some are doing well on this. You can check on forum lafibre.info for this 😎

                                          • GertjanG
                                            Gertjan @Dough29
                                            last edited by

                                            @Dough29 said in Subneting my /56 prefix to multiple internal LANs:

                                            forum lafibre.info

                                            That's where I go to check if any progress exists

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.