Netgate Discussion Forum

IPv6 Help / tutorial / something please!

25 Posts 5 Posters 1.8k Views
  • M
    maverickws
    last edited by Jan 22, 2021, 8:49 PM

    Hi all,

    I'm coming as a bit of a noob on IPv6, I'm ok with v4 but not so much on this new version.

    So we got a /64 network from our provider and a gateway inside that /64. I can add an address to WAN and select the GW; it works, I get connectivity from the WAN interface.

    What is the most correct way to now give IPv6 to the machines on the inside interfaces?

    Should I part the /64 in minor subnets?
    Also, having CARP should I add IPv6 config to CARP?

    Thank you.

    • J
      JKnott
      last edited by Jan 22, 2021, 9:04 PM

      @maverickws said in IPv6 Help / tutorial / something please!:

      on this new version

      New? I first read about IPv6 in the April 1995 issue of Byte magazine. I've also been running it at home for almost 11 years.

      One thing different with IPv6 is your firewall/router can take a large prefix, I have a /56, and split it into multiple /64s. To do this, you'll need a bigger prefix than a single /64. Then you'd use DHCPv6-PD to get your prefixes, and then configure pfsense to provide a prefix ID to each interface. Can you get something other than a /64 from your ISP?

      Incidentally, one thing you may notice is your WAN address has absolutely nothing to do with your LAN prefixes. This is entirely normal and you may also find that WAN address isn't even used for routing, as link local addresses are often used.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • M
        maverickws @JKnott
        last edited by Jan 25, 2021, 12:21 PM

        Hi @jknott thanks for your reply!

        Well... "new". Right! :) New in the sense that it's still not properly implemented everywhere and efforts are still being made for it to be generally available.

        My DC only gives me a /64. I thought about parting it in /68 subnets, which should result in 16 /68 subnets. Is this feasible?

        • J
          JKnott @maverickws
          last edited by Jan 25, 2021, 1:52 PM

          @maverickws

          I thought about parting it in /68 subnets, which should result in 16 /68 subnets. Is this feasible?

          That will break things. IPv6 was designed with the idea that an address consists of a 64 bit network address and a 64 bit host address. Stuff like SLAAC depends on that.

          When you get that /64, is your modem in bridge or gateway mode? Pfsense requires bridge mode to work properly.

          • M
            maverickws @JKnott
            last edited by Jan 25, 2021, 2:23 PM

            @jknott I must say I have enormous questions about why the heck a /64 (which corresponds to 18 446 744 073 709 551 616 addresses) is the "standard". Even so, attributing /64s to customers, the inability to part the /64 into smaller subnets and use them without "breaking things" is something that dazzles me.

            Now, in regards to my situation, we don't have any bridged config on our pfsense. The current setup is two pfsense routers with CARP/HA and a /28 IPv4 network and we use NAT 1:1 to forward traffic to the desired servers.

            • ?
              A Former User @maverickws
              posted Jan 25, 2021, 2:26 PM, last edited by A Former User Jan 25, 2021, 2:34 PM

              @maverickws A /64 is a network. That's how it is defined. It's shocking that ISPs continue to hand out only one network. You can look into using a tunnel broker, such as Hurricane Electric, who will give you a static /48. The cost is an increase in latency, usually small. Not sure how that impacts you; there is an endpoint in Lisbon.

              https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html

              • M
                maverickws @A Former User
                last edited by Jan 25, 2021, 2:52 PM

                @jwj I'm sorry mate I didn't get your reply. I know /64 is a network.

                • ?
                  A Former User @maverickws
                  last edited by Jan 25, 2021, 3:00 PM

                  @maverickws My point was that the definition of a /64 as a network isn't the problem, it's getting only one /64 that is a problem. Sorry for the confusion. ISPs can easily give more, no reason to not do so.

                  You can explore using a tunnel broker to see if that would work in your situation.

                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Jan 25, 2021, 3:03 PM

                    @maverickws Stop thinking about the number of addresses on a subnet. You never have to think about that again. They are all /64 and it is impossible (Yes, I said impossible) to put that many devices on a single network segment.

                    Think about an IPv6 assignment as the number of /64 networks you can service so:

                    /64-/56 = 8 bits or 256 /64 networks
                    /64-/48 = 16 bits or 65536 /64 networks

                    To extend:
                    /64 - /64 = 0 bits or 0 /64 networks, which is where you find yourself.

                    Your ISP needs to assign a WAN address to you in some fashion and route a /56, /48, etc to you there. You can then further assign /64s out of that or do whatever you want. (To appease @JKnott, Yes, they can just route to your link-local WAN address if they can get it all provisioned correctly. And, in this case, they would have to if you are going to be putting the single /64 you have on the inside.)

                    Your service is provisioned to provide one /64. That is OK if you are a home user who only wants to run one inside network, but is incompatible with assigning /64s to multiple networks and might be incompatible for putting behind a router at all depending on how they actually provision things.

                    The absolute MINIMUM any ISP should be assigning to even residential users is a /56.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

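Worked example, added here and not code from the thread or from pfSense itself: the prefix arithmetic Derelict lays out above (/56 gives 256 /64 networks, /48 gives 65536, a bare /64 is exactly one LAN) and JKnott's DHCPv6-PD prefix ID per interface, in Python. Assumptions: the sample prefixes are documentation addresses, and the prefix-ID mapping follows my understanding of pfSense's Track Interface setting (the hex ID fills the bits between the delegation length and bit 64).

```python
import ipaddress

# Added example, not from the thread. Models the advice given above: a delegated
# prefix is a pool of /64 networks, each /64 is one LAN, and pfSense's per-interface
# "prefix ID" (assumed here to fill the bits between the delegation length and /64)
# selects which /64 of the delegation an inside interface receives.


def count_64s(prefix: str) -> int:
    """Number of /64 networks a delegated prefix can service: 2^(64 - length)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64 and cannot hold even one LAN")
    return 1 << (64 - net.prefixlen)


def lan_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 an interface gets for a given prefix ID (pfSense shows the ID in hex).

    2001:db8:abcd:100::/56 with prefix ID 0x3 yields 2001:db8:abcd:103::/64, because
    the ID occupies the 8 free bits between /56 and /64.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    free_bits = 64 - net.prefixlen
    if free_bits < 0:
        raise ValueError("delegation longer than /64: no room for a LAN prefix")
    if not 0 <= prefix_id < (1 << free_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {free_bits} bits")
    # Bits 0..63 are the host half; shift the ID into the network half.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))


def split_keeps_slaac(prefix: str, new_len: int) -> bool:
    """True if carving `prefix` into /new_len subnets keeps the 64-bit interface ID.

    Anything longer than /64 (the /68 idea above) breaks SLAAC, which needs a
    64-bit interface identifier (RFC 4291).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.prefixlen <= new_len <= 64


if __name__ == "__main__":
    for p in ("2001:db8:abcd:100::/56", "2001:db8::/48", "2001:db8:1:2::/64"):
        print(f"{p}: {count_64s(p)} /64 network(s)")
    print(lan_for_prefix_id("2001:db8:abcd:100::/56", 0x3))
    print("/64 -> /68 keeps SLAAC?", split_keeps_slaac("2001:db8:1:2::/64", 68))
```
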
                    • N
                      NogBadTheBad @A Former User
                      posted Jan 25, 2021, 3:04 PM, last edited by NogBadTheBad Jan 25, 2021, 3:06 PM

                      https://www.ripe.net/publications/docs/ripe-690

                      "Assigning a /64 or longer prefix does not conform to IPv6 standards and will break functionality in customer LANs. With a single /64, the end customer CPE will have just one possible network on the LAN side and it will not be possible to subnet, assign VLANs, alternative SSIDs, or have several chained routers in the same customer network, etc."

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • J
                        JKnott @maverickws
                        last edited by Jan 25, 2021, 3:05 PM

                        @maverickws

                        It's not pfsense that has to be configured for bridge mode, it's your modem. Users have some device that connects to the ISP for the local network. It is often in gateway mode, where it provides DHCP, NAT, etc. You don't want that with pfsense. In bridge mode, pfsense does all that gateway mode does and lots more.

                        As for the /64s, that's simply the way it was designed. It was the same way, at one time, with IPv4, before address classes were created, and also with Novell's IPX, which used to be popular years ago, or IBM's SNA. This variable size subnet is a "feature" of IPv4, necessitated by stretching out IPv4 addresses. When IPv6 was created, they decided to have such a huge address space that you'd never run out, whether in network or host addresses. As mentioned above, it's unbelievable that some ISPs only provide a single /64. Mine gives me a /56 and some even a /48. You can get a /48 for free from he.net.

                        So, determine what your ISP offers, if you're in bridge mode. As I mentioned, I get a /56 from mine, but I'd only get a single /64 in gateway mode.

                        • ?
                          A Former User @Derelict
                          posted Jan 25, 2021, 3:10 PM, last edited by A Former User Jan 25, 2021, 3:12 PM

                          @derelict said in IPv6 Help / tutorial / something please!:

                          The absolute MINIMUM any ISP should be assigning to even residential users is a /56.

                          Yes!

                          Using HE is straightforward, you get a static /48. What's not to like?

                          • J
                            JKnott @maverickws
                            last edited by Jan 25, 2021, 3:13 PM

                            @maverickws

                            BTW, the IPv6 address space is so huge that even with only 1/8 of it allocated for Global Unique Addresses (GUA), there are enough to give every single person on earth over 4000 /48s. So, there's no need for an ISP to be so stingy as to provide only a single /64.

                            Incidentally, my cell phone gets a /64, which I can share with tethering.

                            • D
                              Derelict LAYER 8 Netgate @A Former User
                              last edited by Jan 25, 2021, 3:22 PM

                              @jwj What's not to like.

                              It could be successfully argued that GIF tunneling to get IPv6 is an ugly hack.

                              That said, due to ISP idiocy HE is currently my IPv6 provisioning strategy.

                              • M
                                maverickws
                                last edited by Jan 25, 2021, 3:36 PM

                                Well I'd like to thank all for this very interesting discussion.

                                I'd like to say regarding the comment about not accounting for the number of possible hosts in any given subnet, well ok I get that, it's just that each of these networks is so huge I feel other subnetting options made standard could be effective and I felt like commenting that. But ok, let's disregard that and it is how it is so moving on! :)

                                I have HE at home, it's nice to have IPv6 connectivity where your ISP doesn't provide it, but it's still v6 over v4 and I was looking for a leaner solution for service machines hosted in a datacenter.

                                I'm touching base with them and looking forward to seeing their reply.

                                I still have kind of a question though, about @JKnott's remark "pfsense requires bridge mode to work properly": does this mean if I get a /56 or /48 I'd still have to add a bridge for IPv6 to work?

                                • J
                                  JKnott @maverickws
                                  last edited by Jan 25, 2021, 4:07 PM

                                  @maverickws said in IPv6 Help / tutorial / something please!:

                                  does this mean if I get a /56 or /48 I'd still have to add a bridge for IPv6 to work?

                                  The bridge vs gateway mode refers to the device your ISP uses to provide your connection. I have a cable modem. Others have ADSL or even fibre. You're thinking of LAN bridges, which are essentially a 2 port switch and have nothing to do with this discussion. What piece of hardware do you connect to for your Internet access? That's where you would have the bridge/gateway choice. This has nothing to do specifically with pfsense. You'd do the same thing for any firewall/router.

                                  • M
                                    maverickws @JKnott
                                    last edited by Jan 25, 2021, 5:19 PM

                                    @jknott so basically I have a virtual switch to which my servers are connected, and both the IPv4 and IPv6 subnets are delivered via VLAN, and they give me an upstream gateway for the /64 network which belongs to said subnet.

                                    I don't think they'll be assigning anything else other than a /64. They say they can provide /56 networks but that would be routed through a host (server), which is the contrary of what we have, it being delivered through a switch.

                                    • D
                                      Derelict LAYER 8 Netgate @maverickws
                                      posted Jan 25, 2021, 5:26 PM, last edited by Derelict Jan 25, 2021, 5:26 PM

                                      @maverickws A router is a router. A switch is a switch. A /64 is insufficient for anything other than the most basic, single-segment home network behind the ISP device. Make them provide a /56.

                                      You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.

                                      • M
                                        maverickws @Derelict
                                        posted Jan 25, 2021, 5:28 PM, last edited by maverickws Jan 25, 2021, 5:30 PM

                                        @derelict lol man I read your reply 5 times and all 5 times it felt like you're calling me stupid. Do you think, or have you felt in the previous interactions, that I have some interpretation problem or something?

                                        Here's the "paste EXACTLY" instead of "interpretation":

                                        Dear Client,

                                        for your server you can have an additional /56 if you want but this is not possible on vswitch feature due to technical reasons.

                                        Unfortunately on the vswitch it is only possible to have /64 prefix.

                                        Kind regards

                                        Please let me know if you feel my interpretation is correct or whether I should take some classes.

                                        • D
                                          Derelict LAYER 8 Netgate @maverickws
                                          last edited by Jan 25, 2021, 5:31 PM

                                          @maverickws Get them to route the /56 to you.

                                          As soon as they are doing that you can worry about how it's routed internally.

                                          An ISP giving advice on configuring a vswitch? I wouldn't even try to explain to them what you are trying to do on the inside. Just get the /56 routed to you.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.