Netgate Discussion Forum

IPv6 WAN configuration for static IP address range but gateway from RA message?

IPv6
JesperTreetop

We are using pfSense and are configuring IPv6 access. According to information from our ISP, it should be possible to set our static IP address range, but get the gateway address from the Router Advertisement message. This doesn't cleanly map to any IPv6 configuration type - static requires the gateway to be entered statically, DHCPv6 and SLAAC listen to RA messages but have their own opinions about which IP address to set. We have a /48 net routed to the interface in question.
JKnott @JesperTreetop

@jespertreetop

What ISP are you using? Someone else here may have experience with them.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
JesperTreetop @JKnott

@jknott That would surprise me. It's a small Swedish company providing it as part of a datacenter setup - we are one of a handful of customers privately trialing their IPv6 setup. I don't think I'm at liberty to mention them, but hopefully that shouldn't be relevant to whether the functionality exists in pfSense or not. It seems to me like a missing option to have "static, but grab the gateway from RA".

When I set up the same network statically, with the gateway IP address burned in manually, I can't set up the LAN interface to track that interface, since it's not dynamic. And I can't set up a LAN interface overlapping a /64 net I aim to use. Does this functionality need DHCP and Prefix Delegation?
JKnott @JesperTreetop

@jespertreetop

If you're in a data centre, then you're probably not using an ISP in the usual sense. In my case, I connect to my ISP with a cable modem and they use DHCPv6-PD to provide my /56 prefix. My understanding, based on what you say, is that you're getting a static address block to pfsense. Addresses on the LAN side are normally automatically provided, either using SLAAC or DHCPv6, your choice, though Android devices don't support DHCPv6. I can't see the available config choices at the moment, as my pfsense system is down, due to computer failure. Are they providing you a routed block of addresses? Or just a block?
Derelict (Netgate) @JesperTreetop

> @jespertreetop We have a /48 net routed to the interface in question.

What address are they routing that /48 to?

If it were me I would pcap for the RAs and see what, exactly, they are advertising.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
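Derelict's advice to capture the RAs raises the question of what to read out of one. The following is an added example (not code from the thread, from Netgate or from pfSense): it builds a constructed Router Advertisement payload, decodes the fields that decide whether the sender is a default-gateway candidate (router lifetime), whether hosts should use DHCPv6 (M/O flags) and which prefixes are advertised with the on-link and autonomous (SLAAC) flags, and then lists which of several senders offer themselves as gateway, which is the "flips between two servers" situation described later in the thread. The 2001:db8::/32 documentation prefix and the MAC addresses are constructed values.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type (RFC 4861)
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3


def build_ra(router_lifetime, prefixes, managed=False, other=False,
             src_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed RA payload (ICMPv6 header plus options) used as sample input here;
    the checksum is left at zero because it depends on the IPv6 pseudo-header.
    prefixes: list of (prefix, on_link_flag, autonomous_flag)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    payload = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                          64, flags, router_lifetime, 0, 0)
    payload += struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + src_mac
    for prefix, on_link, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        payload += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                               pflags, 2592000, 604800, 0)
        payload += net.network_address.packed
    return payload


def parse_ra(payload):
    """Decode the RA fields that decide how a host treats the sender."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),          # M: get addresses from DHCPv6
        "other": bool(flags & 0x40),            # O: get other config (DNS etc.) from DHCPv6
        "router_lifetime": lifetime,
        "is_default_router": lifetime > 0,      # 0 means "I am not a default gateway"
        "source_mac": None,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            raise ValueError("bad option length")   # RFC 4861: length 0 must be rejected
        body = payload[off + 2:off + olen]
        if otype == OPT_SOURCE_LINK_LAYER and len(body) >= 6:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFORMATION and len(body) == 30:
            plen, pflags = body[0], body[1]
            valid, preferred = struct.unpack("!II", body[2:10])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((body[14:30], plen), strict=False)),
                "on_link": bool(pflags & 0x80),     # L: prefix is on this link
                "autonomous": bool(pflags & 0x40),  # A: hosts may form a SLAAC address from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += olen
    return ra


def default_router_candidates(ras):
    """Senders (identified by the MAC in the source link-layer option) that offer
    themselves as default gateway. Several entries means several routers compete."""
    return [ra["source_mac"] for ra in ras if ra["is_default_router"]]


if __name__ == "__main__":
    a = parse_ra(build_ra(1800, [("2001:db8:100:1::/64", True, True)]))
    b = parse_ra(build_ra(1800, [("2001:db8:100:1::/64", True, True)],
                          src_mac=b"\x00\x11\x22\x33\x44\x66"))
    print(a)
    print("default gateway candidates:", default_router_candidates([a, b]))
```

To feed it real data, capture RAs on the pfSense WAN (Diagnostics > Packet Capture in the GUI, or on the shell `tcpdump -ni <wan_if> 'icmp6 and ip6[40] == 134'`, with `<wan_if>` standing in for the WAN interface name) and pass the parser the ICMPv6 part, i.e. everything after the 40-byte IPv6 header. The gateway a client actually installs is the link-local source address of that IPv6 header, which this parser deliberately does not see; the MAC in the option is only a convenient way to tell two advertising routers apart.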
MikeV7896

If your ISP is routing a static IPv6 block to you, then you would similarly use the static setting on pfSense for your internal interface(s). Pick a /64 out of the address block your ISP provided, set an IPv6 address for the interface on pfSense and apply that /64 to your network.

Then set up DHCPv6/RA depending on how you want to provide IPv6 addresses to your other devices:

• RA only (static addresses on devices)
• Stateless (SLAAC)
• Managed (DHCPv6)
• or Assisted (DHCP if available, otherwise SLAAC)

If you have servers, going with DHCPv6 or static addressing might be preferred, but that might depend on the OS of your servers.

The S in IOT stands for Security
Derelict (Netgate) @JesperTreetop

> @jespertreetop When I set up the same network statically, with the gateway IP address burned in manually, I can't set up the LAN interface to track that interface, since it's not dynamic. And I can't set up a LAN interface overlapping a /64 net I aim to use. Does this functionality need DHCP and Prefix Delegation?

Track interface is dependent upon a Prefix Delegation from DHCP6. It exists solely for the purpose of assigning /64s out of a DHCP PD to inside interfaces.

There is no reason to use it with a statically-routed prefix.

All you need to do is statically number the inside interfaces with /64s out of the /48.
JesperTreetop @Derelict

@derelict Good questions - the only information I was told was that the pfSense box where we currently receive our IPv4 uplink now also receives IPv6 traffic, that we have the xxxx:yyyy:100::/48 subnet, that we should use the gateway as advertised via RA (and that seems to flip back and forward between two different servers, thus my reticence to hardcode something since it sounds like they're load balanced/round-robined and what if one of those boxes is taken down for servicing), and that there is no DHCPv6 server.

On the current IPv4 setup, we have a WAN, a LAN and a few VLAN interfaces hanging off the LAN with separate IPv4 subnets, and most of our servers are within one of those VLAN interfaces. Attempting to distribute /64 ranges within our /48 for each of those interfaces fails since they overlap with the WAN's range. I understand that this is solvable with Track Interface and choosing WAN, but that only works if WAN has a DHCP'd range which is then chopped up using Prefix Delegation. There's nothing for the static approach.

It really sounds like this scenario demands a DHCPv6 server right now.
JesperTreetop @MikeV7896

@virgiliomi As per the post above - that sounds sort of doable, but since we have VLAN interfaces hanging off of the LAN interface, they would stomp over the same range, right? They can't Track Interface on a non-DHCP interface.
MikeV7896 @JesperTreetop

If you have a /48 from your provider, you have 65,000+ /64s to choose from for your networks. Assign one to your LAN and another to your VLAN.

For example...
Your provider assigns you aaaa:bbbb:cccc::/48
You can put aaaa:bbbb:cccc:1001::/64 on LAN
You can put aaaa:bbbb:cccc:1002::/64 on the VLAN

They're two separate subnets so they don't overlap. They're just part of the same /48 block that your provider is routing to you. pfSense will route them back to your provider's router based on the router advertisement it is receiving.

Then you can set up SLAAC, DHCPv6, or whatever you want to provide addresses to your devices connecting to those two networks. The Settings > DHCPv6 Server/RA menu should be your next stop to do that.
Derelict (Netgate) @JesperTreetop

@jespertreetop No. You don't get a gateway from DHCP6 either. It is either static or obtained via an RA. What makes sense depends on how the upstream has provisioned it.

(I would still pcap the RAs and see what they are actually sending.)
JesperTreetop @MikeV7896

@virgiliomi Okay, assigning separate /64 subnets was always the plan, but that's where I run into trouble.

Right now, my WAN has the static address aaaa:bbbb:100::/48. Trying to assign the aaaa:bbbb:100:1::/64 static address to one of the VLANs, I get an error message:

IPv6 address aaaa:bbbb:100:1::/64 is being used by or overlaps with: WAN (aaaa:bbbb:100::/48)

If the idea is to instead use RA to broadcast that as the subnet - okay, fair enough, but then what do I put as the static address for the VLAN?

@Derelict Okay, but I don't see a way to configure static to obtain the gateway from RA, just to pick a statically entered gateway.
Derelict (Netgate) @JesperTreetop

@jespertreetop Again, hard to say without seeing exactly what they are sending. Have you tried just not setting a gateway on WAN and seeing what shows up via RA?

Or setting it to SLAAC is also an option.
Derelict (Netgate) @JesperTreetop

@jespertreetop said in IPv6 WAN configuration for static IP address range but gateway from RA message?:

> Right now, my WAN has the static address aaaa:bbbb:100::/48

Never put a /48 on an interface. That is almost always wrong. /64. Always /64 unless it is a statically-configured point-to-point link or similar and they tell you to use something like /126.
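The overlap error JesperTreetop quoted and Derelict's "/64 on every interface" rule come down to plain prefix arithmetic, which can be checked before touching the firewall. This is an added example using Python's standard ipaddress module; it is not code from the thread or from pfSense, and the overlap message only copies the wording of the error quoted above rather than pfSense's own check. The site prefix 2001:db8:100::/48 (documentation space) and the interface names are constructed stand-ins for the thread's aaaa:bbbb:100::/48.

```python
import ipaddress
from itertools import combinations


def subnet_count(site_prefix, new_prefix=64):
    """How many /64s a routed block contains (a /48 holds 2**16 = 65536)."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen > new_prefix:
        raise ValueError(f"{site} is smaller than a /{new_prefix}")
    return 1 << (new_prefix - site.prefixlen)


def carve_64(site_prefix, subnet_id):
    """Return the /64 with subnet id `subnet_id` inside `site_prefix`,
    e.g. carve_64('2001:db8:100::/48', 0x41) -> 2001:db8:100:41::/64."""
    site = ipaddress.IPv6Network(site_prefix)
    if subnet_id < 0 or subnet_id >= subnet_count(site_prefix):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit in {site}")
    # the subnet id occupies the bits just above the 64-bit interface identifier
    return ipaddress.IPv6Network((int(site.network_address) + (subnet_id << 64), 64))


def find_overlaps(assignments):
    """assignments: {interface: 'address/len'} in configuration order.
    Returns (existing, new) pairs whose networks overlap; host bits in the
    address are ignored (strict=False), as for an interface address like ::1/64."""
    nets = {name: ipaddress.IPv6Network(p, strict=False) for name, p in assignments.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def plan_errors(assignments):
    """Messages in the style of the error quoted in the thread."""
    return [f"IPv6 address {assignments[b]} is being used by or overlaps with: {a} ({assignments[a]})"
            for a, b in find_overlaps(assignments)]


if __name__ == "__main__":
    site = "2001:db8:100::/48"   # constructed, stands in for the thread's aaaa:bbbb:100::/48
    print(subnet_count(site), "/64s available")
    wrong = {"WAN": site, "VLAN41": "2001:db8:100:41::1/64"}     # the whole /48 on WAN
    print(plan_errors(wrong))
    right = {"WAN": str(carve_64(site, 0x1)),                     # one /64 for the WAN link
             "LAN": str(carve_64(site, 0x1001)),
             "VLAN41": str(carve_64(site, 0x41))}
    print(plan_errors(right))   # nothing overlaps
```

With the /48 itself on WAN every /64 carved from it collides, which is exactly the error in the thread; once WAN carries only one /64 from the block, the LAN and VLAN /64s are disjoint siblings and the check is clean.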
JesperTreetop @Derelict

@derelict Okay, that penny dropped and that makes sense - but I'm in the mindset that WAN and the uplink are synonymous and that all traffic enters through the WAN and have never had public addresses on other interfaces before. Doesn't that mean that the traffic to the VLAN ranges won't know to get there from WAN? Or does all this magically work its way out as long as everything is correct in the routing table, and the traffic from the outside will definitely reach everything with a public address no matter what? WAN has an upstream gateway and the others don't, after all.
Derelict (Netgate) @JesperTreetop

@jespertreetop It's all routing.

Your LAN clients send their traffic to the pfSense LAN interface because they have received an RA from it and set their default gateway accordingly.

Your pfSense firewall looks at the destination and sends it to its default gateway that was configured however it was configured (RA or static).

The only time an address must exist on an interface is if the firewall must respond to Neighbor Discovery. The only neighbor that the ISP needs to discover is the address the /48 is routed to. Everything else (the /48) is just routed to that neighbor address.

The only real difference between IPv6 routing and IPv4 routing at this basic level is the introduction of the Router Advertisement.
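Derelict's "it's all routing" answer, and his later caveat that the ISP must be able to resolve the address the /48 is routed to, can be made concrete with a small forwarding simulation. This is an added example, not code from the thread or from pfSense: each node holds a routing table, lookups use longest-prefix match, and a next hop only works if some node attached to that link answers Neighbor Discovery for it. The topology (an internet node, the ISP router, pfSense with a /64 on WAN and a /64 on VLAN 41, and a server on that VLAN) and all addresses under 2001:db8::/32 are constructed; the ISP's link-local fe80::1 stands in for the gateway learned from its RA.

```python
import ipaddress


class Router:
    """A node with a routing table. Routes are (prefix, link, next_hop);
    next_hop None means the prefix is directly connected on that link."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.IPv6Network(p), link, nh) for p, link, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match, the same rule IPv4 forwarding uses."""
        dst = ipaddress.IPv6Address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(nodes, links, hosts, start, dst, max_hops=16):
    """Follow a packet for dst from node `start` through each node's table.
    Returns the nodes traversed; raises if a route or a neighbor is missing."""
    path, cur = [start], start
    for _ in range(max_hops):
        if hosts.get(dst) == cur:
            return path                      # delivered: this node owns the address
        route = nodes[cur].lookup(dst)
        if route is None:
            raise RuntimeError(f"{cur}: no route to {dst}")
        _, link, next_hop = route
        neighbor = dst if next_hop is None else next_hop
        owner = hosts.get(neighbor)          # Neighbor Discovery: who answers on this link?
        if owner is None or owner not in links[link]:
            raise RuntimeError(f"{cur}: neighbor discovery for {neighbor} on {link} got no answer")
        path.append(owner)
        cur = owner
    raise RuntimeError("hop limit exceeded")


def reachable(site, start, dst):
    nodes, links, hosts = site
    try:
        trace(nodes, links, hosts, start, dst)
        return True
    except RuntimeError:
        return False


def build_site(routed_to="2001:db8:100:1::2", wan_gateway="fe80::1"):
    """Constructed topology. The ISP routes the whole /48 to `routed_to`, pfSense's
    WAN address; pfSense learned `wan_gateway` from the ISP's RA; the VLAN 41
    server learned its gateway from pfSense's RA on that VLAN."""
    links = {
        "transit": {"internet", "isp"},
        "wanlink": {"isp", "pfsense"},
        "vlan41": {"pfsense", "server"},
    }
    hosts = {                                # which node answers ND for which address
        "2001:db8:ffff::50": "internet",
        "2001:db8:ffff::1": "isp",
        "2001:db8:100:1::1": "isp",
        "fe80::1": "isp",
        "2001:db8:100:1::2": "pfsense",
        "2001:db8:100:41::1": "pfsense",
        "2001:db8:100:41::123": "server",
    }
    nodes = {
        "internet": Router("internet", [("2001:db8:100::/48", "transit", "2001:db8:ffff::1")]),
        "isp": Router("isp", [
            ("2001:db8:ffff::/64", "transit", None),
            ("2001:db8:100:1::/64", "wanlink", None),
            ("2001:db8:100::/48", "wanlink", routed_to),   # static route for the customer's /48
            ("::/0", "transit", "2001:db8:ffff::50"),
        ]),
        "pfsense": Router("pfsense", [
            ("2001:db8:100:1::/64", "wanlink", None),      # WAN numbered with one /64 from the /48
            ("2001:db8:100:41::/64", "vlan41", None),      # VLAN 41 numbered with another /64
            ("::/0", "wanlink", wan_gateway),              # default gateway learned from the ISP's RA
        ]),
        "server": Router("server", [
            ("2001:db8:100:41::/64", "vlan41", None),
            ("::/0", "vlan41", "2001:db8:100:41::1"),      # default gateway learned from pfSense's RA
        ]),
    }
    return nodes, links, hosts


if __name__ == "__main__":
    site = build_site()
    print(" -> ".join(trace(*site, "internet", "2001:db8:100:41::123")))
    print(" -> ".join(trace(*site, "server", "2001:db8:ffff::50")))
    # the /48 routed to an address nobody answers for: ND on the ISP side fails
    print(reachable(build_site(routed_to="2001:db8:100:1::9"), "internet", "2001:db8:100:41::123"))
```

Inbound traffic for the server reaches it although only the WAN has an upstream gateway, because the ISP's /48 route hands the packet to pfSense and pfSense's connected VLAN route delivers it; the return path is two default routes in a row. The only address the ISP ever needs to resolve is the one the /48 is routed to, and the last call shows what happens when that address is not where the ISP expects it.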
JesperTreetop @Derelict

@derelict Well, bloody hell, I have a lot to think about. I've been to school for this stuff (Please Do Not Throw Sausage Pizza Away) but it pre-dated widespread IPv6 deployment and not all of it has been exercised regularly. Thanks for your patience and clarity - there are many guides about how to split up and manage and plan out /48 nets into /64 nets and so on, but I guess it's never really spelled out in explicit detail that you shouldn't do what I did and only deal in concrete /64 nets at this layer. (For what it's worth, the pfSense documentation could stand to gain a lot from a "so you have a functioning IPv4 gateway and you're tasked with adding IPv6 connectivity" page with a checklist of what to think about and what maps cleanly to things and what doesn't.)

@virgiliomi Thanks to you too, I think Derelict took over at some point.
JesperTreetop @Derelict

@derelict So just to bring all this together, since I'm having some trouble getting this to work but don't quite know if it's mismatching the IP address from the RA, but also have to stop now and get back to this tomorrow:

Currently, in IPv4 land, we have a x.y.z.50/28 net on the WAN interface. Using NAT, we map x.y.z.54 traffic on port 443 to 10.1.41.123, to get the https traffic from that public IP to the server in one of the VLANs, the 41 VLAN (which has the net 10.1.41.1/24).

In IPv6 land, we could instead have aaaa:bbbb:100:1::/64 on the WAN interface (and a gateway set for it). We could also have, on the 41 VLAN, the address range aaaa:bbbb:100:41::1/64 without a gateway set, and the same server, if it had the statically assigned address aaaa:bbbb:100:41::123, could then receive https traffic from the public via its own IP (aaaa:bbbb:100:41::123), assuming the rules allowed this. As long as that server has the aaaa:bbbb:100:41::1 address as its IPv6 default gateway, the traffic to its own IP address will arrive at it, and the traffic sent from it will come from that IP address.

Is this correct?
Derelict (Netgate) @JesperTreetop

> In IPv6 land, we could instead have aaaa:bbbb:100:1::/64 on the WAN interface (and a gateway set for it).

@jespertreetop Sounds about right. But the WAN configuration depends on how the ISP is actually provisioned. If they are not provisioned to receive traffic on the gateway address in aaaa:bbbb:100:1::/64 it won't work because you'll do a Neighbor Discovery for it and there will be no answer.
JKnott @JesperTreetop

@jespertreetop said in IPv6 WAN configuration for static IP address range but gateway from RA message?:

> but I'm in the mindset that WAN and the uplink are synonymous and that all traffic enters through the WAN and have never had public addresses on other interfaces before.

This is one area where IPv4 & IPv6 differ. You may have a public WAN address or you might not. You often don't need one, as the link local address can be used for routing. Also, if you do have one, the public WAN address is rarely within your prefix. With IPv6 global addresses, they are all "public".
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.