Netgate Discussion Forum

    Assign WAN IPv6 to LAN Clients

    • mguarienti

      Hello, and thank you for your attention!

      My scenario is as follows:

       -> WAN: 170.XX.YY.187 (/29)
               2804:XXXX:1::1 (/48)
       -> LAN: 192.168.2.1 (/24)

      WAN -> Internet outbound switch (receives IPv4 and IPv6)
      LAN -> Internal switch (pfsense)

      I set pfsense with static IP 2804:XXXX:1::1 on WAN (GW 2804:XXXX:1::0). The idea is that LAN clients would use 2804:XXXX:1::1 (pfsense) as a gateway and could set static IPs of the same range using pfsense as a gateway. Something like:

       -> WAN: 170.XX.YY.187 (/29)
               2804:XXXX:1::1 (/48)
       -> LAN: 192.168.2.1 (/24)
               2804:XXXX:1::2 (/48)

      I tried 1:1 NAT but was unsuccessful (or didn't set it up right).

      Does anyone have any ideas? Thank you in advance!

      • NogBadTheBad @mguarienti

        @mguarienti Are you sure the /48 is for the WAN? You've not been given a /64 and a /48? The same subnet can't exist on two interfaces.

        You shouldn’t have any need to NAT IPv6.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • mguarienti @NogBadTheBad

          @nogbadthebad

          Exactly.

          But I only received a /48 from the ISP, assigned to the WAN switch.

          Should I get a /64 for WAN and a /48 for LAN from the ISP?

          • JKnott @mguarienti

            @mguarienti

            Assuming the ISP is using DHCPv6-PD, that /48 would be used by pfSense to provide local LAN /64s. If you are assigned a WAN IPv6 address (and no, you don't need one other than link-local), it should be outside of that /48.

            BTW, what ISP are you with? Someone else here might have experience with them.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • mguarienti @JKnott

              @jknott

              I would like each host on my LAN to receive a valid IPv6 address from this /48 range, but filtered by pfSense. However, IPv6 is accessible only over the WAN interface.

              • JKnott @mguarienti

                @mguarienti

                This goes down to how IPv6 is provided. Most ISPs use DHCPv6-PD, as I mentioned. This is why I asked about your ISP, so we know. I'm with Rogers in Canada and they use DHCPv6-PD. I get a /56 from them, which pfsense can split into as many as 256 /64s. I also have a WAN address that's not from within my /56 prefix. They'd have their customers sharing a /64 for the WAN addresses. However, if you want help, you have to provide some info that we can work with. Just saying you have a /48 doesn't say much. We can only assume they are intelligent enough to use DHCPv6-PD and are not dumb enough to provide a /48 on a single network.

                BTW, forget NAT with IPv6. It's a curse that was created only to get around the IPv4 address shortage.

                • mguarienti

                  Hey!

                  I came back bringing the solution. It was necessary for the ISP to split the /48 into two /49s in BGP. Once that was done, I could split it into two /49s in pfSense (one for WAN, one for LAN). Also, set the WANGW_v6 gateway as the default for IPv6. I thank all of you for the help!

                  • JKnott @mguarienti

                    @mguarienti

                    A /49? That means you have only 32,768 /64s to work with. 😉

                    • mguarienti @JKnott

                      @jknott

                      I don't think it will be enough 🙃😂

                      • MikeV7896

                        So... here's what I did with my IPv6 prefix...

                        My ISP (Verizon Fios; I'm lucky to be in an IPv6 test area) only provides a /56 prefix via DHCPv6-PD, not a WAN address. No big deal, Link Local works fine for routing. BUT... I still want a global WAN address (so Unbound can use that for making recursive DNS requests, and to use for external access, like VPN)...

                        So what I did was take a /64 from the prefix (prefix ID ff) and set up a virtual IP on WAN within that prefix. Technically, this is what the ISP provided routers do, they just do it based on a DHCP option that tells them what prefix ID to use for WAN addressing. It's all part of the prefix that's already being routed to me, so nothing else special needs to be done. The only down side is that in pfSense the virtual IP is static, so if my prefix changes for any reason in the future, I need to update the virtual IP. Not the end of the world, just an annoyance. I've thought about submitting a feature request to use the DHCP option method to automatically handle the WAN address, like the ISP router does... just haven't gotten that far yet.

                        The S in IOT stands for Security

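The prefix arithmetic that runs through this thread (a /56 holding 256 /64s, a /49 holding 32,768, the ISP splitting a /48 into two /49s, and MikeV7896 carving the /64 with prefix ID ff out of his delegated /56) is easy to get wrong by hand when hextet boundaries are involved. The following is an added example, not code from the thread or from pfSense; it uses only Python's standard-library `ipaddress` module, and every prefix in it is a constructed value from the 2001:db8::/32 documentation range. It also checks the two configuration mistakes the replies warn about: a WAN address taken from inside the delegated prefix, and the same or overlapping subnet placed on two interfaces.

```python
"""Added example (not from the thread): IPv6 prefix arithmetic with the
standard-library ipaddress module. All prefixes are constructed values from
the 2001:db8::/32 documentation range."""
import ipaddress


def count_subnets(prefix: str, new_prefixlen: int = 64) -> int:
    """Number of /new_prefixlen networks that fit inside `prefix`
    (a /56 holds 256 /64s, a /49 holds 32,768, a /48 holds 65,536)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if new_prefixlen < net.prefixlen or new_prefixlen > 128:
        raise ValueError(f"cannot carve a /{new_prefixlen} out of a /{net.prefixlen}")
    return 1 << (new_prefixlen - net.prefixlen)


def split_prefix(prefix: str, new_prefixlen: int) -> list[str]:
    """Enumerate the subnets of `prefix`, e.g. a /48 into its two /49s."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefixlen)]


def subnet_by_prefix_id(delegated: str, prefix_id: int, new_prefixlen: int = 64) -> str:
    """Select one /new_prefixlen from a delegated prefix by its prefix ID.
    This mirrors how a 'prefix ID' picks a /64 out of a /56: the ID fills the
    bits between the delegated length and the new length, so ID 0xff is the
    last /64 of a /56."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if not 0 <= prefix_id < count_subnets(delegated, new_prefixlen):
        raise ValueError(f"prefix ID {prefix_id:#x} is out of range for a /{net.prefixlen}")
    base = int(net.network_address) + (prefix_id << (128 - new_prefixlen))
    return str(ipaddress.IPv6Network((base, new_prefixlen)))


def address_in_prefix(address: str, prefix: str) -> bool:
    """True if `address` lies inside `prefix`. A WAN address should NOT lie
    inside the prefix that is delegated for the LAN side."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=False)


def subnets_overlap(a: str, b: str) -> bool:
    """True if two prefixes share any address. Overlapping (or identical)
    subnets must not be configured on two interfaces of the same router."""
    return ipaddress.IPv6Network(a, strict=False).overlaps(
        ipaddress.IPv6Network(b, strict=False)
    )


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print("/64s in a /56:", count_subnets("2001:db8::/56"))
    print("/64s in a /49:", count_subnets("2001:db8::/49"))
    print("a /48 split into /49s:", split_prefix("2001:db8::/48", 49))
    print("prefix ID ff of 2001:db8:1:2300::/56:",
          subnet_by_prefix_id("2001:db8:1:2300::/56", 0xFF))
    print("WAN address inside delegated /48?",
          address_in_prefix("2001:db8:0:1::1", "2001:db8::/48"))
    print("the two /49s overlap?",
          subnets_overlap("2001:db8::/49", "2001:db8:0:8000::/49"))
```

Note that the second /49 of 2001:db8::/48 is 2001:db8:0:8000::/49, not 2001:db8:8000::/49; the split lands in the middle of the fourth hextet, which is exactly the kind of boundary the module handles for you.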
                        • JKnott @MikeV7896

                          @virgiliomi

                          Why not just use a different pfSense interface? They should all be reachable, provided your rules allow it. After decades of using IPv4 and NAT, there are some new things to learn about using IPv6. One is that every address within your /56 will be routed through your WAN port. Also, there's a WAN setting, "Do not allow PD/Address release", which should prevent the prefix from changing. Also, the VPN doesn't have to terminate on your WAN port; it can terminate on any pfSense interface.

                          • JKnott @MikeV7896

                            @virgiliomi

                            One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.
