IPv6 DHCPv6 Delegation Range
-
Hi All.
I'm trying to get pfSense (pf) to pass on a delegation range to downstream routers (and their clients) via DHCPv6.
Just for background, the pf box is set up with multi-wan, but I'm focusing here only on the primary wan and IPv6 from that provider. The pf box has numerous downstream physical and vlan interfaces, with some physical interfaces only carrying a single vlan, whilst others have multiple tagged vlans per physical interface.
Currently I have IPv6 prefix delegation working from the ISP to the pf via its primary WAN. The ISP is assigning a /128 from a /64 for the WAN's global IPv6 address. They are providing a /56 via IPv6 prefix delegation. So, on the pf:
WAN:
- Gets a /128 ipv6 global (from a /64) for the WAN itself.
- Gets a /56 prefix delegation to pass to LAN/OPT.
LAN/OPTs:
- Track the WAN, setting their own Prefix ID (between 0 and ff) after the /56 from the ISP's Prefix Delegation.
DHCPv6 is where I'm struggling, in particular with managing the fact that I do not want to statically specify the IPv6 prefix delegation range (since it is, in principle, dynamic) for the DHCPv6 server on each LAN/OPT interface.
I'm trying to understand two main things:
- How to set the 'Prefix Delegation Range' so that it is dynamic and doesn't need to be reconfigured if the /56 from the ISP were to change.
- Should I be using link-local for many of the DHCPv6 functions when pointing clients to services running on the pf box, rather than trying to find a way to reference the interface's (potentially dynamic) IPv6 global address?
In terms of the 'Prefix Delegation Range', how do I set this in a way that references globally unique IPv6, without manually having to specify the leading /56 that comes from the ISP?
If I can solve this, it might resolve the second question... So, can I:
- use some sort of alias for the /56 prefix designation from the ISP?
- set just the equivalent of prefix-bits? (much like the LAN/OPT has when tracking the WAN).
If not, in terms of the DHCPv6 + RA for services hosted on the pf box:
DHCPv6 + RA's need to point downstream clients to some services running on the pf box. Link-local IPv6 should work for this for on-link clients of the pf box. However, for the clients of downstream routers, that presumably would not work as those clients can't get traffic routed to the pf box's link-local (unless their local router operates as some sort of relay/proxy).
To solve this, should I be trying to find a way to configure the address of these services on the pf box, such that it in some way dynamically references the global IPv6 that it has derived from tracking the WAN and the PD range provided by the ISP?
Or, should I in some way rely on downstream routers to use a process of cascaded link-local addressing that eventually picks up client requests and then proxies/relays them back upstream to the pf box (for recursive DNS/NTP etc) before passing results back down the link-local chain?
It might also be that I'm just asking a bit much of pfSense here and need to look at other platforms to resolve what are virtually issues of minimising config re-work in a scaled environment.
Thanks
-
@simpleone said in IPv6 DHCPv6 Delegation Range:
How to set the 'Prefix Delegation Range' so that it is dynamic and doesn't need to be reconfigured if the /56 from the ISP were to change.
Should I be using link-local for many of the DHCPv6 functions when pointing clients to services running on the pf box, rather than trying to find a way to reference the interface's (potentially dynamic) IPv6 global address?
I haven't configured for DHCPv6 server, so I can't help with that. I have only used manual configuration. However, regarding your questions above, have you configured the WAN interface to not release the prefix? And yes, link local addresses are used for a lot of things with IPv6.
-
@jknott yep, I saw that option. The ISP (who believe it or not is still only in the 'alpha' stage of their IPv6 rollout) specifically ask people not to use options that prevent releasing address space (at least at this stage). As such, I'm trying to investigate what the 'dynamic' alternatives might be (if any), when it comes to downstream prefix delegation (from pf box to client routers) but with central service provision (i.e. running on the pf box) such as recursive DNS resolution etc.
-
@simpleone So much text for a simple question. The DHCPv6 Server will add those prefixes to the host-parts you define there, problem solved. For firewall rules you can create aliases containing the hostnames from the DHCPv6 Server, so also not a problem.
-
@bob-dig are you mixing up the 'Range' and 'Prefix Delegation Range' fields of the DHCPv6 server by any chance there?
I know you can specify the range field as ::0 to ::ffff or whatever, and it will prefix with the ISP's assigned PD + your given prefix bits for the interface. But, that's not what I'm asking about. I'm not talking about directly connected, on-link clients to the pf box (other than downstream routers). I'm really asking about downstream routers that are requesting prefix delegation from the pf box, and then how the clients of those downstream routers receive information about how to route requests to services running on the pf box...
Which might not be possible, they might have to route to their local router which forwards to the pf box, but I'm not clear if that's the best approach or not?
The 'Prefix Delegation Range' fields for the DHCPv6 server on the pf box I'm playing with here refuse to accept any sort of abbreviated IPv6 address specification (and actually work) that I have been able to come up with and try....
-
@simpleone You got me. But why do you do that anyway?
-
@bob-dig probably his setup is a bit more complex and using the firewall as firewall - rather than a router for his lan.
@simple0ne I have a similar setup at home and I was thinking to go ahead and try to implement it.
Will give it a go next weekend or so.
-
@ethereal said in IPv6 DHCPv6 Delegation Range:
@bob-dig probably his setup is a bit more complex and using the firewall as firewall - rather than a router for his lan.
@simple0ne I have a similar setup at home and I was thinking to go ahead and try to implement it.
Will give it a go next weekend or so.
@Ethereal sounds good. I will get back to testing this further in the next few days hopefully, so I'll let you know if I discover anything interesting.
@Bob-Dig, yep, two separate use cases. One is where the firewall is basically already just serving as firewall (+ proxy for some services on IPv4) as @Ethereal mentioned.
The second scenario is actually a little different and has two flavours (though they are quite similar to each other):
- The pf is serving as the outside firewall of a dual vendor DMZ, but the pf is also providing some services to devices/networks living within the DMZ.
- Similar to the first, but the pf is the only firewall and is providing some services to downstream clients. There are a few networks, each with a lot of WAPs (that are actually routing) on them, which are managed separately, but wish to have IPv6 routed to them for allocation to wireless clients.
Part of the problem here isn't purely technical, it's that the administrative domains for different devices/parts of the network are owned by different parties. This makes for some additional headwinds when it comes to adopting wider changes that could make everything a bit easier to resolve.