ISP provided IPv6 prefix and NPt
-
Short: Somehow I would like to switch to a pfSense HA with working IPv6 (and NPt?) to use ISP provided dynamic prefixes.
Long:
- ISP provides new IPv6 address and a new /56 prefix every week (same time when IPv4 address renewed).
- Used 'track interface' type of IPv6 on internal networks (LAN, DMZ, etc.) which was quite good even with DHCPv6.
- Would like to switch to HA, which isn't supported with the 'track interface' kind of IPv6. Looking for a way to achieve that without losing IPv6.
- Planning to go to ULA addressing internally with NPt to the ISP's dynamic prefixes. Already have some IPv6 ULAs NPted, used for VPN, because VPN doesn't support 'track interface'. Have a cronned phpshellsession script which checks and fixes the NPt translation if the ISP prefix differs. It's kind of tricky for now: the script checks the LAN's IPv6 to determine the correct prefix, as the LAN is still a 'track interface' type of IPv6 interface. Is there any way to determine the /56 prefix without any 'track interface' type of interface?
- When wiresharked it seems every /64 subnet within the /56 is routed to the firewall even if the firewall does not use it on any interface. But some part of the /56 is still in use. Does pfSense route the ISP prefixes even if none of them is used with track interface? Or is it a must to have at least one 'track interface' to force using the /56?
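The cron job described in this post (derive the ISP's /56 from an address on a 'track interface' LAN, compare it with the NPt destination that was last configured, and rewrite the prefix) can be modelled with nothing but the Python standard library. The block below is an added example written for this thread; it is not the poster's phpshellsession script and not pfSense code, and every address in it is a constructed documentation value. Note that the translation it performs is a plain prefix swap, the binat-style behaviour NPt has in pf, not the checksum-neutral mapping of RFC 6296.

```python
# Added example (not from the thread or from pfSense): a stand-alone model of the
# "derive the ISP /56 from a tracked LAN address, compare it with the configured NPt
# destination, and compute translated addresses" logic the first post describes.
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Constructed values for the demonstration (assumptions, not real addresses):
INTERNAL_PREFIX = IPv6Network("fd12:3456:789a::/56")            # ULA used on LAN/DMZ
CONFIGURED_NPT_EXTERNAL = IPv6Network("2001:db8:1234:aa00::/56")  # NPt destination as last configured
TRACKED_LAN_ADDRESS = "2001:db8:1234:5678::1"                   # what a 'track interface' LAN holds today
SAMPLE_INTERNAL_HOST = "fd12:3456:789a:10::1"                   # a ULA host behind the firewall


def delegated_prefix_from_lan(lan_addr: str, lan_plen: int = 64, pd_len: int = 56) -> IPv6Network:
    """Derive the delegated /pd_len from an address on a tracked LAN.

    A 'track interface' LAN /64 is carved out of the delegated /56, so the
    /56 is simply the enclosing supernet of that /64.
    """
    lan_net = IPv6Network(f"{lan_addr}/{lan_plen}", strict=False)
    return lan_net.supernet(new_prefix=pd_len)


def npt_update_needed(configured_external: IPv6Network,
                      current_pd: IPv6Network) -> Optional[IPv6Network]:
    """Return the new external prefix if the NPt rule is stale, else None."""
    if configured_external.prefixlen != current_pd.prefixlen:
        raise ValueError("NPt requires internal and external prefixes of equal length")
    return None if configured_external == current_pd else current_pd


def translate(addr: str, internal: IPv6Network, external: IPv6Network) -> IPv6Address:
    """Plain prefix rewrite (pf binat style): swap the /56 bits, keep the host bits.

    This is deliberately not the checksum-neutral mapping of RFC 6296; the
    point is to show which bits a prefix swap touches.
    """
    a = IPv6Address(addr)
    if a not in internal:
        raise ValueError(f"{a} is not inside internal prefix {internal}")
    if internal.prefixlen != external.prefixlen:
        raise ValueError("prefix lengths must match")
    host_bits = 128 - internal.prefixlen
    host_part = int(a) & ((1 << host_bits) - 1)          # everything below the /56 boundary
    return IPv6Address(int(external.network_address) | host_part)


def check_and_plan(lan_addr: str = TRACKED_LAN_ADDRESS,
                   configured_external: IPv6Network = CONFIGURED_NPT_EXTERNAL) -> dict:
    """The cron job's decision: is the rule stale, and what would the new mapping be?"""
    current_pd = delegated_prefix_from_lan(lan_addr)
    new_external = npt_update_needed(configured_external, current_pd)
    effective = new_external or configured_external
    mapped = translate(SAMPLE_INTERNAL_HOST, INTERNAL_PREFIX, effective)
    return {
        "current_pd": str(current_pd),
        "stale": new_external is not None,
        "new_external": str(new_external) if new_external else None,
        "example": f"{SAMPLE_INTERNAL_HOST} -> {mapped}",
    }


if __name__ == "__main__":
    for key, value in check_and_plan().items():
        print(f"{key}: {value}")
```

With the constructed values the rule is reported as stale (the configured `aa00` /56 no longer matches the `5600` /56 the LAN now sits in), and the sample host `fd12:3456:789a:10::1` maps to `2001:db8:1234:5610::1`: only the first 56 bits change, the `:10` subnet id and the interface id are untouched. The open question in the post still stands in this model: `delegated_prefix_from_lan` needs some interface that carries the delegated prefix to read from.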
-
@csoban said in ISP provided IPv6 prefix and NPt:
When wiresharked it seems every /64 subnet within the /56 is routed to the firewall even if the firewall does not use it on any interface. But some part of the /56 is still in use. Does pfSense route the ISP prefixes even if none of them is used with track interface? Or is it a must to have at least one 'track interface' to force using the /56?
The Internet doesn't know which /64s you've enabled, only that the entire /56 is provided to your router, that is unless you're running a routing protocol such as OSPF or BGP, which can advertise which /64 prefixes you have enabled. If you don't want a particular /64 to access the Internet, then you use a rule to block it. You can have both GUA and ULA on the same interface. In fact, you can have multiple ULAs on an interface.
BTW, why would anyone want to use NAT with IPv6? It was created to get around the IPv4 address shortage and creates problems in the process.
-
@jknott said in ISP provided IPv6 prefix and NPt:
The Internet doesn't know which /64s you've enabled, only that the entire /56 is provided to your router, that is unless you're running a routing protocol such as OSPF or BGP, which can advertise which /64 prefixes you have enabled. If you don't want a particular /64 to access the Internet, then you use a rule to block it. You can have both GUA and ULA on the same interface. In fact, you can have multiple ULAs on an interface.
BTW, why would anyone want to use NAT with IPv6? It was created to get around the IPv4 address shortage and creates problems in the process.
I'd like to work around the issue of not using the 'track interface' type of IPv6 but still using HA:
e.g.: have ULA within the network (so my pfSense DHCPv6s it to everyone) and NPt the ULA to my GUA (which changes approx. every week) with some scripts. (I was looking for ways to work around the dynamic NPt issue: https://redmine.pfsense.org/issues/4881.)
-
@csoban said in ISP provided IPv6 prefix and NPt:
ISP provides new IPv6 address and a new /56 prefix every week (same time when IPv4 address renewed).
This is a completely broken deployment by the ISP and you should complain bitterly about it.
They should give the same prefix to the same DUID as best they can.
-
@csoban said in ISP provided IPv6 prefix and NPt:
my GUA (which changes approx every week)
Do you have 'Do not allow PD/Address release' set on the WAN page?
-
@derelict said in ISP provided IPv6 prefix and NPt:
@csoban said in ISP provided IPv6 prefix and NPt:
ISP provides new IPv6 address and a new /56 prefix every week (same time when IPv4 address renewed).
This is a completely broken deployment by the ISP and you should complain bitterly about it.
They should give the same prefix to the same DUID as best they can.
I know. :) People have a long backlog to understand IPv6 here. I had a long story with my ISP to get them to provide IPv6 properly. So I would feel like sending my complaints to /dev/null, but I will give it a try as it "surely will be a no if not asking" anyway :).
-
@jknott said in ISP provided IPv6 prefix and NPt:
@csoban said in ISP provided IPv6 prefix and NPt:
my GUA (which changes approx every week)
Do you have 'Do not allow PD/Address release' set on the WAN page?
I tried that before w/o any luck, but I'm giving that a chance again. Will see the result in a week...
-
My ISP has been providing native IPv6 for almost 6 years, and via tunnel for a while before that. While the tech support generally understands it, I find I have to educate them on the finer points. Generally speaking though, the service works quite well, though there was one issue I had difficulty getting resolved, as the people who were supposed to handle it refused, because I was running my own router instead of using the modem's gateway function.
-
@jknott
Pretty similar here, adding that Eastern Europe is a bit (although less and less) behind Western Europe and/or NAM from a vendor perspective. However, we are selling our tech and IT knowledge to the world :D
It seems that the ISP's real tech guys are few and overloaded, therefore they hide them behind several levels of support contacts and it is hard to get someone who even fully understands these kinds of questions :)
I'm working in an IT Service Center of a huge US bank together with many network and IT security guys and found that IPv6 is NOT common knowledge within this firm yet, either. I myself did learn a lot since I started playing with my pfSense's IPv6 setup at home, using it, as you said, as a router instead of the ISP's equipment (which was a router, wifi, SIP, everything, with lots of vulns, and it works as a cable modem by now :))
Anyway, I asked them whether they are intentionally giving a new IPv6 address and prefix at the same time my IPv4 lease expires or not.
-
A big part of the problem are those who think an inadequate address space + hacks is a good idea, even though it's holding back many things. One thing I was reading about recently was how China plans to be single-stack IPv6 only by 2030. This means if you want to reach sites there, you will need IPv6. There are other parts of the world where they won't hand out IPv4 addresses to anyone who's not also running IPv6. I don't know how things are in Eastern Europe, but in North America it's still possible to get by with only IPv4 because we have so many of the addresses here. In Canada, some of the major ISPs are providing IPv6, but Bell Canada, which used to be a world leader in telecom, is falling behind.