Netgate Discussion Forum
    ISP provided IPv6 prefix and NPt

    IPv6
    10 Posts 3 Posters 1.5k Views

    • csoban

      Short: somehow I would like to switch to a pfSense HA setup with working IPv6 (and NPt?) that uses the ISP-provided dynamic prefixes.

      Long:

      • ISP provides a new IPv6 address and a new /56 prefix every week (at the same time the IPv4 address is renewed).
      • Used 'track interface' type of IPv6 on internal networks (LAN, DMZ, etc.), which was quite good even with DHCPv6.
      • Would like to switch to HA, which isn't supported with 'track interface' type of IPv6. Looking for a way to achieve that without losing IPv6.
      • Planning to go to ULA addressing internally with NPt to the ISP's dynamic prefixes. Already have some IPv6 ULAs NPt'd, used for VPN, because VPN doesn't support 'track interface'. Have a cronned phpshellsession script which checks and fixes the NPt translation if the ISP prefix differs. It's kind of tricky, though: the script checks the LAN's IPv6 to determine the correct prefix, as the LAN is still a 'track interface' type of IPv6. Is there any way to determine the /56 prefix without any 'track interface' type of interface?
      • When wiresharked, it seems every /64 subnet within the /56 is routed to the firewall even if the firewall does not use it on any interface. But some part of the /56 is still in use. Does pfSense route the ISP prefixes even if none of them is used with track interface? Or is it a must to have at least one 'track interface' to force using the /56?
      • JKnott @csoban
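The prefix-discovery and NPt-fixing logic the cron script above is described as doing, written out as an added example (my code, not the poster's phpshellsession script and not anything shipped with pfSense). It assumes, as the post states, that the ISP delegates a /56, and it further assumes that the internal ULA networks are /64s and that each one is translated to the /64 of the delegated /56 that carries the same low 8 bits of subnet ID. The delegated prefix is simply the first 56 bits of any GUA taken from the delegation, so any source of such an address (the LAN's 'track interface' address today, or whatever the DHCPv6-PD client records once no 'track interface' is left) is enough to recompute the NPt destinations. The sample addresses are constructed; the documentation range 2001:db8::/32 stands in for the ISP prefix.

```python
# Added example (not the poster's cron script): derive the ISP-delegated
# /56 from a GUA seen on an interface, compute the ULA -> GUA NPt mapping,
# and report which NPt entries must be rewritten after the prefix changed.
# Assumptions (not from the thread): the delegation is a /56, the internal
# ULA subnets are /64s, and each ULA /64 is mapped onto the /64 of the
# delegated /56 that carries the same low 8 bits of subnet ID.
import ipaddress

GUA_RANGE = ipaddress.IPv6Network("2000::/3")   # IANA global unicast allocation
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses
DELEGATION_LEN = 56                              # assumed: ISP hands out a /56


def delegated_prefix(gua: str, plen: int = DELEGATION_LEN) -> ipaddress.IPv6Network:
    """Return the delegated prefix that contains `gua`.

    Any GUA taken from the delegation (for example the LAN's 'track
    interface' address) is enough: the delegated prefix is just the first
    `plen` bits of it.
    """
    addr = ipaddress.IPv6Address(gua)
    if addr not in GUA_RANGE:
        raise ValueError(f"{gua} is not a global unicast address")
    return ipaddress.IPv6Network((addr, plen), strict=False)


def npt_mapping(ula_subnets, delegated: ipaddress.IPv6Network, plen: int = 64) -> dict:
    """Map each internal ULA /64 to its NPt destination /64 inside `delegated`.

    The subnet-ID bits between the delegation length (/56) and the /64
    boundary are copied from the ULA network, so fdxx:...:0005::/64 lands
    on <delegated>05::/64.  Two ULAs with the same low subnet-ID bits would
    collide on one GUA /64, which is rejected.
    """
    id_bits = plen - delegated.prefixlen          # 8 bits for a /56 -> /64 split
    host_bits = 128 - plen
    mapping, used = {}, {}
    for s in ula_subnets:
        ula = ipaddress.IPv6Network(s)
        if ula.network_address not in ULA_RANGE or ula.prefixlen != plen:
            raise ValueError(f"{s} is not a ULA /{plen}")
        subnet_id = (int(ula.network_address) >> host_bits) & ((1 << id_bits) - 1)
        if subnet_id in used:
            raise ValueError(f"{s} and {used[subnet_id]} map to the same GUA /{plen}")
        used[subnet_id] = s
        gua_int = int(delegated.network_address) | (subnet_id << host_bits)
        mapping[str(ula)] = str(ipaddress.IPv6Network((gua_int, plen)))
    return mapping


def stale_entries(configured: dict, desired: dict) -> dict:
    """Entries whose destination prefix differs from what is configured.

    `configured` is the ULA -> GUA mapping currently in the NPt table (what
    the cron job reads back); the result is what it has to rewrite.
    """
    return {ula: dst for ula, dst in desired.items() if configured.get(ula) != dst}


if __name__ == "__main__":
    # Constructed sample: the LAN already carries a GUA from this week's
    # delegation while the NPt table still points at last week's prefix.
    lan_gua = "2001:db8:abcd:1234:1c2f:8e5a:9f01:77aa"
    internal = ["fd12:3456:789a:5::/64", "fd12:3456:789a:a::/64"]
    current_npt = {"fd12:3456:789a:5::/64": "2001:db8:ffff:ff05::/64",
                   "fd12:3456:789a:a::/64": "2001:db8:ffff:ff0a::/64"}

    pfx = delegated_prefix(lan_gua)
    wanted = npt_mapping(internal, pfx)
    for ula, gua in stale_entries(current_npt, wanted).items():
        print(f"rewrite NPt {ula} -> {gua}")
```

Only the computation is shown; writing the new destination prefix back into the NPt entry is the part that pfSense does not do by itself for a dynamic prefix (that is the redmine issue mentioned later in the thread), so the cron job still has to perform that step with whatever config-editing method it already uses. Because the delegated prefix is derived from a single address, the script should also verify that the address it reads is still inside the prefix the WAN actually holds before it rewrites anything; a stale LAN address after a failed renewal would otherwise produce a mapping to a prefix that is no longer routed here.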

        @csoban said in ISP provided IPv6 prefix and NPt:

        When wiresharked, it seems every /64 subnet within the /56 is routed to the firewall even if the firewall does not use it on any interface. But some part of the /56 is still in use. Does pfSense route the ISP prefixes even if none of them is used with track interface? Or is it a must to have at least one 'track interface' to force using the /56?

        The Internet doesn't know which /64s you've enabled, only that the entire /56 is provided to your router, that is, unless you're running a routing protocol such as OSPF or BGP, which can advertise which /64 prefixes you have enabled. If you don't want a particular /64 to access the Internet, then you use a rule to block it. You can have both GUA and ULA on the same interface. In fact, you can have multiple ULAs on an interface.

        BTW, why would anyone want to use NAT with IPv6? It was created to get around the IPv4 address shortage and creates problems in the process.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • csoban @JKnott

          @jknott said in ISP provided IPv6 prefix and NPt:

          The Internet doesn't know which /64s you've enabled, only that the entire /56 is provided to your router, that is, unless you're running a routing protocol such as OSPF or BGP, which can advertise which /64 prefixes you have enabled. If you don't want a particular /64 to access the Internet, then you use a rule to block it. You can have both GUA and ULA on the same interface. In fact, you can have multiple ULAs on an interface.

          BTW, why would anyone want to use NAT with IPv6? It was created to get around the IPv4 address shortage and creates problems in the process.

          I'd like to work around the issue of not using 'track interface' type of IPv6 but using HA:
          e.g.: have ULA within the network (so my pfSense DHCPv6s it to everyone) and NPt the ULA to my GUA (which changes approx. every week) with some scripts.

          (I was looking for ways to workaround the Dynamic NPt issue: https://redmine.pfsense.org/issues/4881.)

          • Derelict LAYER 8 Netgate @csoban

            @csoban said in ISP provided IPv6 prefix and NPt:

            ISP provides a new IPv6 address and a new /56 prefix every week (at the same time the IPv4 address is renewed).

            This is a completely broken deployment by the ISP and you should complain bitterly about it.

            They should give the same prefix to the same DUID as best they can.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • JKnott @csoban

              @csoban said in ISP provided IPv6 prefix and NPt:

              my GUA (which changes approx. every week)

              Do you have Do not allow PD/Address release set on the WAN page?

              • csoban @Derelict

                @derelict said in ISP provided IPv6 prefix and NPt:

                @csoban said in ISP provided IPv6 prefix and NPt:

                ISP provides a new IPv6 address and a new /56 prefix every week (at the same time the IPv4 address is renewed).

                This is a completely broken deployment by the ISP and you should complain bitterly about it.

                They should give the same prefix to the same DUID as best they can.

                I know. :) People have a long backlog to understand IPv6 here. I had a long story with my ISP to get them to provide IPv6 properly. So I feel like I'd be sending my complaints to /dev/null, but I will give it a try, as it "surely will be a no if not asked" anyway :).

                • csoban @JKnott

                  @jknott said in ISP provided IPv6 prefix and NPt:

                  @csoban said in ISP provided IPv6 prefix and NPt:

                  my GUA (which changes approx. every week)

                  Do you have Do not allow PD/Address release set on the WAN page?

                  I tried that before w/o any luck, but I'm giving it a chance again. Will see the result in a week...

                  • JKnott @csoban

                    @csoban

                    My ISP has been providing native IPv6 for almost 6 years, and via tunnel for a while before that. While the tech support generally understands it, I find I have to educate them on the finer points. Generally speaking though, the service works quite well, though there was one issue I had difficulty getting resolved, as the people who were supposed to handle it refused, since I was running my own router instead of using the modem's gateway function.

                    • csoban @JKnott

                      @jknott
                      Pretty similar here, adding that Eastern Europe is a bit (although less and less) behind Western Europe and/or North America from a vendor perspective. However, we are selling our tech and IT knowledge to the world :D
                      It seems that the ISP's real tech guys are few and overloaded, therefore they hide them behind several levels of support contacts, and it is hard to get someone who even fully understands these kinds of questions :)
                      I'm working in an IT Service Center of a huge US bank together with many network and IT security guys and found that IPv6 is NOT common knowledge within this firm yet, either. I myself did learn a lot since I started playing with my pfSense's IPv6 setup at home, using it, as you said, as a router instead of the ISP's equipment (which was a router, wifi, SIP, everything, with lots of vulns, and works as a plain cable modem by now :))
                      Anyway, I asked them whether they are intentionally giving a new IPv6 address and prefix at the same time my IPv4 lease expires or not.

                      • JKnott @csoban

                        @csoban

                        A big part of the problem is those who think an inadequate address space + hacks is a good idea, even though it's holding back many things. One thing I was reading about recently was how China plans to be single-stack IPv6-only by 2030. This means if you want to reach sites there, you will need IPv6. There are other parts of the world where they won't hand out IPv4 addresses to anyone who's not also running IPv6. I don't know how things are in Eastern Europe, but in North America it's still possible to get by with only IPv4 because we have so many of the addresses here. In Canada, some of the major ISPs are providing IPv6, but Bell Canada, which used to be a world leader in telecom, is falling behind.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.