Configure IPv6 on multiple LAN interfaces

DrPhil · Jan 11, 2024, 2:05 PM

Hi,

I am trying to configure IPv6 on multiple LAN interfaces (LAN and DMZ).

Everything works fine on LAN. But I am struggling to make it work on DMZ.

I have a suspicion it may be because my ISP (Verizon FIOS) is assigning me a single /64. But I need someone smarter to check my hypothesis. (If my hypothesis is correct, my next question would be what are my options).

This is the setting that I am basing my opinion on.

johnpoz · Jan 11, 2024, 2:09 PM

@DrPhil if you want to another interface, you would need to change the prefix ID, for example your lan would be 0, and your new DMZ would be say 1.

Does the dmz interface get an IP when use track and set a different prefix ID different than lan prefix ID?

When your isp hands you a prefix say a /60 or /56 etc.. The prefix ID you set for track tells pfsense which /64 out of that /60 or /56 to put on this interface.. They can't be the same..

DrPhil · Jan 11, 2024, 2:10 PM

Hi @johnpoz

I only get 0 as the option for both LAN and DMZ.

johnpoz · Jan 11, 2024, 2:13 PM

@DrPhil you need to change it.. its not auto done. It will just default to 0, change the 0 to a 1 for your dmz interface..

DrPhil · Jan 11, 2024, 2:15 PM

@johnpoz

It wouldn't let me pick another number. For example if I pick 1, I get this:

The specified IPv6 Prefix ID is out of range. (wan) - (0) - (0)

I suspect it's because my ISP is handing me a single /64. Is that possible? If yes, is there a way for me to split a single /64 across two interfaces?

johnpoz · Jan 11, 2024, 2:20 PM

@DrPhil so your isp is only delegating a single /64 to you? That is pretty pointless of them to even hand out delegation.

Did you request something bigger? Try a /60

If you were static for your IPv6 - it would be possible to split your /64 but that is going to break all kinds of stuff. IPv6 really is meant to only use /64s for interfaces and networks.. If you use something else like a 65 or something all kinds of stuff not going to work.

DrPhil · Jan 11, 2024, 2:29 PM

@johnpoz
Thank you!

That worked. I didn't even know I had the option to request something from the ISP. The default populated on my WAN interface was /64, so that's what my ISP was giving me. I now requested /60, and it gave me /60.

johnpoz · Jan 11, 2024, 2:52 PM

@DrPhil they don't actually all pay attention to what you request, they might just hand you a /60 even though you requested a /56 for example.. Or if you only requested a /64 they might still hand you a /60 or /56 say..

Nice to see they are paying attention to what you requested. Wonder if you could get a /48 from them ;) To be honest the min prefix that should be given to any site is a /48.. Its not like there is really any concern of running out of IPv6 space.. For a home or smb then ok a /56 should be enough.. But a /60 is just being stingy ;)

A min allocation for a company from arin is like a /32 - which has 65k /48s in it.. A ISP should be prob getting something bigger, but I believe /32 is the smallest, or I think if your really small isp you can get a /34..

If they are handing out even /56 a /32 gives them like 16.7 million /56s they could hand out.

JKnott · Jan 11, 2024, 3:17 PM

@johnpoz said in Configure IPv6 on multiple LAN interfaces:

To be honest the min prefix that should be given to any site is a /48.. Its not like there is really any concern of running out of IPv6 space..

I trust you understand there are only enough addresses available to give over 4000 /48s to every person on earth!

johnpoz · Jan 11, 2024, 3:28 PM

@JKnott yeah only 4k each.. Its going to run out fast ;) heheh

Keep in mind that is only using the small portion of Ipv6 that has actually been allocated for use..

But then we have ISP being stingy and only giving users either only a single /64 or small /56..

A /56 can have 256 /64's so it is for sure large enough for pretty much any home or smb.. But its the principle of the thing ;) heheh

DrPhil · Jan 11, 2024, 7:15 PM

Looks like my celebration was a bit premature.

I requested a /60, and I assumed I got it because pfSense let me pick a different IPv6 Prefix ID for my DMZ interface. I picked 0 for LAN and 1 for DMZ, and was happy.

However, I was still having issues on DMZ. My linux server was not getting a v6 IP assigned dynamically, and when I tried to "force" the client to get one

sudo dhclient -6 -v eno1

I got a v6 IP, which was labelled "scope global" vs. "scope global dynamic". But the bigger issue I think is that the prefix is the same as what I have on LAN.

I suspect it's because my ISP is only giving me a /64 prefix even though I am requesting a /60.

PS: I've been on the phone with Verizon now for more than an hour, having been transferred a few times. Still haven't found a person who understands what I am asking for.

johnpoz · Jan 11, 2024, 7:45 PM

@DrPhil prefixes can be a bit harder to spot with IPv6.. do you mind posting what you got on your lan and dmz? You can PM them too me.

The guy to ask most likely would be @JKnott he is our resident IPv6 fan boy ;) and expert.. I run IPv6, but my isp doesn't even have it so I run a HE tunnel. which is a static /48 they assign to me.. But you could for sure watch your dhcp traffic from your isp and see what they are handing you for delegation be it a /60 or /56 or a /64, etc.

How are you trying to hand your clients on your dmz IPv6, dhcpv6? just SLAAC?

JKnott · Jan 11, 2024, 7:58 PM

@DrPhil said in Configure IPv6 on multiple LAN interfaces:

I suspect it's because my ISP is only giving me a /64 prefix even though I am requesting a /60.

Do a packet capture of the full DHCPv6 sequence and post the capture file here.

DrPhil · Jan 11, 2024, 8:31 PM

@DrPhil prefixes can be a bit harder to spot with IPv6.. do you mind posting what you got on your lan and dmz? You can PM them too me.

Just PMed those over to you.

How are you trying to hand your clients on your dmz IPv6, dhcpv6? just SLAAC?

dhcpv6.

JKnott · Jan 11, 2024, 8:38 PM

@DrPhil said in Configure IPv6 on multiple LAN interfaces:

Just PMed those over to you.

I don't see anything.

Just post it in the thread, so it will be available to others.

johnpoz · Jan 11, 2024, 9:00 PM

@DrPhil said in Configure IPv6 on multiple LAN interfaces:

Just PMed those over to you.

Yeah those are not right if they have a /128 on them..

@JKnott he sent me the IPs he has on lan and dmz, but they show a /128

JKnott · Jan 11, 2024, 9:29 PM

@johnpoz said in Configure IPv6 on multiple LAN interfaces:

he sent me the IPs he has on lan and dmz, but they show a /128

That's fine for the WAN, but not a prefix. I have a /128 for my WAN too.

I guess he sent the file to you but not me.

johnpoz · Jan 11, 2024, 9:30 PM

@JKnott no he didn't send any file, just the ips with /128 on them.

Those sure can not work for a lan side network - sure as a transit on the wan no problem..

DrPhil · Jan 11, 2024, 9:38 PM

@JKnott

Just to clarify, what I sent to @johnpoz were not prefixes but v6 IPs that clients on my LAN and DMZ got assigned by the respective DHCPv6 servers.

Here is the output line from

ip address

on each network (for a single client).

On LAN (client 1)
inet6 2600:4040:a30c:8801::2d83/128 scope global dynamic

On DMZ (client2)
inet6 2600:4040:a30c:8801::23ec/128 scope global

I am just reading the first 16 hex characters and calling it the same prefix (not sure that's a technically sound conclusion).

johnpoz · Jan 11, 2024, 9:43 PM

@DrPhil they are not the "same" prefix with the /128 on them..

if they had a /64 on them - then they would yeah be the same network/prefix

a /128 in IPv6 land, is the same as a /32 in IPv4.. Its a single IP.. There is no "network" if you will. Its just that IP..