Routing IPV6 over site-to-site VPNs when they are globally unique assigned from a dynamic PA
-
I'm looking for suggestions on how to set up a network and route IPV6 over a site-to-site VPN between several sites (3-4+), ideally using wireguard and globally unique IPV6 addresses.
Background
- I have several sites consisting of homes and offices. The IPV4 private address networks are connected together using Wireguard
- I use wireguard because it is very fast. I have fiber symmetrical gigabit and we get round trip latency of less than 3ms.
- For IPV4, for multicast traffic, I never managed to get PIMD to work properly or reliably; I was trying to deploy it over GRE/GIF over WireGuard and also tried OpenVPN.
- So instead I just set up Avahi to route mDNS over a separate OpenVPN site-to-site tunnel. This seems to resolve all ipv4 mDNS between sites for service discovery of supported devices.
- IPV4 routing is set up over Wireguard between sites using static routes.
- My fiber providers provide /60 PD, so I am able to get full /64 subnets for the main networks as well as guest and other networks. However, the PDs are assumed to be dynamically assigned.
- One site is on TMobile internet, which does not provide prefix delegation. I'll probably use private IPV6 space for this network and NAT the IPV6 internet traffic until I find a better solution.
I would prefer to stick to Wireguard because it is very fast. What are my best options to set up IPV6 routing between sites?
- While I would prefer to set up static routing, the prefixes are dynamic, making this impossible without some sort of automation.
- I could assign private space IPV6 addresses to each network and then use NPt to map them to globally unique IPV6 when they go out to the internet, but NPt in pfSense can't operate on dynamic prefixes.
- I could use OSPF, which would require it running over a tunnel interface that supports multicast (not WireGuard, unless it was within GRE/GIF), but even if the routing tables were automatically updated, WireGuard only supports static IP routing.
- Give up because IPV6 is dumb
So... what is the best way to go about IPV6 site-to-site over a VPN? Thanks for your suggestions.
-
You could try Unique Local Addresses.
-
@JKnott said in Routing IPV6 over site-to-site VPNs when they are globally unique assigned from a dynamic PA:
You could try Unique Local Addresses.
Now I understand that a device can have several IPV6 addresses at a time. (IP4 too, but it was a common design feature to do so on IPV6.) Does this cause problems with:
- Some clients like Android do not do DHCP and only do SLAAC. Other clients prefer to do DHCP.
- The IPV6 addresses returned by discovery protocols like mDNS would include globally routable addresses that won't reach the other side's device. How do we make sure that the clients choose the private addresses returned from, for example, mDNS?
But a problem is that the NPt feature in pfsense allows a delegated prefix to be selected only if it is assigned to an interface. Otherwise, NPt won't allow selecting a delegated prefix. So I can't figure out how to use unique local addressing with NPt.
-
The Android problem is with DHCPv6 only and has nothing to do with ULA. You can have both GUA and ULA on the same LAN, as I do here. The advantage of ULA is the prefix doesn't change, unless you change it.
BTW, do you have System/Advanced/Networking/Do not allow PD/Address release selected? If not, your prefix will change. However, not all ISPs honour it.
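One way to combine the ULA suggestion above with the automation the original post asks for, as an added example that is not code from this thread, from pfSense or from WireGuard: each site keeps a fixed ULA /48 that is always routed over the tunnel, and a small script re-derives the site's current delegated GUA prefix from `ifconfig` and rebuilds the peer's AllowedIPs and kernel routes whenever the ISP changes it. AllowedIPs is also WireGuard's inbound filter (a peer's packets with a source outside its AllowedIPs are dropped), so keeping each peer's list limited to that site's own prefixes is what stops one site from injecting traffic for another's prefix. The interface name `wg0`, the site names, the `SITES` table, the public-key placeholders and the `ifconfig` sample are all constructed assumptions; the `2001:db8::/32` documentation range stands in for a real delegation.

```python
"""Added example for this thread (not code from the original post or from pfSense):
keep a WireGuard site-to-site tunnel's IPv6 routing in step with a dynamic
delegated prefix, using a fixed ULA /48 per site plus the current GUA /60.

Assumed (hypothetical) layout: the tunnel interface is wg0, each remote site is
identified by its WireGuard public key, and every site can read the others'
current GUA prefix out of band (e.g. a file fetched over the tunnel).
"""
import ipaddress
import re

ULA_SPACE = ipaddress.IPv6Network("fc00::/7")
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:.]+)(?:%\S+)?\s+prefixlen\s+(\d+)")

# Constructed sample of `ifconfig` on a FreeBSD/pfSense LAN interface; the
# 2001:db8::/32 documentation prefix stands in for the ISP's real delegation.
SAMPLE_IFCONFIG = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
        inet6 fd12:3456:1:10::1 prefixlen 64
        inet6 2001:db8:abcd:12::1 prefixlen 64
"""

# Hypothetical site plan. The ULA /48s are chosen once by the admin and never
# change; the GUA prefixes are whatever each site's ISP delegated most recently.
SITES = {
    "office": {"pubkey": "OFFICE_WG_PUBKEY_PLACEHOLDER", "ula": "fd12:3456:2::/48"},
    "home2":  {"pubkey": "HOME2_WG_PUBKEY_PLACEHOLDER",  "ula": "fd12:3456:3::/48"},
}


def delegated_prefix(ifconfig_text, pd_len=60):
    """Return the /pd_len block that the interface's global address belongs to.

    Link-local and ULA addresses are skipped, so a LAN that carries both a ULA
    and a GUA (as suggested in the thread) still yields the ISP's prefix. Returns
    None when no global address is configured (e.g. a site without PD).
    """
    for line in ifconfig_text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.is_link_local or addr in ULA_SPACE:
            continue
        # strict=False accepts the host's /64 address and masks it down to the PD.
        return ipaddress.IPv6Network(f"{addr}/{pd_len}", strict=False)
    return None


def allowed_ips(site, current_gua):
    """AllowedIPs for one peer: its fixed ULA plus the GUA it currently holds.

    AllowedIPs is WireGuard's cryptokey routing table, so a stale GUA here means
    traffic to the remote site's new prefix is dropped by the tunnel even when
    the kernel route points at wg0.
    """
    nets = [ipaddress.IPv6Network(site["ula"])]
    if current_gua is not None:
        nets.append(ipaddress.IPv6Network(current_gua))
    return ",".join(str(n) for n in nets)


def sync_commands(current, previous=None, iface="wg0"):
    """Build the `wg set` and FreeBSD `route` argv lists that move the tunnel to
    the peers' current prefixes. Nothing is executed here; the caller decides
    whether to run them (e.g. subprocess.run(argv, check=True)).

    `current` and `previous` map site name -> GUA prefix string or None.
    """
    previous = previous or {}
    cmds = []
    for name, gua in current.items():
        site = SITES[name]
        old = previous.get(name)
        if old and old != gua:
            # Drop the route to the prefix the ISP took away, otherwise traffic to
            # the old prefix keeps entering the tunnel after the peer stopped using it.
            cmds.append(["route", "-q", "-n", "delete", "-inet6", old])
        allowed = allowed_ips(site, gua)
        # `wg set ... allowed-ips` replaces the peer's whole list, so the stale
        # GUA disappears from the cryptokey routing table in the same step.
        cmds.append(["wg", "set", iface, "peer", site["pubkey"], "allowed-ips", allowed])
        for net in allowed.split(","):
            # -q keeps route(8) quiet when the (permanent) ULA route already exists.
            cmds.append(["route", "-q", "-n", "add", "-inet6", net, "-interface", iface])
    return cmds


if __name__ == "__main__":
    print("local PD:", delegated_prefix(SAMPLE_IFCONFIG))
    for argv in sync_commands({"office": "2001:db8:beef:20::/60", "home2": None},
                              previous={"office": "2001:db8:beef:10::/60"}):
        print(" ".join(argv))
```

Run on each site from cron: publish `delegated_prefix()` of the local LAN interface to the other sites (a file served only over the tunnel is enough), feed the fetched values into `sync_commands()`, and remember the previous mapping so the stale route is removed. A site without PD, like the T-Mobile one in the thread, simply reports `None` and stays reachable over its ULA alone.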