HE tunnel and 2 WAN interfaces question

JonathanLee · Jul 20, 2024, 4:15 AM

Hello fellow Netgate community members can you please help?

I have been using HE tunnel, and I want to also add ipv6 to my other interfaces however when I attempt to do this, I get the following error...

The following input errors were detected:

IPv6 address REDACTED::/64 is being used by or overlaps with: WLAN  (REDACTED::/64)

Do I just split them up if so, how do I do that? It is not like subnetting ipv4 here...

Goal: What I want to happen is use my secure lan with my HE tunnel and use my guest wifi with my HE tunnel, I do not wnat them to talk to each other at all, only access outbound IPv6 gateway

johnpoz · Jul 20, 2024, 4:42 AM

@JonathanLee did you get the /48 from them, so you can then create your /64s out of that for your different networks?

JonathanLee · Jul 20, 2024, 5:16 AM

@johnpoz Thanks for your help yes I got one line that states routed /48

Do I use that in place of the routed /64 on the interface assignments change it to that one? If so how would I subnet that one into two /64s? Just use a subnet calculator like in the old days?

So like REDACTED::/48

Can be changed to...
Change to REDACTED:1::/64 and REDACTED:1:100::/64

johnpoz · Jul 20, 2024, 5:19 AM

@JonathanLee yes you would subnet out your /48 into /64s and then you would use those on your different networks. A /48 gives you what like 65k /64s to work with - so you have plenty to choose from ;)

Sure you can use a ipv6 calc if you so want.. But /64s are pretty easy from a /48 I use number that matches up with my IPv4s

So for example my IPv4 is 192.168.9.0/24

So for my IPv6 out of my /48

2001:470:xxxx::/48

I just use

2001:470:xxxx:9::/64

Then I can just match up the ipv6 with my IPv4 address in a way

pfsense is 192.168.9.253, so its IPv6 is 2001:470:xxxx:9::253/64, my pc at 192.168.9.100 would be 2001:470:xxxx:9::100/64

One of my other segments is 192.168.3.0/24 so the IPv6 is 2001:470:xxxx:3::/64

JonathanLee · Jul 20, 2024, 5:30 AM

@johnpoz Thank you so much for that information. That fixed it spot on understandable info.

JonathanLee · Jul 20, 2024, 5:49 PM

@johnpoz To use SLAC do you just use Assisted RA Flags?

How do I enable IPv6 EUI-64 ??

JonathanLee · Jul 20, 2024, 6:19 PM

@johnpoz how can I make the Two interfaces can’t talk to each other? Do just make a lan rule approve any !securelan? Would that understand IPv6 also?

johnpoz · Jul 20, 2024, 6:53 PM

@JonathanLee don't use bang rules.. If you don't want lan net to talk to opt net, then put in a block rule for opt net above your allow. Yes the network/subnet aliases would be the ipv4 or ipv6 networks on said interfaces.