Netgate Discussion Forum

    Divide IPv6 prefix among multiple independent routers

      CZvacko @SteveITS

      @SteveITS I'm not sure what you mean, routing a public address (GUA) is a common scenario in IPv6, or not? Now I have only one IPv6-enabled pfSense router in my lab. When I tried to increase the WAN IP by 1 (last hex number plus one), the internal route is still the same, but ping from a LAN source fails after a few minutes, I don't know why.

        JKnott @CZvacko

        @CZvacko said in Divide IPv6 prefix among multiple independent routers:

        it gives me 8 new subnets which I assign to each router (and divide again for their lan interfaces).

        You can't do that. Each LAN uses an entire /64 and you can't split them without breaking things. So, with a /53 you can have at most 8 LANs, each with a /64.

        BTW, I've never heard of an ISP providing a /53. Many provide a /56, some /48 or /60 and the cheapskates, /64.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          JKnott @SteveITS

          @SteveITS said in Divide IPv6 prefix among multiple independent routers:

          you’d need to use one /64 for your outer router’s LAN/inner routers’ WAN network

          It's possible to use Unique Local addresses for that.

            JKnott @CZvacko

            @CZvacko said in Divide IPv6 prefix among multiple independent routers:

            @SteveITS I'm not sure what you mean, routing a public address (GUA) is a common scenario in IPv6, or not? Now I have only one IPv6-enabled pfSense router in my lab. When I tried to increase the WAN IP by 1 (last hex number plus one), the internal route is still the same, but ping from a LAN source fails after a few minutes, I don't know why.

            You're trying to do something that's impossible. With a /53 you have only 8 /64 prefixes and every LAN you create requires one of them. As I mentioned, in another note, the connection between your 1st router and the rest could use a Unique Local Address, leaving all 8 /64s for the other routers, but that's as far as you can go. You cannot create further networks beyond that.

              CZvacko @JKnott

              @JKnott said in Divide IPv6 prefix among multiple independent routers:

              With a /53 you have only 8 /64 prefixes

              Really? Based on this calculator, a /53 can have 2048 /64s and a /56 can have 256 /64s. Or look at this.

                SteveITS Galactic Empire @CZvacko

                @CZvacko In a simple scenario, our data center gave us a WAN IP with a /125 mask so we could set up one IP (with HA/CARP it's 3 but that's not important for the story). Our /64 is routed to that one WAN IP. We then use that /64 on LAN. pfSense knows where its defined subnets are and the data center knows the /64 is routed to that one WAN IP.

                In our office we have a /56. Our ISP router LAN gets a /64 so the WAN IP of an internal router is in that /64. The internal router's LAN can have multiple subnets. Each router can request a subnet or prefix from the router in front of it. The ISP knows to route the entire /56 to their router's WAN IP and the ISP router knows to route the requested block to the internal router.

                So when you say you tried to use a different WAN IP is that on that same router? Are you trying to set up multiple routers in parallel, next to each other? Because I think you'd either need multiple routers (your outside router with WAN and LAN, then multiple inside) or one router with multiple interfaces (WAN, and LAN1-8 or whatever, each with their own /64).

                IPv6 normally doesn't do NAT but the routers need to know where to route each subnet/prefix. Basically, it's the same as IPv4 without NAT.

                Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                Upvote 👍 helpful posts!

                  JKnott @CZvacko

                  @CZvacko

                  Sorry, my mistake. I hadn't had my morning beer yet. 😉

                  The comments about 8 subnets misled me, when I wasn't fully awake. Yeah, you should be able to split it.

                  One thing to check is your prefix IDs. They have to be appropriate for the various subnets.

                    CZvacko @SteveITS

                    @SteveITS said in Divide IPv6 prefix among multiple independent routers:

                    multiple routers in parallel

                    I want to achieve this scenario, which is not a problem with IPv4 and NAT (each router has its own WAN IP). If one router dies, others are not affected.

                    [Image: multi routers.jpg]

                    But it seems that it can't work when NAT is not used. In my initial post I wasn't sure if IPv6 brings some new feature that might solve this. Actually, ISP support seems to have confused me: when I called them they said I can select a different WAN IP for other routers, but it seems that I can't. 😢

                    And it doesn't matter whether I use GUA or LUA in the ISP line, right? And there is no other way to achieve it, just put an extra "master" router before the others? Or pfSenseA can become master, but then it needs to use some OPT interface to connect with the others...

                      SteveITS Galactic Empire @CZvacko

                      @CZvacko And these Clients are all separate networks?

                      If you want multiple routers then you need multiple WAN IPs and the ISP will need to forward the subnet to each of the three routers' WAN IP so it gets to the correct place.

                      Otherwise you'll need to add a fourth router to split your /53. Something like:

                      pfSense OUTER WAN: use the IP your ISP tells you
                      pfSense OUTER LAN: use one /64 from your /53

                      pfSense A WAN: IP from that same /64 so the two routers can communicate, ask for prefix delegation of a /60
                      pfSense A LAN1: its own unique /64 from that /60 (Track Interface)
                      pfSense A LAN2: its own unique /64 from that /60 (Track Interface)

                      etc.

                        JKnott @CZvacko

                        @CZvacko

                        First off, I haven't tried what you want. However, I mentioned prefix IDs. You have to divide up that /53. You'd be using ID 0 for that and the /53 subnet size. Then, on each of the local networks you have to send a /56 (I assume), so you then have to split up that /53 into 8 /56s. How are you doing that? Are you using DHCPv6-PD, as you receive from your ISP? Or are you doing a manual configuration? Once that's done, the 1st router will know about the 8 next level routers and so should have routes to them. But what about what's beyond? You have to start mapping out addresses and where they are. And yes, you can use ULA between router levels, if you don't want to use GUA. However, the WAN port to the ISP will be GUA, if it has an address assigned. However, that's not needed, as link local addresses are normally used for routing.

                        I would suggest starting small and get 1 LAN going before working on the other 7.

                        You've just demonstrated a real big problem with NAT in that people don't learn how to properly route. Splitting big address blocks into smaller ones is how the Internet has always worked. This is just more of the same.

                          JKnott @SteveITS

                          @SteveITS said in Divide IPv6 prefix among multiple independent routers:

                          and the ISP will need to forward the subnet to each of the three routers' WAN IP so it gets to the correct place.

                          Nonsense. The ISP sends the entire /53 to him and everything within it. It is then his responsibility to split up the /53 and deal with the internal routing.

                          I have a /56 here, with a few /64s. I don't have to tell my ISP when I set up a network, as everything for my /56 is received by pfSense. When I add a subnet, pfSense knows what address each one is and forwards appropriately. His complication is he's adding another layer of routers, which adds to the routing he has to manage.

                            SteveITS Galactic Empire @JKnott

                            @JKnott if the ISP router is receiving the /53 then sure. I interpreted that as external/upstream.

                            In your example it sounds like you have one router not 3. I think OP wants 3 in parallel.

                            OP could use HA and two routers for redundancy and max uptime but each would need 7 interfaces, plus one for pfsync.

                              JKnott @SteveITS

                              @SteveITS said in Divide IPv6 prefix among multiple independent routers:

                              In your example it sounds like you have one router not 3. I think OP wants 3 in parallel.

                              His diagram isn't clear on what's happening. First off, his ISP's gateway has to provide more than a /64, which means it's not a typical consumer level device. What is it? Maybe he should be using bridge mode and do everything himself. We simply don't have enough detail to do much more than guess. I have set up several systems where the connection is via fibre, to a media converter and then a Cisco router, and that router is capable of what the OP wants. Again though, we don't know enough.

                              As for that ISP line, what is that? A switch with multiple routers connected? If that's the case, he has to set up the routing to describe how to reach LAN, etc.

                                CZvacko

                                The ISP gives me the prefix as a static configuration, so the /53 is routed to us. Now that the confusion about WAN IPs is resolved, I'm thinking of asking the ISP to do another setup (split on their side?).
                                Yes, ISP line = switch

                                All this happens because I need to keep the current IPv4 setup (have static /29 routed to us) and run dual-stack. Currently there are not only pfSense routers on my internet line, but also others that have stricter security policies (corporate), so they need to run independently.

                                HA setup for pfSense may be my next action, also dual WAN setup, for which I may raise another topic to ask what will be the best strategy to do it.

                                  JKnott @CZvacko

                                  @CZvacko

                                  Does the ISP router provide the entire /53 in one block? Or does it split the block with individual /64s sent to each pfSense? In that case, there would have to be routes from the ISP router to each pfSense router configured in the ISP's router. If one block, then you need a router in there to split it. What hardware is the ISP's router?

                                  BTW, IPv6 routing works pretty much the same as IPv4, so what would you do with IPv4, assuming you weren't using NAT? Same problem.

                                  If you're splitting the block in the router and then routing to the pfSense routers, you'd have to have an address on each router, such as X:Y:Z:1 on the ISP, :2 on the first pfSense, :3 on the 2nd, etc. Then you'd have to route the /64s to each of those addresses.

                                    CZvacko @JKnott

                                    @JKnott said in Divide IPv6 prefix among multiple independent routers:

                                    one block

                                    Yes, currently only one block, if they can change it to multiple blocks, it may solve the problem? I do not know what router they use, they supply us with a 1000BASE-T cable (in my diagram I drew the ISP router, but it is somewhere on their side). In the current IPv4 setup we use NAT.

                                      JKnott @CZvacko

                                      @CZvacko

                                      As I mentioned, you have to split into /64s. I suspect the ISP won't do that, as it's generally the customer's responsibility. I'd suggest you put another pfSense between the ISP's gateway and your other pfSense boxes. That way it can split the /53 into 8 /56s, assuming that's what you want. You could use different addresses, as I suggested, to get to the right pfSense.

                                      My question about IPv4 was assuming you didn't use NAT. If you can solve for that, you've got it solved for IPv6.

                                      Do you have much experience with routers?

                                        CZvacko @JKnott

                                        @JKnott

                                        Last week I discussed with the ISP about splitting the prefix on their side, but as you predicted, the ISP won't do that.
                                        So the conclusion is: multiple independent routers cannot be used with IPv6 unless NAT is used or the ISP splits the prefix and sets routing to the related WAN IPs.

                                        I'd suggest you put another pfSense between the ISP's gateway and your other pfSense boxes.

                                        I will do that in the future. For now, I need to keep the current setup where the (parallel) routers are independent. Since I'm using a dual WAN for IPv4, I'll also have to ask the second ISP for an IPv6 setup on their side, but I assume they'll do a similar setup as the first ISP (and face the same problem).

                                        Due to the dual WAN requirement, it seems that the best strategy is to use ULA on the LAN side and perform outbound NAT. I have set this up in my lab router and it seems to work as expected.

                                        I also tried to define a virtual IP (GUA block) on the WAN (using Proxy ARP) and set NPt to translate the ULA to the related GUA block, but it doesn't seem to work that way. Maybe because Proxy ARP only applies to IPv4?

                                          CZvacko

                                          Here is an update: I requested an IPv6 prefix from the second ISP, who was able to split it and set up routing to the related WAN IP addresses. I then contacted the first ISP again and they agreed to do the same. Problem solved, I can still run the routers independently. ☺
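
The split this thread ends on (one block of the /53 per router, each block routed to that router's WAN address on a shared /64) can be planned and checked before anything is configured. The sketch below is an added example, not code from any poster or from pfSense; the `2001:db8:abcd:800::/53` documentation prefix, the router names and the `capacity`, `plan_split` and `next_hop` helpers are constructed for illustration.

```python
import ipaddress

def capacity(parent, new_len):
    """Number of /new_len prefixes inside `parent` (a /53 holds 2048 /64s or 8 /56s)."""
    net = ipaddress.IPv6Network(parent)
    if new_len < net.prefixlen:
        raise ValueError("cannot carve a larger prefix out of a smaller one")
    return 2 ** (new_len - net.prefixlen)

def plan_split(parent, routers, delegated_len=56, transit=None):
    """Give each router its own block of `parent`, reached over a transit /64.

    transit=None takes the first /64 of `parent`, which costs the first block;
    pass a ULA /64 instead to keep every block free for the inner routers.
    """
    parent = ipaddress.IPv6Network(parent)
    if not parent.prefixlen <= delegated_len <= 64:
        raise ValueError("delegated blocks must sit between the parent length and /64")
    blocks = list(parent.subnets(new_prefix=delegated_len))
    if transit is None:
        transit = next(blocks[0].subnets(new_prefix=64))
        blocks = blocks[1:]              # first block is reserved for the transit link
    else:
        transit = ipaddress.IPv6Network(transit)
        if transit.prefixlen != 64:
            raise ValueError("the transit link must be a /64")
    if len(routers) > len(blocks):
        raise ValueError(f"{len(routers)} routers, only {len(blocks)} free /{delegated_len} blocks")
    routes = []
    for i, (name, block) in enumerate(zip(routers, blocks)):
        routes.append({
            "router": name,
            "wan": transit[i + 2],       # ::1 is the upstream router, inner routers start at ::2
            "block": block,
            "lans": 2 ** (64 - delegated_len),   # /64 LANs the router can create from its block
        })
    return transit, routes

def next_hop(routes, address):
    """WAN address the upstream router must forward `address` to, or None if unrouted."""
    addr = ipaddress.IPv6Address(address)
    for r in routes:
        if addr in r["block"]:
            return r["wan"]
    return None

if __name__ == "__main__":
    parent = "2001:db8:abcd:800::/53"    # constructed documentation prefix
    transit, routes = plan_split(parent, ["pfSenseA", "pfSenseB", "pfSenseC"])
    print(f"transit link {transit}, upstream router at {transit[1]}")
    for r in routes:
        print(f"route {r['block']} via {r['wan']}  ({r['router']}, {r['lans']} LAN /64s)")
```

Passing `transit="fd12:3456:789a:1::/64"` (a constructed ULA prefix) keeps all eight /56 blocks available for inner routers, which is the ULA option raised earlier in the thread.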

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.