Howto / Example for IPv6 Setup of a DMZ with static public IP addresses?



  • Hello,

    Since I found no examples in this forum or via Google search for such a setup, I would like to ask if someone else perhaps has a good example of how to do it (we have a BGP-routed IPv4 / IPv6 network).

    I first set up everything statically, but only my gateways and firewalls can communicate externally; packets from clients behind the firewalls went out and came back to the gateways, but then the gateways didn't know the route back to the client…

    I think I found some good information here:
    MicroNugget: IPv6 Prefix Delegation
    YouTube video

    If I understand this information right, I must use my complete assignment here (for instance /51) for my DMZ so that the gateways know that all these IP addresses are behind them... and then the firewalls use several /64 networks which they delegate to each LAN.

    So I tried to set up DHCPv6 with /51 (or /56) on the gateways, with the same "Prefix Delegation Range" and a /64 mask for the PDR on them, which seems to be no problem for the gateway itself.

    Then I left the WAN interface of the firewall still static and tried requesting one DHCP segment for the firewall LAN interface by setting it to type DHCPv6 with "DHCPv6 Prefix Delegation size" set to /64 and checked "Send IPv6 prefix hint".

    But then I got into trouble - the LAN interface also set the IPv4 address to DHCP?
    And no public IPv6 address was set on the LAN interface... :(

    It would be great if someone has external info sources for it or can write some quick common setup tips.

    Thanks.



  • Maybe I misunderstand what you're saying, but to do prefix delegation, you set only your WAN interface to DHCP6 and configure a prefix delegation size on it; the WAN interfaces are set to "track interface", each with a different "IPv6 prefix ID".



  • @razzfazz:

    Maybe I misunderstand what you're saying, but to do prefix delegation, you set only your WAN interface to DHCP6 and configure a prefix delegation size on it; the WAN interfaces are set to "track interface", each with a different "IPv6 prefix ID".

    For this setup type I found several howtos…

    The "problem" is that we don't use the DHCP / DHCPv6 service from our ISP, but we have static IPs which we announce ourselves with BGP to our ISP ;)

    Additionally "interesting" is that the DHCPv6 service on pfSense has no CARP/replication mode?

    Our setup (2 servers each with CARP failover):

    
          ISP-line1                    ISP-line2
            |    |                       |    |        (transfer-networks IPv4/IPv6 fixed)
      gw1-jws1  gw2-jws1           gw1-zws1  gw2-zws2
            |    |                       |    |
          [DMZ ----------------------------- DMZ]      (public static IPv4 / IPv6 networks - here BGP announced)
            |    |                       |    |
      fw1-jws1  fw2-jws1           fw1-zws1  fw2-zws2
            |    |                       |    |        (public NAT for IPv4 servers / public IPv6 networks wanted)
          [LANs JWS1]                  [LANs ZWS8]
    
    
