Native /64 on WAN, use on LAN?
-
I switched to a different ISP, which has given me a static /64 to use as I see fit. They reserved 1 IP as my upstream WAN gateway and one as my pfSense router address, but the rest of the /64 is free to use.
I'm trying to use this same /64 for clients on the LAN side, which mostly works, except for the fact that no connection from the clients to the router or to the WAN is possible over IPv6. I'm using DHCPv6 with RA and that is all working fine: clients get an IP address and a gateway and DNS server addresses. I can also ping other clients on their IPv6 address no problem. The IPv6 anti lockout rule is still in place, so it's not a problem with the firewall. Also, IPv6 traffic from the router to the WAN works fine (using the built-in diagnostic tools).
I do think it's a problem with the way I set up the interface, probably with the netmasks. I attached my WAN and LAN interface configurations.
Can anyone tell me what I'm doing wrong? I'm very new to IPv6 still so I'm probably making a newbie mistake :-[
-
It doesn't work that way. You don't take an address in a network and put it on WAN and then take another address in the same network and put it on your LAN.
If they gave you a /64 then it should be routed to you over a transit network; this is the network you would put on your WAN, and this could be a /128, for example. What ISP are you working with?
To be honest, if you want to play with and use IPv6, just get a free tunnel from Hurricane Electric – you can get a /48 from them and use as many /64s on your inside networks as you want. Or you can just get a /64 from them if that is all you need.
-
I thought I wasn't doing something right. I did some more digging and it seems I actually got a /48 from my ISP (which is Ziggo in The Netherlands, by the way).
So I can just set up my WAN as a /48, and set up my LAN with a /64, correct?
-
Yes, peel off a /64 and make LAN-net static address.
-
It depends on how they route things to you.
Some of them will give you a /48 and use the first /64 of the /48 for your WAN network, routing the remainder. Never set /48 as the subnet mask on an interface directly!
So you pick the first /64 out to be your WAN subnet, and then you can make other nets for LAN, DMZ, etc. using the remaining chunks of the routed block. An interface subnet should nearly always be /64, with larger segments routed to other firewalls/routers or used for things like prefix delegation.
With a /48 routed to you that way you've got 65535 other /64 nets you can allocate (subtracting 1 for the WAN net).
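
The addressing plan described in the post above, as an added example that is not part of the original thread: it carves per-interface /64s out of a routed block and flags the two mistakes discussed here, the same /64 on WAN and LAN and a /48 set directly on an interface. The prefix `2001:db8:1234::/48` is a constructed documentation value, and the function names `carve` and `audit` are hypothetical.

```python
import ipaddress
from itertools import combinations

def carve(routed_block, names):
    """Give each named interface its own /64 from the routed block, in order."""
    block = ipaddress.ip_network(routed_block)
    if block.prefixlen > 64:
        raise ValueError(f"{block} is smaller than a /64")
    subnets = block.subnets(new_prefix=64)  # lazy generator, 65536 nets for a /48
    return {name: next(subnets) for name in names}

def audit(interfaces):
    """interfaces maps name -> 'address/prefixlen'. Returns a list of problems."""
    parsed = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    problems = []
    # A prefix shorter than /64 must be routed, not configured on an interface.
    for name, iface in parsed.items():
        if iface.network.prefixlen < 64:
            problems.append(f"{name}: /{iface.network.prefixlen} set directly on an interface")
    # Two interfaces in overlapping subnets cannot be routed between.
    for (a, ia), (b, ib) in combinations(parsed.items(), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} and {b} overlap ({ia.network} vs {ib.network})")
    return problems

# Constructed sample values (documentation prefix), not the poster's real addresses.
ROUTED = "2001:db8:1234::/48"
SAME_64_BOTH_SIDES = {"WAN": "2001:db8:1234::2/64", "LAN": "2001:db8:1234::3/64"}
FIXED = {"WAN": "2001:db8:1234::2/64", "LAN": "2001:db8:1234:1::1/64"}

if __name__ == "__main__":
    for name, net in carve(ROUTED, ["WAN", "LAN", "DMZ"]).items():
        print(f"{name:4} {net}")
    print(audit(SAME_64_BOTH_SIDES))
    print(audit(FIXED))
```
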
-
Perhaps you need to use an NDP proxy (same as ARP proxy but for IPv6).
But I don't find it.
Pra
-
@pra:
Perhaps you need to use an NDP proxy (same as ARP proxy but for IPv6).
But I don't find it.

It does not and should not exist. You don't need nor want to proxy NDP. WAN and LAN(s) must have distinct subnets with proper routing. The ISP must supply you with a /64 or larger routed to your WAN address.