Is there any way to hand off a prefix to another pfsense instance?

  • This may be a really dumb question, but I don't seem to be able to find the answer/make this work.
    Here's the scenario.

    Comcast is my ISP. I have IPv6 working for my home network.
    I was able to switch over to requesting a /60 instead of the default /64, and I am using track interface on my LAN interface off the WAN gateway, and that works fine (all local LAN clients get valid IPv6 addresses, routing, …).
    Now, I have a VMware ESXi system with a bunch of virtual machines. It's attached to my local LAN, but internally, it has its own IPv4 subnet that all of the VMs use. The lab network is firewalled off through a pfsense VM whose WAN interface is my LAN, and whose LAN interface is the private VM network.

    What I would like to be able to do is somehow hand off one of my other 15 available prefixes from the LAN/WAN firewall over to the VM firewall so that it can hand out real IPv6 addresses on the VM network. It seems like that should be possible but I don't seem to be able to come up with a working configuration. If anybody can hit me with the cluebat, I'd be most grateful!

  • The client asks with its WAN DHCP6 for delegation of size, say a /62, from server (1st pfSense).

  • Hmmm, that's what I tried.
    I tried requesting a /64 on the WAN interface of the VM gateway and set LAN to track interface, prefix 0, or ask for a /63 on WAN and set the track interface to either 0 or 1 on LAN.
    Either way, I get a valid IPv6 address on the WAN interface and no IP v6 address on the LAN side.

  • You have to configure your DHCPv6 server on the main system to hand out PDs to the systems inside the LAN. Unless your PD stays static, that's essentially impossible (or requires manual config change) as things stand today. If your PD is at least relatively static, could configure the PD accordingly. Though because the DHCPv6 screen is hidden where you're using track interface (today at least), that's more convoluted.

    Doable, but requires some hacking.

  • Thanks cmb,
    that was the conclusion I was coming to.
    ISTM that it ought to be possible for this to be automated, i.e. to generate the correct config for the DHCPv6 server on the LAN side of the internet pfsense appliance, and to regenerate this when the lease expires.
    Does that make sense?
    I might see what I can come up with here.

  • Hmm, this is getting stranger quickly.

    My dhcpdv6.conf already has a rather interesting delegation line in it. I just upgraded to 2.2.4 to make sure everything is current, and checked the file again. It seems to be set up to hand out up to 3x /63 delegations. So I made the lab firewall ask for a /63, and sure enough, I get one. Here's my /var/dhcpd/etc/dhcpdv6.conf with addresses suitably munged:

    option domain-name "";
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;

    default-lease-time 7200;
    max-lease-time 86400;
    log-facility local7;
    one-lease-per-client true;
    deny duplicates;
    ping-check true;
    update-conflict-detection false;
    subnet6 2601:STUV:WXYZ:2de0::/64 {
            range6 2601:STUV:WXYZ:2de0::1000 2601:STUV:WXYZ:2de0::2000;
            option 2601:STUV:WXYZ:2de0:XXXX;XXXX:XXXX:XXXX;
            prefix6 2601:STUV:WXYZ:2de8:: 2601:STUV:WXYZ:2dec:: /63;
            option 2601:STUV:WXYZ:2de0:XXXX;XXXX:XXXX:XXXX;
    }

    ddns-update-style none;

    That prefix6 line is there, but I didn't do anything to create it. My WAN setup isn't using advanced and simply requests a /60 along with the checkbox for "Send an IPv6 prefix hint …" checked. Any thoughts on how we generated this?

  • Looks like the following code starting at line 1217 in file etc/inc/ in origin/master is responsible:

    /* prefix length > 0? We can add dhcp6 prefix delegation server */
    if ($pdlen > 2) {
            $pdlenmax = $pdlen;
            $pdlenhalf = $pdlenmax -1;
            $pdlenmin = (64 - ceil($pdlenhalf / 4));
            $dhcpdv6cfg[$ifname]['prefixrange'] = array();
            $dhcpdv6cfg[$ifname]['prefixrange']['prefixlength'] = $pdlenmin;
    }

    This is in the "fake out" code for track6 interfaces. It ought to be relatively simple to make the values configurable.

  • @tenortim:

    WAN setup isn't using advanced and simply requests a /60 along with the checkbox for "Send an IPv6 prefix hint ..." checked.

    To configure all things to your liking you have to use [Interfaces: WAN DHCP6 -Client- conf. Advanced] on the 1st pfSense in order to be able to manage the DHCP6 Server on that 1st pfSense.

    The method "Track Interface" is a default consumer non-professional solution. You would like to work with your quasi-Static (by dhcp6c) /60 from ISP and with your Static LAN config on 1st pfSense and 2nd pfSense.

  • Hi hda,
    the problem with overriding the file by hand is that that only works for a static IPv6 allocation. That's not what Comcast hand out (though it does seem pretty stable). The code that I quoted is the beginning of code in pfSense today that sets some of the variables that cause PD to happen. If you have at least a /60, it will set up some prefixes to hand out.
    After restarting everything, I got a /63 handed out to my 2nd-level gateway.

    The only things that concern me are:

    • this functionality doesn't seem to be documented

    • the subnet sizes are hardcoded based on the original delegation

    For the most simplistic case using track interface, ISTM that we should assign one /64 to LAN, and set up delegations for /64 for the remaining address range (so in my /60 case, we'd offer up to 15x /64 prefixes) on the basis that it's unlikely that anyone will have more than two tiers (perhaps I should say "even more unlikely than somebody having more than one ;)")

    Is there any interest in me working on the code to make this configurable i.e. to add a couple of nerd knobs for "Track interface" along the lines of

    • Enable Prefix Delegation

    • Prefix subnet size
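    The arithmetic quoted from interfaces.inc above, and the alternative proposed here (one /64 for LAN, /64 delegations for the rest), worked through as an added example. This is not pfSense code: the `pdlen` meaning (bits the ISP delegation leaves below /64) and the documentation prefix are assumptions, and the selection of delegatable prefixes is the proposal in this post, not the range pfSense itself picks (the quoted dhcpdv6.conf only offered three /63s).

```python
import math
import ipaddress

def pd_server_prefix_length(pdlen):
    """Same arithmetic as the quoted track6 code.
    pdlen is assumed to be 64 minus the ISP delegation length
    (4 for a /60, 8 for a /56). Returns the prefix length the
    DHCPv6 server would delegate, or None if nothing is delegated."""
    if pdlen <= 2:
        return None
    pdlenhalf = pdlen - 1
    return 64 - math.ceil(pdlenhalf / 4)

def delegatable_prefixes(delegation, lan_prefix_id, sub_len):
    """All sub_len prefixes inside the ISP delegation that do not
    overlap the /64 the LAN takes via track interface (prefix id).
    This is the proposal in the post above, not pfSense's own logic."""
    net = ipaddress.IPv6Network(delegation)
    lan = list(net.subnets(new_prefix=64))[lan_prefix_id]
    return [p for p in net.subnets(new_prefix=sub_len) if not p.overlaps(lan)]

def _prefix6(run):
    # ISC dhcpd syntax as seen in the quoted dhcpdv6.conf: first, last, length
    return "prefix6 %s %s /%d;" % (run[0].network_address,
                                   run[-1].network_address, run[0].prefixlen)

def prefix6_lines(prefixes):
    """Render contiguous runs of equal-length prefixes as prefix6 statements;
    a LAN /64 in the middle of the delegation splits them into two runs."""
    lines = []
    if not prefixes:
        return lines
    run = [prefixes[0]]
    for p in prefixes[1:]:
        if int(p.network_address) == int(run[-1].broadcast_address) + 1:
            run.append(p)
        else:
            lines.append(_prefix6(run))
            run = [p]
    lines.append(_prefix6(run))
    return lines

if __name__ == "__main__":
    # Constructed documentation prefix standing in for the /60 from the ISP.
    delegation = "2001:db8:0:2de0::/60"
    print("pfSense-style length for a /60:", pd_server_prefix_length(4))
    for line in prefix6_lines(delegatable_prefixes(delegation, 0, 64)):
        print(line)
```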


  • @cmb:

    Though because the DHCPv6 screen is hidden where you're using track interface (today at least), that's more convoluted.

    Just thought I'd point out Feature 3029… someone has provided a pull request for it. There are lots that would love to set custom DHCPv6 and RADVD settings with a track interface LAN, if it's something that is really feasible.

  • Yeah that's a priority to get in for 2.3.

  • Hate digging up old topics, but is this feature still on track to be included in 2.3? If not I'd better start saving some bucks in hope that I can bribe someone working for my ISP (gunning for a static /56).

  • It would be great if Chris would provide an update… given that 2.3 is in beta now and apparently major features aren't being added/changed, I'm getting the feeling that this won't make the 2.3 release, and the can gets kicked down the road a little more.

    Unless it's something being tested outside of the beta snapshots, and will be merged all at once before RC... which I doubt...

  • Well, a glimmer of hope that this will make it to 2.3… :) The Redmine feature request has been assigned, and has a target version of 2.3.

    I'll be happy to give it some testing when all is said and done!

  • Yep… time to give this some testing when I get home tonight!!
