
Author Topic: Prefix delegation to second router.  (Read 3244 times)


Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10292
  • Karma: +1177/-313
    • View Profile
Re: Prefix delegation to second router.
« Reply #15 on: January 16, 2017, 04:56:07 am »
Not a problem in 2.4.

Just routed a /56 to a 2.4 VM and set up /60 PDs behind it. Client is also 2.4.

Routing table:
2001:470:xxxx:7df0::/60   2001:470:xxxx:7e01::32a2   UGS   0   1500   xn0

DHCPv6 leases:
2001:470:xxxx:7df0::/60
Routed To: 2001:470:xxxx:7e01::32a2
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

marjohh

  • Guest
Re: Prefix delegation to second router.
« Reply #16 on: January 16, 2017, 05:06:22 am »
I take it back :)

The question is then, what am I doing wrong that you are doing right, or maybe it just won't work where LAN IPv6 tracks the WAN interface.


Offline Derelict

Re: Prefix delegation to second router.
« Reply #17 on: January 16, 2017, 05:07:51 am »
The client VM there is a default config with DHCPv6 on WAN and tracking LAN.

marjohh

  • Guest
Re: Prefix delegation to second router.
« Reply #18 on: January 16, 2017, 05:27:41 am »
So what does your prefix delegation range entry look like on the dhcp6 server and RA when you have selected /60 as the prefix delegation size?

Offline Derelict

Re: Prefix delegation to second router.
« Reply #19 on: January 16, 2017, 05:35:03 am »
Routed subnet: 2001:470:xxxx:7d00::/56

Prefix delegation range:
From: 2001:470:xxxx:7d00:: To: 2001:470:xxxx:7df0::
Prefix delegation size: 60
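The pool arithmetic behind these settings, as an added example that is not part of the original post: it expands a From/To/size range into the /60s it can hand out and checks them against the routed block and the interface subnets. The `2001:db8:0:` prefix stands in for the redacted `2001:470:xxxx:`; the function names, the assumed /64 around the next hop and the clashing /64 are constructed for illustration.

```python
import ipaddress

def pd_pool(range_from, range_to, size):
    """Expand a DHCPv6 PD range (From, To, delegation size) into its prefixes."""
    # strict=True rejects a boundary that is not aligned to the delegation size
    first = ipaddress.IPv6Network(f"{range_from}/{size}", strict=True)
    last = ipaddress.IPv6Network(f"{range_to}/{size}", strict=True)
    lo, hi = int(first.network_address), int(last.network_address)
    if hi < lo:
        raise ValueError("range end is below range start")
    step = 1 << (128 - size)  # address distance between consecutive prefixes
    return [ipaddress.IPv6Network((a, size)) for a in range(lo, hi + 1, step)]

def check_plan(routed, pool, interface_nets):
    """List pool prefixes outside the routed block or overlapping an interface subnet."""
    routed = ipaddress.IPv6Network(routed)
    problems = []
    for prefix in pool:
        if not prefix.subnet_of(routed):
            problems.append(f"{prefix} is outside routed block {routed}")
        for net in map(ipaddress.IPv6Network, interface_nets):
            if prefix.overlaps(net):
                problems.append(f"{prefix} overlaps interface subnet {net}")
    return problems

# Constructed stand-ins for the redacted values in the posts above.
ROUTED = "2001:db8:0:7d00::/56"
POOL = pd_pool("2001:db8:0:7d00::", "2001:db8:0:7df0::", 60)
LAN = "2001:db8:0:7e01::/64"    # assumed /64 around the next hop in the routing table
CLASH = "2001:db8:0:7d00::/64"  # constructed: an interface /64 taken from inside the pool

if __name__ == "__main__":
    print(len(POOL), "delegations:", POOL[0], "...", POOL[-1])
    print(check_plan(ROUTED, POOL, [LAN]) or "plan is consistent")
    print(check_plan(ROUTED, POOL, [CLASH]))
```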

marjohh

  • Guest
Re: Prefix delegation to second router.
« Reply #20 on: January 16, 2017, 05:52:28 am »
Ah, I think I see the error of my ways.

I'll confirm that shortly.

marjohh

  • Guest
Re: Prefix delegation to second router.
« Reply #21 on: January 16, 2017, 06:00:11 am »
Indeed yes... Thank you Derelict. Simple error on my part.

nivek1612

  • Guest
Re: Prefix delegation to second router.
« Reply #22 on: January 17, 2017, 05:38:28 am »
Care to share your settings in the GUI ?

marjohh

  • Guest
Re: Prefix delegation to second router.
« Reply #23 on: January 17, 2017, 06:44:52 am »
What for IPv6? or are you still trying to get v4 to work arse backwards? :P

nivek1612

  • Guest
Re: Prefix delegation to second router.
« Reply #24 on: January 17, 2017, 02:50:24 pm »
IPv6

I realised after your tutoring that my IPv4 loopback idea would just be stupid :-)

marjohh

  • Guest
Re: Prefix delegation to second router.
« Reply #25 on: January 17, 2017, 02:59:28 pm »
Not too difficult though. You could forward port 80 on the WAN of the second router to the LAN address of the 2nd router, you'll need to create the relevant rules.

Why you would want to do it is what I am unsure about.

I can think of a more secure way of doing it though. Port forward 'x' port on the primary to 'x' port on the secondary and have openvpn listen on that 'x' port on the secondary, then you'll have a vpn to the secondary LAN side and can do whatever you like.
« Last Edit: January 17, 2017, 03:09:31 pm by marjohn56 »

Offline Elv

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: Prefix delegation to second router.
« Reply #26 on: January 31, 2018, 10:01:42 am »
I can manually add a gateway and route to the primary router, then it works, is that the norm or am I completely wide of the mark?

edit:

Think I am getting my head around this. dhcp6c puts a /64 prefix on the LAN, which means that in my case, with a /56 prefix the last eight bits of the prefix on my LAN are always going to be 0. Any /64 prefix delegation on my LAN will be using those eight bits, thus giving me my 256 subnets.

I have exactly the same problem. Data going through WAN into internet and answers are received on WAN and not forwarded to LAN. Can you explain the gateway and route you have added in detail, please?

Offline Derelict

Re: Prefix delegation to second router.
« Reply #27 on: January 31, 2018, 01:19:55 pm »
OK. The first image here is from my edge. That firewall has the HE.NET tunnel configured.

One of the interfaces on it is XENWAN which goes to the virtual infrastructure. That network is the WAN interface for the test boxes (172.25.228.0/24 in the diagram in the sig.)

There is also dual stack STATICALLY CONFIGURED to a downstream router (::11). That is the CARP VIP of an HA cluster.

To that router I route two /56 prefixes. One is 2001:470:XXXX:7d00::/56 the other is 2001:470:XXXX:7e00::/56 .

I use 2001:470:XXXX:7d00::/56 to break into /64s to STATICALLY assign to the inside interfaces on the downstream test router. On LAN I also defined a range for the DHCPv6 server there.  In that DHCP server I also used 2001:470:XXXX:7e00::/56 for /60 prefix delegations. Second image.

DHCPv6 clients that connect to that LAN get an address from the DHCPv6 server and a /60 automatically routed to them if they request one.

Note that all of the interfaces need to pass all of the necessary routed subnets, etc.
« Last Edit: January 31, 2018, 01:23:04 pm by Derelict »

Offline Elv

Re: Prefix delegation to second router.
« Reply #28 on: February 01, 2018, 01:52:20 am »
Thanks for the answer. The solution seems to be to switch from TRACKED LAN by WAN and RA (which I am using, because IPv6 changes on reconnect, even IPv4 changes) to STATICALLY LAN and DHCPV6-Server?

Additionally I have to use a cable modem to connect to the ISP, which is a Fritzbox 6490 Cable. That has its own limitations and can only delegate a 62 network. Other requests failed. Getting a prefix through IPv4 does not work either.

Maybe there is no solution for using IPv6 subnets in this configuration?



ISP: Got rotating IPv4 and IPv6/56 after some reconnects

Connection: FritzBox 6490 Cable

pfSense WAN: Static IPv4 / DHCP6 / Request only an IPv6 prefix / DHCPv6 Prefix Delegation size: 62 (no other works) / Send IPv6 prefix hint / Reserved Networks: Both checkboxes off

pfSense LAN: Static IPv4 / Track Interface (IPv6) / IPv6 Interface: WAN / IPv6 Interface ID: 0 (1,2,3)

DHCPv6 Server & RA - LAN Router Advertisements: Unmanaged or Assisted or Stateless working, but with same results

All others reset to default!

LAN-Client -> pfSense LAN -> pfSense WAN -> Fritzbox -> Network request: OK
Network reply -> Fritzbox -> pfSense WAN … ends here and nothing arrives on pfSense LAN!



2.4.2-RELEASE-p1 and it is the same problem 'marjohh' has described on page 1! He seems to have a solution in this scenario by adding a route manually.
« Last Edit: February 01, 2018, 04:04:12 am by Elv »

Offline Derelict

Re: Prefix delegation to second router.
« Reply #29 on: February 01, 2018, 05:17:25 am »
Why the hell would you need to delegate prefixes to the inside if all you have is dynamic in the first place?