Netgate SG-1000 microFirewall

Author Topic: Configure ipv6  (Read 368 times)

0 Members and 1 Guest are viewing this topic.

Offline josepho

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Configure ipv6
« on: November 15, 2017, 05:40:34 pm »
Hi,

I think this topic was covered more than once, but i cant seem to find the right info. I basically got a /64 v6 subnet from my datacenter. My Subnet is xxxx:xxxx:xxxx:21::/64. I configured xxxx:xxxx:xxxx:21::2/64 on the WAN interface of the pfsense (and gateway to xxxx:xxxx:xxxx:21::1/64). How do i now give v6 to the devices behind the pfsenes?
« Last Edit: November 15, 2017, 06:57:17 pm by josepho »

Offline JKnott

  • Hero Member
  • *****
  • Posts: 956
  • Karma: +33/-4
    • View Profile
Re: Configure ipv6
« Reply #1 on: November 15, 2017, 08:32:31 pm »
How are you connecting?  Generally, when you get a prefix, it is routed to you over an IPv6 connection.  Typically, with IPv6, routers use the link local addresses (start with fe80) for this, but you might also be assigned an IPv6 address that's outside your prefix.  Did you talk to whoever provided that prefix?

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14423
  • Karma: +1336/-200
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Configure ipv6
« Reply #2 on: November 16, 2017, 04:19:30 am »
If they only gave you 1 /64 you don't

They are giving you that because they believe all your devices are directly attached to their network and each device would get an IP in that /64

But you have added a router.. So you need more than 1 /64... Because you are not directly attached to their network..  what they should do is route you say a /60 or /56 or even a /48 via a transit network.  You would then breakup that prefix they gave you into the /64 you want to use behind pfsense.

This is no different really if they gave you IPv4 space.. If they routed you a /24 you could break it up into say /28 behind pfsense..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)

Offline josepho

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Configure ipv6
« Reply #3 on: November 16, 2017, 08:39:39 am »
John and all,

Thanks for your response. I confused about something. You mention that they should give me a /58 (or lower) which i can then break up in /64's. On the same note, i can break up the /64 they provided into /65 or /66. I obviously don't need a full 18-billion /64. The issue is the other point you mentioned, the devices which are behind the pfsnese LAN interface are not directly attached to their network, so how would that work? Regardless what they route to me, its always going to end up arriving on the pfsense WAN interface.

Offline NogBadTheBad

  • Sr. Member
  • ****
  • Posts: 385
  • Karma: +31/-0
    • View Profile
Re: Configure ipv6
« Reply #4 on: November 16, 2017, 08:53:31 am »
Ask for more address space, don't split a /64.

Offline josepho

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Configure ipv6
« Reply #5 on: November 16, 2017, 09:07:24 am »
So say they give me a second /64, can you please help me with the config?

Lets assume i got the following 2 /64's

xxxx:xxxx:xxxx:21::/64
xxxx:xxxx:xxxx:22::/64

I'll configure the xxxx:xxxx:xxxx:21::/64 subnet on the WAN interface. What am i now configuring on the LAN interface?

Just curious, why shouldn't i split up a /64. And again, even they provide me with a /56, how would i configure it? Lets say i get xxxx:xxxx:3000::/56, would i configure xxxx:xxxx:3000::/58 on the pfsense WAN interface and then xxxx:xxxx:3000:40::/58 on the LAN interface?


Offline JKnott

  • Hero Member
  • *****
  • Posts: 956
  • Karma: +33/-4
    • View Profile
Re: Configure ipv6
« Reply #6 on: November 16, 2017, 09:11:55 am »
John and all,

Thanks for your response. I confused about something. You mention that they should give me a /58 (or lower) which i can then break up in /64's. On the same note, i can break up the /64 they provided into /65 or /66. I obviously don't need a full 18-billion /64. The issue is the other point you mentioned, the devices which are behind the pfsnese LAN interface are not directly attached to their network, so how would that work? Regardless what they route to me, its always going to end up arriving on the pfsense WAN interface.

A /64 will work fine, but we need to know how they're providing it to you.  If it's just a bridged connection, then you can only connect to a switch for local distribution.  If they are forwarding it to you via an IP address, then you can use a router.

Also, it's a bad idea to split a /64 on a LAN, as it breaks things, such as the method used to assign an address to a device.

In my case, I get a /56 from my ISP, which I can split into 256 /64s for use on multiple networks.  But the WAN side of my firewall has a separate interface with it's own global and link local IPv6 addresses.  The link local address is used to carry my /56 prefix to my firewall.  The global address is not within my /56.

Offline JKnott

  • Hero Member
  • *****
  • Posts: 956
  • Karma: +33/-4
    • View Profile
Re: Configure ipv6
« Reply #7 on: November 16, 2017, 09:14:32 am »
So say they give me a second /64, can you please help me with the config?

Lets assume i got the following 2 /64's

xxxx:xxxx:xxxx:21::/64
xxxx:xxxx:xxxx:22::/64

I'll configure the xxxx:xxxx:xxxx:21::/64 subnet on the WAN interface. What am i now configuring on the LAN interface?

Just curious, why shouldn't i split up a /64. And again, even they provide me with a /56, how would i configure it? Lets say i get xxxx:xxxx:3000::/56, would i configure xxxx:xxxx:3000::/58 on the pfsense WAN interface and then xxxx:xxxx:3000:40::/58 on the LAN interface?

You need to find out what they're providing you.  Are they providing a routed connection or bridged?  As I mentioned above, if "bridged", then you cannot route to your network.

Offline josepho

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Configure ipv6
« Reply #8 on: November 16, 2017, 09:16:14 am »
Ok, let me find out. I'll post back.

Thanks


Offline josepho

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Configure ipv6
« Reply #9 on: November 17, 2017, 10:35:00 am »
Phew... After a long battle with the DC...

I obtained a second /64 routed and carried over the existing WAN address. I assigned it to the LAN and to devices. All is good!

Thanks!!