
Author Topic: Changing from /64 to /48  (Read 238 times)


Offline TravisH

Changing from /64 to /48
« on: November 22, 2017, 07:40:00 pm »
Hello all,

I am trying to get my feet wet with adding an IPv6 network. My ISP (in Australia) does not support IPv6 native at the moment so I have set up an HE tunnel using the instructions at https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

I had a /64 but requested a /48 as I would like to break the network up slightly. Ideally, I would love to prefix the network into multiple /64s. My main need is actually the VPN, which needs to be a TUN interface (I can't use TAP because end clients don't support it), so if I could not segment the entire network I would only need to segment the main network (e.g. home/servers/guest) into one subnet and the OpenVPN server into another.

My question is, can DHCPv6 Server & RA be configured to give out different subnets to different networks like IPv4 DHCP?
Secondly, how do I go about adding the different subnets (e.g. Home & VPN)? Do I need to just enter one subnet into the LAN side of things, and another into the OpenVPN and create a route between them, or do I need to create more routes between subnets and the 'parent /48'?

If it helps, my planned assignment is below, and also the IPv4 addresses. I am just not entirely sure how I go about the subnetting. Like, for example, do I put the /48 address in the LAN and tell the DHCP server to issue /64 subnets, as well as OpenVPN, or should it be done a different way?

Apologies if these are stupid questions, IPv6 is mind blowing even in sheer numbers of subnets and available questions!

Many Thanks!

2001:xx:xx::/48

HOME:        2001:xx:xx:0004:0000:0000:0000:0000/64   10.30.23.0/24
SERVERS:     2001:xx:xx:0005:0000:0000:0000:0000/64   10.31.23.0/24
WLAN_GUEST:  2001:xx:xx:0006:0000:0000:0000:0000/64   10.32.23.0/24
VPN:         2001:xx:xx:0007:0000:0000:0000:0000/64   10.33.23.0/24
« Last Edit: November 22, 2017, 07:51:00 pm by TravisH »

Online JKnott

Re: Changing from /64 to /48
« Reply #1 on: November 22, 2017, 08:21:00 pm »
Quote
My question is, can DHCPv6 Server & RA be configured to give out different subnets to different networks like IPv4 DHCP?
Secondly, how do I go about adding the different subnets (e.g. Home & VPN)? Do I need to just enter one subnet into the LAN side of things, and another into the OpenVPN and create a route between them, or do I need to create more routes between subnets and the 'parent /48'?

On each network, you can choose the IPv6 prefix ID to be used. With a /48, the values range from 0 to ffff. For OpenVPN, you have to specify the network address in the IPv6 tunnel network box, e.g. 2001:xx:xx:0007::/64.
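
As an added example (not part of the original posts, and not pfSense code), the Python sketch below shows how a prefix ID selects a /64 inside a delegated prefix; it generalizes the /48 case to any delegation of /64 or shorter. The prefix 2001:db8:1234::/48 is a constructed documentation prefix and the function names are hypothetical; the prefix IDs follow the plan in the first post.

```python
import ipaddress

def prefix_id_range(delegated):
    """Highest prefix ID usable when carving /64s out of a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64")
    # A /48 leaves 16 bits for the prefix ID (0..ffff), a /56 leaves 8 (0..ff).
    return (1 << (64 - net.prefixlen)) - 1

def subnet_for(delegated, prefix_id):
    """Return the /64 selected by prefix_id inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if not 0 <= prefix_id <= prefix_id_range(delegated):
        raise ValueError(f"prefix ID {prefix_id:#x} out of range for {net}")
    # The prefix ID occupies the bits just above the 64-bit interface ID.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))

def build_plan(delegated, assignments):
    """Map interface name -> /64, rejecting a prefix ID used twice."""
    plan, seen = {}, {}
    for name, pid in assignments.items():
        if pid in seen:
            raise ValueError(f"{name} and {seen[pid]} share prefix ID {pid:#x}")
        seen[pid] = name
        plan[name] = subnet_for(delegated, pid)
    return plan

# Constructed input: documentation prefix standing in for the HE-assigned /48,
# with the prefix IDs from the planned assignment in the first post.
DELEGATED = "2001:db8:1234::/48"
ASSIGNMENTS = {"HOME": 0x4, "SERVERS": 0x5, "WLAN_GUEST": 0x6, "VPN": 0x7}

if __name__ == "__main__":
    for name, net in build_plan(DELEGATED, ASSIGNMENTS).items():
        print(f"{name:<12}{net}")
```

The VPN entry is the network that would go in the OpenVPN IPv6 tunnel network box; the others correspond to the prefix ID chosen on each interface.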

Offline TravisH

Re: Changing from /64 to /48
« Reply #2 on: November 22, 2017, 09:42:28 pm »
Thanks JKnott,

Presumably, I need to set up routing on each interface to the gateway for the tunnel?

Offline johnpoz

Re: Changing from /64 to /48
« Reply #3 on: November 23, 2017, 05:04:27 am »
"Presumably, I need to set up routing on each interface to the gateway for the tunnel?"

No. Why would you think that? You're just attaching a network to pfSense, just like an IPv4 network. pfSense will be the gateway to the clients on that network.

pfSense knows what its default gateway is for WAN, and it knows what it is for IPv6 via your tunnel you set up - you would not set up a gateway on an interface unless it was a WAN connection.