So, please don't shoot me.
I followed this how-to, https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html, since I have an ADSL connection, but it seems not to be working in my case.
My setup is the following:
ONT/Router from ISP connected to the internet and providing a /64 IPv6.
OpnSense is connected behind it and I do have a double NAT for IPv4.
I set the WAN interface IPv6 to DHCPv6, with "Request only an IPv6 prefix", "Send IPv6 prefix hint" and "Use IPv4 connectivity" checked.
The interface does get an IPv6 starting with 2804, so not a local one.
The LAN interface is set to track the WAN interface with prefix 0. The LAN interface only has a local IPv6.
None of the DHCP clients get any IPv6.
Should the LAN interface get an IPv6 address like the WAN interface has? What should I do to make the other clients get a valid IPv6 address?
There's not really much you can do with a /64 since it represents a single subnet in IPv6. Make sure you allow IPv6 ICMP on your WAN interface and you may get local hosts joining the multicast groups from your ISP router advertisements.
You may want to petition your ISP for a /56 at least. It's not like there is a shortage of IPv6 addresses.
Bart...
Tks
You can subnet it out to smaller segments: /80, /96, /112.
https://www.ibm.com/docs/en/ts3500-tape-library?topic=formats-subnet-masks-ipv4-prefixes-ipv6
Interesting link! To be fair, you can subnet your assignment any way you like. However, I find it safest to stick to the standards: https://datatracker.ietf.org/doc/html/rfc2373#section-2.5.1 Somewhere along the line an outlier is going to bite you.
I think that there is a lot of inertia within ISPs where they still think in terms of IPv4, with every subscriber getting issued a single dynamic address from their precious pool.
IPv6 is just drastically different. The address space is so huge, so let's just stick to subnets which are humongous by themselves. There are more than 36 million /64 subnets available for every square meter of the planet and 4.5 million of those subnets are publicly routable. My ISP gets that and grants me a reasonable 256 subnets. Between IoT, guest and VPN tunnel subnets I will only ever use a small fraction of those.
To effect change, subscribers that can should put pressure on their providers to change their thinking and express a willingness to vote with their feet. Think about it this way; a lot of your life is dependent on a good internet connection. Do you rely on an engineering-led company for this?
Sorry for the long rant :)
Bart...
Quote from: bartjsmit on September 11, 2021, 09:24:04 AM
Interesting link! To be fair, you can subnet your assignment any way you like. However, I find it safest to stick to the standards: https://datatracker.ietf.org/doc/html/rfc2373#section-2.5.1 Somewhere along the line an outlier is going to bite you.
SLAAC won't work with subnets smaller than /64, as an example.
Quote from: lilsense on September 11, 2021, 12:16:44 AM
You can subnet it out to smaller segments: /80, /96, /112.
https://www.ibm.com/docs/en/ts3500-tape-library?topic=formats-subnet-masks-ipv4-prefixes-ipv6
Obviously the IBM TS3500 Tape Documentation Dept were not experts in IPv6 even back in 2012.
IPv6 was formally standardized in July 2017:
RFC 8200 (STD: 86) Internet Protocol, Version 6 (IPv6) Specification
/64 was set as the smallest allowed subnet for Global Unique subnets.
RFC4291, issued in Feb 2006, is what specifies the minimum subnet size (or more specifically the required "interface identifier" size) of 64 bits for unicast addresses. So IBM had even less excuse...
They are kind of right, you can subnet to a smaller size, only you really shouldn't.
Quote from: bimbar on September 12, 2021, 06:57:16 PM
They are kind of right, you can subnet to a smaller size, only you really shouldn't.
RFC 4291 - IP Version 6 Addressing Architecture - Section 2.5.4. Global Unicast Addresses says you are constrained to 64 bit.
It doesn't make it optional and many things break if you try otherwise.
Quote from: IsaacFL on September 12, 2021, 07:53:06 PM
Quote from: bimbar on September 12, 2021, 06:57:16 PM
They are kind of right, you can subnet to a smaller size, only you really shouldn't.
RFC 4291 - IP Version 6 Addressing Architecture - Section 2.5.4. Global Unicast Addresses says you are constrained to 64 bit.
It doesn't make it optional and many things break if you try otherwise.
Obviously, you are NOT reading it correctly. So to clarify for you, the ISP is providing you a GUA which is /64 as it states in the section 2.5.4. Where you have an issue not reading correctly, it states:
Quote: where the global routing prefix is a (typically hierarchically-
structured) value assigned to a site (a cluster of subnets/links),
the subnet ID is an identifier of a link within the site, and the
interface ID is as defined in Section 2.5.1.
"A cluster of subnets" --- you can chop it up any which way as you please. It's quite simply a normal IP thing to do.
You might want to look at section 2.5.1 and what it says about the number of bits for interface identifiers
Quote from: lilsense on September 13, 2021, 12:30:13 PM
Obviously, you are NOT reading it correctly. So to clarify for you, the ISP is providing you a GUA which is /64 as it states in the section 2.5.4. Where you have an issue not reading correctly, it states:
Here is the whole Section 2.5.4. It clearly states that for all Global Unicast addresses, the global routing prefix + subnet ID must be 64 bits. Or do you disagree with the RFC?
2.5.4. Global Unicast Addresses
The general format for IPv6 Global Unicast addresses is as follows:
|         n bits         |   m bits  |       128-n-m bits         |
+------------------------+-----------+----------------------------+
| global routing prefix  | subnet ID |       interface ID         |
+------------------------+-----------+----------------------------+
where the global routing prefix is a (typically hierarchically-
structured) value assigned to a site (a cluster of subnets/links),
the subnet ID is an identifier of a link within the site, and the
interface ID is as defined in Section 2.5.1.
All Global Unicast addresses other than those that start with binary
000 have a 64-bit interface ID field (i.e., n + m = 64), formatted as
described in Section 2.5.1. Global Unicast addresses that start with
binary 000 have no such constraint on the size or structure of the
interface ID field.
Examples of Global Unicast addresses that start with binary 000 are
the IPv6 address with embedded IPv4 addresses described in Section
2.5.5. An example of global addresses starting with a binary value
other than 000 (and therefore having a 64-bit interface ID field) can
be found in [GLOBAL].
Wow, the discussion has been very rich so far.
I think I'm still lost at this moment. Is there anything I can/should do? Or is the only solution to ask my ISP for more than a /64?
Thanks
Try setting the "Prefix delegation size" to different sizes. My ISP will give out a /56, but if I only ask for a /60 it will ignore that and just give a /64. Set the debug on, and see if the log helps.
If the ISP only gives you a /64, then you can only have one subnet, so then no routing for you.
Quote from: andrema2 on September 13, 2021, 05:57:51 PM
Or is the only solution to ask my ISP for more than a /64?
It really depends how much it matters to you. You could live quite happily without IPv6, at least until some must-have new service is only available on it. Possible candidates would be in emerging economies or IoT space.
Talk to your ISP regardless, so they are aware that they're not meeting their customer needs perfectly. If they have competition, weigh up the costs and benefits of switching.
At least with OPNsense, you don't have the hassle of changing all your internal networks to fit a new router.
Bart...
Frankly, if your ISP is only handing out a /64 prefix, they are short-changing you and not implementing IPv6 properly for their customers. My ISP gives me a /56, and is soon to switch that to a /48.
Quote from: andrema2 on September 13, 2021, 05:57:51 PM
Wow, the discussion has been very rich so far.
I think I'm still lost at this moment. Is there anything I can/should do? Or is the only solution to ask my ISP for more than a /64?
Thanks
Once you have a /64, you can create a /80 or /96 for your internal network, set up your DHCP, and block your router from directly connecting to the internal network. This works just fine since your router is responsible for forwarding traffic.
OR
To calm everyone down here... you can use a ULA fc00:: address for your internal network as well.
https://datatracker.ietf.org/doc/html/rfc4193
Not sure that using ULAs will help unless NAT is also implemented, which undermines the whole philosophy of IPv6. Without NAT, how do clients reach the internet? And BTW, as the RFC makes clear, don't use fc00::/8 for ULAs, as it is reserved. Only use fd00::/8.
Bottom line, any "solution" with only a /64 prefix will be a hack. See the top answer here (https://serverfault.com/questions/714890/ipv6-subnetting-a-64-what-will-break-and-how-to-work-around-it) for a nice description of several of those hacks.
Edit: I noticed that the comments in the link above reference RFC7421 (https://datatracker.ietf.org/doc/html/rfc7421), which explains the origins of the 64 bit specification for interface identifiers and the effects of not following that specification.
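Added example for this thread (not code from the forum, OPNsense or the RFC): it walks through the RFC 4291 section 2.5.4 layout quoted above and the "/80 or /96 inside a /64" idea, splitting a GUA into global routing prefix, subnet ID and interface ID, building a modified EUI-64 interface ID, and showing that any subnet longer than /64 no longer leaves the 64-bit interface ID that SLAAC needs. The 2001:db8 prefix and the MAC address are constructed sample values.

```python
import ipaddress

SLAAC_IID_BITS = 64  # RFC 4291 2.5.4: n + m = 64 outside the 000-prefixed space


def modified_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FFFE
    eui[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(eui, "big")


def split_gua(addr: str, site_prefix_len: int, subnet_prefix_len: int) -> dict:
    """Fields of a GUA as in the RFC diagram: n = site prefix, m = subnet bits."""
    a = int(ipaddress.IPv6Address(addr))
    n, m = site_prefix_len, subnet_prefix_len - site_prefix_len
    iid_bits = 128 - n - m
    return {
        "global_routing_prefix": a >> (128 - n),
        "subnet_id": (a >> iid_bits) & ((1 << m) - 1),
        "interface_id": a & ((1 << iid_bits) - 1),
        "interface_id_bits": iid_bits,
        "rfc4291_compliant": iid_bits == SLAAC_IID_BITS,
    }


def plan_subnets(delegated: str, subnet_prefix_len: int) -> dict:
    """How many subnets a delegation yields at a length, and whether SLAAC fits."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    return {"subnets": 2 ** (subnet_prefix_len - net.prefixlen),
            "iid_bits": 128 - subnet_prefix_len,
            "slaac_ok": 128 - subnet_prefix_len >= SLAAC_IID_BITS}


def slaac_address(subnet: str, mac: str) -> str:
    """Join a /64 subnet with a MAC-derived IID; longer prefixes would be overwritten."""
    net = ipaddress.IPv6Network(subnet, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | modified_eui64_iid(mac)))


if __name__ == "__main__":
    print(plan_subnets("2001:db8::/56", 64))  # 256 subnets, SLAAC ok
    print(plan_subnets("2001:db8::/64", 80))  # 65536 subnets, SLAAC not ok
    print(slaac_address("2001:db8:0:1::/64", "00:11:22:33:44:55"))
```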