OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: cpw on April 14, 2023, 09:25:34 PM

Title: Recommended way to handle ipv6 address on WAN interface from PD
Post by: cpw on April 14, 2023, 09:25:34 PM
Hi,
Is there a recommended way to handle an IPv6 address assignment for the WAN interface, where I'm receiving a /56 PD from my ISP?

Details:
I have a static(!) IPv6 /56 PD from my ISP. The WAN interface receives it correctly from my ISP via DHCPv6, which is great. I also request a regular /128 IP address from my ISP (which I don't believe is static and is not from the PD). I would probably prefer to assign the WAN address from the /56, but I don't know how to do that. Perhaps I just assign a static address? But then, I don't think I can track interface to push the PD down to the "LAN" side, can I?

I've currently set the "LAN" interface to be the ::1 from the PD, which means it can be reached from the internet. But it's not the origin of packets from the firewall to the internet on IPv6 (that is the /128), which makes me slightly uncomfortable.

How is this recommended to be handled? I've seen other posts asking a similar question (getting a PD from ISP, how to assign from it) but never seen an actual answer saying "do this".

Thanks!
Title: Re: Recommended way to handle ipv6 address on WAN interface from PD
Post by: Patrick M. Hausen on April 14, 2023, 10:30:30 PM
Leave the WAN with the /128. After all, only OPNsense itself needs that. Remember there is no NAT in IPv6. Use individual /64s from the /56 and SLAAC for your devices. They will all communicate using their GUA. The address of the firewall is irrelevant and only needed to reach the ISP gateway.
Title: Re: Recommended way to handle ipv6 address on WAN interface from PD
Post by: meyergru on April 14, 2023, 11:17:35 PM
+1, although with dynamic IP addresses, the OPNsense IP can also be relevant, for example for dynamic DNS.

You could request a prefix only, but then you cannot assign a subnet from that prefix to the WAN interface currently (see https://forum.opnsense.org/index.php?topic=28171.msg136834#msg136834 and the still-open request https://github.com/opnsense/core/issues/6233).

I am in that situation, since my ISP does not hand out an additional WAN address. Thus, I am forced to use one of the LAN IPs for OPNsense itself. I wish I were in your situation.
Title: Re: Recommended way to handle ipv6 address on WAN interface from PD
Post by: Patrick M. Hausen on April 14, 2023, 11:25:07 PM
@meyergru picking a single address from LAN and assigning it to WAN with /128 works perfectly well, if the ISP routes your entire prefix to your MAC address as one of our hosting providers does. Needs static address assignments, of course.
Title: Re: Recommended way to handle ipv6 address on WAN interface from PD
Post by: cpw on April 17, 2023, 01:06:36 PM
Thanks for your answers. I've added a static IPv6 to the "LAN" side, using the "virtual IPs" mechanism. I can't seem to turn off the automatic "anonymous" address it also gets for itself. This seems to be a common problem for IPv6 actually - everything is always getting the randomized anonymous address, in addition to any "static" IP I assign to it (even if I turn on DHCPv6 for the LAN side and force an IP for the DUID).

Anyway, thanks again, it seems like I'm probably doing this about as well as I can.
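
The addressing layout discussed in this thread, as an added example that is not part of any post: it carves per-interface /64s out of a delegated prefix, checks whether the WAN /128 lies inside the delegation, and lists the firewall's own addresses inside the PD, which are reachable from the internet unless inbound rules say otherwise. The prefixes are constructed documentation addresses (2001:db8::/32), and the interface names, prefix IDs and the `plan_from_pd` helper are assumptions for illustration.

```python
import ipaddress

def plan_from_pd(delegated, wan_address, prefix_ids):
    """Map prefix IDs to /64s inside a delegated prefix and classify the WAN address."""
    pd = ipaddress.IPv6Network(delegated)
    wan = ipaddress.IPv6Address(wan_address)
    id_bits = 64 - pd.prefixlen              # bits available for numbering /64s
    if id_bits < 0:
        raise ValueError("delegation is longer than /64; SLAAC needs a /64")
    lans = {}
    for name, pid in prefix_ids.items():
        if not 0 <= pid < (1 << id_bits):
            raise ValueError(f"prefix ID {pid:#x} does not fit in {pd}")
        # The prefix ID occupies the low bits of the upper 64-bit half.
        net = ipaddress.IPv6Network((int(pd.network_address) | (pid << 64), 64))
        if any(net == other["prefix"] for other in lans.values()):
            raise ValueError(f"prefix ID {pid:#x} is used twice")
        lans[name] = {"prefix": net, "router": net[1]}   # ::1 as in the thread
    # A WAN /128 picked from a LAN /64 (the static case mentioned above).
    shared = next((n for n, l in lans.items() if wan in l["prefix"]), None)
    # Firewall-owned addresses inside the PD: globally routed to this box.
    exposed = {l["router"] for l in lans.values()}
    if wan in pd:
        exposed.add(wan)
    return {
        "lans": lans,
        "wan_in_pd": wan in pd,
        "wan_shares_lan": shared,
        "firewall_gua_in_pd": sorted(exposed),
    }

if __name__ == "__main__":
    # Constructed sample: a /56 delegation plus a separate WAN /128 outside it.
    plan = plan_from_pd("2001:db8:ab00::/56", "2001:db8:ffff::1234",
                        {"lan": 0x00, "guest": 0x10})
    for name, lan in plan["lans"].items():
        print(f"{name}: {lan['prefix']} router {lan['router']}")
    print("WAN inside PD:", plan["wan_in_pd"])
    print("firewall addresses to cover in inbound rules:",
          [str(a) for a in plan["firewall_gua_in_pd"]])
```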