I have an OPNSense firewall connected to an ICX 7250-C12P switch running layer 3 (router) firmware.
I have three VLANs - management, clients and IoT. Nothing on the native VLAN. Currently I use ISC DHCP on OPNSense, so I have to have all three interfaces on the firewall connected via a tagged switch port. I will move to Kea and use a single trunk for firewall to switch with a DHCP helper for IPv4 soon.
My ISP currently gives me only a single /64 IPv6 via DHCPv6 PD over IPv4 which is in theory dynamically assigned. It's a new function for them and I've pointed them at the RIPE best practice guidance 😝
I want to give my clients VLAN the only prefix and allow them to use SLAAC. I don't care if only this one subnet has a GUA prefix. How/which technology do I use to achieve this?
I've set up the trunk, giving each a ULA. I assume I want to do something with RA but I'm a little lost!
What I'm hoping to achieve is this...
1 - OPNSense retrieves the PD from the ISP over DHCPv6 via the IPv4 PPPoE link - done, although the ISP does not give me a link IP, so I'm using LL to the gateway
2 - Single 'trunk' (I think this is the right term) layer 3 connection to sub-router (layer 3 switch)
3 - Layer 3 switch has three VLANs. I want one of these VLANs to receive GUA IPv6 addresses from the single /64 prefix I have so they can use SLAAC.
I'm thinking the way to do this is to assign each VLAN's SVI a /64 ULA prefix so every client can have an IPv6 address. But then somehow also let the clients VLAN SVI have a GUA address and prefix. I'm just unclear what I should be doing, bearing in mind I don't want to have to reconfigure my switch if my GUA prefix changes.
ULAs are not very useful as they have a lower priority than IPv4.
In any case you would have to do masquerading on your outbound interface.
It all doesn't sound like a good idea to me.
Yep. ULAs are essentially useless if the goal is Internet access.
https://blog.ipspace.net/2022/05/ipv6-ula-made-useless.html
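The "lower priority than IPv4" point above, as an added example (not code from this thread, from OPNsense or from the linked blog post): a small Python model of the RFC 6724 default policy table and the two destination-ordering rules that decide ULA versus IPv4. The table rows are the defaults from RFC 6724 section 2.1; the host and destination addresses in the usage are constructed; only rules 1, 5 and 6 of section 6 are modelled, real stacks apply the others too.

```python
"""RFC 6724 destination ordering, reduced to the rules that decide
ULA versus IPv4.

Added example for this thread, not code from OPNsense or the linked
blog.  The policy table rows are the defaults from RFC 6724 section 2.1;
the host and destination addresses used below are constructed.
"""
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
POLICY_TABLE = [
    ("::1/128",       50, 0),   # loopback
    ("::/0",          40, 1),   # everything else, i.e. ordinary GUA
    ("::ffff:0:0/96", 35, 4),   # IPv4, represented as IPv4-mapped IPv6
    ("2002::/16",     30, 2),   # 6to4
    ("2001::/32",      5, 5),   # Teredo
    ("fc00::/7",       3, 13),  # ULA: precedence below IPv4
    ("::/96",          1, 3),   # IPv4-compatible (deprecated)
    ("fec0::/10",      1, 11),  # site-local (deprecated)
    ("3ffe::/16",      1, 12),  # 6bone (returned)
]
_TABLE = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in POLICY_TABLE]


def to_v6(addr):
    """Represent an IPv4 address as IPv4-mapped IPv6 so one table covers both."""
    a = ipaddress.ip_address(str(addr))
    if a.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{a}")
    return a


def lookup(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = to_v6(addr)
    best = None
    for net, prec, lab in _TABLE:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, lab)
    return best[1], best[2]


def order_destinations(dests, sources):
    """Order candidate destinations for a host that owns `sources`.

    Modelled rules of RFC 6724 section 6:
      rule 1  drop destinations the host has no usable source for
              (IPv4 needs an IPv4 source; a global IPv6 destination needs a
              non-link-local IPv6 source),
      rule 5  prefer destinations whose label matches the source's label,
      rule 6  prefer higher precedence.
    Returns the destinations, as given, in preference order.
    """
    srcs = [to_v6(s) for s in sources]
    ranked = []
    for d in dests:
        d6 = to_v6(d)
        if d6.ipv4_mapped is not None:
            usable = [s for s in srcs if s.ipv4_mapped is not None]
        else:
            usable = [s for s in srcs if s.ipv4_mapped is None and not s.is_link_local]
        if not usable:
            continue
        prec, label = lookup(d6)
        label_match = any(lookup(s)[1] == label for s in usable)
        ranked.append((label_match, prec, d))
    # rule 5 (label match) is applied before rule 6 (precedence)
    ranked.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return [d for _, _, d in ranked]


if __name__ == "__main__":
    # constructed hosts: one with only a ULA plus IPv4, one with a GUA plus IPv4
    ula_only_host = ["fd00:1::10", "192.0.2.10"]
    gua_host = ["2001:db8:1::10", "192.0.2.10"]
    print(order_destinations(["2001:db8::1", "198.51.100.1"], ula_only_host))
    print(order_destinations(["fd00:1::5", "10.0.0.5"], ula_only_host))
    print(order_destinations(["2001:db8::1", "198.51.100.1"], gua_host))
```

On the ULA-only host a name with AAAA (GUA) and A comes out IPv4 first, because the ULA source (label 13) fails rule 5 against a GUA destination (label 1); an internal name with a ULA AAAA and an A also comes out IPv4 first, this time on rule 6 (precedence 35 beats 3). Give the host a GUA source and the IPv6 destination wins (40 beats 35). That ordering is what the replies above mean by ULA having lower priority than IPv4.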
OK,
So I don't give a ULA to the clients VLAN and only give the devices and the SVI on the switch a GUA. Other VLANs can have ULAs or not, doesn't really matter. Is there a way to "redelegate" the whole prefix to the switch for just ONE VLAN?
I assume no masquerading is needed as I'd set a default IPv6 route on the layer 3 switch and a route for the prefix to the layer 3 switch on OPNSense.
But I assume I'd have to have an interface on OPNSense with a GUA in the same prefix though? Can I not route GUA traffic over ULA links?
Let me simplify this for a moment to help me understand the concepts...
I have OPNSense as my firewall. It has LAN and WAN interfaces. WAN receives IPv4 with PPPoE and a single /64 PD via DHCPv6 over IPv4. WAN interface therefore has single IPv4 address and a LL address.
LAN has a static IPv4 address with a DHCP service running for clients. LAN is set to track interface for IPv6 and Router Advertisement is set to Unmanaged.
LAN is connected to the layer 3 switch via a routed interface (this is what I meant when I said trunk port). The layer 3 switch has two VLANs with two corresponding SVIs on two subnets with ACLs. I assume with the appropriate routes this will just work, but unless I filter RA somehow on the switch, both VLANs are on the same IPv6 subnet, which would be an issue when writing ACLs?
You cannot subnet an IPv6 /64. It's the smallest (actually the only) possible prefix in an Ethernet network. Anything else breaks SLAAC, RA, ... almost everything that makes IPv6 work smoothly.
What I do if I need a "private" /64 somewhere is pick a GUA that I know is not used anywhere. E.g. my home network and each of our two office locations have static /56 allocations from Deutsche Telekom. Since I need only a handful of the 256 /64 networks that gives me per location, I can use the others in other places and NAT or NPT them.
To be clear, I don't wish to subnet a /64 prefix. I am not looking to share a /64 between different networks. I want to give a /64 prefix to only one of my two networks (because I only have one) and do not know how to do this when a subrouter is involved.
The other network also needs some IPv6 prefix or how are you intending to route?
OK, theoretically you could use strictly link-local addresses on all other links. I admit I never tried that.
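The link-local-only transit link the two replies above describe, and the poster's wish not to touch the switch when the prefix changes, as an added example (not code from this thread, from OPNsense or from Ruckus/Brocade): a small Python script that takes the /64 OPNsense currently holds from PD on its tracked interface and emits the static route for the firewall plus the VE configuration for the ICX. The ifconfig sample, interface names, VE numbers and link-local addresses are constructed placeholders, and the FastIron command syntax is assumed; check it against your release before pasting.

```python
"""Derive the downstream route and RA configuration from the currently
delegated /64, so a prefix change means re-running a script rather than
hand-editing the switch.

Added example for this thread, not OPNsense or Ruckus/Brocade code.  The
layout is the one discussed above: OPNsense holds the /64 from PD on its
tracked interface, the transit link to the ICX carries only link-local
addresses, and a single VLAN (VE) on the switch advertises the /64 with
RAs.  The ifconfig sample, interface names, VE numbers and link-local
addresses are constructed placeholders; the FastIron command syntax is
assumed and must be verified on the device.
"""
import ipaddress
import re

ULA = ipaddress.IPv6Network("fc00::/7")

# Constructed sample of `ifconfig igb1` output on the OPNsense side:
# a link-local, a ULA, and the GUA that "track interface" put there.
SAMPLE_IFCONFIG = """\
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::1%igb1 prefixlen 64 scopeid 0x2
        inet6 fd12:3456:789a:1::1 prefixlen 64
        inet6 2001:db8:1234:5678::1 prefixlen 64
"""


def delegated_prefix(ifconfig_text):
    """Return the /64 that PD put on the tracked interface.

    Link-local and ULA addresses are skipped; the remaining inet6 address
    with prefixlen 64 is taken to be the PD-derived GUA.  2001:db8::/32 is
    documentation space, so we filter explicitly rather than via is_global.
    """
    for m in re.finditer(r"inet6 ([0-9a-f:]+)(?:%\S+)? prefixlen (\d+)", ifconfig_text):
        addr, plen = ipaddress.IPv6Address(m.group(1)), int(m.group(2))
        if addr.is_link_local or addr in ULA or plen != 64:
            continue
        return ipaddress.IPv6Interface(f"{addr}/{plen}").network
    raise LookupError("no global /64 on the interface")


def _check(prefix, link_local):
    net = ipaddress.IPv6Network(str(prefix))
    ll = ipaddress.IPv6Address(link_local)
    if net.prefixlen != 64 or not ll.is_link_local:
        raise ValueError("expected a /64 and a fe80::/10 next hop")
    return net, ll


def opnsense_static_route(prefix, switch_link_local, transit_if):
    """FreeBSD/OPNsense shell command (the GUI equivalent is a gateway on the
    transit interface with this link-local address plus a static route).
    The next hop is the switch's link-local address scoped to the transit
    interface, so that link needs no GUA or ULA of its own."""
    net, ll = _check(prefix, switch_link_local)
    return f"route add -inet6 {net} {ll}%{transit_if}"


def icx_config(prefix, transit_ve, clients_ve, fw_link_local):
    """FastIron lines for the switch (assumed syntax, verify on the box):
    link-local only on the transit VE, prefix::1/64 plus RAs on the clients
    VE, and a default route back to the firewall's link-local address."""
    net, ll = _check(prefix, fw_link_local)
    svi = ipaddress.IPv6Interface(f"{net[1]}/{net.prefixlen}")  # prefix::1/64
    return [
        "ipv6 unicast-routing",
        f"interface ve {transit_ve}",
        " ipv6 enable",                 # link-local address only on the transit link
        f"interface ve {clients_ve}",
        f" ipv6 address {svi}",         # the delegated /64 lives on this VLAN only
        " no ipv6 nd suppress-ra",      # send RAs so clients SLAAC from the /64
        f"ipv6 route ::/0 ve {transit_ve} {ll}",
    ]


if __name__ == "__main__":
    pfx = delegated_prefix(SAMPLE_IFCONFIG)
    print(opnsense_static_route(pfx, "fe80::2", "igb1"))   # switch LL is assumed fe80::2
    print("\n".join(icx_config(pfx, 10, 20, "fe80::1")))  # firewall LL is assumed fe80::1
```

The script refuses anything other than a /64 and a fe80::/10 next hop on purpose: the whole point of the layout is that only the clients VE ever carries the GUA prefix, and only link-local addresses appear on the transit link. Re-run it whenever the PD changes (on OPNsense, a dhcp6c script hook is the natural trigger) and push the ICX lines over SSH; nothing else on the switch depends on the prefix.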
The other network can be IPv4 only for the purposes of this example.
The bit I don't know how to do is re-delegate my whole /64 PD from OPNSense to a subrouter.
OPNsense needs more than a /64 to delegate a smaller allocation. That's just how it works. Can't you "just" configure it statically?
So is there no technology that can pass the entire /64 prefix a router receives to another router?
Not to my knowledge.