Messages - jeweledrover

#1
So is there no technology that can pass the entire /64 prefix a router receives to another router?
#2
The other network can be IPv4 only for the purposes of this example.

The bit I don't know how to do is re-delegate my whole /64 PD from OPNSense to a subrouter.
#3
To be clear: I don't wish to subnet a /64 prefix. I am not looking to share a /64 between different networks. I want to give a /64 prefix to only one of my two networks (because I only have one) and do not know how to do this when a subrouter is involved.
#4
OK,

So I don't give a ULA to the clients VLAN and only give devices and the SVI on the switch a GUA. Other VLANs can have ULAs or not, it doesn't really matter. Is there a way to "redelegate" the whole prefix to the switch for just ONE VLAN?

I assume no masquerading is needed, as I'd set a default IPv6 route on the layer 3 switch and a route for the prefix to the layer 3 switch on OPNSense.

But I assume I'd have to have an interface on OPNSense with a GUA in the same prefix though? Can I not route GUA traffic over ULA links?

Let me simplify this for a moment to help me understand the concepts...

I have OPNSense as my firewall. It has LAN and WAN interfaces. WAN receives IPv4 with PPPoE and a single /64 PD via DHCPv6 over IPv4. The WAN interface therefore has a single IPv4 address and a LL address.

LAN has a static IPv4 address with a DHCP service running for clients. LAN is set to track interface for IPv6 and Router Advertisement is set to Unmanaged.

LAN is connected to the layer 3 switch via a routed interface (this is what I meant when I said trunk port). The layer 3 switch has two VLANs with two corresponding SVIs on two subnets with ACLs. I assume with the appropriate routes this will just work, but unless I filter RA somehow on the switch, both VLANs are on the same IPv6 subnet, which would be an issue when writing ACLs?
#5
I have an OPNSense firewall connected to an ICX 7250-C12P switch running layer 3 (router) firmware.

I have three VLANs - management, clients and IoT. Nothing on the native VLAN. Currently I use ISC DHCP on OPNSense, so I have to have all three interfaces on the firewall connected via a tagged switch port. I will move to Kea and use a single trunk for firewall to switch with a DHCP helper for IPv4 soon.

My ISP currently gives me only a single /64 IPv6 via DHCPv6 PD over IPv4 which is in theory dynamically assigned. It's a new function for them and I've pointed them at the RIPE best practice guidance 😝

I want to give my clients VLAN the only prefix and allow them to use SLAAC. I don't care if only this one subnet has a GUA prefix. How/which technology do I use to achieve this?

I've set the trunk giving each a ULA. I assume I want to do something with RA but I'm a little lost!

What I'm hoping to achieve is this...

1 - OPNSense retrieves PD from ISP over DHCPv6 via IPv4 PPPoE link - done, although the ISP does not give me a link IP so I'm using LL to the gateway

2 - Single 'trunk' (I think this is the right term) layer 3 connection to sub-router (layer 3 switch)

3 - Layer 3 switch has three VLANs. I want one of these VLANs to receive GUA IPv6 addresses from the single /64 prefix I have so they can use SLAAC.

I'm thinking the way to do this is to assign each VLAN's SVI a /64 ULA prefix so every client can have an IPv6 address. But then somehow also let the clients VLAN SVI have a GUA address and prefix. I'm just unclear what I should be doing, bearing in mind I don't want to have to reconfigure my switch if my GUA prefix changes.