Messages - ciarlill

#1
Is it not possible to assign each VLAN interface a static IPv6 in my provided subnet, then set up DHCP such that it only advertises a non-overlapping range (across all VLANs) in that subnet? This should still provide quite a few addresses per interface?
#2
I'm fine if they are not on a separate subnet; I do not plan to use IPv6 internally on the network, so I can maintain segregation by creating firewall rules to prevent access between VLANs.

Quote from: bartjsmit on December 28, 2024, 05:30:23 PM
> Give the LAN interface of the firewall a fixed IPv6 in your subnet, Services: Router Advertisements: [LAN], Unmanaged, High, Automatic, advertise default gateway. Test with a few clients, most of which will default to SLAAC and just work ;)

How will this provide other VLAN interfaces with IPv6?
#3
It might be helpful to note that even though I have an ADI line I am not a "business" customer. I had to get one (with a 3 year contract) in order for them to build out fiber to my rural home. I work from home as a software engineer and most of my networking knowledge is self-taught and mostly limited to IPv4.

So with that being said...

> Why not designate the management subnet as OPT and give it a non-routable IPv6 subnet address from fc00::/7 or fe80::/10 instead? That makes your management network more secure since it is isolated from the internet.

I probably will do something like this; my point was mostly just that I intend to deprecate/retire that existing LAN network once I successfully set up my VLANs. Either way, I will want to be able to assign IPv6 addresses to devices on different VLANs.

> As for DHCPv6, ask yourself what you need over and above the routing and DNS info disseminated by SLAAC/RADVD, which are much easier to manage.

I don't know enough about these options to answer this. I kinda _barely_ got IPv6 working at all after much trial and error. I just know I want IPv6 for my "trusted" device VLAN and I also would _like_ it for my IoT VLAN - I have some services and devices that are being very finicky about not getting an IPv6 address on startup. I could just assign them something non-routable as you suggested or I could also modify the devices' networking to disable IPv6 (which is kind of a pain), but ultimately I would still like to learn / understand how this _should_ work if I wanted it to.
#4
I have an ATT/ADI line and I am trying to figure out how to configure IPv6 with what they gave me. So far I have been able to get IPv6 working on WAN/LAN but not on VLAN interfaces. My question is around how to configure these interfaces for DHCP based on what the ISP gave me.

IPv6 WAN IP Address: 2001:XXXX:YYYY:QQQQ:0000:0000:FF73:4890
IPv6 LAN IP Address: 2001:XXXX:ZZZZ:1F00::1

I plugged in the WAN IP Address into my IPv6 Gateway and I configured the LAN interface to 2001:XXXX:ZZZZ:1F00::1/64. I then enabled DHCPv6 for the LAN interface and set the Router Advertisements to "Unmanaged" (not sure about this setting - but it worked - would appreciate any extra input here).

I am now setting up VLANs for devices (trusted, IoT, etc.) and want to provide IPv6 to them. The LAN interface will essentially become management only. I am not sure how to specify ranges _within_ what my ISP has given me to each VLAN as basically its own subnet. I also tried just copying the same exact config that I did for the LAN interface but this did not seem to work either - I am assuming I created some sort of conflict.

Any guidance or pointers here would be appreciated.
#5
I just had a DIA circuit installed at my home and I was given a block of 5 public IP addresses. Currently I have everything working but the router's WAN IP is not one of the public block I was given and it does not properly geolocate me. I don't really _need_ these public IPs but ATT just provides them. At some point I may utilize them as I build out my network but currently I just want to NAT my basic consumer devices behind one of these public IPs with correct geolocation.

I tested out creating a new OPT1 interface which uses the public IPs and skips outbound NAT. This works fine for a single device plugged into the OPT1 interface. My issue is that it appears that I can only configure DHCP for the other 4 addresses in the range. I want to put my whole 192.168.1.x network behind one of these addresses. Is there a way to do this without introducing another downstream router?

Config notes:

WAN Gateway IP: 12.xxx.yyy.49
Router WAN IP: 12.xxx.yyy.50/30 (static IPv4 configuration)

OPT1 Static IPv4: 12.zzz.ooo.17/29

Firewall rule: WAN interface, source: 12.zzz.ooo.16/29 NO NAT