Configuring IPv6 for VLANs when not using DHCP from ISP (static IPv6 range)

Started by ciarlill, December 28, 2024, 05:08:59 AM

I have an ATT/ADI line and I am trying to figure out how to configure IPv6 with what they gave me. So far I have been able to get IPv6 working on WAN/LAN but not on VLAN interfaces. My question is around how to configure these interfaces for DHCP based on what the ISP gave me.

IPv6 WAN IP Address: 2001:XXXX:YYYY:QQQQ:0000:0000:FF73:4890
IPv6 LAN IP Address: 2001:XXXX:ZZZZ:1F00::1

I plugged in the WAN IP Address into my IPv6 Gateway and I configured the LAN interface to 2001:XXXX:ZZZZ:1F00::1/64. I then enabled DHCPv6 for the LAN interface and set the Router Advertisements to "Unmanaged" (not sure about this setting - but it worked - would appreciate any extra input here).

I am now setting up VLANs for devices (trusted, IoT, etc.) and want to provide IPv6 to them. The LAN interface will essentially become management only. I am not sure how to specify ranges _within_ what my ISP has given me to each VLAN as basically its own subnet. I also tried just copying the same exact config that I did for the LAN interface, but this did not seem to work either - I am assuming I created some sort of conflict.

Any guidance or pointers here would be appreciated.

Internal IPv6 subnets are /64. If your ISP gives you only that as a delegation, they restrict you to one IPv6 subnet. Pretty mean given the size of the address space. Most give out /56.

Quote from: ciarlill on December 28, 2024, 05:08:59 AM
> The LAN interface will essentially become management only.
Why not designate the management subnet as OPT and give it a non-routable IPv6 subnet address from fc00::/7 or fe80::/10 instead? That makes your management network more secure since it is isolated from the internet.

As for DHCPv6, ask yourself what you need over and above the routing and DNS info disseminated by SLAAC/RADVD, which are much easier to manage.

Bart...

It might be helpful to note that even though I have an ADI line I am not a "business" customer. I had to get one (with a 3-year contract) in order for them to build out fiber to my rural home. I work from home as a software engineer, and most of my networking knowledge is self-taught and mostly limited to IPv4.

So with that being said...

> Why not designate the management subnet as OPT and give it a non-routable IPv6 subnet address from fc00::/7 or fe80::/10 instead? That makes your management network more secure since it is isolated from the internet.

I probably will do something like this; my point was mostly just that I intend to deprecate/retire that existing LAN network once I successfully set up my VLANs. Either way, I will want to be able to assign IPv6 addresses to devices on different VLANs.

> As for DHCPv6, ask yourself what you need over and above the routing and DNS info disseminated by SLAAC/RADVD, which are much easier to manage.

I don't know enough about these options to answer this. I kinda _barely_ got IPv6 working at all after much trial and error. I just know I want IPv6 for my "trusted" device VLAN and I also would _like_ it for my IoT VLAN - I have some services and devices that are being very finicky about not getting an IPv6 address on startup. I could just assign them something non-routable as you suggested, or I could also modify the devices' networking to disable IPv6 (which is kind of a pain), but ultimately I would still like to learn / understand how this _should_ work if I wanted it to.

You can't have a separate IoT IPv6 subnet or any other subnet/VLAN with IPv6 on a /64. You need to ask your ISP for a larger delegation.

Give the LAN interface of the firewall a fixed IPv6 in your subnet, Services: Router Advertisements: [LAN], Unmanaged, High, Automatic, advertise default gateway. Test with a few clients, most of which will default to SLAAC and just work ;)

I'm fine if they are not on a separate subnet, I do not plan to use IPv6 internally on the network so I can maintain segregation by creating firewall rules to prevent access between VLANs.

Quote from: bartjsmit on December 28, 2024, 05:30:23 PM
> Give the LAN interface of the firewall a fixed IPv6 in your subnet, Services: Router Advertisements: [LAN], Unmanaged, High, Automatic, advertise default gateway. Test with a few clients, most of which will default to SLAAC and just work ;)

How will this provide other VLAN interfaces with IPv6?

With only a single /64 you can have only one interface with IPv6. You cannot subnet further.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Is it not possible to assign each VLAN interface a static IPv6 in my provided subnet, then set up DHCP such that it only advertises a non-overlapping range (across all VLANs) in that subnet? This should still provide quite a few addresses per interface?

No. One interface, one /64.
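The "one interface, one /64" point above, worked through in code as an added example (not from any poster, and not OPNsense code): the planner carves one /64 per VLAN out of an ISP delegation and refuses when a single /64 is asked to serve several VLANs, and a second helper shows why a "non-overlapping range" inside one /64 still leaves hosts on the same on-link prefix. The prefixes used are constructed documentation addresses (2001:db8::/32), not the OP's.

```python
# Added example: plan one /64 per VLAN from an ISP delegation, and show why a
# single /64 cannot be split across interfaces. Prefixes are constructed
# documentation addresses (2001:db8::/32), not real assignments.
import ipaddress

SLAAC_PREFIX_LEN = 64  # SLAAC needs a 64-bit interface identifier (RFC 4862)


def plan_vlan_prefixes(delegation: str, vlans: list[str]) -> dict[str, dict[str, str]]:
    """Carve one /64 per VLAN from *delegation*.

    Returns {vlan: {"prefix": ..., "router": ...}}, where *router* is the
    firewall's own address in that /64 (::1, as the OP used on LAN).
    Raises ValueError when the delegation cannot supply one /64 per VLAN.
    """
    net = ipaddress.IPv6Network(delegation, strict=True)
    if net.prefixlen > SLAAC_PREFIX_LEN:
        raise ValueError(f"{net} is longer than /64; SLAAC cannot run on it")
    available = 2 ** (SLAAC_PREFIX_LEN - net.prefixlen)  # how many /64s fit
    if len(vlans) > available:
        raise ValueError(
            f"{net} holds {available} /64 subnet(s) but {len(vlans)} VLANs "
            "need one each; ask the ISP for a larger delegation (e.g. /56)"
        )
    plan = {}
    for vlan, subnet in zip(vlans, net.subnets(new_prefix=SLAAC_PREFIX_LEN)):
        plan[vlan] = {"prefix": str(subnet),
                      "router": str(subnet.network_address + 1)}
    return plan


def same_onlink_prefix(addr_a: str, addr_b: str) -> bool:
    """True when two hosts share a /64: they reach each other at layer 2, so
    no layer-3 firewall rule between VLANs ever sees that traffic."""
    a = ipaddress.IPv6Interface(f"{addr_a}/{SLAAC_PREFIX_LEN}")
    b = ipaddress.IPv6Interface(f"{addr_b}/{SLAAC_PREFIX_LEN}")
    return a.network == b.network


if __name__ == "__main__":
    # A /56 delegation yields 256 /64s: enough for mgmt, trusted and IoT.
    plan = plan_vlan_prefixes("2001:db8:abcd:1f00::/56", ["mgmt", "trusted", "iot"])
    for vlan, info in plan.items():
        print(f"{vlan:8} {info['prefix']:28} router {info['router']}")
    # The OP's situation: a single /64 cannot serve more than one VLAN.
    try:
        plan_vlan_prefixes("2001:db8:abcd:1f00::/64", ["trusted", "iot"])
    except ValueError as err:
        print("error:", err)
```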

Quote from: ciarlill on December 28, 2024, 11:01:33 PM
> maintain segregation by creating firewall rules to prevent access between VLANs.

You can only enforce firewall rules between VLANs if these have different subnets. If two devices are in the same subnet, their traffic will not go via the firewall unless you configure the firewall as a transparent bridge, in which case they need to be on the same VLAN. Layer 2 vs Layer 3.