IPv6 proper planning

[random1104]

Hello!,

My ISP handed me over an /48 without any additional guidance about how to use it, so I'm going the trial & error route and would like to hear best practices or "proper" way of doing it from the community.

Currently I've setup my WAN interface statically with the the first /80 prefix available (<prefix>::2/80 my side, <prefix>::1 on the ISP side) and I can ping Internet nodes with IPv6.

My questions would be:

- should the WAN be an /64 instead?
- how to configure the internal subnets?, track WAN interface?, static /80?, static /64?)
- how to delegate ranges for OpenVPN roadwarriors?
- how to statically delegate IPs/ranges for some roadwarrior clientes (we use IPv4 overrides for some users to match firewall rules and allow access in a "pseudo per user" way)

I'm planning to use DHCPv6 on the internal subnets to allow for unbound host<-->ip mapping.

[bartjsmit]

Some thoughts:

- IPv6 subnets with hosts on them are /64
- Your WAN doesn't need a routable address since it forwards over link-local to the ISP router (fe80: and doesn't NAT
- DHCPv6 is an edge case - use RADV instead
- Internal servers should have static IPv6 addresses unless you want to use mDNS
- Tunnels are just subnets and you can delegate /64 subnets from your range to each (you have plenty)
- Different security policies require different tunnels - you can run loads of them by picking different ports
- Enable ICMPv6 liberally since your multicast stuff relies on it

Bart...

[random1104]

Some thoughts:

- IPv6 subnets with hosts on them are /64
- Your WAN doesn't need a routable address since it forwards over link-local to the ISP router (fe80: and doesn't NAT
- DHCPv6 is an edge case - use RADV instead
- Internal servers should have static IPv6 addresses unless you want to use mDNS
- Tunnels are just subnets and you can delegate /64 subnets from your range to each (you have plenty)
- Different security policies require different tunnels - you can run loads of them by picking different ports
- Enable ICMPv6 liberally since your multicast stuff relies on it

Bart...

Thanks!,

If I need to receive traffic on the firewalls (load balancing, or any other service running on them), should I allocate an /64 then?.

When do you use /80?

I was looking at DHCPv6 only because of:
* reservations / static assignments from a central point
* DNS integration/update (assuming it's the same as IPv4)

mDNS would replace a regular unbound installation?, will need to read more about that...

My usecase is Roadwarrior VPN, so it would be a single server. Should I delegate an /64 per user in the overrides?. The mapping to users seems complicated doing it by IP moving to IPv6, I don't see any other capabilities as found in other firewall products..

Any special treatment for CARP setups (2 node cluster)?

[bartjsmit]

If I need to receive traffic on the firewalls (load balancing, or any other service running on them), should I allocate an /64 then?.

You don't receive traffic on the firewalls The servers behind the firewall have public IP addresses (2000::/3) and the firewall allows clients to access them on certain ports/protocols. Remember, no NAT?

If you want to manage your firewall remotely; e.g. through the web GUI, use your VPN.

When do you use /80?

You don't; all subnets containing your servers and clients are /64. You have about 64 thousands of those, which should be enough. Say one for your main LAN, one for IoT devices, a DMZ if you're paranoid, and a couple for your tunnels. All connect through OPNsense on rules you set for them.

I was looking at DHCPv6 only because of:
* reservations / static assignments from a central point
* DNS integration/update (assuming it's the same as IPv4)

Not much is the same as IPv4, I'm afraid. If you have a server, you can resolve its name using traditional DNS with AAAA records pointing to a static IPv6, or you can use mDNS which uses multicast (a.k.a. Avahi, Zeroconf, Bonjour). Both your server and your client need to support mDNS.

Easiest to have mDNS internally and publish your servers on public DNS through domains you own. Something like myserver.local and myserver.mydomain.tld.

My usecase is Roadwarrior VPN, so it would be a single server. Should I delegate an /64 per user in the overrides?. The mapping to users seems complicated doing it by IP moving to IPv6, I don't see any other capabilities as found in other firewall products.

Security policy divides your users into several roles, and assigns them permissions based on those roles. You can enforce permissions through authentication on your servers and/or firewall rules that restrict access. Your groups should have multiple users though. Apply the KISS principle.

Any special treatment for CARP setups (2 node cluster)?

Shouldn't make any difference (famous last words).

Bart...

[random1104]

Well, my ISP provided little guidance :/

First I got fe80:<something> advertisement for gateway, then they changed the configuration to use my <delegated>::1/48 GUA on their side, so I set <delegated>:10/64 on my side and I can ping the outside world from the firewall.

Also set <delegated>:ffff::0/64 for LAN, and <delegated>::fffe::0/64 for a test subnet. DHCP6 + Assisted RA is working, since I get an IP and a gateway. Traffic between subnets work, but traffic from the internal subnets to Internet don't. Firewall logs don't show any blocked traffic.

Do I need RA on WAN?, do the ISP need to set static routing or something like that?

[random1104]

My usecase is Roadwarrior VPN, so it would be a single server. Should I delegate an /64 per user in the overrides?. The mapping to users seems complicated doing it by IP moving to IPv6, I don't see any other capabilities as found in other firewall products.

Security policy divides your users into several roles, and assigns them permissions based on those roles. You can enforce permissions through authentication on your servers and/or firewall rules that restrict access. Your groups should have multiple users though. Apply the KISS principle.

In the IPv4 world, I had users authenticating VPN connections with certificates, and client overrides to assign an ip to X user, alias for the IP and firewall rules allowing destination that the user needed to that IP. Can I actually apply firewall rules to traffic from an authenticated user irrespective of the source IP changing between session?   

[random1104]

I was looking at DHCPv6 only because of:
* reservations / static assignments from a central point
* DNS integration/update (assuming it's the same as IPv4)

Not much is the same as IPv4, I'm afraid. If you have a server, you can resolve its name using traditional DNS with AAAA records pointing to a static IPv6, or you can use mDNS which uses multicast (a.k.a. Avahi, Zeroconf, Bonjour). Both your server and your client need to support mDNS.

Easiest to have mDNS internally and publish your servers on public DNS through domains you own. Something like myserver.local and myserver.mydomain.tld.

So, no DHCP6 registering entries dynamically with unbound based on the leases? 

[random1104]

Well, my ISP provided little guidance :/

First I got fe80:<something> advertisement for gateway, then they changed the configuration to use my <delegated>::1/48 GUA on their side, so I set <delegated>:10/64 on my side and I can ping the outside world from the firewall.

Also set <delegated>:ffff::0/64 for LAN, and <delegated>::fffe::0/64 for a test subnet. DHCP6 + Assisted RA is working, since I get an IP and a gateway. Traffic between subnets work, but traffic from the internal subnets to Internet don't. Firewall logs don't show any blocked traffic.

Do I need RA on WAN?, do the ISP need to set static routing or something like that?

Had to call them, asked for link-local integration (CARP on my side), they gave back my delegated range and configured static routing.

Traffic flows now.