Recommended way to handle ipv6 address on WAN interface from PD

[cpw]

Hi,
Is there a recommended way to handle an IPv6 address assignment for the WAN interface, where I'm receiving a /56 PD from my ISP?

Details:
I have a static(!) IPv6 /56 PD from my ISP. The WAN interface receives it correctly from my ISP via DHCPv6, which is great. I also request a regular /128 IP address from my ISP (which I don't believe is static and is not from the PD). I would probably prefer to assign the WAN address from the /56, but I don't know how to do that. Perhaps I just assign a static address? But then, I don't think I can track interface to push the PD down to the "LAN" side, can I?

I've currently set the "LAN" interface to be the ::1 from the PD, which means it can be reached from the internet. But it's not the origin of packets from the firewall to the internet on IPv6 (that is the /128), which makes me slightly uncomfortable.

How is this recommended to be handled. I've seen other posts asking a similar question (getting a PD from ISP, how to assign from it) but never seen an actual answer saying "do this".

Thanks!

[Patrick M. Hausen]

Leave the WAN with the /128. After all only OPNsense itself needs that. Remember there is no NAT in IPv6. Use individual /64 from the /56 and SLAAC for your devices. They will all communicate using their GUA. The address of the firewall is irrelevant and only needed to reach the ISP gateway.

[meyergru]

+1, although with dynamic IP addresses, the OpnSense IP can also be relevant for example for dynamic DNS.

You could request a prefix only, but then you cannot assign a subnet from that prefix to the WAN interface currently (see https://forum.opnsense.org/index.php?topic=28171.msg136834#msg136834 and the still-open request https://github.com/opnsense/core/issues/6233).

I am in that situation, since my ISP does not hand out an additional WAN address. Thus, I am forced to use one of the LAN IPs for OpnSense itself. I wished I was in your situation.

[Patrick M. Hausen]

@meyergru picking a single address from LAN and assigning it to WAN with /128 works perfectly well, if the ISP routes your entire prefix to your MAC address as one of our hosting providers does. Needs static address assignments, of course.

[cpw]

Thanks for your answers. I've added a static IPv6 to the "LAN" side, using the "virtual IPs" mechanism. I can't seem to turn off the automatic "anonymous" address it also gets for itself. This seems to be a common problem for IPv6 actually - everything is always getting the randomized anonymous address, in addition to any "static" IP I assign to it (even if I turn on DHCPv6 for the LAN side and force an IP for the DUID).

Anyway, thanks again, it seems like I'm probably doing this about as well as I can.