Recommended way to handle IPv6 address on WAN interface from PD

Started by cpw, April 14, 2023, 09:25:34 PM

Hi,
Is there a recommended way to handle an IPv6 address assignment for the WAN interface, where I'm receiving a /56 PD from my ISP?

Details:
I have a static(!) IPv6 /56 PD from my ISP. The WAN interface receives it correctly from my ISP via DHCPv6, which is great. I also request a regular /128 IP address from my ISP (which I don't believe is static and is not from the PD). I would probably prefer to assign the WAN address from the /56, but I don't know how to do that. Perhaps I just assign a static address? But then, I don't think I can track interface to push the PD down to the "LAN" side, can I?

I've currently set the "LAN" interface to be the ::1 from the PD, which means it can be reached from the internet. But it's not the origin of packets from the firewall to the internet on IPv6 (that is the /128), which makes me slightly uncomfortable.

How is this recommended to be handled? I've seen other posts asking a similar question (getting a PD from ISP, how to assign from it) but never seen an actual answer saying "do this".

Thanks!

Leave the WAN with the /128. After all, only OPNsense itself needs that. Remember there is no NAT in IPv6. Use individual /64s from the /56 and SLAAC for your devices. They will all communicate using their GUA. The address of the firewall is irrelevant and only needed to reach the ISP gateway.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
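The layout described in the reply above, worked through as an added example (not part of the original posts and not OPNsense code): it carves a /64 out of a /56 delegation by prefix ID, derives an EUI-64 SLAAC address inside it, and checks whether a WAN /128 belongs to the delegation. All prefixes, the MAC address and the function names are constructed for illustration, using the 2001:db8::/32 documentation range.

```python
import ipaddress

def lan_subnet(delegation: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 selected by prefix_id inside a delegated prefix."""
    pd = ipaddress.IPv6Network(delegation)
    if pd.prefixlen > 64:
        raise ValueError("delegation is longer than /64, no /64 fits inside")
    count = 1 << (64 - pd.prefixlen)          # a /56 holds 256 /64s
    if not 0 <= prefix_id < count:
        raise ValueError(f"prefix ID must be in 0..{count - 1:#x}")
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def eui64_address(net: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address using a modified EUI-64 interface ID (RFC 4291).

    Hosts with privacy extensions enabled will also hold randomized
    addresses in the same /64; this computes only the MAC-derived one.
    """
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                         # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def in_delegation(addr: str, delegation: str) -> bool:
    """True if addr is routed to you as part of the delegated prefix."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(delegation)

if __name__ == "__main__":
    PD = "2001:db8:1200::/56"                 # constructed delegated prefix
    WAN = "2001:db8:ffff::1234"               # constructed ISP-assigned /128
    lan = lan_subnet(PD, 0x10)
    print("LAN subnet:       ", lan)
    print("firewall LAN addr:", lan[1])
    print("host via SLAAC:   ", eui64_address(lan, "00:11:22:33:44:55"))
    print("WAN inside PD?    ", in_delegation(WAN, PD))
```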

+1, although with dynamic IP addresses, the OPNsense IP can also be relevant, for example for dynamic DNS.

You could request a prefix only, but then you cannot assign a subnet from that prefix to the WAN interface currently (see https://forum.opnsense.org/index.php?topic=28171.msg136834#msg136834 and the still-open request https://github.com/opnsense/core/issues/6233).

I am in that situation, since my ISP does not hand out an additional WAN address. Thus, I am forced to use one of the LAN IPs for OPNsense itself. I wish I were in your situation.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

@meyergru picking a single address from LAN and assigning it to WAN with /128 works perfectly well, if the ISP routes your entire prefix to your MAC address as one of our hosting providers does. Needs static address assignments, of course.

Thanks for your answers. I've added a static IPv6 to the "LAN" side, using the "virtual IPs" mechanism. I can't seem to turn off the automatic "anonymous" address it also gets for itself. This seems to be a common problem for IPv6 actually - everything is always getting the randomized anonymous address, in addition to any "static" IP I assign to it (even if I turn on DHCPv6 for the LAN side and force an IP for the DUID).

Anyway, thanks again, it seems like I'm probably doing this about as well as I can.