Geekzone: technology news, blogs, forums
IPv6 Clarification - IPv6 Prefix vs IPv6 Delegated Prefix?
#290419 10-Nov-2021 15:45
Hey there.

 

Recently joined Voyager as a residential customer.

 

This might be more of a general IPv6 question as opposed to Voyager specific, but I figured someone here who knows Voyager specifically might be able to help. 

 

Let me first start by saying that I'm a mega nerd and work in IT, however my IPv6 knowledge is limited and I'm trying to change that.

 

I have a static IPv4 which works fine.

 

I also had Voyager set me up with a static IPv6 prefix/delegation which does work fine, but I have questions.

 

 

 

In an e-mail I got from Voyager they told me I have been assigned an IPv6 prefix AND an IPv6 Prefix Delegation.

 

 

Note there's a single character difference between the two. The Prefix has 9B and the delegated prefix is B9.

 

On pfSense, my WAN and my LAN both have IPv6 addresses. The WAN is within the IPv6 Prefix network and the LAN (and all my other subsequent devices getting addresses from SLAAC) are on the B9 network. 

 

My ultimate question here is, what's the difference between the two? Why do I have a /64 IPv6 prefix and a /56 Delegated prefix?
From what I can see, I effectively ignore the /64 and use the /56 to assign IPs and create smaller subnets if I wish. But I'm still not understanding the difference between the two, or the need for them.

 

Thanks

Zeon
  #2810528 10-Nov-2021 16:11
The prefix is the subnet that sits between your router and the Voyager router. The delegated prefix will be what subnets are routed to your router's address from Voyager's (and the wider internet's) point of view. Remember IPv6 (OK there are exceptions) is publicly routable with no address translation so Voyager is sending that /56 subnet to your router. You could have multiple routers behind your gateway router too.

 

Welcome to the real internet :)




VygrNetworkMonkey
  #2810531 10-Nov-2021 16:27
Zeon:

 

The prefix is the subnet that sits between your router and the Voyager router. The delegated prefix will be what subnets are routed to your router's address from Voyager's (and the wider internet's) point of view. Remember IPv6 (OK there are exceptions) is publicly routable with no address translation so Voyager is sending that /56 subnet to your router. You could have multiple routers behind your gateway router too.

 

Welcome to the real internet :)

 

 

@zeon's on the money!

 

Traditionally the case is:
The /64 is for the WAN 'link' between your router and the BNG.
The /56 is for LAN side.

 

Why a /56 on the LAN? - Because this facilitates 256x /64's - which you can split into VLANs on your 'internal' (given IPv6 is entirely public, 'internal' is relative :P)

 

A key component for IPv6 to operate correctly relies on /64 being the smallest/longest prefix size deployed - assuming you want features such as SLAAC/RA etc to operate.

 

It's a lot of addresses .... more than most will ever need, but you got them anyway.




  #2810545 10-Nov-2021 16:44
OK, understood! Thank you!

 

So to be absolutely clear, I will basically never touch the /64 and everything I do should be within that /56 ?



  #2810713 10-Nov-2021 19:49
GARBAGE:

 

OK, understood! Thank you!

 

So to be absolutely clear, I will basically never touch the /64 and everything I do should be within that /56 ?

 

 

Well.... you technically could use only IPs from the /64, depending on router feature sets... but I wouldn't recommend it.

 

Best to stick with the /56 - even if you will only ever use a fraction of it.




  #2810907 10-Nov-2021 23:00
Ok, I think I’m getting the hang of it, but I’ve now uncovered more questions with regards to splitting my subnet up.

Say my delegated prefix is
AAAA:AAAA:AAAA:AD00::/56

I’m using pfSense and when I set my LAN to track interface on WAN, it automatically assigns addresses within that range, but does it break it out into a /64? Or is it still using the entire /56?

One would assume if it was a /64 and I wanted to use another subnet say for servers in my home network, the next /64 would be AAAA:AAAA:AAAA:AD01::/64
Is that correct?

Is anything within that /56 automatically routable? My testing indicates no, and I’m really struggling with learning this. The subnetting itself I understand fine (I think) but I’m not grasping the implementation and splitting up of that initial /56.

Thanks for your help. Happy to DM anyone my actual prefix to help if you want.

  #2810954 11-Nov-2021 07:57
Heya @GARBAGE

 

I'm not familiar with pfSense sorry - so I can't advise how to configure it.. but...

 

To see how your router is breaking it up on the LAN, simply go into your network settings and see what IPv6 address you have been assigned. 
Ignore the fe80 addresses (they're link-local addresses) - but look for the ones that start with 2406:1e00... that's Voyager's IPv6 range that we're using currently.
On these IPs, there will be a subnet mask .... ie: 2406:1e00:xxxx:xxxx:xxxx:xxxx/64 <-- this will tell you what your pfSense box is doing with the subnets.

 

Ultimately, whether it's /56 or /64 shouldn't change the routability of the addressing scheme - they're all public addresses, and all routable. It just comes down to how your CPE/Router manages it.

 

A lot of CPEs will break up the /56 into random smaller /64 chunks and assign at will, if you do not specify the subnet explicitly - totally fine.
If you want to manually break up the /56 into individual /64's per VLAN, then you can absolutely do that (that's what I've done .... of course I've over engineered my home network  :P).
I would recommend double checking everything with an IPv6 Subnet Calculator - This one's helpful, as it shows in colour which bits you can alter within a subnet mask - http://www.gestioip.net/cgi-bin/subnet_calculator.cgi




  #2811348 12-Nov-2021 01:14
Thanks for your help @VygrNetworkMonkey -- I appreciate you do this for free and have no obligation to help me here, it means a lot!

 

I'm gonna paste here what I posted on reddit just now to see if anyone in r/pfSense knows what the deal is, but maybe you could provide some insight. I managed to get an extra subnet going last night but it's not quite working how I would expect.

 

For privacy sake let's say that prefix is

 

1234:5678:9ABCD:EF00::/56

 

I set my pfSense WAN to DHCPv6 where they assign me a /64 outside of that range, then I set my pfSense LAN interface to Track Interface on WAN.

 

pfSense then automatically subnets that /56 into a /64 which is fine (pfSense doesn't appear to have the ability to adjust that /64 to anything else??). That /64 is 1234:5678:9ABCD:EF00::/64 (the subnet ID I have in pfSense is 0, so it uses the first subnet available from that /56).

 

To be clear this works perfectly. Clients on my network get IPv6 addresses within that /64 and everything works fine.

 

The confusion I'm having is if I want an additional subnet, and how routing works.

 

On my pfSense I set up an additional OPT1 interface that's just on VLAN1. I don't have any other VLANs anywhere on my network. On the OPT1 interface I set the interface ID to "1". That seemed to work and I got a subnet of 1234:5678:9ABCD:EF01::/64 and the OPT1 interface has an IP address that friends of mine are able to ping from outside the internet.

 

However, despite firewall rules being in place, I cannot ping that IP from anywhere inside my LAN, from any machine. Whenever I do, I just get destination host unreachable. If I check my Windows Route table, I can actually see that new OPT1 subnet 1234:5678:9ABCD:EF01::/64 but it says "on-link". Is this normal for IPv6? How does the routing actually work? I understand that outside of my network, that my ISP throws anything destined for my /56 at my router, but internally? How do I make this work?

 

Sorry for the wall of text. Hope someone is able to give me a hand.



  #2811348 12-Nov-2021 01:14
"On-link" means that the Windows PC can send directly to that address block without going through a router.  It should have an IPv6 address from that address block on one of its network ports, so if you run ipconfig you should see that address.

 

Windows should have your pfSense router as its default route.  In IPv6, the default route is "::0".  This is from the top of my "route print" output on my main Windows box:

 

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     25 ::/0                     pppp:pppp:pppp:pp01::251
  7     25 ::/0                     pppp:pppp:pppp:pp02::251
  7    281 ::/0                     fe80::1ae8:29ff:febe:e296
 12    281 ::/0                     fe80::1ae8:29ff:febe:e295

 

I have replaced my delegated /56 prefix with pppp:pppp:pppp:pp.  This box has two Ethernet cards, interface 12 connected to my "Outer" subnet (01) and interface 7 connected to my "Inner" subnet (02).  The Outer subnet is a DMZ, where guests and untrusted devices are connected.  The "Inner" subnet is where all my trusted devices connect.  My ER4 router has one Ethernet port connected to Outer and one to Inner, and its device ID on both subnets is ::251, and both of those addresses are in the routing table as default routes.  The router's link-local addresses (fe80::) are also in the routing table as default routes, as IPv6 often routes packets using the link-local addresses as the next hop address and does not actually need to have a global unicast IPv6 address to route packets to.  With these routing table entries, any packet sent to an address that is not elsewhere in the routing table will be sent via the default route with the lowest metric, so it will be sent to pppp:pppp:pppp:pp01::251, my ER4's Outer IPv6 address.  The ER4 will then look up its routing table to send the packet on.
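
The /56-into-/64 split and the on-link versus default-route decision discussed in this thread, as an added example that is not code from any poster or from pfSense. The prefixes are constructed from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation range 2001:db8::/32), not real prefixes.
WAN_LINK = ipaddress.IPv6Network("2001:db8:0:9b00::/64")   # router <-> ISP link
DELEGATED = ipaddress.IPv6Network("2001:db8:0:b900::/56")  # routed to the LAN side


def lan_subnet(delegated, subnet_id, new_len=64):
    """Return the subnet with the given ID inside a delegated prefix."""
    id_bits = new_len - delegated.prefixlen
    if id_bits < 0 or not 0 <= subnet_id < (1 << id_bits):
        raise ValueError(f"subnet ID out of range for {delegated}")
    base = int(delegated.network_address) | (subnet_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def classify(addr, delegated=DELEGATED, wan_link=WAN_LINK):
    """Say where an address sits: link-local, WAN link, or a delegated /64."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip in wan_link:
        return "wan-link"
    if ip in delegated:
        # The subnet ID is the bits between the delegated length and /64.
        sid = (int(ip) >> 64) & ((1 << (64 - delegated.prefixlen)) - 1)
        return f"delegated subnet {sid}"
    return "outside"


def next_hop(dest, on_link_prefixes, default_gateway):
    """Host-side decision: deliver directly if on-link, else use the default route."""
    ip = ipaddress.IPv6Address(dest)
    if any(ip in ipaddress.IPv6Network(p) for p in on_link_prefixes):
        return "on-link"
    return default_gateway


if __name__ == "__main__":
    for sid in (0, 1, 255):
        print(sid, lan_subnet(DELEGATED, sid))
    print(classify("2001:db8:0:b901::10"))
    lan0 = str(lan_subnet(DELEGATED, 0))
    print(next_hop("2001:db8:0:b901::10", [lan0], "fe80::1"))
```

Because every /64 in the delegated prefix is globally routable, knowing which subnet ID an address falls in is what lets per-VLAN firewall rules on the router be written against the right prefix.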
