We just got an IPv6 /48 range (a gateway and an IP address) for our company, but I'm unsure about how to set it up. We use FreeBSD 8.4 (pfSense 2.1) as a router/firewall.
Currently we have IPv4 setup with a WAN towards the internet, and a NAT-ed LAN behind it for office PCs.
We want to keep the LAN network for security, and we want IPv6 addresses from the /48 for all office PCs (without NAT).
The WAN is configured with the IPv6 gateway 1111:2222:3333::1/48 and interface address 1111:2222:3333::2/48. But when it's configured this way, I guess it's impossible to fit the LAN on a /64 within the /48?
I believe I should configure the WAN subnet on 1111:2222:3333:1::/64 and the LAN on a subnet like 1111:2222:3333:2::/64. Is this something I can configure myself, or do I have to ask the ISP to configure that routing for me?
Current test setup:
- WAN gateway 1111:2222:3333::1/48
- WAN interface (em3) 1111:2222:3333::2/64
- LAN interface (em1) 1111:2222:3333:1::1/64
- Test client on LAN 1111:2222:3333:1::abcd/64
netstat -r shows:
Destination          Gateway              Flags  Netif  Expire
default              1111:2222:3333::1    UGS    em3
localhost            localhost            UH     lo0
1111:2222:3333::     link#4               U      em3
1111:2222:3333::2    link#4               UHS    lo0
1111:2222:3333:1::   link#2               U      em1
1111:2222:3333:1::1  link#2               UHS    lo0
I can ping the WAN gateway from the router. From the test client I can ping the LAN & WAN interfaces, but not the WAN gateway.
If I try to add an explicit route, I get an error:
$ route add -inet6 -net 1111:2222:3333:1::/64 1111:2222:3333::2
route: writing to routing socket: File exists
add net 1111:2222:3333:1::/64: gateway 1111:2222:3333::2: route already in table
You've got the right idea here, and you need to ask your ISP exactly what they're routing to you.
Usually, if you're getting a subnet of addresses, your edge router's WAN address will be on a small, separately assigned linknet /64. That way you have the whole /48 on your LAN-side interface without losing any nets for the purpose of talking to your ISP; you can then subnet off the smaller nets as required, and the ISP will always send the traffic to your edge router's WAN interface.
You have many, many /64s inside a /48. Use the first /64 (the one where the gateway is) as your point-to-point subnet (in an IPv4 environment, this would be the /30 you use for the PPP connection to your central office).
You can start allocating subnets to your LAN starting from the next /64 (1::/64).
If they allocated you that /48, they already have a static route in place that throws all the traffic for it towards your pipe.
Practical example:
My WAN IPv6 gateway (with which I talk through wan0) is
2001:470:1f0a:314::1/64
My WAN IPv6 is
2001:470:1f0a:314::2/64
(the very next IP, assigned to wan0). Be sure you have a default route set for wan0 on your router.
If after this you have connectivity on your router, it means your WAN is working properly. If it doesn't, you have to fix it with your ISP, and it has nothing to do with routes on your LAN and whatnot.
My LAN Subnet is
2001:470:1f0b:314::/64
Simply configure
2001:470:1f0b:314::1
as your eth0 IP on the router. Assign
2001:470:1f0b:314::2
to a PC on the same LAN as eth0, and on that PC set 2001:470:1f0b:314::1
(your router address) as your default gateway. If you don't have any iptables rule in place that blocks this kind of traffic, your border router (which we're assuming is a Linux box) will simply route any incoming packet for
2001:470:1f0b:314::/64
from wan0 to eth0, because this is a directly connected network and thus the routing table already "knows" it. On eth0, if the router knows the MAC address of the end destination (your office PC that you're theoretically pinging from the internet), it will send it directly there. Otherwise, it will make an ARP request asking "WHO THE HECK HAS THIS ADDRESS?", and if the target PC is online, has this address properly configured and has the default gateway set, it will answer, establishing communication.
Remember that most common knowledge about IPv4 applies to IPv6 too. Do not assume things work differently all the time :P
EDIT #2:
My answer makes many assumptions. Keep in mind that you don't need to declare directly connected networks explicitly. Have you assigned an IP of your LAN subnet to your router? Do you have that IP as your default gateway on the LAN computers you're testing from?
I guess I fell into the "overcomplicate IPv6" trap as well :P
EDIT #3:
This part was silly wrong if we are talking about directly connected. Disregard it.
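As an added worked example (not part of the question or either answer above), the following Python script makes the subnetting advice from both answers concrete: it takes the /48 and the ISP gateway from the question, picks the /64 containing the gateway as the WAN linknet, hands out LAN /64s starting from the next one, states the route the ISP must hold for return traffic, and checks the question's worry that a /48 prefix length on the WAN interface would make every LAN /64 collide with the WAN side. The addresses are the question's placeholders; the choice of "gateway + 1" as the router's WAN address follows the second answer's ::1/::2 pattern and is an assumption, as is the separate-linknet gateway used in the usage lines.

```python
import ipaddress

# Constructed values that mirror the placeholder addressing in the question.
ALLOCATION = "1111:2222:3333::/48"   # the /48 the ISP handed out
ISP_GATEWAY = "1111:2222:3333::1"     # the ISP's router address on the WAN link


def plan_addressing(allocation: str, isp_gateway: str, lan_count: int = 2) -> dict:
    """Split an ISP allocation into a WAN linknet and LAN /64s.

    The WAN linknet is whichever /64 contains the ISP gateway. If that /64 sits
    inside the allocation (as in the question), it is spent on the WAN link and
    the LAN subnets start at the next /64; if the ISP put the link on a separate
    prefix (the usual setup described in the first answer), every /64 of the
    allocation is free for the LAN side.
    """
    alloc = ipaddress.IPv6Network(allocation)
    gw = ipaddress.IPv6Address(isp_gateway)
    linknet = ipaddress.ip_network(f"{gw}/64", strict=False)

    lans = []
    for net in alloc.subnets(new_prefix=64):
        if net == linknet:          # never reuse the WAN linknet on the LAN
            continue
        lans.append(str(net))
        if len(lans) == lan_count:
            break

    return {
        "wan_linknet": str(linknet),
        "linknet_inside_allocation": gw in alloc,
        # Assumption (not from the page): the router takes the address right
        # after the gateway, as in the second answer's ::1 / ::2 example.
        "wan_address": f"{gw + 1}/64",
        "lan_subnets": lans,
        # What the ISP must have in its table for return traffic to reach you.
        "isp_must_route": f"{alloc} via {gw + 1}",
    }


def lan_overlaps_wan_onlink(wan_address: str, lan_subnet: str) -> bool:
    """True if the WAN interface's on-link prefix already covers the LAN subnet.

    With 1111:2222:3333::2/48 on the WAN interface the whole /48 is treated as
    directly attached to the WAN NIC, so any LAN /64 carved out of it collides
    with the WAN side. With a /64 on the WAN the LAN /64s are disjoint.
    """
    wan_onlink = ipaddress.ip_interface(wan_address).network
    return ipaddress.IPv6Network(lan_subnet).subnet_of(wan_onlink)


def total_64s(allocation: str) -> int:
    """How many /64s an allocation contains (a /48 holds 2**16 = 65536)."""
    return 2 ** (64 - ipaddress.IPv6Network(allocation).prefixlen)


if __name__ == "__main__":
    # Case from the question: the gateway lives inside the /48.
    p = plan_addressing(ALLOCATION, ISP_GATEWAY, lan_count=3)
    for key, value in p.items():
        print(f"{key:28} {value}")
    first_lan = p["lan_subnets"][0]
    print("LAN shadowed by WAN /48:",
          lan_overlaps_wan_onlink("1111:2222:3333::2/48", first_lan))
    print("LAN shadowed by WAN /64:",
          lan_overlaps_wan_onlink("1111:2222:3333::2/64", first_lan))

    # Case from the first answer (assumed gateway on a separate linknet,
    # 2001:db8:ffff:1::1, a documentation prefix): the whole /48 is free.
    q = plan_addressing(ALLOCATION, "2001:db8:ffff:1::1", lan_count=2)
    print("separate linknet ->", q["wan_linknet"], q["lan_subnets"])
```

The `isp_must_route` entry is the question to put to the ISP: unless their side has a route for the whole /48 pointing at your WAN address, packets to any LAN /64 will never come back, no matter how the LAN side of the router is configured.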