I read "How does IPv6 subnetting work and how does it differ from IPv4 subnetting?" but my question was not answered there.
I'm upgrading our IPv4 network to IPv6. Currently, our NAT gateway splits our one IPv4 address into 2 private subnets, our main subnet and an isolated guest subnet. I want to continue this practice of having 2 separated subnets under IPv6. I read that I should not use a prefix larger than /64 because it will break things, but the delegated prefix my router is picking up (I believe via DHCPv6) is a /64 prefix. So somehow I want to get a /56 prefix automatically assigned (suggestions welcome), but even after I get that, it is still going to be dynamic, so my question is how do I set up 2 subnets based on this dynamic allocation?
I am used to using NAT and statically configured IPv4 private subnets. Now I am going to have to manage 2 public subnets with a firewall between them, but I don't see how I'm supposed to configure a RouterOS router to say "combine the /56 dynamic prefix with this 8-bit static subnet identifier to create a /64 subnet". How do I do that (or what should I do instead)?
The way Mikrotik implemented it in RouterOS is that the router has a DHCP client that gets a /56 prefix from the ISP and puts it in an address pool. Then the router also has a DHCP server that hands out /64 prefixes from that address pool to individual interfaces.
That puts ether2 and ether3 on two different /64 subnets of the /56 prefix delegated by the ISP. Since all the IPv6 addresses are globally routable, you need to add extra firewall rules to keep them protected from the internet, and then some more if you want to keep the 2 subnets from talking to each other. You will want to use interface-based rules rather than address-based rules since the addresses will be dynamic.

Note that to get a /56 prefix instead of a /64 prefix from my ISP, I had to configure the DHCP client with
prefix-hint=::/56 request=prefix
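
The setup described in this answer, written out as RouterOS commands. This is an added example, not the answerer's own configuration: ether1 as the WAN interface and the pool name isp-pool are assumptions, and only the forward chain is shown (the router's own input chain is not covered).

```routeros
# Added example. Assumptions: ether1 = WAN, "isp-pool" = hypothetical pool
# name, ether2 = main subnet, ether3 = guest subnet.

# 1. DHCPv6 client: request a delegated prefix, hint that a /56 is wanted,
#    and store it in a pool that is handed out in /64 blocks.
/ipv6 dhcp-client
add interface=ether1 request=prefix prefix-hint=::/56 \
    pool-name=isp-pool pool-prefix-length=64

# 2. Each LAN interface takes its own /64 from the pool. The router uses
#    ::1 in that /64 and advertises the prefix so hosts autoconfigure.
#    When the ISP changes the delegation, these addresses follow it.
/ipv6 address
add interface=ether2 from-pool=isp-pool address=::1/64 advertise=yes
add interface=ether3 from-pool=isp-pool address=::1/64 advertise=yes

# 3. Forward chain, matched on interfaces rather than addresses so the
#    rules stay valid when the delegated prefix changes.
/ipv6 firewall filter
# Replies to connections started from inside. ICMPv6 errors that belong
# to an existing flow (e.g. Packet Too Big) are matched as "related".
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"
# Both subnets may open connections to the internet.
add chain=forward in-interface=ether2 out-interface=ether1 action=accept \
    comment="main -> internet"
add chain=forward in-interface=ether3 out-interface=ether1 action=accept \
    comment="guest -> internet"
# Everything else is dropped: unsolicited traffic from the internet to
# either subnet, and new connections between ether2 and ether3.
add chain=forward action=drop \
    comment="default deny: inbound and inter-subnet"
```

Rule order matters here: the final drop is what isolates the guest subnet from the main one, so any later exception (for example main to guest only) has to be inserted above it.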