Debugging IPv6 routing issues



I have been given a native (no tunneling etc) IPv6 /64 block by my ISP. My pfSense router has successfully got an address, and from its WAN interface I can for instance ping and get a reply. However, on my internal network, it does not work, and I can't figure out why. I have a DHCPv6 server handing out addresses, and the router is doing router advertisements, and this seems fine to me.

I'll try to illustrate. Let's say I have a prefix 2001:a:b:c::/64. My router gets its WAN address using SLAAC, and that becomes 2001:a:b:c:20c:29ff:fef9:b914. On the internal interface, I have assigned it 2001:a:b:c::1 (old IPv4 habit, I guess...). DNS and DHCP are hosted on a server with 2001:a:b:c::10 (static assignment). My workstation then requests an address using DHCP and has been assigned 2001:a:b:c::11ab.

My routing table contains two default (::/0) routes, one for the router's internal static IP, and one for its link-local IP.

Pinging now gives Destination host unreachable. Where do I start to debug this? It seems to me that it is a routing issue, but I don't know where to start looking.


Posted 2014-07-27T11:44:10.457

Reputation: 285


As an aside, unrelated to your question unless you're using that WAN address somewhere: the ff:fe in your IPv6 address seems to indicate you don't have Privacy Addressing enabled, which exposes the MAC address of the computer making the request. In your example that's a VMware virtual machine, if I'm correct. You would get a different IPv6 address when using another computer/VM.

– Arjan – 2014-07-27T12:23:00.520



If you only have one /64 prefix and that prefix is on your WAN side then you can't do IPv6 for your LAN. An ISP is supposed to give you multiple /64s so that you can put a separate /64 on each LAN. It is common for an ISP to give everybody (residential and business) a /48 (65536 /64s). For residential customers they might hand out a /56 (256 /64s). That way you have plenty of prefixes to number your network, even if it gets more complicated over time (Internet-of-Things deployment etc).

Some ISPs are still sticking too much to the IPv4 mentality and only giving out a /60 (16 /64s) or so. While that will probably be enough now it will cause problems as IP-capable devices become more common, and you don't really want your living room lighting and AC to be in the same subnet as the children's toys, do you? ;)

ISPs that only hand out a single /64 prevent you from any subnetting at all. If that /64 is on the WAN interface then you'll never get decent IPv6 on your LAN(s). This is the ISP's fault and they should fix this by giving out a decent amount (/48 or /56) of addresses.

Sander Steffann

Posted 2014-07-27T11:44:10.457

Reputation: 4 169
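A small check over the addresses given in the question, added here as an illustration (it is not code from any of the posters): it flags a /64 that sits on more than one router interface, which is the situation this answer describes, recovers the MAC address embedded in an EUI-64 interface ID, and counts the /64s in a delegation. The function names and the 2001:db8:: sample prefixes are constructed for the example.

```python
import ipaddress
from collections import defaultdict

def count_64s(prefix: str) -> int:
    """Number of /64 LAN subnets a delegated prefix can be split into."""
    net = ipaddress.ip_network(prefix)
    return 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0

def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 marker bytes
        return None
    # Undo the universal/local bit flip, then drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def shared_64s(ifaces: dict) -> dict:
    """Map each /64 to its interfaces, keeping only /64s on 2+ interfaces."""
    seen = defaultdict(set)
    for name, addrs in ifaces.items():
        for a in addrs:
            net = ipaddress.ip_network(f"{a}/64", strict=False)
            seen[str(net)].add(name)
    return {n: sorted(i) for n, i in seen.items() if len(i) > 1}

# Router addresses exactly as written in the question.
ROUTER = {
    "wan": ["2001:a:b:c:20c:29ff:fef9:b914"],
    "lan": ["2001:a:b:c::1"],
}

if __name__ == "__main__":
    # Constructed sample delegations, using the documentation prefix.
    for p in ("2001:db8::/64", "2001:db8::/60", "2001:db8::/56", "2001:db8::/48"):
        print(f"{p:18} -> {count_64s(p)} x /64")
    for net, names in shared_64s(ROUTER).items():
        print(f"{net} is configured on {names}: one side cannot be routed")
    for name, addrs in ROUTER.items():
        for a in addrs:
            mac = eui64_mac(a)
            if mac:
                print(f"{name} {a} exposes MAC {mac}")
```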

Ah, some people think even a /64 is too much, but this is a nice explanation to prove otherwise.

– Arjan – 2014-07-27T13:04:29.717


Well, you can create subnets with a longer prefix than /64; you just end up breaking some IPv6 features in the process.

– Bob – 2014-07-27T15:49:51.860

Good reference. At some point I was tempted to help write an RFC on allowing longer than /64 prefixes for SLAAC. The problem is that while that would be nice to have it would also create compatibility issues (updated devices do SLAAC, older devices/firmware don't) which would make it a nightmare. So 'wasting' a few bits is preferable to causing deployment problems and instability. – Sander Steffann – 2014-07-27T15:54:19.970

The typical home router will generally be expecting to receive DHCPv6 with prefix delegation from upstream, and provide the same downstream, though as always this is usually configurable to use SLAAC only or disabled or whatever. Anyway, at this point someone who thinks a /64 is wasting addresses has yet to fully understand the true vastness of the IPv6 address space. – Michael Hampton – 2014-07-28T01:11:29.480

Thank you for your answer, very interesting! So, really there is no way for me to make my LAN IPv6 without either convincing my ISP that they should change (which seems unlikely) or breaking a bunch of IPv6 features (i.e. subnetting to /60s or similar)? – carlpett – 2014-07-28T07:17:47.343

Well, the network you're connected to is already a /64 so you can't break it up. The only option would be to bridge everything and make the WAN side and the LAN side one big layer-2 network... – Sander Steffann – 2014-07-28T14:06:30.417


You need to have a prefix in your LAN as well. You could use DHCPv6 prefix delegation. By that the prefix you get on the WAN interface is delegated to the inside. The router must be able to handle this.

But I find it odd that you get only a /64 - should be at least a /56 or so. However, do not subnet a /64! Whatever others tell you, mechanisms like SLAAC will trample on your subnetting.


Posted 2014-07-27T11:44:10.457

Reputation: 851