
I have received an IPv6 network from my provider, say it's 2001:db8:1::/48. I did not get a delegated prefix from them.

I would like to use the IPv6 addresses on different networks behind a firewall (Sophos UTM).

So I assign the address 2001:db8:1::1 to the Internet port of the firewall with the prefix length being 48 as communicated by the provider. The provider's address was said to be 2001:db8:1::2. This connection seems to work fine.

Now I want to use several networks behind this firewall. Which ones could that be? I do not want to use things like NAT, as there are many addresses available and NAT should not be needed anymore with IPv6...

I decided to use the subnets 2001:db8:1:1::/64 (S1) and 2001:db8:1:2::/64 (S2) on two interfaces of the firewall. But now the same IPv6 addresses are used on two interfaces and I am not sure if this is correct. Also, it does not work at all.

I think I also understand why:

Let's say a client in one subnet wants to connect to a client on the other subnet:

2001:db8:1:1::100 wants to connect to 2001:db8:1:2::200.

But on which network should the host 2001:db8:1:2::200 be? The IPv6 address belongs both to the network on the Internet interface (2001:db8:1::/48) and to the network S2 (2001:db8:1:2::/64). I fully understand that the firewall does not know where to route the packets...

But how to solve this? What would be the solution to this problem? Do I really need NAT? How to use all the many IPv6 addresses the provider allowed me to use? Maybe I didn't fully get some principles of IPv6, but all the other networks where the provider delegated a subnet to me are working great.

So, can anyone explain to me how to configure my network to make my setup work?

TomS

2 Answers

I have received an IPv6 network from my provider, say it's 2001:db8:1::/48. I did not get a delegated prefix from them.

That is the delegated prefix. I think you mean they did not assign a transit network. Just use the first /64 network (2001:db8:1::1/64) as the transit network.

So I assign the address 2001:db8:1::1 to the Internet port of the firewall with the prefix length being 48 as communicated by the provider.

No. You should use the first /64 network from the n/48 prefix: 2001:db8:1::1/64

Now I want to use several networks behind this firewall. Which ones could that be?

After the 0 network for transit, there are 65,535 more /64 networks for you to use.

2001:db8:1:1::1/64
2001:db8:1:2::1/64
2001:db8:1:3::1/64
...
2001:db8:1:fffd::1/64
2001:db8:1:fffe::1/64
2001:db8:1:ffff::1/64

I decided to use the subnets 2001:db8:1:1::/64 (S1) and 2001:db8:1:2::/64 (S2) on two interfaces of the firewall. But now the same IPv6 addresses are used on two interfaces and I am not sure if this is correct. Also, it does not work at all.

Using those two networks will work, but you need to change the WAN interface to /64.

But on which network should the host 2001:db8:1:2::200 be? The IPv6 address belongs both to the network on the Internet interface (2001:db8:1::/48) and to the network S2 (2001:db8:1:2::/64). I fully understand that the firewall does not know where to route the packets...

You should only use /64 networks, including on the WAN interface. When the ISP sends traffic to any address in the /48 network, it will send it to your firewall, and your firewall will then be able to route it to the proper /64 network. It is simple routing.

But how to solve this? What would be the solution to this problem? Do I really need NAT? How to use all the many IPv6 addresses the provider allowed me to use? Maybe I didn't fully get some principles of IPv6, but all the other networks where the provider delegated a subnet to me are working great.

Only use /64 networks, even on the WAN interface.

So, can anyone explain to me how to configure my network to make my setup work?

  • WAN = 2001:db8:1::1/64
  • LAN 1 = 2001:db8:1:1::1/64
  • LAN 2 = 2001:db8:1:2::1/64

You can then have one or more routers or layer-3 switches behind your firewall to use any of the rest of the /64 networks from the prefix. You will need some way to tell the firewall about those networks, either with static routes, or through a routing protocol.

Ron Maupin
  • I am not in the office the next days, so I will not be able to verify that immediately. Marking this as the correct answer might take some days. But thank you for explaining that! I did not think that the firewall accepts the IPv6 packets on that port if their destination address is from a different network and that the prefix lengths may be different on both ends of the network connection. Thanks again! – TomS Jun 07 '22 at 13:46
  • Or another question: Why should I spend a /64 network for the transfer network? Wouldn't it be better to use some longer prefix like /112 or so? I could use many more addresses for my own allocations (Not that I would really like to do that, I just would like to understand if this is possible) – TomS Jun 07 '22 at 13:59
  • Point-to-point links can use /127, but many ISPs do not support that. For the most part, IPv6 needs /64 networks, or you can break IPv6 features, so the ISPs just use that. The exceptions are /127 for point-to-point links, and /128 for loopback addresses. Using other size networks can cause problems. IPv6 is designed to waste addresses (get out of the IPv4 address conservation way of thinking), and address conservation is actually detrimental. You get 65,536 /64 networks (each with 18,446,744,073,709,551,616 addresses) from your /48 prefix. – Ron Maupin Jun 07 '22 at 14:06
  • @TomS, see this answer and the last section of this answer. There are many questions with answers here about IPv6 if you just search here for ipv6. – Ron Maupin Jun 07 '22 at 14:24
  • @TomS, "I did not think that the firewall accepts the IPv6 packets on that port if their destination address is from a different network and that the prefix lengths may be different on both ends of the network connection." The ISP is using link-local addressing between their router and yours (firewall), and any destination in that prefix is sent to you for you to route within your network. IPv6 uses the link-local address of a router as the gateway, unlike IPv4, giving all networks on the link the same gateway address because you can have multiple IPv6 networks on a link. – Ron Maupin Jun 07 '22 at 14:40
  • That makes perfect sense. Thank you very much for these explanations. I didn't think about link-local addresses... – TomS Jun 07 '22 at 15:43
  • Unfortunately, this configuration does not work on my side. I get answers from 2001:db8:1::1 and from 2001:db8:1::2 (the provider's IP address and the IPv6 address of the WAN interface of the UTM), but I do not get an answer from 2001:db8:1:1::1, which is the IPv6 address of another interface of the UTM. – TomS Jul 12 '22 at 11:45
  • With any type of firewall, you need to set up rules to allow traffic between the interfaces because such traffic is blocked by default. Also, with IPv6, you must allow some ICMP through. There is an RFC about that: RFC 4890, Recommendations for Filtering ICMPv6 Messages in Firewalls. – Ron Maupin Jul 12 '22 at 12:19
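To make the routing argument in this answer and its comments concrete, here is a small longest-prefix-match model written for this page (it is not code from the thread or from Sophos). It builds the routing tables for the two firewall layouts discussed (the /48 on the WAN port versus /64 everywhere) and for the provider side in both designs: the whole /48 treated as on-link towards the customer, and the /48 routed to the firewall's transit address. Everything below is constructed: the interface names, the route tables and the `fe80::1` upstream gateway are assumptions chosen to mirror the thread, not real device state. Seen this way, the firewall itself resolves 2001:db8:1:2::200 to its LAN 2 interface in both layouts; the difference is whether the upstream router forwards the packet to the firewall or tries Neighbor Discovery for the host on the customer link, which is the situation the second answer describes the provider fixing (the routed table is the same whether the connected transit prefix is the first /64 or a /127).

```python
#!/usr/bin/env python3
"""Longest-prefix-match model of the firewall and the provider router.

Constructed example for the thread above: the route tables, interface names
and the fe80::1 gateway are assumptions, not real device state.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


@dataclass(frozen=True)
class Route:
    prefix: IPv6Net
    iface: str
    via: Optional[IPv6Addr] = None  # None means directly connected (on-link)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = IPv6Addr(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Egress interface and the address the router has to resolve with
    Neighbor Discovery: the gateway for a routed prefix, the destination
    itself for a connected prefix."""
    r = lookup(table, dst)
    if r is None:
        return None
    return r.iface, str(r.via if r.via is not None else IPv6Addr(dst))


def on_link_ifaces(table: List[Route], dst: str) -> List[str]:
    """Interfaces whose connected prefix contains dst, i.e. where the device
    would consider the host directly reachable."""
    addr = IPv6Addr(dst)
    return sorted(r.iface for r in table if r.via is None and addr in r.prefix)


def carve(prefix: str) -> Tuple[IPv6Net, int]:
    """First /64 of the prefix (used as transit) and how many /64s remain."""
    subs = IPv6Net(prefix).subnets(new_prefix=64)
    transit = next(subs)
    return transit, sum(1 for _ in subs)


# Firewall as first configured in the question: the whole /48 on the WAN port.
FW_WAN_48 = [
    Route(IPv6Net("2001:db8:1::/48"), "wan"),
    Route(IPv6Net("2001:db8:1:1::/64"), "lan1"),
    Route(IPv6Net("2001:db8:1:2::/64"), "lan2"),
    Route(IPv6Net("::/0"), "wan", via=IPv6Addr("fe80::1")),  # assumed link-local gateway
]

# Firewall as the answer recommends: only /64s, the first one as transit.
FW_WAN_64 = [
    Route(IPv6Net("2001:db8:1::/64"), "wan"),
    Route(IPv6Net("2001:db8:1:1::/64"), "lan1"),
    Route(IPv6Net("2001:db8:1:2::/64"), "lan2"),
    Route(IPv6Net("::/0"), "wan", via=IPv6Addr("fe80::1")),
]

# Provider router, original design: the /48 treated as on-link to the customer.
ISP_ONLINK = [Route(IPv6Net("2001:db8:1::/48"), "cust")]

# Provider router, routed design: transit /64 on-link, the /48 via the firewall.
ISP_ROUTED = [
    Route(IPv6Net("2001:db8:1::/64"), "cust"),
    Route(IPv6Net("2001:db8:1::/48"), "cust", via=IPv6Addr("2001:db8:1::1")),
]


if __name__ == "__main__":
    host = "2001:db8:1:2::200"
    print("transit, spare /64s:", carve("2001:db8:1::/48"))
    print("firewall /48 on WAN, on-link ifaces:", on_link_ifaces(FW_WAN_48, host))
    print("firewall /64 on WAN, on-link ifaces:", on_link_ifaces(FW_WAN_64, host))
    print("ISP on-link design resolves:", next_hop(ISP_ONLINK, host))
    print("ISP routed design resolves:", next_hop(ISP_ROUTED, host))
```

With the on-link design the provider router ends up doing Neighbor Discovery for 2001:db8:1:2::200 on the customer link, which nothing answers; with the routed design it resolves the firewall's transit address instead and the firewall forwards to LAN 2 by plain longest-prefix match. The /48-on-WAN firewall layout additionally lists the WAN interface as on-link for every address in the prefix, which is the ambiguity the question describes.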

In the meantime I asked the provider if there's some configuration issue on their side. They confirmed that the previous setup was not designed to work in my environment.

They now reconfigured the subnet so that all traffic to that network is routed to a specific IPv6 address in an additional /127 network they gave to me (transfer network). After the reconfiguration on the provider's end, my network setup is working perfectly fine!

TomS