IPV6 Address Distribution


Ouraing (Member, Dec 31, 2018):
My ISP provides DHCPV6-PD up to /56 and I am looking to rebuild my home network with multiple VLANS. Currently it's a single flat layer 2 domain and I have functional v6 connectivity to those devices; I would like to maintain that after segregating the network.

I've worked with v4 networks for a few decades and have my vlan, routing, and ip allocation plan worked out for the v4 side of things. DHCP will vary depending on the VLAN, most will be handled by the switches.

The devices I will be using are Aruba 2500, 3500 and Brocade ICX-6450s, none of which properly support IPV6 address distribution themselves.

If I get a /56 I wanted to split that into /58s for internal zoning (e.g. 1 for home lab, 1 for home use, 2 reserved for future) and from those /58s have a way to distribute the /64s to clients in their respective vlans. The /58 segmentation is so that in the future I have a potential environment to experiment with dynamic v6 routing protocols, since SDN is one of the things I want to homelab.

Since I can't use the switches to provide DHCPv6 to my clients and I will need to be able to delegate different subnets to different DHCP servers, how in the world do you accomplish this in the world of V6 when your prefix delegation comes from your ISP, is subject to change periodically and you don't want your firewall handling all your DHCP and Routing?

PigLover (Moderator, Jan 26, 2011):
I'd probably skip the /58 part. Just assign a /64 for each VLAN. You can still assign a different set of /64's for your SDN playground later (you have 256 of them to play with, after all - with your 3 switches you'd run out of switch ports before you run out of subnets :)). There is no real issue with disconnected /64s for any of the common v6 SDNs (ILA, etc.) and you'll probably have a full block usable even without assigning a /58.

What do you use for a gateway router/firewall today? Many routers - even some low-end D-Link/Netgear boxes that understand enough about DHCPv6-PD to land your ISP - offer IPv6 router advertisement and then you can use stateless auto-configuration to assign addresses rather than DHCPv6. DHCPv6 is a PITA anyway. pfSense does this really well, allowing you to just number the segments. Then you get addresses made up of your delegated prefix + network number to get the /64. Since the prefix can change you'll need to use dynamic DNS updates anyway, so in most cases the SLAAC address is just as good as DHCPv6. Then if/when the delegated prefix changes the address on the router advertisement changes with it and all of your hosts update (*).

All the other things you normally distribute via DHCP (NTP reference hosts, DNS server, default gateway, etc) can all be distributed on the RA messages for v6.

If you REALLY insist on doing DHCPv6 you'll either need to use a router that understands it (pfSense can do that too) or build one for each VLAN, probably hosted on a Linux or BSD server.

Also - and I apologize if this is obvious, but it needs to be said - once you pull publicly routed v6's inside your LAN you need to pay strict attention to your firewall rules at your gateway. With most V4 the LAN side is 100% NAT'd RFC1918 addresses, which gives you a "free" blocking rule right out of the gate. Nobody can talk to your hosts unless you start the conversation. Not true once you have publicly routable addresses assigned inside your LAN. Tread cautiously...

(*) I've been doing v6 using pfSense and Comcast prefix delegation for several years - I was one of their first customers using it and they prioritized installing it in my local node just for me. In all of those years my prefix has only changed twice. It is not frequent. It is much more stable than my DHCPv4 address assignment, which only changes every 10-12 months.
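The "delegated prefix + network number = /64" arithmetic above, and the original poster's idea of carving the /56 into four /58 zones first, both come down to fixed-offset prefix math. The following is an added example (not code from the thread or from pfSense) that does that math with Python's standard `ipaddress` module. The /56 values are constructed documentation-range examples; the VLAN names and numbers are assumptions. The `renumber` function shows what the prefix-change footnote means in practice: the network number part of every /64 stays put, only the ISP's leading 56 bits move.

```python
import ipaddress

# Sizes that follow from the prefix lengths discussed in the thread.
VLANS_PER_ZONE = 64     # a /58 holds 2**(64-58) = 64 /64 subnets
ZONES_PER_PD = 4        # a /56 holds 2**(58-56) = 4 /58 zones
SUBNETS_PER_PD = 256    # a /56 holds 2**(64-56) = 256 /64 subnets


def _check_pd(delegated):
    """Parse the ISP delegation and insist it really is a /56."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen != 56:
        raise ValueError(f"expected a /56 delegation, got /{pd.prefixlen}")
    return pd


def zone_prefix(delegated, zone):
    """The /58 for zone 0..3 (the original poster's 'internal zoning')."""
    pd = _check_pd(delegated)
    if not 0 <= zone < ZONES_PER_PD:
        raise ValueError(f"zone must be 0..{ZONES_PER_PD - 1}")
    # Each /58 spans 2**(128-58) addresses, so zone N starts N of those
    # past the delegated network address.
    base = int(pd.network_address) + (zone << (128 - 58))
    return ipaddress.IPv6Network((base, 58))


def vlan_prefix(delegated, vlan_index, zone=None):
    """The /64 for a VLAN: delegated prefix + network number.

    With zone=None, vlan_index is the flat subnet number 0..255 (PigLover's
    'one /64 per VLAN'). With a zone, vlan_index is 0..63 inside that /58.
    """
    pd = _check_pd(delegated)
    number = vlan_index if zone is None else zone * VLANS_PER_ZONE + vlan_index
    if not 0 <= number < SUBNETS_PER_PD:
        raise ValueError(f"subnet number {number} does not fit in a /56")
    # The network number occupies bits 56..63, i.e. it is shifted past
    # the 64-bit interface-identifier half of the address.
    base = int(pd.network_address) + (number << (128 - 64))
    net = ipaddress.IPv6Network((base, 64))
    if not net.subnet_of(pd):  # sanity check: never hand out a foreign /64
        raise ValueError(f"{net} is outside {pd}")
    return net


def build_plan(delegated, vlan_numbers):
    """vlan_numbers: {'mgmt': 0, 'iot': 10, ...} -> {'mgmt': IPv6Network, ...}"""
    return {name: vlan_prefix(delegated, num) for name, num in vlan_numbers.items()}


def renumber(vlan_numbers, old_pd, new_pd):
    """What changes when the ISP delegates a different /56.

    Returns {vlan: (old /64, new /64)} for every VLAN whose prefix moved;
    the network numbers themselves never change, so the RA config only
    needs the new leading 56 bits.
    """
    old = build_plan(old_pd, vlan_numbers)
    new = build_plan(new_pd, vlan_numbers)
    return {n: (str(old[n]), str(new[n])) for n in vlan_numbers if old[n] != new[n]}


if __name__ == "__main__":
    # Constructed example delegation (2001:db8::/32 is reserved for docs).
    pd = "2001:db8:abcd:100::/56"
    plan = {"mgmt": 0, "home": 1, "iot": 10, "lab": 64}   # assumed VLAN numbering
    for name, net in build_plan(pd, plan).items():
        print(f"{name:5s} {net}")
    print("zone 1 (/58):", zone_prefix(pd, 1))
    print("after ISP change:", renumber(plan, pd, "2001:db8:ffff:200::/56"))
```

Running it prints one /64 per VLAN, the /58 for zone 1, and the old/new pair for every VLAN after a simulated prefix change; feeding the output into whatever device sends the RAs (or into a DHCPv6 server per VLAN) is the hand-off step the original question asks about.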

Ouraing (Member, Dec 31, 2018):
Admittedly my understanding of IPV6 is a bit weak because I've never really had a reason to manage it beyond co-existing with it in a dual-stack configuration.

> What do you use for a gateway router/firewall today?

Today it's an EdgeRouter Lite which does this once I manually edit some files (though I understand the current firmware pulled some of this into the UI). With a curious teenager in the house though I need something more advanced and I also want to have more granular IoT device control so I'll be replacing it with Untangle, Sophos UTM|XG, pfSense or similar - still researching which provides the features I am looking for (Captive Portal for guests or non-AD integrated devices, timer based rules, Content filtering with HTTPS/TLS inspection, Transparent AD Integration).

I don't necessarily want my firewall being my internal router between directly attached VLANS - especially when that is a 10G core, I only want it handling ingress/egress traffic.

Fundamentally I'm trying to understand, if I don't leverage my firewall as my DHCPv6 or RA announcement server for all VLANS, how I would hand off the appropriate prefix to whatever device is doing the address delegation - ideally dynamically in case that PD changes upstream.

> Also - and I apologize if this is obvious, but it needs to be said - once you pull publicly routed v6's inside your LAN you need to pay strict attention to your firewall rules at your gateway.

That's already happening in my current configuration because devices are getting v6 addresses and looking at traffic stats maybe 20% of my traffic is v6 and the UI for my EdgeMax does NOT show this traffic and the rules interface is v4 only. IoT devices in particular seem to be doing this to bypass stuff like local DNS servers which kind of negates my pi-hole for example. This is one of the drivers behind wanting to segregate things so I can have simpler "this vlan can't connect to anything except these explicit services, don't allow non-established ingress" which is a challenge when you have a single mixed use subnet.

PigLover (Moderator, Jan 26, 2011):
I can't speak for the other options, but I can confirm that pfSense can do all of the functions you listed. I'd guess Sophos or Untangle could too.

You can always use something like pfSense (or whatever) as firewall/gateway, DHCP, v6 RA, etc, but not configure any inter-VLAN routing on it. Then you could do whatever suits you for inter-VLAN routing on your switches or otherwise. Pretty simple to do, though the layer-3 capabilities of the 3 switches you listed all route through the on-board CPU and would get swamped pretty fast with any significant traffic so the performance limit is really 6 of one/half dozen of the other.

Personally, if there is significant inter-VLAN traffic I'd re-examine the VLAN design itself.