Clarifying IPv6 ULA

Blue)(Fusion

Having just replaced my virtualized OPNsense with a cheap eBay Check Point 4600 and loading up OPNsense, my public IPv4 and IPv6 /56 all changed. This meant I had to go through the switches and a few other devices with static assignments (Proxmox) and reset all the IPv6 addresses. This also gave me a bit of a headache until I realized I had to fix the routers in OPNsense too.

I want to use IPv6 ULAs to prevent these issues in the future. Global IPv6 assignment is still a must for internet access, but I want the edge router to core router link via ULA and most devices on the network to have both global and ULA addresses.

How do I accomplish this with a Brocade ICX? Linux?

I'm still confused on the fc00::/8, fd00::/8 stuff. Can someone please dumb it down for me?
 

Blue)(Fusion

FWIW, I just changed my edge <--> core routing to link-local. Not sure if this is most appropriate but so far it is working at least.
 

ttabbal

What I did was to generate a ULA prefix using one of the many websites that do it for you. You want this so that your prefix is unique, at least that you have a high probability of it being unique anyway. This is nice so that you don't have collisions should you use a VPN or something else that connects your network with another ULA. It will likely be a /48, like fd12:1234:1234::/48.

Then go into OPNsense at "Interfaces: Virtual IPs: Settings". Click the "+", and add an IP alias. Interface will be the internal network, probably "LAN". Type is "Single Address". Then pick an address from the block. The easy option is to just add numbers on the end. fd12:1234:1234:1::1/64, for example. Once you apply the changes, OPNsense should start advertising that prefix in addition to the global prefix. You can static assign addresses in that /64 and let SLAAC assign others. IPv6 detects collisions and SLAAC will just pick something else if needed. So ::1 can be the router, ::2 a file server, ::3 a printer, etc.

ULA won't route outside, and will never be used for outbound connections unless you have prefix translation set up, but IPv6 is designed for each host to have many addresses and handles it fine if you have ULA and GLA at the same time. GLA will be used for outbound access, and you can use ULAs for local access. I have a number of local servers in the local DNS using the ULA addresses, so I can use internal stuff even if the ISP link is down and I don't have a GLA prefix. You could use IPv4 for that, but it's nice to have options and practice IPv6-only networking.
 
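The "generate a ULA prefix" step above is RFC 4193 section 3.2.2, and it is also where the fc00/fd00 confusion comes from: fc00::/7 is the whole ULA space, the eighth bit is the "L" bit, and only L=1 (so fd00::/8, locally assigned) is defined; fc00::/8 is reserved. The following Python is an added example, not code from this thread, OPNsense or any generator site; the MAC address and timestamp it feeds in are constructed sample values, and using the VLAN id as the 16-bit Subnet ID is just one readable convention for carving the /48 into /64s.

```python
import hashlib
import ipaddress
import struct
import time

# RFC 4193: fc00::/7 is the ULA space. Bit 8 is the "L" bit: L=1 (fd00::/8) means
# locally assigned, the only case RFC 4193 defines; fc00::/8 (L=0) is reserved.
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction), as RFC 4193 step 1 requires."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def generate_ula_prefix(mac: str, unix_time=None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64), keep the low 40 bits as the Global ID, put it under fd00::/8."""
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + mac_to_eui64(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits of the hash
    prefix_int = (0xFD << 120) | (global_id << 80)   # fd | 40-bit Global ID | zero Subnet ID and IID
    return ipaddress.IPv6Network((prefix_int, 48))


def vlan_subnets(prefix: ipaddress.IPv6Network, vlan_ids) -> dict:
    """One /64 per VLAN, using the VLAN id as the 16-bit Subnet ID so the plan reads easily."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    base = int(prefix.network_address)
    return {vid: ipaddress.IPv6Network((base | (vid << 64), 64)) for vid in vlan_ids}


def classify(address: str) -> str:
    """Which kind of unicast address this is; answers the fc00 vs fd00 question directly."""
    a = ipaddress.IPv6Address(address)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA_LOCAL:
        return "ula (locally assigned, fd00::/8)"
    if a in ULA_SPACE:
        return "ula (fc00::/8, reserved, L=0)"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


if __name__ == "__main__":
    # Constructed sample inputs: a made-up switch MAC and a fixed timestamp so the run is reproducible.
    prefix = generate_ula_prefix("00:11:22:33:44:55", unix_time=1700000000.0)
    print("ULA /48:", prefix)
    for vid, net in vlan_subnets(prefix, [1, 10, 20]).items():
        print(f"VLAN {vid}: {net}  router={net.network_address + 1}")
    for addr in ("fe80::1", "fd12:1234:1234:1::1", "fc00::1", "2001:db8::1"):
        print(addr, "->", classify(addr))
```

The hash is what gives the "high probability of uniqueness" mentioned above; two sites running this independently will almost never collide, which is the whole reason not to pick fd00:1::/48 by hand.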

Blue)(Fusion

Thanks a ton @ttabbal! I didn't know there were RFC 4193 generator websites. This made it easy to get the /48. With that said, here's what I did and feedback appreciated:

  • I used the MAC of my core switch for the /48.
  • I did not go with the virtual IP option in OPNsense, instead I just assigned the LAN interface with the appropriate ULA /64, and no GLA /64.
  • OPNsense isn't sending out router advertisements since it's only a direct link to the core switch (ICX6610).
  • I assigned a separate /64 on each VLAN interface (VE) on my ICX6610.
  • All hosts seem to have already SLAACed (past tense verb?) with the additional ULA address.

Next steps:

  • It's my understanding that the SLAAC IPs in each of these IPv6 subnets should never change so long as the MACs never change, right? These addresses are what I should add to the AAAA records in my LAN DNS?
  • Is it more appropriate to use the link-local address or the ULA for configuring the static route between OPNsense and the ICX? As far as I can tell, both addresses should be equally permanent.
 

ttabbal

Right, the address assigned from SLAAC should be stable with most even remotely modern gear. You can put them in DNS without issues. If you find a problem, you can static assign as well. The OS determines the details, like which method is used to generate addresses and if privacy addresses are used. If they are, you can ignore them. They only get used for outbound connections anyway. Those display on Linux with "temporary" on the address. I think Windows is similar.

Both ULA and LL should work about the same for the default route. The biggest difference is that LL won't be accessible from other interfaces like VPNs. In this case, it probably doesn't matter. Address stability will be the same.
 
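To make the "stable vs. temporary" distinction above concrete, and to answer the earlier question about which addresses belong in AAAA records, here is an added Python example (not from this thread) that parses `ip -6 addr show` output and keeps only global-scope, non-temporary addresses. The sample output it parses is constructed, not captured from a real host. The optional MAC filter checks whether an address's interface identifier is the classic EUI-64 derived from that MAC, which is what makes a SLAAC address stable for as long as the MAC is; where the OS instead uses RFC 7217 stable-privacy identifiers (Linux `addr_gen_mode` 2), the address is still stable per prefix but will not match the MAC, so treat that filter as a diagnostic rather than a requirement.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (not captured from a real host):
# a GUA and a ULA on the same link, each with a stable EUI-64 address and a "temporary"
# privacy address, plus the link-local address.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86397sec preferred_lft 14397sec
    inet6 2001:db8:abcd:1:9c4e:1a2b:3c4d:5e6f/64 scope global temporary dynamic
       valid_lft 86397sec preferred_lft 14397sec
    inet6 fd12:1234:1234:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fd12:1234:1234:1:7a1e:44c0:9f3b:d2a/64 scope global temporary dynamic
       valid_lft 86397sec preferred_lft 14397sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)(.*)$")
# Flags iproute2 prints that rule an address out of DNS: privacy addresses rotate,
# tentative ones are still in DAD, deprecated ones have passed preferred_lft.
UNUSABLE_FLAGS = {"temporary", "tentative", "deprecated", "dadfailed"}
IID_MASK = (1 << 64) - 1


def parse_ip6_addr(text):
    """Parse the inet6 lines of `ip -6 addr show` into address/prefixlen/scope/flags records."""
    records = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, plen, scope, rest = m.groups()
        records.append({
            "addr": ipaddress.IPv6Address(addr),
            "prefixlen": int(plen),
            "scope": scope,
            "flags": frozenset(rest.split()),
        })
    return records


def eui64_iid(mac):
    """64-bit modified EUI-64 interface identifier that classic SLAAC derives from a MAC."""
    o = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    eui = bytearray(o[:3] + b"\xff\xfe" + o[3:])
    eui[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(eui, "big")


def dns_candidates(records, within=None, mac=None):
    """Addresses worth publishing in AAAA records: global scope (never link-local), not a temporary
    privacy address, not tentative or deprecated; optionally limited to a prefix such as the ULA /48
    and, if a MAC is given, to the EUI-64 address that MAC deterministically produces."""
    if within is not None:
        within = ipaddress.IPv6Network(within)
    chosen = []
    for r in records:
        a = r["addr"]
        if r["scope"] != "global" or r["flags"] & UNUSABLE_FLAGS:
            continue
        if within is not None and a not in within:
            continue
        if mac is not None and (int(a) & IID_MASK) != eui64_iid(mac):
            continue
        chosen.append(str(a))
    return chosen


if __name__ == "__main__":
    recs = parse_ip6_addr(SAMPLE_IP6_ADDR)
    print("stable global addresses:", dns_candidates(recs))
    print("ULA only:", dns_candidates(recs, within="fd12:1234:1234::/48"))
    print("EUI-64 of 00:11:22:33:44:55:", dns_candidates(recs, mac="00:11:22:33:44:55"))
```

Restricting to the ULA /48 is how you get the "works even when the ISP link is down" property from the earlier post: an AAAA record pointing at the ULA address never depends on the delegated GUA prefix surviving a router swap.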

Blue)(Fusion

Thanks a lot @ttabbal

I'm happy with stable ULA SLAAC and a few static assignments. It's been working great with local DNS AAAA records and LL static routing used between OPNsense and the ICX6610.
 

RobstarUSA

I had the same issue & went a different route. I got a /48 static from HE.net. Works great, rock solid. I wonder if that is a possible solution for you. If that's not something you are interested in (gif tunnel in OPNsense, or Tun in Cisco IIRC) I can look back at the ULA stuff (I haven't looked in a while) and explain it to you. I've been running full dual stack at home for a while, including some VMs that are v6 only.

Edit: Looks like you may have solved your issue already...whoops :)
 

kpfleming

I'll second the suggestion to get your own /48; I have been using that for some time but *also* had ULAs on my LAN, and just removed them today and simplified to just using GUAs that 'belong' to me. In the end the ULAs weren't really being used for much traffic and the additional complexity to maintain them seemed to be unjustified.