New Member
Sun, Feb 7, 2021 10:55 PM

IPv6 WAN address /125 block

I was able to get IPv6 working on AT&T internet. The delegated prefix is configured at my house. How can I get a /124 block instead of a /128 block for the WAN? I want to create other web servers and need a unique WAN address.

New Member

1 year ago

You definitely did help me out. Fortinet and I have been working on this for over 6 months. AT&T and Fortinet leave a lot to be desired. Fortinet had no KBs on setting up IPv6. The L3 and I found several sites that had it laid out. AT&T is redoing IPv6 from what they told me. The tech I spoke to said most don't even understand it. I talked with the IEEE about subnetting IPv6. They didn't think it would be a problem because I took the entire delegated subnet /64 and assigned it to the Fortinet 60E. The 60E does the routing. Fortinet said I was 3rd to get IPv6 working that he knew of. Most give up on it. AT&T took 3 weeks just to get me a delegated prefix. I doubt I can get any more /64 blocks.

I know you could assign a /64 block to every person, insect, mammal, device, and probably every grain of sand. To me, one /64 is more than enough. I don't think I could get enough devices for my house.

I had it translated into words:
eighteen quintillion four hundred forty-six quadrillion seven hundred forty-four trillion seventy-three billion seven hundred nine million five hundred fifty-one thousand six hundred sixteen

What I want is AT&T to get my gigabit fiber put in at my new house and help them get IPv6 working and pushed out fully.   



tinslwc

Teacher

1 year ago

I haven't heard that ATT is changing anything related to their IPv6 implementation. The issue you are running into is that the RG DHCP6 server is only configured to give out /64 prefixes (within the /60 delegated to the RG from the upstream DHCP6 server).

The RG will not delegate anything larger than a /64.

The RG will delegate up to 8x /64 networks.

Because of this distinction, every router I've seen has had to have a manual configuration to make it work (i.e. a custom dhcp6c.conf). I'll post my config when I get to a computer.

On subnetting a /64, if you do this,  SLAAC doesn't work anymore. Unless something has changed, Android devices will not work with IPv6 on those networks.

New Member

1 year ago

The Fortinet 60E is configured to get an address from the ATT 210 modem via passthrough. I will be curious to see how you configured your stuff.

tinslwc

Teacher

1 year ago

Here is my DHCP6c config for my WAN interface:

# em0 is the WAN interface for my installation.
# Setup requests for the WAN interface.
interface em0 {
	# Request a single IPv6 address for WAN interface (RG responds with 2600:1702:xxxx:yyy0::48)
	send ia-na 10;
	# Request 8x /64 prefix delegations:
	send ia-pd 0;
	send ia-pd 1;
	send ia-pd 2;
	send ia-pd 3;
	send ia-pd 4;
	send ia-pd 5;
	send ia-pd 6;
	send ia-pd 7;
	send rapid-commit;
	request domain-name-servers;
	request domain-name;
	script "/var/etc/dhcp6c_wan_script.sh";
	#script "/conf/set_wan_static_v6.sh";
};
# These blocks are required, and I should probably 
# assign the prefixes to the LAN interfaces here.
# Since my /60 has not changed since I implemented
# this, I treat them as static and assign them as such.
id-assoc na 10 { };
id-assoc pd 0 { };
id-assoc pd 1 { };
id-assoc pd 2 { };
id-assoc pd 3 { };
id-assoc pd 4 { };
id-assoc pd 5 { };
id-assoc pd 6 { };
id-assoc pd 7 { };

The prefixes may be assigned to an interface inside the id-assoc stanzas to make it truly correct (and follow any future changes to the prefixes). What I have seen is that on a cold start of everything, sometimes the PDs don't come back with the same prefix, so I pull all 8 of them as I know that the sum total will be the same. Then I statically assign the prefix to each LAN segment:

The S2S is a site-to-site VPN that carries IPv4 and IPv6 traffic. The fd87::/16 is in the IPv6 private space (akin to 10.0.0.0/8 or 192.168.0.0/16 in IPv4).
I use IP Passthrough for IPv4 (see the 66. address for the WAN interface above). This has no impact on the IPv6 configuration though. The BGW210 (and NVG599, but not the Pace 5268) issue PD leases for 1 hour, so DHCP6c will renew every 30 minutes. I get the following in my logs (this is only the response, not the renew request, to keep it simple):
Feb 16 08:12:46  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyyf::/64 pltime=3600 vltime=3600
Feb 16 08:12:46  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyy9::/64 pltime=3600 vltime=3600 
Feb 16 08:12:43  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyyd::/64 pltime=3600 vltime=3600
Feb 16 08:12:37  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyye::/64 pltime=3600 vltime=3600 
Feb 16 08:12:37  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyy8::/64 pltime=3600 vltime=3600 
Feb 16 08:12:27  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyyc::/64 pltime=3600 vltime=3600 
Feb 16 08:12:13  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyya::/64 pltime=3600 vltime=3600 
Feb 16 08:12:13  dhcp6c  33626  IA_PD prefix: 2600:1702:xxxx:yyyb::/64 pltime=3600 vltime=3600 

These repeat every 30 minutes as expected. My unused prefixes are available on my LAN segment for delegation (only used for testing). Mine has been functional for a few years (since they converted me from 6rd to native) and has passed all IPv6 tests.

As for the RG settings, all I've done is make sure IPv6 is enabled and prefix delegation is turned on.  The firewall is practically disabled (IPv4 and v6) and IP Passthrough is enabled for IPv4.

I have 2 homes (as referenced by the site to site VPN above).  One has a NVG599 and one has a BGW210.  Settings are the same on both.  The configuration pages look a little different because of the different models.

New Member

1 year ago

What device is em0? I am trying to convert it to the Fortinet 60E.

tinslwc

Teacher

1 year ago

em0 is my WAN interface. The emx interfaces are physical ports (as far as the software is concerned).  My router is virtualized, so in reality, the ports are mapped to a VLAN by the hypervisor.

*** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on home ***

 WAN (wan)       -> em0        -> v4/DHCP4: 66.aaa.bbb.ccc/22
                                  v6/DHCP6: 2600:1702:xxxx:yyy0:20c:29ff:fec0:42fc/64
 LAN (lan)       -> em1        -> v4: 192.168.67.1/24
                                  v6: 2600:1702:xxxx:yyy8::1/64
 OPVN (opt1)     -> ovpns1     -> v4: 192.168.69.1/24
                                  v6: 2600:1702:xxxx:yyy9::1/64
 GUEST (opt2)    -> em2        -> v4: 192.168.68.1/24
                                  v6: 2600:1702:xxxx:yyya::1/64
 IOT (opt3)      -> em3        -> v4: 192.168.71.1/24
                                  v6: 2600:1702:xxxx:yyyb::1/64
 AAA (opt4)      -> em4        -> v4: 192.168.70.1/24
                                  v6: 2600:1702:xxxx:yyyc::1/64
 S2S_RIDGE (opt5) -> ovpns2     -> v4: 10.67.57.1/32
                                  v6: fd87:41de:2a2e:d981::1/64

And here is the "ifconfig em0" output:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:c0:42:fc
	hwaddr 00:0c:29:c0:42:fc
	inet6 fe80::20c:29ff:fec0:42fc%em0 prefixlen 64 scopeid 0x1
	inet6 2600:1702:xxxx:yyy0:20c:29ff:fec0:42fc prefixlen 64 autoconf
	inet6 2600:1702:xxxx:yyy0::48 prefixlen 128
	inet 66.aaa.bbb.ccc netmask 0xfffffc00 broadcast 66.aaa.bbb.255
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active

I don't know why the DHCP address of ::48 is listed as a /128, but it is indeed within the /64 network range and responds to requests as such. Probably something I just don't understand about the way it is being displayed. Could also be that it is displayed that way because the dhcp6c ia-na statement assigns 1 address (a /128).

New Member

1 year ago

Fortinet will probably ask which device. I don't have many devices at home I would need to reconfigure. I sent off your config to Fortinet.

New Member

1 year ago

Now I am starting to understand how you get the /64 blocks.
You incremented yyy0 to yyyf so you kept /64. I was going to the next octet.

New Member

1 year ago

IPv6 Addressing Subnet (including length) 2600:1702:980:25e0::/64
IPv6 Delegated Prefix Subnet (including length) 2600:1702:980:25ef::/64

WAN2: 2600:1702:980:25e0::/64
Each interface could be 25e1::/64 to 25ef::/64

New Member

1 year ago

IPv6 Addressing Subnet (including length) 2600:1702:980:25e0::/64
IPv6 Delegated Prefix Subnet (including length) 2600:1702:980:25ef::/64

I see why it says Teacher....

You are correct, it is an entire /60 block.
It creates 2^4 = 16 subnets of /64

2600:1702:0980:25e0:0000:0000:0000:0000 to 2600:1702:0980:25ef:ffff:ffff:ffff:ffff

I have learned more IPv6 today than ever before. You are absolutely amazing.

tinslwc

Teacher

1 year ago

Technically, all the addresses associated with 2600:1702:980:25e0::/60 belong to you. This would be everything from 2600:1702:980:25e0:: through 2600:1702:980:25ef:ffff:ffff:ffff:ffff.

Because of the ATT implementation at the RG level, you can only use half of the /64s for yourself, and you MUST perform a PD request; otherwise the RG doesn't know where to send the packets because the network will not be in the RG routing table (and there is no way to manually add them).

So, for you, the following networks are terminated by your ATT RG:

2600:1702:980:25e0::/64 (Used on the LAN interfaces of the BGW210)
2600:1702:980:25e1::/64 (Don't know how to use)
2600:1702:980:25e2::/64 (Don't know how to use)
2600:1702:980:25e3::/64 (Don't know how to use)
2600:1702:980:25e4::/64 (Don't know how to use)
2600:1702:980:25e5::/64 (Don't know how to use)
2600:1702:980:25e6::/64 (Don't know how to use)
2600:1702:980:25e7::/64 (Don't know how to use)
2600:1702:980:25e8::/64 (Available as a PD for downstream networks)
2600:1702:980:25e9::/64 (Available as a PD for downstream networks)
2600:1702:980:25ea::/64 (Available as a PD for downstream networks)
2600:1702:980:25eb::/64 (Available as a PD for downstream networks)
2600:1702:980:25ec::/64 (Available as a PD for downstream networks)
2600:1702:980:25ed::/64 (Available as a PD for downstream networks)
2600:1702:980:25ee::/64 (Available as a PD for downstream networks)
2600:1702:980:25ef::/64 (Available as a PD for downstream networks)

One day, I'm going to try a router advertisement to the BGW to see if I can use the lower numbered networks, but it isn't high on my priority list at the moment.
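The following is an added example (not code from the thread, and not anything AT&T or Fortinet ship) that turns the /60 layout described in the two posts above, and the dhcp6c log lines shown earlier, into a check a practitioner can run on a router. Given the WAN /64 the RG hands out (the yyy0 network), it derives the parent /60, enumerates the sixteen /64s, marks the upper eight as the ones the RG will delegate per the thread, and then audits a set of constructed dhcp6c "IA_PD prefix" log lines: each delegated prefix must sit inside the /60, be one of the delegatable /64s, be exactly /64 so SLAAC still works (the reason a /67 is a bad idea), and carry the 1-hour pltime/vltime the BGW210/NVG599 issue. The sample log uses the documentation prefix 2001:db8::/32 in place of 2600:1702:xxxx and deliberately includes three bad lines so the checks have something to flag; the "lower 8 reserved by the RG, upper 8 delegatable" rule is taken from the posts, not from any AT&T documentation.

```python
"""Audit DHCPv6-PD leases from an AT&T RG against the expected /60 layout.

Added example: nothing here is from the original posts. The sample log
lines are constructed (documentation prefix 2001:db8::/32 instead of the
real 2600:1702:xxxx) and three of them are deliberately wrong.
"""
import ipaddress
import re

# The /64 the RG assigns on its LAN side (the "yyy0" network in the thread).
WAN_NETWORK = ipaddress.IPv6Network("2001:db8:980:25e0::/64")

# Constructed dhcp6c log excerpt in the same shape as the thread's log lines.
# Lines 1-3 are good; line 4 is a lower-half /64 the RG keeps for itself,
# line 5 is outside the /60 entirely, line 6 is a /67 (breaks SLAAC).
SAMPLE_LOG = """\
Feb 16 08:12:46  dhcp6c  33626  IA_PD prefix: 2001:db8:980:25ef::/64 pltime=3600 vltime=3600
Feb 16 08:12:46  dhcp6c  33626  IA_PD prefix: 2001:db8:980:25e9::/64 pltime=3600 vltime=3600
Feb 16 08:12:43  dhcp6c  33626  IA_PD prefix: 2001:db8:980:25ed::/64 pltime=3600 vltime=3600
Feb 16 08:12:37  dhcp6c  33626  IA_PD prefix: 2001:db8:980:25e1::/64 pltime=3600 vltime=3600
Feb 16 08:12:37  dhcp6c  33626  IA_PD prefix: 2001:db8:981:25e8::/64 pltime=3600 vltime=3600
Feb 16 08:12:27  dhcp6c  33626  IA_PD prefix: 2001:db8:980:25ec::/67 pltime=3600 vltime=3600
"""

LOG_RE = re.compile(
    r"IA_PD prefix: (?P<prefix>[0-9A-Fa-f:]+/\d+) pltime=(?P<pltime>\d+) vltime=(?P<vltime>\d+)"
)


def parent_prefix(wan_net: ipaddress.IPv6Network, plen: int = 60) -> ipaddress.IPv6Network:
    """The /60 that contains the RG's WAN /64 (the customer's whole allocation)."""
    return wan_net.supernet(new_prefix=plen)


def delegation_table(wan_net: ipaddress.IPv6Network) -> dict:
    """Map each /64 of the /60 to 'rg' (terminated by the RG) or 'pd' (delegatable).

    Per the thread, the RG keeps ::0-::7 and only hands out ::8-::f via IA_PD.
    Keys are strings so callers need not import ipaddress themselves.
    """
    parent = parent_prefix(wan_net)
    return {
        str(sub): ("pd" if i >= 8 else "rg")
        for i, sub in enumerate(parent.subnets(new_prefix=64))
    }


def parse_leases(log_text: str) -> list:
    """Extract (network, pltime, vltime) tuples from dhcp6c IA_PD log lines."""
    leases = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            net = ipaddress.IPv6Network(m["prefix"], strict=False)
            leases.append((net, int(m["pltime"]), int(m["vltime"])))
    return leases


def check_lease(net, pltime, vltime, wan_net, expected_lifetime=3600) -> list:
    """Return a list of problems for one delegated prefix (empty list == OK)."""
    problems = []
    if not net.subnet_of(parent_prefix(wan_net)):
        problems.append("outside delegated /60")
    elif net.prefixlen != 64:
        problems.append("not a /64 (SLAAC will not work)")
    elif delegation_table(wan_net).get(str(net)) != "pd":
        problems.append("RG-terminated /64, not delegatable")
    if pltime != expected_lifetime or vltime != expected_lifetime:
        problems.append("unexpected lifetime")
    return problems


def audit(log_text: str, wan_net: ipaddress.IPv6Network) -> dict:
    """Audit every IA_PD line; returns {prefix_string: [problems]}."""
    return {
        str(net): check_lease(net, plt, vlt, wan_net)
        for net, plt, vlt in parse_leases(log_text)
    }


if __name__ == "__main__":
    print("allocation:", parent_prefix(WAN_NETWORK))
    for prefix, role in delegation_table(WAN_NETWORK).items():
        print(f"  {prefix}  {role}")
    for prefix, problems in audit(SAMPLE_LOG, WAN_NETWORK).items():
        print(f"{prefix}: {'OK' if not problems else ', '.join(problems)}")
```

On a real router, point `SAMPLE_LOG` at the dhcp6c output and `WAN_NETWORK` at the /64 shown on the RG's LAN side; a prefix that fails the "outside delegated /60" check is the thing to investigate first, because nothing inside the RG's routing table will carry it, whether it came from a misconfiguration or from something else on the segment answering DHCPv6.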

New Member

1 year ago

My 60E is 10 port. Two WAN, 8 LAN. So 8 subnets was my goal. I did /67 because I didn't realize I could use the rest. Fortinet wasn't even sure because of how it was presented.

I have two Apache2 web servers at my house. I need two WAN IP addresses so I can VIP traffic to both. Now that I know the pattern, I won't use DHCPv6. I can manually address the 60E and devices till I get around to my two DNS/DHCP servers. Did you try ia-na 16-18 and ia-pd 8 and above?

tinslwc

Teacher

1 year ago

For stinky stuff and giggles, I spun up a firewall VM and attached to my RG to test some of your (and my) thoughts.

1) I requested a prefix delegation using ia-pd and received a reply that none were available.  So, max 8 available via prefix delegation. I'm pretty sure I've done this in the past, so I'm not really surprised.

2) I configured a LAN interface for 2600:1702:xxxx:yyy1::/64 and advertised that prefix on the WAN interface (basically working backwards from what would be typical, but should be within the IPv6 spec) to see if the ATT RG would pick it up and add my new router to its routing table. No such luck. I could not get IPv6 behind the new router to work using that subnet. It seems that subnets 1 through 7 are simply unusable because there is no way to get the route into the ATT RG.

3) Per your request, I added 3 additional ia-na stanzas to my dhcp6c.conf and picked up the following addresses and assigned them to the WAN interface:

2600:1702:xxxx:yyy0::20
2600:1702:xxxx:yyy0::40
2600:1702:xxxx:yyy0::42
2600:1702:xxxx:yyy0::45

So, as expected for this one, no issues with assigning and using multiple IPv6 addresses.

That was fun.

New Member

1 year ago

I have been having a lot of fun doing IPv6. I made a web site for my notes. [EDITED]

I can't wait to write this up.

I worked backwards from 25ef to 25e8, starting with DMZ to internal 1. DMZ already uses 25ef and has most of my stuff in it. So I left it.

I just wish AT&T would give us better notes and understanding on this. Hopefully, these new notes will help the next person.

[EDITED per Community Guidelines]


New Member

1 year ago

The Fortinet 60E is working on it. The only issue is getting another WAN2 address. It wants to keep a /128 WAN address. I need to figure out a way to add another one without breaking traffic.

I can ping6, tracert6, and nslookup for IPv6 from the servers and Windows 10.

I will be writing it up and putting it on my web site [EDITED per Community Guidelines]

I hope this post can help the next person.

You have been a great help.