Friday, July 3, 2015

subnet - IPv6 subnetting a dynamic /56 prefix



I read How does IPv6 subnetting work and how does it differ from IPv4 subnetting? but my question was not answered there.



I'm upgrading our IPv4 network to IPv6. Currently, our NAT gateway splits our one IPv4 address into 2 private subnets, our main subnet and an isolated guest subnet. I want to continue this practice of having 2 separated subnets under IPv6. I read that I should not use a prefix larger than /64 because it will break things, but the delegated prefix my router is picking up (I believe via DHCPv6) is a /64 prefix. So somehow I want to get a /56 prefix automatically assigned (suggestions welcome), but even after I get that, it is still going to be dynamic, so my question is how do I set up 2 subnets based on this dynamic allocation?



I am used to using NAT and statically configured IPv4 private subnets. Now I am going to have to manage 2 public subnets with a firewall between them, but I don't see how I'm supposed to configure a RouterOS router to say "combine the /56 dynamic prefix with this 8-bit static subnet identifier to create /64 subnet". How do I do that (or what should I do instead)?


Answer



The way Mikrotik implemented it in RouterOS is that the router has a DHCP client that gets a /56 prefix from the ISP and puts it in an address pool. Then the router also has a DHCP server that hands out /64 prefixes from that address pool to individual interfaces.




/ipv6 dhcp-client
add add-default-route=yes comment="delegate ISP-assigned prefix" \
interface=ether1-WAN pool-name=wan6-pool prefix-hint=::/56 \
request=prefix use-peer-dns=no

/ipv6 dhcp-server
add address-pool=wan6-pool interface=ether2-LAN name=LAN
add address-pool=wan6-pool interface=ether3-Guest lease-time=3h name=guest

/ipv6 address add from-pool=wan6-pool interface=ether2-LAN

/ipv6 address add from-pool=wan6-pool interface=ether3-Guest


That puts ether2 and ether3 on two different /64 subnets of the /56 prefix delegated by the ISP. Since all the IPv6 addresses are globally routable, you need to add extra firewall rules to keep them protected from the internet, and then some more if you want to keep the 2 subnets from talking to each other. You will want to use interface-based rules rather than address-based rules since the addresses will be dynamic.



Note that to get a /56 prefix instead of a /64 prefix from my ISP, I had to configure the DHCP client with prefix-hint=::/56 request=prefix.
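As an added illustration, not part of the original question or answer, the following Python shows the arithmetic behind "combine the dynamic /56 with an 8-bit static subnet identifier to make a /64", which is what the RouterOS address pool does for you: a fixed id per interface keeps each interface in the same relative slot whenever the delegated prefix changes, and a delegation of only /64 is rejected because there are no free bits to split. The prefix values and interface names are constructed samples.

```python
import ipaddress


def derive_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Combine a delegated prefix with a static subnet id to form one /64.

    The id occupies the bits between the delegated prefix length and /64:
    a /56 leaves 8 bits (ids 0..255), a /60 leaves 4 bits (ids 0..15).
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; cannot carve /64 subnets")
    free_bits = 64 - pd.prefixlen
    if free_bits == 0:
        # This is the situation in the question: a /64 delegation cannot be
        # split into two /64 subnets; ask the ISP for a shorter prefix.
        raise ValueError(f"{pd} is already a /64; request a shorter prefix")
    if not 0 <= subnet_id < (1 << free_bits):
        raise ValueError(f"subnet id {subnet_id} does not fit in {free_bits} bits")
    # Host bits are the low 64; the subnet id sits just above them.
    net_int = int(pd.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((net_int, 64))


def plan_subnets(delegated: str, interfaces: dict) -> dict:
    """Map each interface name to its /64 under the current delegation."""
    return {name: derive_subnet(delegated, sid) for name, sid in interfaces.items()}


# Constructed sample: documentation prefix, one id per interface (assumed names).
INTERFACES = {"ether2-LAN": 0, "ether3-Guest": 1}

if __name__ == "__main__":
    for pd in ("2001:db8:1234:ab00::/56", "2001:db8:5678:cd00::/56"):
        print(pd, plan_subnets(pd, INTERFACES))
```

Because the resulting /64s are globally routable and change with the delegation, firewall rules should match on interface (as the answer advises) rather than on these computed addresses.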

