I have a superfluous (if ISPs would always assign /60 or better) problem to solve: I successfully connected a long-unused TO with an MC7455 to a mobile network and get a /64 prefix assigned with my chosen mobile contract. It is foreseen to be installed in a remote location and shall be connected to my local TO.
The local TO has a /56 PD assigned via the ISP, so the two subnets relevant for this topic, vlan#1 and vlan#2, and one Homeassistant installation (which is part of subnet vlan#3) each have a public IPv6 assigned.
My plan is to have 2 subnets vlan#4 and vlan#5 on the remote TO as well, plus a Homeassistant installation (which shall be part of subnet vlan#6), which I want to be accessible from my local TO.
My understanding of IPv6 so far is that with a /64 PD I can only assign public IPv6 to one subnet. So my plan to have
vlan#1 and vlan#4 (management interfaces, must be isolated from other subnets) connected via wireguard interface wg0,
vlan#2 and vlan#5 (interfaces for private devices, firewall rule to allow forwarding to IoT subnets vlan#3/vlan#6) connected via wireguard interface wg1,
the Homeassistant on the remote TO (part of vlan#6) assigned a TLD,
seems a little bit complicated.
My only idea would have been to assign static public IPs within my PD to the subnets vlan#4 and vlan#5 as well as to the Homeassistant on the remote TO, but the provider (O2 Germany) seems to change the delegated prefix every 24 hours, so that does not make any sense. Another provider that does not adhere to global standards…
Any other idea on how to reach my goals?
On the private mobile customer market in Germany there does not seem to be an option to get a fixed /64 or better prefix. Even a Starlink subscription with a premium price tag (600€ per year + 350€ initially, compared to 150€ per year for 200GiB with the mobile contract) only provides a dynamic prefix, but a /56.
So if there is a technical solution I would want to avoid this high investment, which would be quite overkill for an allotment installation I only visit once a week…
What about IPv6 port forwarding, will that work?
I would use dynamic prefix forwarding to assign a predictable /64 to my IoT vlan#6 (and thus get a TLD assigned to my Homeassistant VM).
And for the VPN traffic I would only use a local IPv6 for the wg0 and wg1 ports and forward the respective ports to these permanent local addresses?
Well, you can split the /64 interface identifier locally as you please… if all your devices support address assignment via DHCPv6 there is no real stopping you from carving that /64 into whatever you want. The problem comes with devices that only do SLAAC and insist upon using the last 64 bits for that (Android, looking at you here, sadly).
The IETF is currently contemplating alternatives, like allowing /80 prefixes (so leaving 48 bits as interface identifier) and/or assigning each device its own prefix (which requires more prefixes, hence the prefix-space extension). This last measure aims at addressing neighbour discovery cache exhaustion attacks to which IPv6 networks are currently sensitive, but I digress. Point is, you might already be able to implement a virtually longer prefix (modulo the ND cache issue) with DHCPv6 IFF all end devices play along…
No, that would be too easy.
I believe (but have not tested, so I might be out to lunch here) it means you would need to manually configure the addresses for the end devices in the different VLANs to align with the desired “prefix”. This should work from the router if the devices accept DHCPv6-assigned IP addresses and do not try to autogenerate addresses via SLAAC/privacy extensions, otherwise you would need to set the IPv6 addresses manually inside the OS of every end device.
This seems to be doomed to failure. I bet various IoT devices will not adhere to these rules - sad but true.
I decided to forget about beauty and assign the one /64 GLA prefix to my IoT vlan#6 and use my ULA for the other interfaces. There was an annoying finding when using only option ip6assign '64' for each interface: the /64 GLA was delegated to the interface with the “lowest” first character (so an interface called beta would always win against an interface called gamma). But here the option ip6class 'local' (which I assigned to all but the IoT interface) won the day.
The wireguard connections work without any issue after opening the firewall for the respective wireguard port. So I’d say goal achieved.
I’m not sure how the assignment over a wireguard tunnel works, but assuming that it is handled the same as a vlan or physical interface, you could set up your local TO to request the /56 prefix on the wan interface and enable “Delegate IPv6 prefixes”.
Then on the Advanced Settings tab of the wireguard interface on your local TO you would check the “Delegate IPv6 prefixes” checkbox, set the “IPv6 assignment length” to e.g. 60 (max. 16x /64 subnets) and maybe an IPv6 assignment hint.
The remote router should then be able to request a /61 from your local TO over the wireguard tunnel. With the “IPv6 prefix filter” you can force only the subnets from the tunnel to be applied to that interface and not the dynamic prefix of the mobile connection.
For the vlans on the remote site you then should also set the IPv6 prefix filter to the /61 prefix from the tunnel.
You maybe then also have to define the routing of all IPv6 traffic (or only your internal traffic) to be sent through the tunnel.
So in theory that should work and would result in a setup where you can essentially split your /56 prefix over the two sides. The only problem might be that the IPv6 traffic on the remote side then depends on the wireguard tunnel working, and if that fails IPv6 connectivity would not work.
Alternatively you could also try to get a Vodafone Red Business (not the Privatkunden ones) contract for self-employed customers, which should have an option for static IPs and static IPv6 prefixes. The small ones are 40-70€/month. You may have to request that via the hotline if you can’t provide proof that you are running a business.
Basically that means I will route all IPv6 traffic through the wireguard interface, right?
I will think about that while setting up the rest of the network. I do not feel like it is needed to have globally reachable IPv6 addresses on all subnets, so maybe my basic approach suffices for my needs.
But as soon as everything is working I will for sure try this more advanced stuff (at least to learn more on wg and IPv6).
Yes to routing all the IPv6 traffic through the wireguard.
If you don’t need public IPv6 access on the remote vlans you can also use ULA prefixes (set in Network>Interfaces>Global network options) to assign local (or here, via a tunnel) routable IPv6 to the interfaces. Then on each router add static routes with the other router's prefix ranges as target and its wireguard tunnel IP as gateway.
Then local IPv6 traffic between the vlans is also possible if the tunnel connection doesn’t work. But for connecting to the Internet via IPv6 you would need to use NAT6.
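As an added example (not posted by anyone in this thread), here is what the two approaches above look like together in OpenWrt's /etc/config/network on the local TO: ip6class 'local' keeps the management and private vlans on the ULA so that only the IoT vlan takes the single delegated GLA /64, and a static route6 sends the remote TO's ULA range through wg0 as suggested in the last post. Interface names, the ULA prefixes, the tunnel transfer net and the key/endpoint placeholders are all constructed for illustration.

```uci
# /etc/config/network fragment, LOCAL TO (constructed example)

config globals 'globals'
	# ULA prefix OpenWrt generated at first boot; constructed value here
	option ula_prefix 'fd12:3456:789a::/48'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'       # request the /56 delegation from the ISP

# vlan#1, management: ULA only, never competes for the GLA /64
config interface 'mgmt'
	option device 'br-lan.1'
	option proto 'static'
	option ip6assign '64'
	list ip6class 'local'         # accept prefixes of class "local" (ULA) only

# vlan#2, private devices: ULA only as well
config interface 'private'
	option device 'br-lan.2'
	option proto 'static'
	option ip6assign '64'
	list ip6class 'local'

# vlan#3, IoT with Home Assistant: the only interface taking the ISP delegation
config interface 'iot'
	option device 'br-lan.3'
	option proto 'static'
	option ip6assign '64'
	list ip6class 'wan6'          # accept prefixes delegated on wan6 only

# WireGuard tunnel to the remote TO; transfer net carved from the local ULA
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<local private key, placeholder>'
	option listen_port '51820'
	list addresses 'fd12:3456:789a:ff00::1/64'

config wireguard_wg0
	option public_key '<remote public key, placeholder>'
	option endpoint_host '<remote endpoint, placeholder>'
	option persistent_keepalive '25'
	list allowed_ips 'fd12:3456:789a:ff00::2/128'   # remote tunnel address
	list allowed_ips 'fdab:cdef:123::/48'           # remote TO's ULA range (constructed)

# Static route: remote ULA range via the remote tunnel address (mirror this on the remote TO)
config route6
	option interface 'wg0'
	option target 'fdab:cdef:123::/48'
	option gateway 'fd12:3456:789a:ff00::2'
```

The remote TO gets the mirror image: its own ula_prefix, ip6class 'local' on vlan#4 and vlan#5, ip6class for the mobile interface on vlan#6, and a route6 back to fd12:3456:789a::/48 via fd12:3456:789a:ff00::1.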