Multiple ULA ranges?

Hello,
I’m trying to set a completely different ULA range for each LAN interface. I’m currently able to get each interface a /64 if I configure a /63 ULA range, but I would prefer being able to set multiple /64s to better control the ranges, since the router will be communicating through tunnels to remote ULA addresses.

Current method of setting a global ULA parameter, such as

config globals 'globals'
        option ula_prefix 'fd00:4170:6878:9401::/63'

doesn’t let me pick which interface gets which /64, and doesn’t allow me to, for example, use ‘fd00:4170:6878:9401::/64’ for no VLAN and ‘fd00:4170:6878:9403::/64’ for VLAN 3 while not using ‘9400’ at all, etc.

Of course, I would need to transparently translate these ULA addresses to globally routable addresses. I get a /56 upstream, but there are scenarios where I might only get a /64 in the future and still need multiple /64 ULAs, as odhcpd doesn’t seem to support splitting a /64 into /112s.

In case it matters, the router I’m doing tests on runs TurrisOS 7.0.1 7b8ccbd37c897070d0b12d02e87a8b52b516fcc7

What are my options here?

I would try a /48.
The recommended smallest prefix is a /64; it should not be segmented.
No idea why ISPs started to give out a /56, since they are supposed to give out a /48 to each subscriber.
A /48 is also what the Unique Local IPv6 Generator is giving you.

Of course, I would need to transparently translate these ULA addresses to globally routable addresses.

That is not how it should be done with IPv6, where NAT is not recommended. The idea of ULA is to use it for isolation, which means no contact with the outside world.

If you have a device or a service which needs access to outside world, it should get a public IP from your ISP-delegated prefix.

If you have a device or service which should not have access to or from the outside world, i.e. a management VLAN, it should get an address from your ULA-Prefix.

If a device or service with a public address needs access to both, i.e. a local printer and the outside world, you give it addresses in both networks, by giving it an address each from both prefixes.

Having multiple IPs on network interfaces is normal with IPv6.
Using NAT is not normal, but unfortunately unavoidable in IPv4.

Yup, try a /48. In LuCI you have the IPv6 hint, so you put 9401 there, 9403 on the other interface and so on, with /64, and it should work.
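As an added example (not from the thread), this small Python model shows how a /48 ULA plus a per-interface IPv6 hint (the LuCI field mentioned above, `option ip6hint` in UCI, with `option ip6assign '64'`) yields one /64 per interface, and why a /63 cannot honour the hints. The right-aligned placement of the hint in the subnet-id bits is an assumption about netifd's behaviour; the prefix and hint values are constructed from the ones quoted in this thread.

```python
import ipaddress

# Constructed sample: the /48 recommended above and the per-interface hints
# the poster wanted (9401 for the untagged LAN, 9403 for VLAN 3).
ULA_48 = "fd00:4170:6878::/48"
HINTS = {"lan": "9401", "vlan3": "9403", "mgmt": "9410"}


def assign_subnet(ula_prefix: str, hint: str, assign: int = 64) -> ipaddress.IPv6Network:
    """Place the hex ip6hint into the subnet-id bits between the ULA prefix
    length and ip6assign (assumption: right-aligned, as netifd does)."""
    ula = ipaddress.IPv6Network(ula_prefix)
    subnet_bits = assign - ula.prefixlen
    if subnet_bits <= 0:
        raise ValueError("ip6assign must be longer than the ULA prefix")
    subnet_id = int(hint, 16)
    if subnet_id >= (1 << subnet_bits):
        raise ValueError(f"hint {hint} needs more than {subnet_bits} subnet bit(s)")
    # Bits below 'assign' are host bits, so shift the id just above them.
    addr = int(ula.network_address) | (subnet_id << (128 - assign))
    return ipaddress.IPv6Network((addr, assign))


def plan(ula_prefix: str, hints: dict, assign: int = 64) -> dict:
    """Map every interface to its /64 and reject collisions between hints."""
    ula = ipaddress.IPv6Network(ula_prefix)
    result = {}
    for iface, hint in hints.items():
        net = assign_subnet(ula_prefix, hint, assign)
        if not net.subnet_of(ula):
            raise ValueError(f"{net} falls outside {ula}")
        for other, onet in result.items():
            if net.overlaps(onet):
                raise ValueError(f"{iface} and {other} both map to {net}")
        result[iface] = net
    return result


if __name__ == "__main__":
    for iface, net in plan(ULA_48, HINTS).items():
        print(f"{iface:6} {net}")
    # The poster's /63 leaves a single subnet bit, so a hint of 9401 cannot fit.
    try:
        assign_subnet("fd00:4170:6878:9400::/63", "9401")
    except ValueError as err:
        print("/63:", err)
```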

Some even give you a /64, or worse a /128; this is how it is and no amount of RFCs will change that.

Even following you there, having more than a /64 per physical site makes it needlessly hard to remember. Using a /112 we can have a site identifier at the fourth row and a VLAN identifier at the seventh row. We already get plenty of IP addresses with a /112.

How do you multi-home without BGP/OSPF this way? I do not wish to let the client devices decide for themselves which ISP they use in priority.

I would have some of the /64s already consumed in other physical sites there.
Only OpenWrt has this behaviour; other sites using other Linux distros correctly accept /112 splitting.

If you have multiple gateways in your LAN, I would say that is what router advertisements are for. Usually they specify the router’s link-local address (not the IP from the public prefix), but you are free to specify any IP address the host can reach (possibly through other routes). There is also a router-preference flag you can include in case of multiple routes or gateways.

If you have one gateway connected with multiple WANs, the gateway should take care of it.

I can’t follow your point here. Since the /64 is bigger, you can use the same numbering scheme in your /64 as you use in your /112.

The address length and number of nibbles doesn’t change with the size of the subnet.

There are plenty of options to make it more readable, i.e. you can put the double colon “::” at any position after the prefix.

fd00:4170:6878::9401:a:b:c/64
fd00:4170:6878:9401::a:b:c/64
fd00:4170:6878:9401:a::b:c/64
fd00:4170:6878:9401:a:b::c/64

The way I understand it, ULAs were specifically designed to avoid the problems we have with “192.168…”, where you often come across different networks using the same address. Every physical site is supposed to create and use its own ULA. Anything else re-introduces the same problems again.

I dunno about that. But it’s not recommended, and since many commercial router and network equipment vendors use OpenWrt as the base for their own firmware, I would not bet on it working everywhere.

Even for point-to-point links, where only two addresses are needed, the recommendation is to define /64 subnets.

Besides ease of use and readability, there is also the fact that routing table sizes exploded after the introduction of classless routing in IPv4, which was never planned but was the only way to free up more addresses. IPv6 was designed to avoid this kind of problem in the first place. If we start to introduce this again in IPv6, routing tables will explode by a magnitude larger than they exploded with the introduction of CIDR in IPv4 (I leave the math to the reader).

So in sum:

  • Create a dedicated /48 ULA for every site.
  • Create your desired number of /64 subnets based on your requirements.

There are plenty of sources, documents, whitepapers, tutorials from RIPE, ARIN, network equipment vendors who explain IPv6 addressing scheme best practices.

There is also an easy to find number of blog posts with bad experiences of device compatibility problems while using smaller subnets than /64, as you are already experiencing yourself.

For example, if you look at page 8 of the IPv6 Addressing Guide from Cisco:

They forgot to mention SLAAC, which also expects a /64.


Using a /48 ULA doesn’t allow a 1:1 mapping with a /64 GUA.
Even if the ISP is wrong not to provide more, there are economic realities the RFCs do not account for, and changing ISP isn’t that easy because of that.

In this case, following RFCs to the letter means no VLAN.

I had no issues except SLAAC with /112, and the Android devices that matter have a DHCPv6 client.

For multi-homing, OpenWrt documents that you should be using ULA and 1:1 NAT. Using a /112 ULA for each VLAN would allow a 1:1 mapping with a /64 WAN. Multiple /64 VLANs wouldn’t allow that in this scenario.

Yes, you could have multiple IPv6 addresses on client interfaces and give them a public IP from both WANs, but then you don’t get to control which exit link is used by the device.

Ideally, everyone could own a block and peer with the ISPs, but this is not the case.