16 IPv6 subnets with pfSense and Comcast

One part of my project is to set up IPv6 on certain of my VLANs. IPv6 has long been a bit of a mystery to me. While IPv4 is complicated, the addresses can be held in memory, so we’ve all gotten used to memorizing 4 octets. Further, it allows a fairly simple topography in that the subnets are ‘human-sized’. IPv6 is totally different. It has huge numbers and unreadable addresses. I want each of my VLANs to use IPv6 subnets as appropriate, so here is how I did it. It’s not too complex.

Comcast

By default, Comcast issues you one 64-bit subnet. That gives you 2^64 addresses on one subnet to use. The weird thing is that with IPv6, the smallest network you can have is that size. It’s huge. So huge you’ll never need to worry. But it’s also not divisible. Unlike IPv4 where you could subnet at any level, IPv6 limits you to 2^64 total networks, and each network has 2^64 addresses. In a way it’s a reversion to the old class A/B/C networks before scarcity made us switch to CIDR networks.

If you want more flexibility than 1 network allows, you can request it. I use Comcast, and all I had to do was alter my WAN Interface setting to look like the below:

WAN Interface Configuration
WAN DHCPv6 Settings

The key here, in the ‘DHCP6 Client Configuration’ section, is to set the ‘DHCPv6 Prefix Delegation Size’ to 60 and check ‘Send an IPv6 prefix hint to indicate the desired prefix size for delegation’. Once you save (you may need to reboot), you’ll have a new IPv6 address and 16 subnets allocated to you.

Subnetting

The /60 prefix gives you 16 subnets (64 - 60 = 4, thus 2^4). The way you parcel them out is to set each LAN interface’s ‘IPv6 Configuration Type’ to ‘Track Interface’, then in the ‘Track IPv6 Interface’ section select your WAN interface and a value from 0 to f (hex) to indicate which of the 16 subnets that interface should use.
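To make the arithmetic behind the 0–f value concrete, here is an added example (not pfSense code, and not from the original post) that carves the 16 /64 subnets out of a delegated /60 and computes which one a given hex prefix ID maps to, the way the ‘Track Interface’ setting does. The prefix 2001:db8:abcd:1230::/60 is a constructed documentation-range value, not a real Comcast delegation.

```python
import ipaddress


def subnet_count(delegated_prefix: str) -> int:
    """Number of /64 subnets a delegated prefix contains (2^(64 - prefixlen))."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"/{pd.prefixlen} is longer than /64; no /64 subnets fit")
    return 1 << (64 - pd.prefixlen)


def tracked_subnet(delegated_prefix: str, prefix_id: str) -> ipaddress.IPv6Network:
    """Return the /64 a LAN interface gets for a hex prefix ID (0..f for a /60).

    The ID fills the bits between the end of the delegated prefix and bit 64,
    so for a /60 it is the last nibble of the fourth hextet.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    id_bits = 64 - pd.prefixlen
    if id_bits < 0:
        raise ValueError(f"/{pd.prefixlen} is longer than /64; cannot carve /64 subnets")
    pid = int(prefix_id, 16)
    max_id = (1 << id_bits) - 1
    if not 0 <= pid <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id!r} is out of range for a /{pd.prefixlen} (0..{max_id:x})"
        )
    # Shift the ID up into the upper 64 bits, just below the delegated prefix.
    subnet_int = int(pd.network_address) | (pid << 64)
    return ipaddress.IPv6Network((subnet_int, 64))


def all_tracked_subnets(delegated_prefix: str) -> list:
    """Every /64 in the delegation, in prefix-ID order (0, 1, ..., f for a /60)."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    return list(pd.subnets(new_prefix=64))


if __name__ == "__main__":
    # Constructed example delegation (documentation range), not a real one.
    delegation = "2001:db8:abcd:1230::/60"
    print(f"{delegation} holds {subnet_count(delegation)} /64 subnets:")
    for i, net in enumerate(all_tracked_subnets(delegation)):
        print(f"  prefix ID {i:x} -> {net}")
```

Feeding a /64 delegation to the same functions shows why the default Comcast allocation gives exactly one usable subnet: only prefix ID 0 is in range.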

LAN Interface Setup
LAN Interface IPv6 Track Setup

That’s it. I usually reboot at this point, since the LAN interfaces don’t always pick up the tracked subnets. With this, the magic of IPv6 will cause your devices to automagically get IPv6 addresses, using, I believe, router discovery from the radvd daemon.

Conclusion

This works really well overall, and Comcast made this super-easy. I don’t put IPv6 addresses on each subnet – for instance, the ‘KIDS’ subnet that I have hardened, I won’t set up IPv6 on yet until I really understand how to proxy it. No proxy setup form that I have seen looks like it’s IPv6 ready, and IPv6, as far as I know, is not at all like the NAT that we all take for granted. I think without more comprehensive firewall rules that it might be possible to actually access into the subnets because IPv6 has no ‘private’ networks. A project for later.

What I’m listening to as I do this:

Beethoven’s Leonore Overture No. 3, on a CD I took from my Dad many years ago. I first heard this at Tanglewood where Seiji Ozawa conducted the Boston Symphony Orchestra one summer in high school. I find it’s one of the prettiest pieces of classical music.