Long time listener, first-in-a-while caller. I've got what might be a very simple question that has many parts: I want to get IPv6 working on my one-IP static v4 BCI connection, with the ability to subnet the v6 delegation into multiple subnets behind my router/fw. What's the best/right way to do this?
My infrastructure:
Cable Modem: SMC D3G (I believe), Firmware 3.1.6.56
WAN DHCP IPv6 Address: ${WAN_V6}/64
LAN Gateway v6 Address: ${LAN_GW_V6}::1/64
LAN v6 Prefix Delegation: ${LAN_GW_V6}::/64
Firewall/Router: 1U server running OpenBSD 5.6
v4 Network: 3 internal interfaces: WIFI (DHCP), Wired (DHCP), DMZ (Static)
v4 WAN interface statically configured for WAN_v4/30, with 3 statically configured subnets, one on each interface as above.
My LAN is a mix of Linux hosts, OSX, Android and iPhones.
Questions:
* Is rtsold the right way to get the relevant IPv6 address and delegation for my FW and LAN respectively? I can see the RA's coming in on my WAN interface with tcpdump, and running 'rtsold -F $wan_if' works. I can now ping6 and traceroute6 to external v6 hosts on the internet. But what about DHCPv6 ? I've tried various incarnations of isc-dhcp's dhclient as well as wide-dhcpv6's dhcp6c, and all they do is send out dhcpv6 requests, but never receive a response. Is this operating as expected?
* Are any incoming connections on v6 blocked, or is it wide open? I tried ssh'ing from my desktop at work which is v6-enabled to my FW over IPv6, and saw no response on my FW, not even in PF blocks or tcpdump.
* My understanding is that with OpenBSD, if you are using dynamic configuration on one interface (WAN), accepting RA's and with forwarding enabled, you cant advertise connectivity via rtadvd on the internal addresses. Am I missing something, or is this true?
* I see that my LAN v6 delegation is a /64 in the cable modem status UI. As I understand it, this would only allow me to v6-enable one of the WIFI/Wired/DMZ subnets in my home. Correct? I read various posts about /58's and /60's coming. I'll happily sit tight if this is the case, but if I'm missing something that I could get this functionality now, I'm all ears.
↧