This HowTo describes how to place an IPv6 prefix as a /64 network on a specific interface.
Last adaptation to the version: 12.6.0
New:
notemptyThis article refers to a Beta version
Introduction
It is possible by prefix delegation to split an IPv6 network (assigned by the provider) (e.g.:2001:0db8:aaaa:bb::/56) into /64 networks (e.g.:2001:0db8:aaaa:bb00::/64, 2001:0db8:aaaa:bb01::/64 etc.) and assign them to individual interfaces. All devices in this network segment can then receive an IPv6 address from their interface identifier and the prefix if router advertisement is activated. The respective interface of the UTM receives the first address, in the example 2001:0db8:aaaa:bb00::1/64.
IPv6 prefix delegation is enabled on the interface that is connected to the WAN.
The UTM can request an IPv6 prefix from the provider via the PPPoE connection and divide it into smaller /64 subnets and automatically place them on the interfaces.
Configuration
Activating the prefix delegation | |||
| In the menu Area Network interfaces button the interface (e.g. wan0 ) that is assigned to a larger IPv6 network via PPPoE must be configured. In the bottom section of the General tab: | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetworkNetwork configuration  Edit interface
|
|---|---|---|---|
| IPv6: | On | ||
| IPv6 Prefix Delegation: | On | Activates the prefix delegation | |
| Only IPv6 networks from a delegated prefix are placed on an interface if they have the Router Advertisement feature and do not have a fixed configured IPv6 address. Click Save and close to apply the changes. | |||
Transfer to interface by router Advertisement | |||
| In the menu Area Network interfaces the interface to which the smaller /64 subnet is to be assigned (e.g.: LAN2) must be configured: | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetworkNetwork configuration  Edit interface Router Advertisement
|
| Name: | LAN2 | Display of the selected interface | |
| DHCP Client: | |||
| Router Advertisement: | On | With this function, the allocation of a prefix is taken over by the router (here: the UTM firewall) | |
| Assign IPv6 addresses: | On | This function enables the router to distribute IPv6 addresses | |
| IPv6 Prefix Delegation: | off | Prefix delegation is only permitted for external interfaces. | |
| Only IPv6 networks from a delegated prefix are placed on an interface if they have the Router Advertisement feature and do not have a fixed configured IPv6 address.
notempty Die Subnetze werden der Reihe nach zugeordnet. Wird nachträglich IPv6 über das Router Advertisement auf einer Schnittstelle de-/aktiviert oder werden weitere VLANs hinzugefügt wird die Zuordnung erneut durchgeführt. Durch die geänderte Reihenfolge erhalten die Schnittstellen anschließend ggf. neue Subnetze! Click Save and close to apply the changes. |
UTMuser@firewall.name.fqdnNetwork  Display in the network configuration
| ||
Add default route | |||
| In order to route the IPv6 addresses, a default route must be added under Area Routing button . | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetworkNetwork configuration  Default-Route
|
| Gateway Type: | The type of gateway | ||
| Gateway: | wan0 | The selected interface | |
| IPv6: | On | ||
Inspection | |||
| Under tab , a ping is performed on an address that reliably uses (and also answers) IPv6. This verifies that the routing is working properly. | |||
Options
| |||
| Caption | Value | Description |  |
| IPv6 | On | Enable for IPv6 to be used at all | |
| Source: | 2001:db08:aaaa:bbb00::1 | Selection of the IPv6 address to be pinged with | |
| Destination: | k.root-servers.net | Destination name or IP address | |
| Start Ping-Test | |||
Response |
The root server k.root-servers.net of the Ripe NCC should respond as shown in the picture | ||
Adjust packet filter rules
| notempty When using IPv6, all packet filter rules must additionally be created for IPv6. | |||
Create IPv6 network objects | |||
External zone | |||
| Create the Internet zone for IPv6 under button . | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork configuration  Network object Internet_v6
|
|---|---|---|---|
| Name: | Internet_v6 | Unique designation | |
| Type: | |||
| Address: | The entire Internet | ||
| Zone: | notempty The zone must be assigned to the corresponding interface | ||
| Group: | The network object can be assigned to a group if applicable | ||
| Click Save and close to apply the changes. | |||
Internal Zone | |||
| Configuration of the internal network object: | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork configuration  Internal IPv6 network object
|
| Name: | Internal_Network_v6 | Unique designation | |
| Type: | Selection according to your own requirements. For this example network (interface) | ||
| Interface: | Selection of the internal interface to be supplied with IPv6 | ||
| Zone: | |||
| Group: | The network object can be assigned to a group if applicable | ||
| Click Save and close to apply the changes. | |||
Add packet filter rule | |||
| notempty The existing ruleset only applies to IPv4. A completely new set of rules, including the network objects, must be created for IPv6. | |||
| Now a rule can be created under Tab Packetfilter Button : | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallPacket filter  Packet filter rule for IPv6
|
| Active: | On | ||
| Source: |  Internal_Network_v6 |
Source network | |
| Destination: |  Internet_v6 |
Destination network | |
| Service: |  default-internet |
Select desired service or service group | |
| Action: | Accept packet | ||
| Logging: | Select desired logging level | ||
| Group: | Add to desired group | ||
| notempty Unlike IPv4, no NAT is required here! | |||
| Click Save or to save the packet filter rule. | |||
| Click to have the packet filter rules updated. | |||