IPv6 assignments other than /64

Hello :wave:,

I'm trying to delegate /58 IPv6 prefixes to my lan networks. I've set the IPv6 assignment length to 58 on all my LAN networks and I can see /58 assignments in the UI. Yet when running ip -6 r on the router I can see all my routes having /64 and then there's other side-effects which I believe are related ...

Thanks,

Please post your network config and your route table....


Is this private IP space you're discussing, or are you issued a prefix larger than /56 from your ISP for use on your network?

My ISP issues a /56 prefix and I'm trying to divide it into /58 so that the routers behind my main one can issue /64.

The setup is a bit convoluted in terms of layers as I've got 2 sites connected via L2 VPN. One of the sites does not have ipv6 connectivity so it's coming out through its peer. This is a home setup so it's just my experimentation + I have no formal networking training, I understand things but not sure whether the setup matches best practices (probably not as /58 should not be delegated).

My network config (trimmed as I have many more interfaces, all of them have a similar setup to UNSEC):

config interface 'UNSEC'
        option device 'br-UNSEC'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '58'
        option ip6weight '50'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

And my routing table ip -6 r (removed the routes that are not related to UNSEC and there's some unreachables there which I don't know whether they're relevant or not):

default from 2a01:...00::/56 via fe80::9ee0:41ff:fe5e:ebe8 dev eth0.2 proto static metric 512 pref medium
...
2a01:...40::a28 dev br-UNSEC proto static metric 1024 pref medium
2a01:...40:81:bf5e:52ac:c8a0 dev br-UNSEC proto static metric 1024 pref medium
2a01:...40:3df3:e47c:7936:9c1a dev br-UNSEC proto static metric 1024 pref medium
2a01:...40:c594:53e3:74c4:d35a dev br-UNSEC proto static metric 1024 pref medium
2a01:...40:dc63:4f0d:9a25:72b9 dev br-UNSEC proto static metric 1024 pref medium
2a01:...40::/64 dev br-UNSEC proto static metric 1024 pref medium
...
unreachable 2a01:...00::/56 dev lo proto static metric 2147483647 pref medium
...
fdba:b69:e039:40:1415:7fad:627:bf1c dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:1456:d61e:1694:2910 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:3f62:d7b:91bf:5312 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:dc63:4f0d:9a25:72b9 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40::/64 dev br-UNSEC proto static metric 1024 pref medium
...
unreachable fdba:b69:e039::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-UNSEC proto kernel metric 256 pref medium
fe80::/64 dev eth1.4 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
...

Check the table closely-- there should be a /58 route to each lan. That is what the /58 at the end of the LAN IP means; a route has also been installed.

It is normal on the unreachable route as the device is the loopback interface.

v6 protocols such as DHCPv6 and RA work at layer 3 so it is possible to forward to another site on a layer 3 VPN. Avoid layer 2 VPNs whenever possible.

That's what I would have expected as well, but there's no /58 in the table at all. ip -6 r | grep /58 comes back blank.

I'm using L2 VPN because the VPN also carries IPv4 traffic

Iirc you have one /56 which you want to split into 4 /58, then please use ip6hint to set the proper id for each site.
If I do the math correctly without a calculator it should be either 00, 40, 80 or c0.
And a nit-pick: these routes are not unreachable because they point to the loopback but because it's the poor man's version of a black hole route. It prevents traffic for your LAN from leaving via wan.
(Nevertheless, iproute2 even supports dedicated black hole routes...)

I think you have only four /58 blocks in a /56 subnet

That is correct, my prefixes are ...00/58, ...40/58, ...80/58 and ...c0/58. I already get those assigned without ip6hints, don't think adding them in will make a difference.

Just checked, 4 blocks and it's only 4 LANs that are configured to delegate on my main router.

You were talking about many more and as you did not provide the whole setup we keep guessing :slight_smile:

Furthermore it is possible the WAN interface also has a /64 assigned.

I would disable one interface to see if that will work

I wasn't being rude/offending, just answering concerns raised, to progress the discussion.
The default route (WAN) is there as well:

default from 2a01:...00::/56 via fe80::9ee0:41ff:fe5e:ebe8 dev eth0.2 proto static metric 512 pref medium

Just to clarify, the IP assignment is correct, only the routes are wrong (or more restrictive than the actual assignment).

Just spotted something: I was messing with the ip6hint for one of the LANs in the UI, and when I added the hint as 00, which is the same as the automatically assigned prefix, and applied the changes, I got duplicated routes: the old ones you see in my route print + the expected /58 equivalents. Afterwards, if I restart the network service the /58 routes disappear (they're no longer added).

I think this is potentially a bug...

Please post the network conf and routes from all routers in your network.
From what I'm guessing you mix up the allocation size on an interface. And maybe even the hint.
A stub interface with a VLAN gets a /64, and interfaces where routers are attached, which can request a delegated prefix too, therefore need a larger allocation....
I have to say I still can't quite follow you.
Please provide the conf and routes and, if necessary, a description of what is connected and how...


If the wan has an IP within the /56 then one of the /58 blocks will not be available for LANs.

Do you really need to try to push this to the limit with /58s on the LANs or would /60s work as well?

I second this.

What's the actual number of VLANs/networks you have, and how many will you have in the foreseeable future?

It's for instance a good strategy to mess up only the first quarter or even the first half, but not everything at once, unless you have a good reason to do so

Just tried setting the prefix length to /60, my routes still show /64.

It's getting late and my crystal ball wants to go to sleep...

Apologies for the delay, this is my network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdba:0b69:e039::/48'

config device
        option name 'br-UNSEC'
        option type 'bridge'
        list ports 'eth1.1'
        list ports 'tap0.unsec'

config interface 'UNSEC'
        option device 'br-UNSEC'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6weight '90'
        option ip6assign '58'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 3 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t'

config device
        option type 'bridge'
        option name 'br-SEC'
        option bridge_empty '1'
        list ports 'tap0.sec'

config interface 'SEC'
        option device 'br-SEC'
        option proto 'static'
        option netmask '255.192.0.0'
        option ipaddr '10.1.0.1'
        option ip6weight '100'
        option ip6assign '58'

config device
        option type '8021q'
        option ifname 'tap0'
        option vid '102'
        option name 'tap0.sec'

config device
        option type '8021q'
        option ifname 'tap0'
        option vid '101'
        option name 'tap0.unsec'

config interface 'VPN'
        option device 'tun1'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ip6assign '58'
        option ip6weight '20'

config device
        option name 'tap1'

config interface 'GIPSY'
        option proto 'static'
        option device 'tap1'
        option ipaddr '192.168.253.1'
        option netmask '255.255.255.0'
        option ip6assign '58'
        option ip6weight '10'

config route
        option interface 'UNSEC'
        option gateway '192.168.10.2'
        option target '192.168.254.2/32'

config route
        option interface 'UNSEC'
        option target '192.168.50.0/24'
        option gateway '192.168.10.2'

config route
        option interface 'UNSEC'
        option target '192.168.51.0/24'
        option gateway '192.168.10.2'

config device
        option name 'usb0'

config interface 'PHONE'
        option proto 'dhcp'
        option device 'usb0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 4'
        option vid '4'

config device
        option name 'phy1-ap3'

config device
        option name 'phy0-ap0'

config device
        option name 'phy1-ap0'

config device
        option name 'phy1-ap1'

config device
        option name 'phy1-ap2'

config interface 'OANA_WIFI'
        option proto 'static'
        option device 'eth1.4'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        option delegate '0'

config interface 'IoT'
        option proto 'static'
        option device 'br-IOT'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-IOT'
        list ports 'eth1.3'

and my ipv6 routes:

default from 2a01:...:e500::/56 via fe80::9ee0:41ff:fe5e:ebe8 dev eth0.2 proto static metric 512 pref medium
2a01:...:e500::/64 dev tun1 proto kernel metric 256 pref medium
2a01:...:e500::/64 dev br-SEC proto static metric 1024 pref medium
2a01:...:e540:d9a:3382:c781:f9a5 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:28b7:126d:3de0:a0f1 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:6094:281d:f363:d19e dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:dea6:32ff:fe55:14b4 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540::/64 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e580::/64 dev tun1 proto static metric 1024 pref medium
2a01:...:e5c0::/64 dev tap1 proto static metric 1024 pref medium
unreachable 2a01:...:e500::/56 dev lo proto static metric 2147483647 pref medium
fdba:b69:e039::/64 dev br-SEC proto static metric 1024 pref medium
fdba:b69:e039:40::e0f dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:1415:7fad:627:bf1c dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:28b7:126d:3de0:a0f1 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40::/64 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:80::/64 dev tun1 proto static metric 1024 pref medium
fdba:b69:e039:c0::/64 dev tap1 proto static metric 1024 pref medium
unreachable fdba:b69:e039::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-SEC proto kernel metric 256 pref medium
fe80::/64 dev eth1.4 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-IOT proto kernel metric 256 pref medium
fe80::/64 dev tap1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tap0 proto kernel metric 256 pref medium
fe80::/64 dev br-UNSEC proto kernel metric 256 pref medium

and as soon as I apply any changes to the UI it converts to:

default from 2a01:...:e500::/56 via fe80::9ee0:41ff:fe5e:ebe8 dev eth0.2 proto static metric 512 pref medium
2a01:...:e500::/64 dev tun1 proto kernel metric 256 pref medium
2a01:...:e500::/64 dev br-SEC proto static metric 1024 pref medium
2a01:...:e500::/58 dev br-SEC proto kernel metric 256 expires 7194sec pref medium
2a01:...:e540::d07 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:d9a:3382:c781:f9a5 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:28b7:126d:3de0:a0f1 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:6094:281d:f363:d19e dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:6909:319c:7a33:108d dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540:dea6:32ff:fe55:14b4 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540::/64 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e550::/60 via fe80::f823:2bff:fe51:a88 dev br-UNSEC proto static metric 1024 pref medium
2a01:...:e540::/58 dev br-UNSEC proto kernel metric 256 expires 7194sec pref medium
2a01:...:e580::/64 dev tun1 proto static metric 1024 pref medium
2a01:...:e580::/58 dev tun1 proto kernel metric 256 expires 7194sec pref medium
2a01:...:e5c0::/64 dev tap1 proto static metric 1024 pref medium
2a01:...:e5c0::/58 dev tap1 proto kernel metric 256 expires 7194sec pref medium
unreachable 2a01:...:e500::/56 dev lo proto static metric 2147483647 pref medium
fdba:b69:e039::/64 dev br-SEC proto static metric 1024 pref medium
fdba:b69:e039::/58 dev br-SEC proto kernel metric 256 expires 7194sec pref medium
fdba:b69:e039:40::e0f dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:1415:7fad:627:bf1c dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:28b7:126d:3de0:a0f1 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40:a771:ba95:d6aa:ef63 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40::/64 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:50::/60 via fe80::f823:2bff:fe51:a88 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40::/58 dev br-UNSEC proto kernel metric 256 expires 7194sec pref medium
fdba:b69:e039:80::/64 dev tun1 proto static metric 1024 pref medium
fdba:b69:e039:80::/58 dev tun1 proto kernel metric 256 expires 7194sec pref medium
fdba:b69:e039:c0::/64 dev tap1 proto static metric 1024 pref medium
fdba:b69:e039:c0::/58 dev tap1 proto kernel metric 256 expires 7194sec pref medium
unreachable fdba:b69:e039::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-SEC proto kernel metric 256 pref medium
fe80::/64 dev eth1.4 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-IOT proto kernel metric 256 pref medium
fe80::/64 dev tap1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tap0 proto kernel metric 256 pref medium
fe80::/64 dev br-UNSEC proto kernel metric 256 pref medium

which is what I'd expect to see.

I went further and disabled ipv6 completely in my downstream router and LANs and the same behavior persists. I think there's a bug somewhere.
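
The comparison made by eye in this thread can be scripted. The sketch below is an added example, not part of any post and not OpenWrt code: it splits a delegated prefix into assignment-sized blocks with their ip6hint values (counted in /64 units, matching the 00/40/80/c0 quoted above) and lists the devices in an `ip -6 r` dump that have no on-link route at the assigned length. The function names are this example's own, `2001:db8:0:e500::/56` is a documentation prefix standing in for the elided ISP prefix, and the route lines are the ULA lines from the two dumps above.

```python
import ipaddress

def split_prefix(delegated, assign_len):
    """Return [(subnet, hint)] for each assign_len block inside delegated."""
    net = ipaddress.ip_network(delegated)
    blocks = []
    for sub in net.subnets(new_prefix=assign_len):
        # Hint = offset from the delegated prefix, counted in /64 subnets.
        hint = (int(sub.network_address) - int(net.network_address)) >> 64
        blocks.append((sub, format(hint, "02x")))
    return blocks

def onlink_lengths(route_dump, parent):
    """Map device -> set of on-link prefix lengths that fall inside parent."""
    parent = ipaddress.ip_network(parent)
    seen = {}
    for line in route_dump.splitlines():
        f = line.split()
        # Skip default/unreachable entries, routes via a next hop, and "..." filler.
        if len(f) < 3 or f[0] in ("default", "unreachable") or "via" in f or "dev" not in f:
            continue
        try:
            net = ipaddress.ip_network(f[0], strict=False)
        except ValueError:
            continue
        if net.prefixlen == 128 or not net.subnet_of(parent):
            continue  # per-host routes and prefixes outside the delegation
        seen.setdefault(f[f.index("dev") + 1], set()).add(net.prefixlen)
    return seen

def missing_assignment_routes(route_dump, parent, assign_len):
    """Devices holding a prefix from parent but no route of length assign_len."""
    lengths = onlink_lengths(route_dump, parent)
    return sorted(dev for dev, seen in lengths.items() if assign_len not in seen)

# ULA lines copied from the first route dump in the thread (after boot).
BEFORE = """\
fdba:b69:e039::/64 dev br-SEC proto static metric 1024 pref medium
fdba:b69:e039:40::e0f dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40::/64 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:80::/64 dev tun1 proto static metric 1024 pref medium
fdba:b69:e039:c0::/64 dev tap1 proto static metric 1024 pref medium
unreachable fdba:b69:e039::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-UNSEC proto kernel metric 256 pref medium
"""
# Lines that additionally appear in the second dump (after applying in the UI).
AFTER = BEFORE + """\
fdba:b69:e039::/58 dev br-SEC proto kernel metric 256 expires 7194sec pref medium
fdba:b69:e039:50::/60 via fe80::f823:2bff:fe51:a88 dev br-UNSEC proto static metric 1024 pref medium
fdba:b69:e039:40::/58 dev br-UNSEC proto kernel metric 256 expires 7194sec pref medium
fdba:b69:e039:80::/58 dev tun1 proto kernel metric 256 expires 7194sec pref medium
fdba:b69:e039:c0::/58 dev tap1 proto kernel metric 256 expires 7194sec pref medium
"""

if __name__ == "__main__":
    for sub, hint in split_prefix("2001:db8:0:e500::/56", 58):
        print(f"ip6hint {hint} -> {sub}")
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_assignment_routes(dump, "fdba:b69:e039::/48", 58))
```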