IPv6 in LAN without constant access to WAN - e.g. mobile lab / ship /

Hi,

I am trying to prepare a simple network configuration for a mobile lab (e.g. ship/airplane) supporting IPv6. I'd like to use IPv6 for both local traffic between 4-5 lab devices as well as for accessing WAN - once the lab returns to the "base" (or any other place with internet access via IPv6 infrastructure) where there is an actual internet connectivity. When at "base" and connected to WAN all lab devices get global IPv6 addresses delegated from /64 prefix assigned by our ISP. However, I am not sure how to retain connectivity between devices while not connected to WAN?
Should I rely on ULA or statically assigned IPv6 in that case for any communication between lab devices and assign the delegated IPv6 from ISP?
Or should I rely solely on ULA and perform NAT66 between LAN and WAN?
Is it even possible to route between ULA LAN and WAN?

Thanks a lot,
Rob

Either use ULA and NPT to access Internet. With a VPN / site to site tunnel you can access all your networks from each other.
Or better, get proper Internet numbers from your provider as a sponsored resource or from your RIR directly. Then you can assign GUA however you like.

(If you have never heard of these terms, please consult a professional network dude. But when I read "lab" and "airplane" and "ship".... I would hope for a serious network design.)

2 Likes

No worries about the final solution - the mobile lab, airplane and ship were to reflect that there are scenarios when the Internet connection might not be available so that no public addresses will be assigned by ISP at every moment. This is solely for learning purposes with running OpenWRT on Raspberry Pi. Not targeting some safety critical environment :).

> Either use ULA and NPT to access Internet.

Thanks for the NPT hint - I thought NAT66 is the only option too.

> Or better, get proper Internet numbers from your provider as a sponsored resource or from your RIR directly. Then you can assign GUA however you like.

Do you mean that in that case I would use those GUA addresses for LAN side communication even if WAN is temporarily not available?

Yes. If you got an allocation from a RIR, either because you are a LIR yourself or via a Sponsoring LIR, then these addresses are yours. Not in a sense of owning but in a sense of allocated. (Most people think they own addresses but no. ARIN or RIPE can revoke your allocated addresses in case you violate policies.)

You can now assign addresses as you like. You even would not need them to use on the Internet. Your network could be totally air gapped but nobody should ever be able to use these addresses on the Internet but you. Nowadays there are multiple layers on the Internet in use to ensure that only the legitimate holder of address space is able to announce these addresses via BGP on the Internet. Either you have an ASN and do it yourself or you have an ISP which does it on your behalf and you have set up your route objects accordingly.

If you have any kind of business contract with an ISP ask them about it. Normally it's either included already in business contracts or does not cost that much at all.
But in this case you easily now have a /32 or /29 of IPv6 address space available and you will have plenty of networks. As a reminder. The smallest network one can announce on the Internet is a /48. Which is like 64k (local) subnets. And a /32 enables you to have like 64k of these local branch networks.... So if this is more of a serious work which should hold together for a few years please don't f... it up and design the network properly :wink:

PS: without WAN connectivity you have no site to site access of course but local communication would still just and only use GUA addresses. If you have static GUA, please do not use ULA. It just calls for issues and troubles.

1 Like

In addition. Even on a remote site with a shitty ISP who is not able to offer proper networking, static GUA can be used. You would just tunnel your traffic through a tunnel to the nearest datacenter and exit to the Internet there.

1 Like

Why is everyone using these? It's one of the worst hardware for networking. If you are located in Europe, have a look at i.e. https://www.ipu-system.de/ or any other vendor offering x86 boards with multiple Intel NICs and an RTC....

> Why is everyone using these? It's one of the worst hardware for networking.

As I said - learning. I have spare Raspberry Pi so I wanted to use it as a starting point :).

A question on getting numbers from my provider. This is what I see on my Connect Box config:

A /64 prefix and 245 "available addresses". I cannot change that DHCPv6 config but does that mean I could theoretically assign 2a02:a312:abcd:efhg::1 through ::245 (or any other numbers as long as I don't use more than 245 of them) as static addresses for LAN side devices?

Another thing that confuses me is what my OpenWRT receives from Connect Box:

IPv6: 2a02:a312:abcd:ef8g:xxxx:xxxx:xxxx:xxxx/128
IPv6: 2a02:a312:abcd:ef8g:yyyy:yyyy:yyyy:yyyy/64
IPv6-PD: 2a02:a312:abcd:ef9g::/60

I understand the first two IPv6 addresses as their prefixes match what I see on the Connect Box config page, 2a02:a312:abcd:ef8g::/64, but I don't understand where the IPv6-PD 2a02:a312:abcd:ef9g::/60 comes from, which differs both in length (60 vs 64) and in the second to last prefix value (9 vs 8). I assume this is somehow generated by OpenWRT itself and if I use addresses with the IPv6-PD prefix on my LAN I would be essentially taking addresses that my ISP didn't intend for me which may violate some policies.

Thanks a lot for all your help.

Multiple aspects.

  • /64 and 245... I assume it's a "technical limitation". AFAIK it's still unclear for most DHCPv6 servers how to really allocate addresses. Like, "do we just increment with each lease?", "do we choose RANDOM from pool?", "how to keep track of addresses if we use a really huge pool?" That's why at least some DHCPv6 server implementations just said: "f... it, let's just use a small range like the first 256 or 1024/4092 addresses and either stupidly increment or pseudo random allocation...." (If you are heavily bored, have fun by yourself and dig in the mailing list of the ISC, Internet Systems Consortium, reading how they struggled to implement it sanely with Kea, the successor for dhcpd... and Kea is not a "small" project but like dhcpd or bind9 THE reference implementation :confused: I will not complain because I find their (ISC) software more than useful, and I like to continue using them.)

An ISP has more or less two ways of allocating IPv6 to a customer, but you need in any way a /64 (for simplicity we ignore more esoteric options for now, ok...) for the connection from the ISP to the customer router device, or CPE as it is called: Customer Premises Equipment. And one prefix/allocation for the customer network itself.
Either the ISP is stupid, then it's a /64 or /60, or the ISP has read the "recommendations" by the IPv6 Working-group and RIPE or ARIN, and they allocate at least(!) a /56 to the customer. (It is expected that a customer has nowadays more than "a single LAN". Like a typical household already has: "trusted LAN", IoT, Guest, Work-from-Home, etc. So a single /64 is just dumb and /60 still stupid. A /56 would be safe and future ready. In the early days it was considered to just throw a /48 at each Internet-User and never have any debates about "Shit! We are sparse on network numbers" again. But a /56 is at least a sane number. 256 local subnets should serve for a while even with more advanced local setups...)

Back to topic: How to allocate the customer network?
This customer allocation could be now:

  • In the same network as the allocation for the WAN link; or
  • from a dedicated network.

If I got your example right...

$ sipcalc 2001:db8:2003:abc0::/59 -S /60
-[ipv6 : 2001:db8:2003:abc0::/59] - 0

[Split network]
Network                 - 2001:0db8:2003:abc0:0000:0000:0000:0000 -
                          2001:0db8:2003:abcf:ffff:ffff:ffff:ffff
Network                 - 2001:0db8:2003:abd0:0000:0000:0000:0000 -
                          2001:0db8:2003:abdf:ffff:ffff:ffff:ffff

Maybe they just burn their address space and use only a single /64 for the uplink out of that first /60 and use the second /60 as PD. Don't know...

I'm with Deutsche Telekom, and it looks like they serve customers per region from a /40, where the uplinks are coming from the very last /48 and all /56 PD are within the /40. So they serve around 65K customers per /40.

wan: 2003:e4:bfff:xxxx:1234:5678:9abc:def0/64
lan: 2003:e4:bfab:cd00::/56

You mainly do this for routing efficiency. So within their core network / backbone, there are only a handful of routes to my city.

(You will also see that the default OpenWrt installation enables the user to "daisy chain" routers. Like if your ISP gives a /56, your LAN will show you it has a /60, and you can now plug in another OpenWrt router (with its WAN port) into a LAN-port of the first one, and the 2nd router gets its "own" /64 out of that /60.)

I hope this makes sense. I got a cold and my brain feels dizzy. If something is unclear, feel free to ask again, then I'll try again...
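The prefix arithmetic from the reply above, as an added example that is not part of the original thread: it reproduces the `sipcalc` split, shows that an on-link WAN /64 and a separately delegated /60 can be the two halves of one /59, and carves per-segment /64s out of the delegated prefix. All prefixes are constructed from the documentation range 2001:db8::/32, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation range), shaped like the thread's
# case: an on-link WAN /64 and a separately delegated /60.
WAN_ONLINK = "2001:db8:2003:abc8::/64"
DELEGATED = "2001:db8:2003:abd0::/60"

def split(prefix, new_len):
    """Sub-prefixes of `prefix` at length `new_len` (what `sipcalc -S` lists)."""
    return list(ipaddress.ip_network(prefix).subnets(new_prefix=new_len))

def common_supernet(a, b):
    """Smallest prefix that covers both `a` and `b`."""
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    net, other = (a, b) if a.prefixlen <= b.prefixlen else (b, a)
    while not other.subnet_of(net):
        net = net.supernet()          # widen by one bit at a time
    return net

def count_64s(pd):
    """How many /64 LANs fit in a delegated prefix."""
    return 2 ** (64 - ipaddress.ip_network(pd).prefixlen)

def lan_plan(pd, names):
    """Give each named LAN segment its own /64 out of the delegated prefix."""
    pd = ipaddress.ip_network(pd)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    subnets = pd.subnets(new_prefix=64)   # generator, a /48 is never expanded
    plan = {}
    for name in names:
        try:
            plan[name] = next(subnets)
        except StopIteration:
            raise ValueError(f"{pd} has no /64 left for {name!r}") from None
    return plan

if __name__ == "__main__":
    wan, pd = ipaddress.ip_network(WAN_ONLINK), ipaddress.ip_network(DELEGATED)
    print("WAN /64 inside the PD:", wan.subnet_of(pd))
    print("block covering both:  ", common_supernet(WAN_ONLINK, DELEGATED))
    for half in split("2001:db8:2003:abc0::/59", 60):
        print("  /60 half:", half)
    print("/64s in the PD:", count_64s(DELEGATED))
    for name, net in lan_plan(DELEGATED, ["trusted", "iot", "guest", "wfh"]).items():
        print(f"  {name:8} {net}")
```
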
