New OpenWRT user coming over from pfSense. I've got a NanoPi r4s up and running connected to a Verizon fiber ONT (500/500). I'm just trying to get the basic configuration working smoothly, and make sure I understand it, before adding any packages. Everything seems to be working well, but I have one question about IPv6 that I haven't been able to answer.
I'm requesting a /56 from Verizon, and getting it. I can ping6 out from both the router and from clients with no problem, and in browsers I pass the IPv6 tests. Clients seem to be getting 3 or 4 IPv6 addresses, including public ones.
The one thing I don't understand: I have set the LAN "ipassign" option to 64. My LAN interface is getting assigned a /64, but all of my DHCP6 leases show /128 addresses in the lease table.
My questions:
Is it a problem to be getting assigned /128's in the lease table?
Should I change the "ipassign" option on the LAN to /60?
Yes, a subnet is the size of a /64, but a single address is a /128. And a DHCP-assigned host address is a single address.
In IPv4 land we needed the subnet mask, but not with DHCPv6.
The reason to have larger than a /64 on a LAN is to support routers downstream. If there are no such routers, only endpoint devices, each device will have one (or more) single IPs (/128) within the /64. Multiple IPs per device was a plan to implement some obscurity; for example, different browser tabs could use a different IP so they can't be cross-tracked simply. Though being in the same /64 means they are at least in the same house, if not on the same device.
It doesn't hurt to set /60 so there is support for routers downstream. When a router connects, it could request a separate /64 or /62 prefix, which is inside the /60; thus everything from the Internet routes to it without NAT. The downstream router then assigns out of its separate prefix and it does not need to coordinate with upstream. All the endpoints on the upstream LAN (including the WAN interface of routers) will still be in the first /64 of that /60. That is set aside and can't be delegated downstream.
Thanks @_bernd and @mk24 – this is very clarifying. I have had a hard time wrapping my mind around IPv6, but with your responses I feel like I'm starting to see how it all goes together.
I have no downstream routers, so it seems like setting it at /64 causes me no problems, but that I could also switch to /60 and make space for that contingency in the future.
OpenWrt insists on activating both DHCPv6 and ULAs by default for some reason. That's probably why you have additional addresses, especially if combined with SLAAC with privacy addresses.
Not only downstream routers: having multiple /64 subnets also becomes necessary if your single router should service different networks (guest, IoT, VPN, ...). ISPs who only hand out a single /64 are broken.
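The prefix arithmetic discussed in this thread, as an added example that is not from any of the posters and is not OpenWrt's own code: it reserves the first /64 of the LAN assignment for on-link hosts, grants downstream requests from the remainder, and checks that a lease is a single address inside the on-link /64. The `2001:db8:1200::/56` prefix, the function names and the lowest-free-block policy are assumptions made for illustration.

```python
import ipaddress

def _net(prefix):
    return ipaddress.ip_network(str(prefix))

def first_block(parent, length):
    """Lowest-numbered block of the given prefix length inside parent."""
    return next(_net(parent).subnets(new_prefix=length))

def carve(lan_prefix, requests):
    """Reserve the first /64 of lan_prefix for hosts on the LAN itself, then
    grant each requested prefix length the lowest free aligned block.
    Illustrative policy only (assumption), not the router's real allocator."""
    lan = _net(lan_prefix)
    on_link = first_block(lan, 64)
    taken, grants = [on_link], []
    for length in requests:
        grant = None
        if lan.prefixlen <= length <= 64:
            for cand in lan.subnets(new_prefix=length):
                if not any(cand.overlaps(t) for t in taken):
                    grant = cand
                    taken.append(cand)
                    break
        grants.append(grant)  # None means nothing left to delegate
    return on_link, grants

def lease_is_single_host_on_link(lease, on_link):
    """A lease table entry is one address (/128) inside the on-link /64."""
    net = _net(lease)
    return net.num_addresses == 1 and net.subnet_of(_net(on_link))

ISP_PREFIX = "2001:db8:1200::/56"  # constructed, documentation range

if __name__ == "__main__":
    for assign in (64, 60):
        lan = first_block(ISP_PREFIX, assign)
        on_link, grants = carve(lan, [64, 62])
        print(f"LAN assigned {lan}: on-link {on_link}, downstream {grants}")
    # constructed lease entry
    print(lease_is_single_host_on_link("2001:db8:1200::a1c/128",
                                       "2001:db8:1200::/64"))
```

With a /64 assigned to the LAN every downstream request comes back `None`, while a /60 leaves room for the /64 and /62 requests and the hosts' /128 leases are unchanged either way.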