IPv6 solution for provider only providing a /64
So, ChatGPT kept giving me *terrible* advice for what to do when a provider provides only a /64 and you have a firewall in front of your LAN.
The solution is actually fairly straightforward, provided you are using static or DHCP-assigned addresses:
0) Turn on routing and proxy ndp:
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.all.proxy_ndp=1
1) Install ndppd with a config file (ndppd.conf) similar to this:
route-ttl 30000
proxy ens192 {
    router yes
    timeout 500
    rule 2605:9f80:2000:110::/64 {
        static
    }
}
2) Create an interface on the upstream side of the firewall that is 2605:9f80:2000:110::2/64
3) Create an interface on the downstream side of the firewall that is 2605:9f80:2000:110:8000::1/65
4) Assign addresses inside that /65 to other things on the LAN
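A sanity check for the address plan in steps 1 to 4, as an added example that is not part of the original post: it confirms the downstream /65 sits inside the provider /64, that the upstream address stays out of the LAN half, that the ndppd rule covers the LAN, and that every host address lands inside the /65. The function name check_plan and the two LAN host addresses are assumptions made for illustration.

```python
import ipaddress as ip

def check_plan(provider, upstream_if, downstream_if, ndppd_rule, lan_hosts):
    """Validate a split-/64 plan; returns a list of (level, message) findings."""
    prefix, rule = ip.ip_network(provider), ip.ip_network(ndppd_rule)
    up, down = ip.ip_interface(upstream_if), ip.ip_interface(downstream_if)
    lan = down.network
    out = []
    if up.network != prefix:
        out.append(("ERROR", f"upstream {up} is not on provider prefix {prefix}"))
    if lan == prefix or not lan.subnet_of(prefix):
        out.append(("ERROR", f"LAN {lan} is not a proper subnet of {prefix}"))
    if up.ip in lan:
        out.append(("ERROR", f"upstream address {up.ip} falls inside LAN {lan}"))
    if not lan.subnet_of(rule):
        out.append(("ERROR", f"ndppd rule {rule} does not cover LAN {lan}"))
    elif rule != lan:
        out.append(("WARN", f"ndppd rule {rule} also matches addresses outside LAN {lan}"))
    seen = {down.ip}  # the firewall's own LAN-side address is already taken
    for host in lan_hosts:
        addr = ip.ip_address(host)
        if addr not in lan:
            out.append(("ERROR", f"host {addr} is outside LAN {lan}"))
        elif addr in seen:
            out.append(("ERROR", f"host {addr} duplicates an assigned address"))
        seen.add(addr)
    if lan.prefixlen > 64:
        out.append(("NOTE", f"/{lan.prefixlen} LAN: hosts need static or DHCP addresses"))
    return out

# Addresses from the steps above; the two host addresses are constructed samples.
PLAN = dict(
    provider="2605:9f80:2000:110::/64",
    upstream_if="2605:9f80:2000:110::2/64",
    downstream_if="2605:9f80:2000:110:8000::1/65",
    ndppd_rule="2605:9f80:2000:110::/64",
    lan_hosts=["2605:9f80:2000:110:8000::10", "2605:9f80:2000:110:8000::11"],
)

if __name__ == "__main__":
    for level, msg in check_plan(**PLAN):
        print(f"{level:5} {msg}")
```

The WARN line reflects that the /64 rule in the config above matches the upstream half of the prefix as well as the LAN /65.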
Advantages over the ChatGPT-suggested solution of manually entering a /128 route and creating a /128 entry and adding a fd00 interface to every host:
#1: It keeps the wire settings “honest”. Setting a /128 for each host means you are lying to the host about the wire. This can cause local traffic problems even if the router does route single-homed traffic.
#2: It’s *simple*. Set it up once, forget about it. Minimal configuration needed. No need to add additional configuration to the router as you add each host.
#3: It fits conventional subnetting rules. Even though normally one never assigns IPv6 subnets smaller than a /64 so that self-addressing can work correctly, if one is using statics or a DHCP server this works just fine, while also fitting the way we usually subnet IP networks.