simple DHCPv6 config with /56-Prefix

Adam Nielsen a.nielsen at shikadi.net
Sun Aug 21 07:51:52 UTC 2022


I'm far from an expert, so don't take my suggestions as guaranteed.

> I got 2001:db8:0:100::/56  for my LAN, and what I want is the
> following:

Great.  So with a /56, it means you can further delegate a bunch of /64
subnets.  You probably don't want to use the whole /56 as a single
subnet.

> that the DHCP only hands out IPv6 addresses within this range:
> 2001:db8:0:17f::/64

So you've picked a single /64 for DHCP clients?  What other /64 subnet
have you selected for the other hosts in your LAN?

> the router - runs BIND, DHCP, DHCPv6, ... - has on its LAN side the 
> following IPv6 address
> 2001:db8:0:100::1/56         <-- is this correct?

I don't think it is.  If you're putting hosts in at the /56 level, then
you have a single /56 subnet so you can't further break it up into
smaller subnets.  If you want multiple subnets then whatever size you
break this up into (/57, /58, etc.) you need to keep that same subnet
size for all of them at that level.  For example you can have one /56,
two /57, four /58, or 256 /64s.  But you can't have a /56 and a /64 that
overlap and share some of the same IPs as it will lead to confusion.

Each of these subnets you can split further (so e.g. if you have two
/57s then you can keep one as a /57 and split the other /57 into 128
/64s) however what you can't do is have a single IP that belongs to two
different subnets at the same time.

Since your router is assigned to 2001:db8:0:100::1/56, this /56 also
includes your 2001:db8:0:17f::/64 DHCP subnet.  So if you picked a
random IP like 2001:db8:0:17f::1, which subnet does that belong to?

Technically it is in both the /64 and the /56 at the same time, which
leads to confusion.  This is because when 2001:db8:0:17f::1/64 wants to
send a message to 2001:db8:0:100::1/56, it's outside the /64 subnet so
it will try to contact a gateway.  But when 2001:db8:0:100::1/56
replies, it thinks 2001:db8:0:17f::1/64 is within its own subnet so
there is no need to reply via a gateway.  But then when
2001:db8:0:17f::1/64 receives the reply direct from an IP outside its
subnet that didn't come from a gateway, it will probably discard the
packet as invalid, and so the two hosts are unable to connect to each
other.

> I also gave the LAN interface this scope local IPv6 address: fe80::1/64

This is fine, but as above, the confusion is more around when packets
should/shouldn't go via this gateway.

> and my local mail server [a Linux] with this:
>       2001:db8:0:101::4d:4149:4c30/56
> 
> why is it possible for this VM to connect to my workstation without
> any problems, but has troubles connecting to the mail server?

You'll probably find it can contact the mail server fine, but the mail
server cannot send any packets back as it does not realise those
packets need to be sent via a gateway.  It thinks the VM is in the same
subnet as it is, so it tries to contact it directly, which is incorrect.

> when I change the prefix length of the mail server from 56 to 64, it
> works?

When you do this it's clear to both ends that they are in a different
subnet, and thus they need to send all their packets via the gateway,
in both directions.

Note that if you put all your DHCP clients in one /64 and your servers
in another /64, all traffic between the two subnets will transit via
your router.  Assuming all machines are connected to the same switch
this is quite inefficient, as all network traffic will be pushed
through a single host (your router) even when the machines could
have communicated with each other directly via the switch.

If this is your setup, you will get better performance by assigning a
single /63 that covers all devices plugged into the switch, and then
allocating half of that (equivalent to a /64) to DHCP and putting your
servers in the other half of the /63.  This way, all machines are in the
same /63 subnet so they can communicate with each other directly, and
you avoid forcing all traffic through your router, which will then only
need to handle traffic entering and leaving the /63 subnet.

Hopefully this makes sense!

Cheers,
Adam.
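
The asymmetric on-link decision described in the message above can be checked mechanically. The following is an added example, not part of the original post: it uses the addresses quoted in the thread plus a hypothetical VM address from the DHCP /64, and assumes each host treats the prefix configured on its own interface as on-link.

```python
import ipaddress
from itertools import combinations

# Constructed sample: router and mail server as quoted in the thread.
# The VM address is hypothetical, picked from the 2001:db8:0:17f::/64 DHCP range.
HOSTS = {
    "router": "2001:db8:0:100::1/56",
    "mail": "2001:db8:0:101::4d:4149:4c30/56",
    "vm": "2001:db8:0:17f::1/64",
}


def on_link(src_iface, dst_iface):
    """True if src would send to dst directly instead of via a gateway.

    Assumption: a host treats its own configured prefix as on-link.
    """
    src = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_interface(dst_iface)
    return dst.ip in src.network


def asymmetric_pairs(hosts):
    """Return (direct, via_gw) name pairs where only one side sees the other as on-link."""
    bad = []
    for a, b in combinations(sorted(hosts), 2):
        ab = on_link(hosts[a], hosts[b])
        ba = on_link(hosts[b], hosts[a])
        if ab and not ba:
            bad.append((a, b))
        elif ba and not ab:
            bad.append((b, a))
    return bad


if __name__ == "__main__":
    for direct, via_gw in asymmetric_pairs(HOSTS):
        print(f"{direct} sends directly to {via_gw}, "
              f"but {via_gw} sends to {direct} via the gateway")
    # Changing the mail server's prefix length from 56 to 64, as in the thread:
    mail_fixed = dict(HOSTS, mail="2001:db8:0:101::4d:4149:4c30/64")
    print("mail/vm still asymmetric:", ("mail", "vm") in asymmetric_pairs(mail_fixed))
```
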

