*** The Official IPv6 thread ***

Rather than fill the Ubiquiti thread with IPv6 questions, I thought I'd start a dedicated topic. [Note to mods: if this is OK, you could even give it the official stars].


So, I'm with Aquiss, and my package includes an IPv6 /56 PD. I've successfully set this up on my Cloud Gateway Ultra, and I can turn on IPv6/SLAAC on each of my internal networks/VLANs. I've tried this on a couple, and each network/VLAN gets a /64 network address within my /56 PD range as expected. What I'm struggling with is how I sort my internal resources and VLANs - it's all straight in my head with IPv4, but IPv6 feels like a whole other ball game.

IPv4 Setup
VLAN 1 (Default): 192.168.1.0/24
VLAN 2 (IoT): 192.168.2.0/24
VLAN 4 (Trusted/Main): 192.168.4.0/24
VLAN 5 (Servers): 192.168.5.0/24
VLAN 99 (Guest): 192.168.99.0/24 -- set as "isolated" and "guest", DHCP provides DNS server addresses 1.1.1.1 and 1.0.0.1

Each of these VLANs/subnets has DHCP provided by the UCG and sets DNS servers as 192.168.5.2 and 192.168.5.3, with all the requisite firewall rules to allow that across VLANs etc. Easy.

IPv6 Setup
ISP provided PD (masked, of course): 2001:xxxx:xxxx:xx00::/56.

I turned on IPv6 on the WAN port, told it to use SLAAC, prefix delegation, and a delegation size of 56 (as above).

I turned on IPv6 for VLAN 4, with settings:
Interface Type: Prefix Delegation
PD interface: WAN1
PD ID: Auto (this is forced in the latest UniFi network application)
Client Address Assignment: SLAAC.

With this setup, the UCG gave itself a gateway address and subnet of 2001:xxxx:xxxx:xx00::1/64. This makes sense. Devices got an IPv6 address in this subnet without issue.
I then enabled it for the guest network (99), with the UCG getting 2001:xxxx:xxxx:xx01::1/64. Again, this makes sense.

What isn't quite getting straight in my head is that all of these are effectively public IPs. The UCG has enabled some additional v6 firewall rules which look to be effectively blocking all incoming traffic to my v6 addresses except Established and Related, which makes sense and almost makes them "private" ranges in essence, if not technicality.

If I want to use my own DNS servers, I understand I need to set these as the DNS servers given out to SLAAC clients. I could set a static v6 address on each of my DNS servers, which I could make as simple as 2001:xxxx:xxxx:xx02::3 (presuming the xx02 network is what is handed out to my servers' network if I turn IPv6 on).



My two main questions are these:

Can I really just set the static address and hope nothing else tries to take that address via SLAAC (I know it's a very slim chance given the amount of available addresses in a /64)?
Do I just need to make some LANv6 rules in the same vein as my v4 rules to allow each v6 network to send DNS requests "internally" to the two servers' static addresses?
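Worked example (added here, not from the post or from UniFi): carving the per-VLAN /64s out of a /56 PD, deriving the static ::2/::3 DNS addresses on the servers VLAN, and producing the LANv6 allow-DNS rules the second question describes. The prefix is the RFC 3849 documentation range standing in for the masked ISP prefix, and the VLAN-to-prefix-ID mapping is pinned by hand (the UCG's "Auto" PD ID chooses these itself, so that mapping is an assumption).

```python
import ipaddress

# Constructed stand-in for the masked ISP /56 in the post (documentation prefix).
PD = ipaddress.IPv6Network("2001:db8:abcd:ff00::/56")

# VLAN -> prefix ID, i.e. the 8 bits between /56 and /64 (0x00..0xff, 256 subnets).
# Assumed mapping: the UCG's "Auto" PD ID allocates these itself.
VLAN_PREFIX_IDS = {1: 0x00, 2: 0x01, 4: 0x02, 5: 0x03, 99: 0x04}
SERVERS_VLAN = 5
DNS_HOST_IDS = (2, 3)  # v6 twins of 192.168.5.2 / 192.168.5.3


def vlan_subnet(pd, prefix_id):
    """Carve the /64 with the given prefix ID out of a /56 delegation."""
    if pd.prefixlen != 56 or not 0 <= prefix_id <= 255:
        raise ValueError("need a /56 and a prefix ID in 0..255")
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))


def gateway(subnet):
    """The UCG takes ::1 in each delegated /64, as the post observes."""
    return subnet[1]


def dns_servers(pd):
    """Static ::2 and ::3 on the servers VLAN; a fixed low IID like this is far from
    the 64-bit EUI-64/random IIDs SLAAC hosts pick, and DAD catches a clash anyway."""
    net = vlan_subnet(pd, VLAN_PREFIX_IDS[SERVERS_VLAN])
    return [net[i] for i in DNS_HOST_IDS]


def dns_allow_rules(pd):
    """LANv6 rules: each internal /64 may reach the DNS servers on 53/udp and 53/tcp.
    Guest (99) is left out to mirror the v4 design, where it gets public resolvers."""
    rules = []
    for vlan, pid in VLAN_PREFIX_IDS.items():
        if vlan == 99:
            continue
        for dst in dns_servers(pd):
            for proto in ("udp", "tcp"):
                rules.append({"src": str(vlan_subnet(pd, pid)), "dst": str(dst),
                              "proto": proto, "dport": 53, "action": "accept"})
    return rules


def vlan_of(pd, addr):
    """Which VLAN an address lives in (None if outside the PD or an unassigned /64)."""
    a = ipaddress.IPv6Address(addr)
    if a not in pd:
        return None
    pid = (int(a) - int(pd.network_address)) >> 64
    return next((v for v, p in VLAN_PREFIX_IDS.items() if p == pid), None)
```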
 
Yes! Love this idea.

I’m currently on Zen FTTP with a pfsense using only IPv4. There are guides to get 6 working however I am likely shortly moving to YouFibre so will probably wait until then.

Very keen to see if there are differences as implied with lower latency due to less NAT along the routes.
 
FWIW, I'm using a UDM-Pro on Lit Fibre and am running IPv6 without issues. Prior to Lit, I was with Giganet, and before that was with Aquiss, and in both cases was running IPv6 without issues.

I have a simple set-up, with just my main LAN and a single VLAN for IoT devices. However, the LAN is the only one using IPv6, I saw little point in having the VLAN set up to run IPv6 too.
 