My ISP has kindly handed me a /64 prefix, and I'm building an Ubuntu router, as most of my existing equipment is too old to support IPv6. Using various articles, I've managed to get it mostly working, but most examples I've found are centered around tunnel routers, which I've also built, but I guess I'm looking more for best practices when it comes to a native IPv6 router/firewall.
As background, eth0 is my internal interface, and eth1 is external. I currently have something like:
iface eth0 inet6 static
address 2605:xxxx:yyyy:zzzz::1
netmask 64
iface eth1 inet6 static
address 2605:xxxx:yyyy:zzzz::2
netmask 64
Connectivity has been verified in/out on eth1, so I'm being routed correctly by my ISP. I'm planning on using radvd on eth0. I'm also planning on using ip6tables as the firewall.
Where I'm fuzzy is how (or if) I should sub-divide my prefix. I have a number of VLANs accessible to eth0, though given the age of my equipment, I'll probably have to route them via this (virtual) router, so I may end up with either more interfaces or use trunking in some form on eth0.
Most of the machines on this network are virtual, largely on two VLANs. There are probably fewer than 200 active machines, most IPv6-capable.
I originally considered building a bridge instead of a router, but I do want some protection on my network - most machines only want outbound access, and we won't be hosting any public servers at this point.
My questions are pretty basic:
- From a best-practices standpoint, what prefix should I use for a VLAN/subnet? /72? /68?
- Should eth0 and eth1 be on separate subnets? Is this a dumb question?
- Should I be using a bridge instead of a router? Advantages/disadvantages?
My main issue is that there don't seem to be a lot of native examples out there that aren't simple, aren't about Cisco equipment, or don't use BGP. One, good simple example would probably answer all my questions.
Thanks!
