SonicOS 8 IPv6 Prefix Delegation (Router Advertisement)

Description

RA Prefix Delegation, an upstream router or ISP device advertises a prefix via Router Advertisement (RA). The firewall receives this prefix on the WAN interface and delegates sub-prefixes to downstream LAN-side interfaces. This mode uses route-based forwarding, providing the same logical function as NDP Proxy with greater security and control.

 

RA Prefix Delegation

Background

In some network deployments, the upstream router or ISP device advertises an IPv6 prefix to the customer firewall via Router Advertisement (RA) rather than through DHCPv6. The firewall receives this RA-advertised prefix on its WAN interface and uses it as the source for delegating sub-prefixes to downstream LAN-side interfaces.

This mechanism provides the same logical addressing function as NDP (Neighbor Discovery Protocol) Proxy, enabling LAN-side hosts to obtain IPv6 addresses from the upstream prefix, but operates in route mode rather than proxy mode. Because traffic is routed through the firewall at Layer 3, RA Prefix Delegation is more secure and offers greater administrative control than NDP Proxy.

SonicOS 8:  SonicOS supports RA Prefix Delegation on WAN interfaces. When an upstream router advertises a prefix via RA, the firewall can receive that prefix on the WAN interface and delegate sub-prefixes downstream. Route mode ensures that all traffic between upstream and downstream segments passes through the firewall's routing and security policies.

 

Prerequisites

  • The WAN interface must be configured to receive IPv6 addresses via RA (SLAAC or Static mode with RA listening enabled).
  • The upstream router must be configured to advertise the delegated prefix via RA.

 

Configuration

RA Prefix Delegation is configured on the WAN interface: Network > Interfaces > IPv6 Tab > select the WAN interface > Advanced Tab.

 

For step-by-step configuration instructions, refer to the SonicOS 8 Administration Guide.

https://www.sonicwall.com/support/technical-documentation/docs/sonicos8-system/Content/Interfaces/interfaces-settings-ipv4-add-4to6-tunnel-interface.htm

Comparison between DHCPv6 & RA Prefix Delegation

 

DHCPv6 Prefix Delegation

RA Prefix Delegation

Prefix Source

DHCPv6 server (ISP assigns prefix via DHCPv6)

Upstream router (prefix advertised via Router Advertisement)

WAN Interface Address from Prefix

Supported, assign an address from the delegated prefix to the WAN interface itself

Not applicable, prefix is received on the WAN interface from RA

Downstream Prefix Distribution

Sub-prefixes assigned to LAN-side interfaces

Sub-prefixes delegated to LAN-side interfaces via route mode

Forwarding Mode

Route mode

Route mode

NDP Proxy Equivalent

No

Yes, implements NDP Proxy functions without L2 proxy behavior

Configuration Location

WAN IPv6 Interface -> <Edit> -> General Tab -> (Enable DHCPv6 prefix delegation & send preferred delegated prefix)

 

WAN IPv6 Interface -> <Edit> -> <Advanced Tab> -> (Delegated Prefix Assignment, Preferred IPv6 Address, Preferred Prefix Length)

WAN IPv6 Interface ->  <Edit> -> Advanced Tab -> Advanced Settings

  • Enable Listening to Router Advertisement
  • Enable Stateless Address Autoconfiguration
  • Enable RA Delegation Upstream
  • RA Delegation Downstream Interfaces

 

Real-World Use Cases

Use Case

Scenario

Outcome

Upstream Router Advertising Prefix via RA

A service provider or upstream router advertises a prefix to the firewall via RA. The firewall must distribute sub-prefixes to multiple LAN-side segments so that downstream hosts can obtain IPv6 addresses from the upstream prefix range.

RA Prefix Delegation is configured on the WAN interface. The firewall receives the RA-advertised prefix and delegates sub-prefixes to LAN interfaces in route mode. Security and routing policies apply normally to all inter-segment traffic.

Replacing NDP Proxy with RA Prefix Delegation

An existing deployment uses NDP Proxy to share an upstream IPv6 prefix with downstream hosts. The organization wants to migrate to a more secure and controllable architecture without changing the upstream prefix advertisement method.

RA Prefix Delegation is configured in place of NDP Proxy. The upstream router continues to advertise the prefix via RA. The firewall delegates the prefix downstream in route mode, giving the administrator full visibility and policy control over inter-segment traffic.

 

Summary

SonicOS 8 supports RA Prefix Delegation on WAN interfaces, enabling the firewall to receive an IPv6 prefix advertised by an upstream router via Router Advertisement. The firewall can then delegate sub-prefixes to downstream LAN interfaces operating in route mode. This approach implements the logical function of NDP Proxy while maintaining the security and control of Layer 3 routing, making it the preferred method where traffic visibility and policy enforcement are required.

 

RA Prefix Delegation is configured on the WAN interface under Network > Interfaces > IPv6 Tab > <Edit Interfaces> > Advanced Tab.

Related Articles

  • How to Block Google AI button
    Read More
  • A Consolidated Guide to the different object types
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More

Categories

Firewalls
NSa Series
Firewalls
TZ Series
not finding your answers?
Ask the Community
Chat