SonicOS 8 IPv6 Prefix Delegation (Router Advertisement)
Description
RA Prefix Delegation, an upstream router or ISP device advertises a prefix via Router Advertisement (RA). The firewall receives this prefix on the WAN interface and delegates sub-prefixes to downstream LAN-side interfaces. This mode uses route-based forwarding, providing the same logical function as NDP Proxy with greater security and control.
RA Prefix Delegation
Background
In some network deployments, the upstream router or ISP device advertises an IPv6 prefix to the customer firewall via Router Advertisement (RA) rather than through DHCPv6. The firewall receives this RA-advertised prefix on its WAN interface and uses it as the source for delegating sub-prefixes to downstream LAN-side interfaces.
This mechanism provides the same logical addressing function as NDP (Neighbor Discovery Protocol) Proxy, enabling LAN-side hosts to obtain IPv6 addresses from the upstream prefix, but operates in route mode rather than proxy mode. Because traffic is routed through the firewall at Layer 3, RA Prefix Delegation is more secure and offers greater administrative control than NDP Proxy.
|
SonicOS 8: SonicOS supports RA Prefix Delegation on WAN interfaces. When an upstream router advertises a prefix via RA, the firewall can receive that prefix on the WAN interface and delegate sub-prefixes downstream. Route mode ensures that all traffic between upstream and downstream segments passes through the firewall's routing and security policies. |
Prerequisites
- The WAN interface must be configured to receive IPv6 addresses via RA (SLAAC or Static mode with RA listening enabled).
- The upstream router must be configured to advertise the delegated prefix via RA.
Configuration
RA Prefix Delegation is configured on the WAN interface: Network > Interfaces > IPv6 Tab > select the WAN interface > Advanced Tab.
-kA1VN000001IqQz0AK-0EMVN00000TTW73.jpg)
For step-by-step configuration instructions, refer to the SonicOS 8 Administration Guide.
Comparison between DHCPv6 & RA Prefix Delegation
|
|
DHCPv6 Prefix Delegation |
RA Prefix Delegation |
|
Prefix Source |
DHCPv6 server (ISP assigns prefix via DHCPv6) |
Upstream router (prefix advertised via Router Advertisement) |
|
WAN Interface Address from Prefix |
Supported, assign an address from the delegated prefix to the WAN interface itself |
Not applicable, prefix is received on the WAN interface from RA |
|
Downstream Prefix Distribution |
Sub-prefixes assigned to LAN-side interfaces |
Sub-prefixes delegated to LAN-side interfaces via route mode |
|
Forwarding Mode |
Route mode |
Route mode |
|
NDP Proxy Equivalent |
No |
Yes, implements NDP Proxy functions without L2 proxy behavior |
|
Configuration Location |
WAN IPv6 Interface -> <Edit> -> General Tab -> (Enable DHCPv6 prefix delegation & send preferred delegated prefix)
WAN IPv6 Interface -> <Edit> -> <Advanced Tab> -> (Delegated Prefix Assignment, Preferred IPv6 Address, Preferred Prefix Length) |
WAN IPv6 Interface -> <Edit> -> Advanced Tab -> Advanced Settings
|
Real-World Use Cases
|
Use Case |
Scenario |
Outcome |
|
Upstream Router Advertising Prefix via RA |
A service provider or upstream router advertises a prefix to the firewall via RA. The firewall must distribute sub-prefixes to multiple LAN-side segments so that downstream hosts can obtain IPv6 addresses from the upstream prefix range. |
RA Prefix Delegation is configured on the WAN interface. The firewall receives the RA-advertised prefix and delegates sub-prefixes to LAN interfaces in route mode. Security and routing policies apply normally to all inter-segment traffic. |
|
Replacing NDP Proxy with RA Prefix Delegation |
An existing deployment uses NDP Proxy to share an upstream IPv6 prefix with downstream hosts. The organization wants to migrate to a more secure and controllable architecture without changing the upstream prefix advertisement method. |
RA Prefix Delegation is configured in place of NDP Proxy. The upstream router continues to advertise the prefix via RA. The firewall delegates the prefix downstream in route mode, giving the administrator full visibility and policy control over inter-segment traffic. |
Summary
SonicOS 8 supports RA Prefix Delegation on WAN interfaces, enabling the firewall to receive an IPv6 prefix advertised by an upstream router via Router Advertisement. The firewall can then delegate sub-prefixes to downstream LAN interfaces operating in route mode. This approach implements the logical function of NDP Proxy while maintaining the security and control of Layer 3 routing, making it the preferred method where traffic visibility and policy enforcement are required.
RA Prefix Delegation is configured on the WAN interface under Network > Interfaces > IPv6 Tab > <Edit Interfaces> > Advanced Tab.
