Divide large IPv6 network into subnets

Hi there,

maybe the answer to my questions is quite obvious and I just don't see the forest for the trees...
But I currently don't have a clue and I don't even know how to search for the answer.
So please also bear with me if the question was already answered thousands of times and I didn't find it.

My provider provides me with an IPv6 network 2001:db8:1::/48.

My Sophos UTM has the IP address 2001:db8:1::2 on its Internet interface (eth0). The provider's endpoint has the address 2001:db8:1::1.

From an IPv6-enabled host in the Internet, I am able to reach both 2001:db8:1::1 and 2001:db8:1::2. So far so good.

As this is a very large network, I would like to split it up into several smaller ones. I am unsure how to accomplish that. (My provider did not delegate a separate subnet which I could use...)

So I thought, I assign the network 2001:db8:1:100::/64 to eth1 with eth1 having the IP address 2001:db8:1:100::1 and a client in that network having 2001:db8:1:100::2.

I thought, the UTM should receive all the network packets for the /48 subnet and it can decide to which interface the packets are to be forwarded to, i.e. all packets in the network 2001:db8:1:100::/64 should be forwarded to eth1, as the firewall knows this subnet. (Although now, there are two network interfaces in the same network - at least as eth0 understands the networks. The eth1's address (and whole address space) is in the same network where also eth0's IP address lies... So somehow, this seems wrong...)

I cannot reach either 2001:db8:1:100::1 or 2001:db8:1:100::2. Does anyone have an idea what I am doing wrong?

Or isn't that possible at all with the IP address and subnet given from my provider? (But why does my provider give me a /48 network, then?)

Any help would be highly appreciated.

Best regards


  • I posted a reply but the forum software found it to be "abusive".  Hopefully one of the mods will fix it. Otherwise we may have to continue this discussion on twitter..

  • I am still not sure if we are talking about the same thing.

    Basically, my question is:

    Do i need to have two IPv6 addresses/blocks in order to be able to connect my network to the Internet using Sophos UTM or is it sufficient to just have one?

    On this connection I have the block aaaa:bbbb:cccc::/48. That's it. They say that their endpoint is aaaa:bbbb:cccc::1 and I can use every address in that address space. 

    Other providers also give me an IPv6 address (aaa:bbbb:cccc::1) and also a delegated prefix (dddd:eeee:ffff::/48).
    These configurations work perfectly fine.

    But that one configuration does not.
    So, the only question I would like to be answered is if both configurations can be used to assign public IPv6 addresses to all clients behind the UTM.



  • Realistically speaking, one is sufficient as there is no nat going on with ipv6. Your isp gives you a block of up to 2^16 (65536) routable ipv6 subnets.  It's up to you how you choose to divvy it up.

    Do you have vlans? If so, I'd assign one /64 ipv6 subnet to each. ie a:b:c:1::/64, a:b:c:2::/64, etc..

  • One of the things I learned when allocation subnets is: think bigWink

    You have multiple sites / locations? Reseve one digit just for the site: Routing a /50 or /52 is much easier than enumerating single /64 in case you just coutnted them up.

    Different network types (management / office / production / DMZ / visitors)? Reserve a digit. It makes firewall zones mich easier.

    For the last, sinche we user RFC1918 nets internally (192.168.x.y) we reserve the last byte before the /64 for the x. So you simply see, which IPv4 space belongs to which IPv6. With 172.16.x.y the same, just other zone.

    Our border gateway is also a sohos utm (actually a HA pair) with a /48 from Deutsche Telekom, several Site2Site tunnels, VPN and all that stuff. Works well.

  • Thanks for your answers.
    Please bear with me, I still don't fully understand what's going wrong here.
    Maybe you can explain some basic IPv6 principles to me. Maybe I found how to summarize my problem.


    I have one Sophos UTM.
    Three network interfaces are connected:
    - eth0 (Internet)
    - eth1 (LAN 1)
    - eth2 (LAN 2)

    The network space I receive from my provider is 2001:db8:1::/48.
    As this is the network that is connected to eth0, I assign the IPv6 address 2001:db8:1::2 to eth0 and the prefix length is /48.
    The provider told me they have the IPv6 address 2001:db8:1::1. So, everything is fine on that interface. (hopefully...)

    On eth1, I want to have a subnet of this big network, let's say I want to have 2001:db8:1:100::/64 on eth1, with eth1 having the IPv6 address 2001:db8:1:100::1.

    On eth2, I want to have another subnet of this big network. The network there is 2001:db8:1:200::/64. The IPv6 address on eth2 is 2001:db8:1:200::1.

    A client in the LAN2 network (e.g. 2001:db8:1:200::5) now wants to send a packet to 2001:db8:1:100::39.

    The question now is: To which network interface should the UTM send that packet?
    The destination IPv6 address is part of both the networks on eth0 and eth1.

    Or (in other words): the network 2001:db8:1:100::/64 is available both on eth1 (as is) and on eth2 (as part of the bigger network from the provider). Is this a valid configuration? Is it okay that multiple network interfaces take care of the same IP network?

    I think, this pretty much summarizes what is unclear to me.
    With all the other providers, where I get a delegated prefix in addition to my IPv6 IP address and a remote gateway address, the connection is working perfectly fine (as the delegated network is part of another network as the UTM's IPv6 address).

    I definitely think that there's some point where I am wrong, but I don't know where that point is. Which part of my setup is wrong? How to solve the issue with the same IP network on multiple interfaces?

    Any help or hint would be highly appreciated.