Sunday, March 30, 2025

Verizon FIOS and IPv6

tl;dr - if you want to run IPv6 on an internal network with an internal router behind a FIOS G1100 router, you must carve up a different /64 network from the /64 the FIOS gives you on the LAN interface, and then also update the FIOS G1100 route table to have a static route to this different /64 network, passing it to the "WAN" interface of your internal router which is really just connected to the LAN interface of the FIOS G1100 router.



IPv6, it's been around for a while. Verizon supports it and if I look at my Verizon Fios-G1100 router, I can also turn on IPv6:



and Verizon gives me a /56 network. Fun Fact! That /56 network gives me 4,722,366,482,869,645,213,696 possible IP addresses. The number is four sextillion, seven hundred and twenty-two quintillion, three hundred and sixty-six quadrillion, four hundred and eighty-two trillion, eight hundred and sixty-nine billion, six hundred and forty-five million, two hundred and thirteen thousand and six hundred and ninety-six. That's a lot of IP addresses.

What's interesting is the Fios-G1100 is configured to act as a DHCP server and so gives out a /64 address on the LAN:


This /64 in turn gives me 18,446,744,073,709,551,616 IP addresses, which is only eighteen quintillion, four hundred forty-six quadrillion, seven hundred forty-four trillion, seventy-three billion, seven hundred nine million, five hundred fifty-one thousand, six hundred and sixteen.

So I have a singular Linux router behind my Fios-G1100 so I can have more options with experimenting with stuff, and on the Linux router on my public interface, I see:

3: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1c:1b:0d:03:bb:ec brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute enp0s31f6
       valid_lft forever preferred_lft forever
    inet6 2600:1234:5678:abcd:1e1b:dff:fe03:bbec/64 scope global
       valid_lft 1258sec preferred_lft 1258sec
    inet6 fe80::1e1b:dff:fe03:bbec/64 scope link
       valid_lft forever preferred_lft forever

So it gives out a singular /64 to me, which is fine here. A bit strange that to Verizon I have a singular machine on my network. With IPv4, I'm running NAT so I get 192.168.1.2 here, with the Verizon router being 192.168.1.1. With IPv6, I get a public IP on the /64 network carved out from the /56 network. So that's one /64 network out of 255 possible in the /56. The challenge for me was that internally I wanted to have the /64 network available to all my boxes behind my Linux router. That didn't work, as I wanted the LAN side of the Linux router to use the same 2600:1234:5678:abcd::/64 network as its WAN side, which is the /64 network assigned on the LAN side of the FIOS router. That confused routing of various things on the Linux side after setting up IP forwarding.

Here's how I was trying to define the LAN interface, which is wrong:

2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 1c:1b:0d:03:bb:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global noprefixroute enp8s0
       valid_lft forever preferred_lft forever
    inet6 2600:1234:5678:abcd:1e1b:dff:fe03:bbee/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1e1b:dff:fe03:bbee/64 scope link
       valid_lft forever preferred_lft forever

I spent a fruitless week googling, using AI assistance, and generally learning about IPv6 and routing, and got all sorts of advice, ranging from "this should just be working" to the suggestion that I turn off the majority of functionality in my FIOS router, which should then enable a hidden "bridge mode" on the router that would in effect give the entire /56 to my Linux router WAN interface, which would then let it carve that /56 into a /64 on the LAN interface. This may have worked, but then I would lose functionality of the FIOS router, including any out of the box firewall protection that I'm not yet confident I would be able to do in my Linux router.

The solution, as I stumbled across it, is to actually carve up a different /64 network for my internal Linux router LAN address and then configure the FIOS router to have a static route to that network:

2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 1c:1b:0d:03:bb:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global noprefixroute enp8s0
       valid_lft forever preferred_lft forever
    inet6 2600:1234:5678:abce:1e1b:dff:fe03:bbee/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1e1b:dff:fe03:bbee/64 scope link
       valid_lft forever preferred_lft forever

The subtle part in there being my Linux router WAN interface (defined automatically by the FIOS router LAN side) is 2600:1234:5678:abcd:1e1b:dff:fe03:bbec/64, but my carve out for the internal LAN is 2600:1234:5678:abce:1e1b:dff:fe03:bbee/64. The notable difference being the "abcd" on the WAN side and the "abce" on the LAN side, so one address range higher in my /56 range given out by Verizon.

Then on the FIOS router, under the routing table:



I add a route entry with a Destination network of 2600:1234:5678:abce::/64 being sent to the Gateway of 2600:1234:5678:abcd::/64, which is the Verizon FIOS assigned LAN address that I am using for the WAN address on my Linux router. This makes sure that when any packets I have sent out get returned to the FIOS router, it knows to just pass them off to my Linux router, which can then send them to my devices on my local IPv6 network.
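The addressing plan above can be checked before touching either router. This is an added example, not code from the original post: it flags a LAN prefix that reuses the WAN-side /64, picks the next free /64 in the delegated block, and derives the EUI-64 style address seen in the interface listings. The function names, the 2600:1234:5678:ab00::/56 block (inferred from the addresses shown) and the use of the Linux router's WAN address as the route gateway are assumptions.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID: flip the universal/local bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def check_lan(delegated, wan_addr, lan_addr):
    """Return the problems with a proposed LAN address (empty list means usable)."""
    block = ipaddress.ip_network(delegated)
    wan = ipaddress.ip_interface(wan_addr)
    lan = ipaddress.ip_interface(lan_addr)
    problems = []
    if not lan.network.subnet_of(block):
        problems.append("LAN prefix is outside the delegated block")
    if lan.network.overlaps(wan.network):
        problems.append("LAN prefix overlaps the WAN-side /64")
    return problems

def plan_lan(delegated, wan_addr, lan_mac, taken=()):
    """Pick the next free /64 above the WAN /64; return LAN address and static route."""
    block = ipaddress.ip_network(delegated)
    wan = ipaddress.ip_interface(wan_addr)
    if not wan.network.subnet_of(block):
        raise ValueError("WAN /64 is not inside the delegated block")
    used = {ipaddress.ip_network(t) for t in taken}
    for net in block.subnets(new_prefix=64):
        if net.network_address > wan.network.network_address and net not in used:
            break
    else:
        raise ValueError("no free /64 above the WAN /64")
    host = ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(lan_mac))
    return {
        "lan_address": f"{host}/64",
        "route_destination": str(net),
        # Assumption: the upstream route points at the Linux router's WAN address.
        "route_gateway": str(wan.ip),
    }

if __name__ == "__main__":
    BLOCK = "2600:1234:5678:ab00::/56"  # assumed /56 containing the post's addresses
    WAN = "2600:1234:5678:abcd:1e1b:dff:fe03:bbec/64"
    print(check_lan(BLOCK, WAN, "2600:1234:5678:abcd:1e1b:dff:fe03:bbee/64"))
    print(plan_lan(BLOCK, WAN, "1c:1b:0d:03:bb:ee"))
```

Hosts on the planned LAN /64 receive globally routable addresses, so the firewall on the upstream router or on the Linux router is the only thing filtering inbound traffic to them.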

None of this was obvious to me, and I suspect not many people are running their own custom Linux router behind the FIOS router and so don't need to do this additional route. I suspect people who are smart enough to run their own Linux router just inherently understand this route on the FIOS router thing, and so don't need guides on how to set it up. I am in this in-between world where I do need the guide, but also have the custom stuff internally that I sort of (?) understand. So here we are, me writing down this note since it took a week of figuring out and I wanted to immortalize the solution.

