I notice one specific problem in your routing table. It specifies 2001:db8:14::/48 as directly attached to eth0. That should have been a /64. But I don't see how that could explain the symptoms.
One piece of information is clearly missing. The ISP router would have to be configured with a gateway address for 2001:db8:14::/48. If that gateway address is 2001:db8:14::2, the routing should be working correctly. If it is something else, then packets from outside cannot reach anything on your LAN, only the router WAN address would be reachable. That would explain why 2001:db8:14:a::1 is not reachable from outside. But 2001:db8:14::2 should still have been reachable from inside, which is puzzling.
The only way forward in such a situation is to repeat the pings that did not work, this time observing the network traffic on both interfaces of the router with tcpdump or equivalent.
When sending packets from outside, the eth0 interface on the router should see neighbor discovery for the gateway that the ISP assigned for your prefix. If sending packets to any address in your /48 results in neighbor discovery for the exact same address, then that address is the gateway address you should be assigning to eth0. There are a few other ways this can turn out; in that case you need to update your question with information about what traffic you actually see.
You're not going to get a gateway address inside the allocated /56 or whatever IPv6 block that's assigned to you and routed to your premises. If you somehow do, you politely ask the ISP to put someone on the phone who knows what they're doing. Or perhaps less than politely.
Usually, you don't have to worry about the upstream IPv6 address at all, as it will be autoconfigured as soon as you plug in your router. Most ISPs seem to be doing this with DHCPv6 (with prefix delegation), though it could also be done with straight up SLAAC if you have a statically assigned prefix.
Once the /56 comes into your network, you can subnet it however you like.
An example, with one possible (only partially fleshed out, and probably not very useful as-is) network design appears below. In any case, the IPv6 address of your upstream connection to your ISP is provided by the ISP and is outside your assigned prefix. You generally only need to worry about the inside interfaces. This example supposes you have an edge router with an integrated 4-port switch, such as many small business or SOHO routers.
    IPv6 Address: (static, DHCPv6)      IPv6 address: (SLAAC)
    2001:db8:3481:2000::2/64            2001:db8:3481:2000::021d:e1ff:fe1a:630
    Gateway: (static, DHCPv6)           Gateway: (SLAAC)
    2001:db8:3481:2000::1               fe80::0208:30ff:fe9d:aa61%ether1

         ISP <-----+
                   |ether1
         +---------+---------+
         |    Edge Router    |
         |-------------------|      Your Prefix: __
         |       \   /       |      2001:db8:3481:a700::/56
         |         X         |      ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
         |       /   \       |      Switch Ports example:
         |-------------------|
         | VLAN trunk/switch |      1: VLAN 1-64     2001:db8:3481:a700::/58
         +---------+---------+      2: VLAN 65-128   2001:db8:3481:a740::/58
                   |ether2          3: VLAN 129-192  2001:db8:3481:a780::/58
                   +----> Core      4: VLAN 193-256  2001:db8:3481:a7c0::/58
Downstream in your core, you can further subnet these at core routers (or even layer 3 switches, more SOHO routers, etc.). I've also assumed every /64 will be on its own VLAN, though whether you do that is another detail you'll have to work out on your own.
You can also use DHCPv6 with prefix delegation to actually handle the addressing, which is probably easiest. Or you can go with SLAAC, which requires a bit more setup, or even assign manually, which I wouldn't generally recommend simply because it would be too labor intensive.
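The addressing plan in the diagram above can be checked mechanically. This is an added example, not part of the original answer: it maps a VLAN to its /64 inside the /56 and audits a set of inside-interface prefixes. The function names, the one-/64-per-VLAN numbering and the interface names in the test data are assumptions.

```python
import ipaddress

# Prefix and gateway come from the diagram above; function names and the
# VLAN-to-/64 numbering are assumptions made for this example.
DELEGATED = ipaddress.ip_network("2001:db8:3481:a700::/56")
WAN_GATEWAY = ipaddress.ip_address("2001:db8:3481:2000::1")
VLANS_PER_PORT = 64


def vlan_subnet(vlan, delegated=DELEGATED):
    """Map VLAN 1-256 to (switch port, /58 block, /64 subnet)."""
    if not 1 <= vlan <= 256:
        raise ValueError("the diagram only covers VLANs 1-256")
    port, offset = divmod(vlan - 1, VLANS_PER_PORT)
    block = list(delegated.subnets(new_prefix=58))[port]
    subnet = list(block.subnets(new_prefix=64))[offset]
    return port + 1, block, subnet


def audit(interfaces, gateway=WAN_GATEWAY, delegated=DELEGATED):
    """Return the problems found in a {name: 'prefix/len'} inside-interface plan."""
    problems = []
    gw = ipaddress.ip_address(gateway)
    if gw in delegated:
        problems.append(f"upstream gateway {gw} is inside {delegated}")
    nets = {n: ipaddress.ip_network(p, strict=False) for n, p in interfaces.items()}
    names = sorted(nets)
    for name in names:
        net = nets[name]
        if net.prefixlen != 64:
            problems.append(f"{name}: on-link prefix is /{net.prefixlen}, expected /64")
        if not net.subnet_of(delegated):
            problems.append(f"{name}: {net} is not contained in {delegated}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems
```
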
Best Answer
IPv6 to consumer networks/customers is usually provided by using DHCPv6-PD between the ISP router and the home router (CPE). The PD stands for Prefix Delegation and is an addition to the normal DHCPv6 options. It not only provides on-link addresses to the CPE, but also gives it a whole prefix that it can then use to further distribute within its own network.
To be able to route the prefix to the right CPE the ISP router has to remember which prefixes got delegated to which CPE. To do that it remembers the DHCPv6 client ID (DUID), its link-local (fe80:) address, the delegated prefixes and the lease time. It then automatically creates a static route for each prefix with the link-local address of the CPE as next-hop, and it will remove that route again when the lease expires.
If the ISP router is not itself the DHCPv6 server (which it usually isn't) then instead it performs the role of DHCPv6 relay. It will relay DHCPv6 requests from the CPEs to a central DHCPv6 server which will provide each CPE with prefixes. When relaying those messages the ISP router will snoop inside them to see if prefixes are being delegated, and it will update its routes based on that.
As an example, here is some Cisco documentation of this feature.
There are also switches that snoop DHCPv6 traffic. This is done for security instead of for routing. By looking at which Ethernet port was given which IPv6 addresses and prefixes, the switch can make sure that devices on other ports can't spoof packets using someone else's IPv6 address. This is called a Lightweight DHCPv6 Relay Agent and is specified in RFC 6221.
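The binding table this answer describes, sketched as an added example (not part of the original answer and not any vendor's implementation): it records DUID, link-local next hop, port, prefix and lease expiry, derives the routes from that, and applies the per-port source check. Class and method names, port labels and DUID strings are hypothetical, and the caller supplies values that a real relay would parse out of the DHCPv6 messages it forwards.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Binding:
    duid: str        # DHCPv6 client ID of the CPE
    link_local: str  # CPE's fe80:: address, used as next hop
    port: str        # access port the reply was relayed to (hypothetical label)
    prefix: ipaddress.IPv6Network
    expires: float   # absolute lease expiry in seconds


class PdSnooper:
    """Hypothetical model of the state a snooping relay keeps per delegation."""

    def __init__(self):
        self.bindings = {}

    def on_reply(self, duid, link_local, port, prefix, lifetime, now):
        net = ipaddress.ip_network(prefix)  # a single address can be given as /128
        if not ipaddress.ip_address(link_local).is_link_local:
            raise ValueError("next hop must be a link-local address")
        for b in self.bindings.values():
            if b.duid != duid and b.expires > now and b.prefix.overlaps(net):
                raise ValueError(f"{net} overlaps a live lease of another client")
        # A renewal from the same client simply replaces the old expiry.
        self.bindings[net] = Binding(duid, link_local, port, net, now + lifetime)

    def expire(self, now):
        for net in [n for n, b in self.bindings.items() if b.expires <= now]:
            del self.bindings[net]  # the matching route goes away with the lease

    def routes(self, now):
        """Static routes implied by live leases: (prefix, next hop, port)."""
        self.expire(now)
        return sorted((str(b.prefix), b.link_local, b.port)
                      for b in self.bindings.values())

    def source_allowed(self, port, src, now):
        """Accept a source address only if it was leased on the same port."""
        self.expire(now)
        addr = ipaddress.ip_address(src)
        return any(b.port == port and addr in b.prefix
                   for b in self.bindings.values())
```
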