oxidecomputer · internet-diglett · Jan 20, 2026 · Dec 15, 2025 · Jan 7, 2026 · Jan 12, 2026
diff --git a/openapi/wicketd.json b/openapi/wicketd.json
@@ -7784,6 +7784,11 @@
             "type": "string",
             "format": "ipv4"
           },
+          "rack_subnet_address": {
+            "nullable": true,
+            "type": "string",
+            "format": "ipv6"
+          },
           "switch0": {
             "type": "object",
             "additionalProperties": {

diff --git a/wicket-common/src/example.rs b/wicket-common/src/example.rs
@@ -196,13 +196,17 @@ impl ExampleRackSetupData {
             management_addrs: Some(vec!["172.32.0.4".parse().unwrap()]),
         });
 
+        let rack_subnet_address =
+            Some(Ipv6Addr::new(0xfd00, 0x1122, 0x3344, 0x0100, 0, 0, 0, 0));
+
         let rack_network_config = UserSpecifiedRackNetworkConfig {
+            rack_subnet_address,
             infra_ip_first: "172.30.0.1".parse().unwrap(),
             infra_ip_last: "172.30.0.10".parse().unwrap(),
             #[rustfmt::skip]
             switch0: btreemap! {
-		"port0".to_owned() => UserSpecifiedPortConfig {
-		    addresses: vec!["172.30.0.1/24".parse().unwrap()],
+                "port0".to_owned() => UserSpecifiedPortConfig {
+                    addresses: vec!["172.30.0.1/24".parse().unwrap()],
                     routes: vec![RouteConfig {
                         destination: "0.0.0.0/0".parse().unwrap(),
                         nexthop: "172.30.0.10".parse().unwrap(),
@@ -212,11 +216,11 @@ impl ExampleRackSetupData {
                     bgp_peers: switch0_port0_bgp_peers,
                     uplink_port_speed: PortSpeed::Speed400G,
                     uplink_port_fec: Some(PortFec::Firecode),
-		    lldp: switch0_port0_lldp,
-		    tx_eq,
-		    autoneg: true,
-		},
-	    },
+                    lldp: switch0_port0_lldp,
+                    tx_eq,
+                    autoneg: true,
+                },
+            },
             #[rustfmt::skip]
             switch1: btreemap! {
                 // Use the same port name as in switch0 to test that it doesn't
@@ -233,7 +237,7 @@ impl ExampleRackSetupData {
                     uplink_port_speed: PortSpeed::Speed400G,
                     uplink_port_fec: None,
                     lldp: switch1_port0_lldp,
-		    tx_eq,
+                    tx_eq,
                     autoneg: true,
                 },
             },

diff --git a/wicket-common/src/rack_setup.rs b/wicket-common/src/rack_setup.rs
@@ -99,6 +99,7 @@ pub struct BootstrapSledDescription {
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
 #[serde(deny_unknown_fields)]
 pub struct UserSpecifiedRackNetworkConfig {
+    pub rack_subnet_address: Option<Ipv6Addr>,
     pub infra_ip_first: Ipv4Addr,
     pub infra_ip_last: Ipv4Addr,
     // Map of switch -> port -> configuration, under the assumption that

diff --git a/wicket/src/cli/rack_setup/config_toml.rs b/wicket/src/cli/rack_setup/config_toml.rs
@@ -244,6 +244,19 @@ fn populate_network_table(
         return;
     };
 
+    if let Some(rack_subnet_address) = config.rack_subnet_address {
+        let value =
+            Value::String(Formatted::new(rack_subnet_address.to_string()));
+        match table.entry("rack_subnet_address") {
+            toml_edit::Entry::Occupied(mut entry) => {
+                entry.insert(Item::Value(value));
+            }
+            toml_edit::Entry::Vacant(entry) => {
+                entry.insert(Item::Value(value));
+            }
+        }
+    }
+
     for (property, value) in [
         ("infra_ip_first", config.infra_ip_first.to_string()),
         ("infra_ip_last", config.infra_ip_last.to_string()),

diff --git a/wicket/src/ui/panes/rack_setup.rs b/wicket/src/ui/panes/rack_setup.rs
@@ -710,6 +710,19 @@ fn rss_config_text<'a>(
             "External DNS zone name: ",
             Cow::from(external_dns_zone_name.as_str()),
         ),
+        (
+            "Rack subnet address (IPv6 /56): ",
+            rack_network_config.as_ref().map_or(
+                "(will be chosen randomly)".into(),
+                |c| {
+                    match c.rack_subnet_address {
+                        Some(v) => v.to_string(),
+                        None => "(chosen randomly)".to_string(),
+                    }
+                    .into()
+                },
+            ),
+        ),
         (
             "Infrastructure first IP: ",
             rack_network_config
@@ -755,7 +768,9 @@ fn rss_config_text<'a>(
         // This style ensures that if a new field is added to the struct, it
         // fails to compile.
         let UserSpecifiedRackNetworkConfig {
-            // infra_ip_first and infra_ip_last have already been handled above.
+            // rack_subnet_address, infra_ip_first, and infra_ip_last
+            // have already been handled above.
+            rack_subnet_address: _,
             infra_ip_first: _,
             infra_ip_last: _,
             // switch0 and switch1 re handled via the iter_uplinks iterator.

diff --git a/wicket/tests/output/example_non_empty.toml b/wicket/tests/output/example_non_empty.toml
@@ -71,6 +71,7 @@ allow = "any"
 [rack_network_config]
 infra_ip_first = "172.30.0.1"
 infra_ip_last = "172.30.0.10"
+rack_subnet_address = "fd00:1122:3344:100::"
 
 [rack_network_config.switch0.port0]
 routes = [{ nexthop = "172.30.0.10", destination = "0.0.0.0/0", vlan_id = 1 }]

diff --git a/wicketd/Cargo.toml b/wicketd/Cargo.toml
@@ -43,6 +43,7 @@ serde_json.workspace = true
 sha2.workspace = true
 slog-dtrace.workspace = true
 slog.workspace = true
+rand.workspace = true
 thiserror.workspace = true
 tufaceous-artifact.workspace = true
 tufaceous-lib.workspace = true
@@ -88,7 +89,6 @@ maplit.workspace = true
 omicron-test-utils.workspace = true
 openapi-lint.workspace = true
 openapiv3.workspace = true
-rand.workspace = true
 serde_json.workspace = true
 sled-agent-config-reconciler = { workspace = true, features = ["testing"] }
 sled-agent-types.workspace = true

diff --git a/wicketd/src/rss_config.rs b/wicketd/src/rss_config.rs
@@ -20,10 +20,9 @@ use display_error_chain::DisplayErrorChain;
 use omicron_certificates::CertificateError;
 use omicron_common::address;
 use omicron_common::address::Ipv4Range;
-use omicron_common::address::Ipv6Subnet;
-use omicron_common::address::RACK_PREFIX;
 use omicron_common::api::external::AllowedSourceIps;
 use omicron_common::api::external::SwitchLocation;
+use oxnet::Ipv6Net;
 use sled_hardware_types::Baseboard;
 use slog::debug;
 use slog::warn;
@@ -33,7 +32,6 @@ use std::collections::btree_map;
 use std::mem;
 use std::net::IpAddr;
 use std::net::Ipv6Addr;
-use std::sync::LazyLock;
 use thiserror::Error;
 use wicket_common::inventory::MgsV1Inventory;
 use wicket_common::inventory::SpType;
@@ -52,14 +50,6 @@ use wicketd_api::CurrentRssUserConfig;
 use wicketd_api::CurrentRssUserConfigSensitive;
 use wicketd_api::SetBgpAuthKeyStatus;
 
-// TODO-correctness For now, we always use the same rack subnet when running
-// RSS. When we get to multirack, this will be wrong, but there are many other
-// RSS-related things that need to change then too.
-static RACK_SUBNET: LazyLock<Ipv6Subnet<RACK_PREFIX>> = LazyLock::new(|| {
-    let ip = Ipv6Addr::new(0xfd00, 0x1122, 0x3344, 0x0100, 0, 0, 0, 0);
-    Ipv6Subnet::new(ip)
-});
-
 const RECOVERY_SILO_NAME: &str = "recovery";
 const RECOVERY_SILO_USERNAME: &str = "recovery";
 
@@ -659,10 +649,15 @@ fn validate_rack_network_config(
         }
     }
 
+    let rack_subnet = match validate_rack_subnet(config.rack_subnet_address) {
+        Ok(v) => v,
+        Err(e) => bail!(e),
+    };
+
     // TODO Add more client side checks on `rack_network_config` contents?
 
     Ok(bootstrap_agent_client::types::RackNetworkConfigV2 {
-        rack_subnet: RACK_SUBNET.net(),
+        rack_subnet,
         infra_ip_first: config.infra_ip_first,
         infra_ip_last: config.infra_ip_last,
         ports: config
@@ -686,6 +681,49 @@ fn validate_rack_network_config(
     })
 }
 
+pub fn validate_rack_subnet(
+    subnet_address: Option<Ipv6Addr>,
+) -> Result<Ipv6Net, String> {
+    use rand::prelude::*;
+
+    let rack_subnet_address = match subnet_address {
+        Some(addr) => addr,
+        None => {
+            let mut rng = rand::rng();
+            let a: u16 = 0xfd00 + Into::<u16>::into(rng.random::<u8>());
+            Ipv6Addr::new(
+                a,
+                rng.random::<u16>(),
+                rng.random::<u16>(),
+                0x0100,
+                0,
+                0,
+                0,
+                0,
+            )
+        }
+    };
+
+    // first octet must be fd
+    if rack_subnet_address.octets()[0] != 0xfd {
+        return Err("rack subnet address must begin with 0xfd".into());
+    };
+
+    // Do not allow rack0
+    if rack_subnet_address.octets()[6] == 0x00 {
+        return Err("rack number (seventh octet) cannot be 0".into());
+    };
+
+    // Do not allow addresses more specific than /56
+    if rack_subnet_address.octets()[7..].iter().any(|x| *x != 0x00) {
+        return Err("rack subnet address is /56, \
+                   but a more specific prefix was provided"
+            .into());
+    };
+
+    Ipv6Net::new(rack_subnet_address, 56).map_err(|e| e.to_string())
+}
+
 /// Builds a `BaPortConfigV2` from a `UserSpecifiedPortConfig`.
 ///
 /// Assumes that all auth keys are present in `bgp_auth_keys`.