Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Problem with 6rd feature and reported prefix

    Scheduled Pinned Locked Moved IPv6
    1 Posts 1 Posters 320 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      saivert
      last edited by saivert

      Currently the 6rd feature in PFSense 2.6 reports the prefix length of the WAN interface as the same as the prefix on the wan_stf interface which is actually doing the tunneling.

      For reference are outputs from ifconfig (with obfuscated addresses):

      [2.6.0-RELEASE][admin@saivertrouter.saivert.lan]/var/run: ifconfig wan_stf
wan_stf: flags=4041<UP,RUNNING,LINK2> metric 0 mtu 1480
	inet6 xxxx:xxxx:xxxx:xxxx:: prefixlen 30
	groups: stf
	v4net x.x.x.x/32 -> tv4br y.y.y.y
	nd6 options=101<PERFORMNUD,NO_DAD>

      As you can see the wan_stf interface is setup with a prefix length of 30 which is correct.

      [2.6.0-RELEASE][admin@saivertrouter.saivert.lan]/var/run: ifconfig igb0
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: WAN
	options=8120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
	ether 00:0e:c4:d4:40:15
	inet6 fe80::zzzz:zzzz:zzzz:zzzz%igb0 prefixlen 64 scopeid 0x1
	inet x.x.x.x netmask 0xfffff000 broadcast 255.255.255.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

      As you can see the igb0 (WAN) interface has prefix length of 64 which is correct. There is no public IPv6 assigned to this interface as the IPv6 connection is not actually terminated on this interface which it would be if using native IPv6.

      Yet PFsense pretends that the assigned WAN interface does double duty as IPv6 termination point and thus reports the same prefix as used on the wan_stf interface which is incorrect.

      This also causes problems because now the WAN interface as reported via internal configuration APIs occupies a whole /30 space and you cannot assign the other subnets to other interfaces otherwise you get an error:

      The following input errors were detected:

Address xxxx:xxxx:xxxx:xxxx:: is already configured on this firewall. [ WAN (yyyy:yyyy:yyyy:yyyy::/30) ]

      So I have to run a cron script to assign IPv6 address to my Wireguard interface for now to circumvent this issue.

      I'm not sure how the internal mechanisms work here but it seems tunnel interfaces should be ignored when doing validation of input like this. wan_stf is an implementation detail only and is not actually occupying any address space.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.