Static IPv6 "gateway does not lie within one the chosen interface's subnets"
-
@JKnott How did you configure this in pfsense?
-
@lmat you prob need to check this
Setup your gateway first. Then select it when you add the IPv6 address to the interface. It's under the advanced when you setup the gateway.
https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html
-
@lmat you prob need to check this
Setup your gateway first. Then select it when you add the IPv6 address to the interface. It's under the advanced when you setup the gateway.
That's exactly the option I was looking for, thank you!
I just ran this test that I think shows the new configuration is not working:
(That's google.com, I think.) Did I conduct the test properly? What else should I be looking at to debug this?
(Although it seems related, I realize that this question doesn't match the subject of this Topic. Let me know if I should open a new topic!)
-
@lmat can you ping your gateway? Its possible that they don't allow traffic from the transit IP..
First step would be to validate you can talk to your gateway to be honest. If that works, then create a lan side /64 out of the /56 they are routing to you.
-
@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
@lmat can you ping your gateway? Its possible that they don't allow traffic from the transit IP..
First step would be to validate you can talk to your gateway to be honest. If that works, then create a lan side /64 out of the /56 they are routing to you.
Excellent idea, and thank you for the suggestion. It doesn't appear to work:
-
@lmat well you could try creating your lan with a /64 out of that /56 they gave you and try that.. Its possible the gateway doesn't even answer ping.. Do you get an arp entry in the table after you try?
I would prob do more than just 1 as well.. Sometimes it takes a bit to get an arp answer, etc. so your first ping might fail but 2 or 3 might work..
If after creating your lan side interface with /64 and and a client and that doesn't work - time to contact the isp, possible they sent the wrong gateway, etc. ?
-
@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
@JKnott How did you configure this in pfsense?
My ISP uses DHCPv6-PD to provide the configuration automagically.
-
@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
First step would be to validate you can talk to your gateway to be honest. If that works, then create a lan side /64 out of the /56 they are routing to you.
Problem is the WAN IP address can't be uses, as with a /128, it can't directly reach anything else. This means the ping will have to be routed, but that won't work either because of the invalid gateway.
-
@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
I would prob do more than just 1 as well.. Sometimes it takes a bit to get an arp answer, etc. so your first ping might fail but 2 or 3 might work.
No such thing as ARP on IPv6. It's ICMPv6 neighbor discovery instead. Also, there should be periodic router advertisements telling what the gateway is. I'd verify the gateway address and find out if it should actually be a link local address. Also, he might do some ICMPv6 packet captures on the WAN port, to see what's actually on the wire.
-
Thank you for your invaluable input. I will continue troubleshooting and reading based on what you two fine gentlemen have related here.
@JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
This means the ping will have to be routed, but that won't work either because of the invalid gateway.
Why do you say the gateway is invalid?
-
@JKnott true, no arp ;) I used the wrong term, shoot me ;)
-
@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
Why do you say the gateway is invalid?
What address on pfSense will be used to reach it? You can't use the WAN address as it's a /128, which means there is no other device possible, within it's subnet. As I mentioned, link local is generally used for gateways.
Try doing a packet capture on the WAN interface, filtering on ICMPv6, and post the capture file here. PfSense has a built in capture utility. If that fails, you can make a data tap from a cheap managed switch and put it ahead of the WAN interface. Leave the capture running for a few minutes so you can make sure you get a router advertisement.
-
@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
If that works, then create a lan side /64 out of the /56 they are routing to you.
...
...you could try creating your lan with a /64 out of that /56 they gave you...These two statements are interesting to me. It looks to me that they gave me one address (
/128) in a network (subnet?) with a 56-bit network mask. (Although if that was the case, I'm not sure why they wouldn't say my assigned IPv6 was2000:561:10:301::162/56.) But you're suggesting they have allocated all host IP addresses within that 56-bit network mask to me? Why do you think that?For example, they also gave me a public IPv4 address of 65.39.159.66/24, but I don't assume that I get 255 public IPv4 addresses. Why would I assume I get the whole 56-bit prefix in IPv6?
-
@lmat Working with IPv6 is in many ways different from IPv4. The only reason you get a single address on IPv4 is the shortage of addresses. There are nowhere enough to go around, to the point many ISPs now use CGNAT, which is even worse than 1 address & NAT. With IPv6, you get a block of addresses, to use as you chose. With a /56, which I also have, you can create 256 separate networks, each of which contains 18.4 billion, billion addresses. That said, your WAN address has absolutely nothing to do with your LAN addresses. They are completely independent. So, what you need is a link local address for the gateway, as you cannot use the assigned WAN address to talk to any gateway. If they'd given use a smaller prefix, even a /127, then you could use the WAN to reach the gateway. BTW, the link local address would likely have a /64 prefix, so a gateway can support 18.4 billion, billion devices (yeah, right), as that many are supported by the prefix.
-
@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
I don't assume that I get 255 public IPv4 addresses.
Because that is not a network address that /24 is a host address.. The ipv6 they gave you is prefix/network add not a host address. Also you would never assign a /56 to a single network.. That would be a routed network via the transit they assigned with the odd /128 setup, etc.
You can look at any address and tell if its a host or a network.. If it lands on a network boundary then its a network, if it doesn't land a network boundary then its a host address. They clearly gave you a /56 network there.
2000:561:10:301::/56
which would run from.. 2000:561:10:300:: - 2000:561:10:3ff::
Now that you mention it, that 301 isn't proper boundary..
I would get with your isp - they are clearly doing their ipv6 deployment without having a clue.. Or they just typo'd what they sent you for info.. So yeah 2000:561:10:301:0:0:0:0/56 would be a host address - but that would be insane to assign a /56 to some interface... prefixes in ipv6 should be a /64 in almost all cases, other then delegation of a prefix, or a route statement or firewall rule, etc.
Maybe they are not letting you use the 1st /64 in that /56?
-
@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
prefixes in ipv6 should be a /64 in almost all cases, other then delegation of a prefix, or a route statement or firewall rule, etc.
Or a point to point link, which can be a /127/
-
Thank you again for your most helpful replies.
@JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
That said, your WAN address has absolutely nothing to do with your LAN addresses. They are completely independent.
I think I follow this: My WAN address is a way for the ISP to address the edge of my network. When you say "LAN addresses", though, those addresses aren't isolated to my LAN, but they're publicly addressible Internet addresses, right?
So, what you need is a link local address for the gateway, as you cannot use the assigned WAN address to talk to any gateway.
Okay, I drafted the following message to my ISP representative, does it look correct?
I'm not sure how I'm supposed to contact the gateway because the IP address you gave is /128. That means I can't communicate with anything from that address because it is isolated in its own prefix.
I'll also ask if they can provide a link-local IP address to their gateway instead.
-
As always, thank you very much for your help!
@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
You can look at any address and tell if its a host or a network.. If it lands on a network boundary then its a network, if it doesn't land a network boundary then its a host address.
By "boundary", I assume you mean the lower boundary. (
2000:561:10:300::/56has a lower boundary of2000:561:10:300::and an upper boundary of2000:561:10:30ff:ffff:ffff:ffff:ffff, right?)They clearly gave you a /56 network there.
You say "They clearly gave" rather than "You're clearly on". I'll sleep on this some more until I get it through my mind that this is the way things work!
Now that you mention it, that 301 isn't proper boundary..
Yeah, looks like a typo. I'll clarify with them.
-
@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
I think I follow this: My WAN address is a way for the ISP to address the edge of my network. When you say "LAN addresses", though, those addresses aren't isolated to my LAN, but they're publicly addressible Internet addresses, right?
Yep. All the addresses are reachable from outside if you allow it. However, by default, the firewall blocks them.
And yes, you probably need a link local address for the gateway. While you have a WAN address, you don't need it. It's generally used for things like a VPN, but you could also use any LAN side interface address for that.
-
@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":
By "boundary", I assume you mean the lower boundary. (2000:561:10:300::/56 has a lower boundary of 2000:561:10:300:: and an upper boundary of 2000:561:10:30ff:ffff:ffff:ffff:ffff, right?)
In this respect, IPv6 works the same as IPv4, except with much larger numbers. The prefix, can be almost anything, but an ISP will typically assign a /64, /60, /56 or /48. A network address will always end in ::, which indicates a continuous string of 0.
BTW, that :: can be used anywhere within an address, but can only be used once. If it isn't used at the end, then you'd see the 0 specifically included. Here's an example, the IPv6 loopback address: ::1. This indicates 127 0 bits followed by a single 1. This method is better than writing out all those 0s.