Static IPv6 "gateway does not lie within one the chosen interface's subnets"

JKnott

@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

prefixes in ipv6 should be a /64 in almost all cases, other then delegation of a prefix, or a route statement or firewall rule, etc.

Or a point to point link, which can be a /127/

lmat

Thank you again for your most helpful replies.

@JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

That said, your WAN address has absolutely nothing to do with your LAN addresses. They are completely independent.

I think I follow this: My WAN address is a way for the ISP to address the edge of my network. When you say "LAN addresses", though, those addresses aren't isolated to my LAN, but they're publicly addressible Internet addresses, right?

So, what you need is a link local address for the gateway, as you cannot use the assigned WAN address to talk to any gateway.

Okay, I drafted the following message to my ISP representative, does it look correct?

I'm not sure how I'm supposed to contact the gateway because the IP address you gave is /128. That means I can't communicate with anything from that address because it is isolated in its own prefix.

I'll also ask if they can provide a link-local IP address to their gateway instead.

lmat

As always, thank you very much for your help!

@johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

You can look at any address and tell if its a host or a network.. If it lands on a network boundary then its a network, if it doesn't land a network boundary then its a host address.

By "boundary", I assume you mean the lower boundary. (2000:561:10:300::/56 has a lower boundary of 2000:561:10:300:: and an upper boundary of 2000:561:10:30ff:ffff:ffff:ffff:ffff, right?)

They clearly gave you a /56 network there.

You say "They clearly gave" rather than "You're clearly on". I'll sleep on this some more until I get it through my mind that this is the way things work!

Now that you mention it, that 301 isn't proper boundary..

Yeah, looks like a typo. I'll clarify with them.

JKnott

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

I think I follow this: My WAN address is a way for the ISP to address the edge of my network. When you say "LAN addresses", though, those addresses aren't isolated to my LAN, but they're publicly addressible Internet addresses, right?

Yep. All the addresses are reachable from outside if you allow it. However, by default, the firewall blocks them.

And yes, you probably need a link local address for the gateway. While you have a WAN address, you don't need it. It's generally used for things like a VPN, but you could also use any LAN side interface address for that.

JKnott

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

By "boundary", I assume you mean the lower boundary. (2000:561:10:300::/56 has a lower boundary of 2000:561:10:300:: and an upper boundary of 2000:561:10:30ff:ffff:ffff:ffff:ffff, right?)

In this respect, IPv6 works the same as IPv4, except with much larger numbers. The prefix, can be almost anything, but an ISP will typically assign a /64, /60, /56 or /48. A network address will always end in ::, which indicates a continuous string of 0.

BTW, that :: can be used anywhere within an address, but can only be used once. If it isn't used at the end, then you'd see the 0 specifically included. Here's an example, the IPv6 loopback address: ::1. This indicates 127 0 bits followed by a single 1. This method is better than writing out all those 0s.

JKnott

@JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

Yep. All the addresses are reachable from outside if you allow it. However, by default, the firewall blocks them.

There's one other thing, the address space is so sparse it's hard for an attacker to find anything to attack. Your LAN will have 18.4 billion, billion addresses, of which only a few are in use. So, unless the attacker already knows a device address, it will be almost impossible for them to attack anything. This compares with IPv4 where it's hard to find an address that's not in use somewhere.

lmat

Thank you! Please be patient as I'm still having trouble sorting through everything.

@JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

...you cannot use the assigned WAN address to talk to any gateway.

You said this because the assigned WAN address is /128 meaning it is the only host with that prefix. It can't talk to a gateway because that gateway doesn't share a prefix, right?

Earlier you said (and I've heard this several places)

...link local is generally used for gateways.

but the WAN address certainly won't share a prefix with that link local address (fe80::/10). I guess in that case I won't be sending traffic from my WAN address, but from my own link local (fe80::1/10) which properly shares a prefix?

Later you said:

All the addresses are reachable from outside if you allow it.

This suggests it doesn't matter whether they share a prefix or not?

Thank you again for your patience!

lmat

@JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

Try doing a packet capture on the WAN interface, filtering on ICMPv6, and post the capture file here.

I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following:

00:00:01.000026 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2000:561:9:300::162 > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2000:561:9:3::7
          source link-address option (1), length 8 (1): 00:0a:cd:20:5d:97
            0x0000:  000a cd20 5d97
00:00:01.068027 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2000:561:9:300::162 > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2000:561:9:3::7
          source link-address option (1), length 8 (1): 00:0a:cd:20:5d:97
            0x0000:  000a cd20 5d97

and a BUNCH more just like it. It looks like my machine is issuing a solicitation every second, but getting nothing back?

JKnott

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

You said this because the assigned WAN address is /128 meaning it is the only host with that prefix. It can't talk to a gateway because that gateway doesn't share a prefix, right?

Yes.

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

but the WAN address certainly won't share a prefix with that link local address (fe80::/10). I guess in that case I won't be sending traffic from my WAN address, but from my own link local (fe80::1/10) which properly shares a prefix?

First off, the link local address will likely have a /64 prefix and a link local address starts with fe80 and then has 64 bits, often derived from the MAC address, so every link local address is in the same prefix, which starts with fe80::.

JKnott

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following:

Use the packet capture that's in pfSense. You may have to install it. Then post the capture file here. It's a lot easier to examine the capture with Wireshark that what packet capture displays.

Here's what a router advertisement looks like in Wireshark:

And when expanded, selecting IPv6 info: