Netgate Discussion Forum
    Static IPv6 "gateway does not lie within one the chosen interface's subnets"

    IPv6
    27 Posts 3 Posters 1.4k Views
    • JKnott @johnpoz

      @johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

      prefixes in ipv6 should be a /64 in almost all cases, other than delegation of a prefix, or a route statement or firewall rule, etc.

      Or a point to point link, which can be a /127.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • lmat @JKnott

        Thank you again for your most helpful replies.

        @JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

        That said, your WAN address has absolutely nothing to do with your LAN addresses. They are completely independent.

        I think I follow this: My WAN address is a way for the ISP to address the edge of my network. When you say "LAN addresses", though, those addresses aren't isolated to my LAN, but they're publicly addressable Internet addresses, right?

        So, what you need is a link local address for the gateway, as you cannot use the assigned WAN address to talk to any gateway.

        Okay, I drafted the following message to my ISP representative, does it look correct?

        I'm not sure how I'm supposed to contact the gateway because the IP address you gave is /128. That means I can't communicate with anything from that address because it is isolated in its own prefix.

        I'll also ask if they can provide a link-local IP address to their gateway instead.

        • lmat @johnpoz

          As always, thank you very much for your help!

          @johnpoz said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

          You can look at any address and tell if it's a host or a network. If it lands on a network boundary then it's a network; if it doesn't land on a network boundary then it's a host address.

          By "boundary", I assume you mean the lower boundary. (2000:561:10:300::/56 has a lower boundary of 2000:561:10:300:: and an upper boundary of 2000:561:10:30ff:ffff:ffff:ffff:ffff, right?)

          They clearly gave you a /56 network there.

          You say "They clearly gave" rather than "You're clearly on". I'll sleep on this some more until I get it through my mind that this is the way things work!

          Now that you mention it, that 301 isn't a proper boundary.

          Yeah, looks like a typo. I'll clarify with them.

          • JKnott @lmat

            @lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

            I think I follow this: My WAN address is a way for the ISP to address the edge of my network. When you say "LAN addresses", though, those addresses aren't isolated to my LAN, but they're publicly addressable Internet addresses, right?

            Yep. All the addresses are reachable from outside if you allow it. However, by default, the firewall blocks them.

            And yes, you probably need a link local address for the gateway. While you have a WAN address, you don't need it. It's generally used for things like a VPN, but you could also use any LAN side interface address for that.


            • JKnott @lmat

              @lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

              By "boundary", I assume you mean the lower boundary. (2000:561:10:300::/56 has a lower boundary of 2000:561:10:300:: and an upper boundary of 2000:561:10:30ff:ffff:ffff:ffff:ffff, right?)

              In this respect, IPv6 works the same as IPv4, except with much larger numbers. The prefix can be almost anything, but an ISP will typically assign a /64, /60, /56 or /48. A network address will always end in ::, which indicates a continuous string of 0s.

              BTW, that :: can be used anywhere within an address, but can only be used once. If it isn't used at the end, then you'd see the 0 specifically included. Here's an example, the IPv6 loopback address: ::1. This indicates 127 zero bits followed by a single 1. This method is better than writing out all those 0s.


              • JKnott @JKnott
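Working through the boundary question and the :: notation from the two posts above with Python's standard ipaddress module, as an added example (not code from the thread or from pfSense): it reports whether a written prefix lands on a network boundary, gives the first and last address a prefix covers, expands and compresses the :: shorthand, and re-implements the condition behind the thread's title, whether a gateway lies within an interface's subnet. Only 2000:561:10:300::/56, the ::1 loopback and the WAN address from the capture later in the thread come from the page; the ...:301::/56 prefix and the gateway address are constructed for illustration.

```python
import ipaddress

def classify(prefix_text):
    """'network' if the host bits are all zero (the address lands on the
    network boundary), otherwise 'host'. Also returns the enclosing network."""
    iface = ipaddress.IPv6Interface(prefix_text)
    kind = "network" if iface.ip == iface.network.network_address else "host"
    return kind, str(iface.network)

def address_range(prefix_text):
    """First and last address covered by a prefix. strict=False lets a host
    address such as ...:301::/56 be mapped to its network first."""
    net = ipaddress.IPv6Network(prefix_text, strict=False)
    return str(net.network_address), str(net[-1])

def gateway_in_subnet(interface_text, gateway_text):
    """The test behind pfSense's 'gateway does not lie within one of the chosen
    interface's subnets' message, re-implemented here (not pfSense code)."""
    iface = ipaddress.IPv6Interface(interface_text)
    return ipaddress.IPv6Address(gateway_text) in iface.network

def expand(addr_text):
    """Write every hextet in full so the run of zeros hidden by :: is visible."""
    return ipaddress.IPv6Address(addr_text).exploded

def compress(addr_text):
    """Canonical short form: a single :: for the longest run of zero hextets."""
    return ipaddress.IPv6Address(addr_text).compressed

def leading_zero_bits(addr_text):
    """Number of zero bits before the first 1 bit (127 for ::1)."""
    return 128 - int(ipaddress.IPv6Address(addr_text)).bit_length()

if __name__ == "__main__":
    print(classify("2000:561:10:300::/56"))      # prefix from the thread
    print(classify("2000:561:10:301::/56"))      # constructed: not on a /56 boundary
    print(address_range("2000:561:10:300::/56"))
    # WAN address from the thread's capture with the /128 the ISP assigned;
    # the gateway address 2000:561:9:300::1 is constructed for illustration
    print(gateway_in_subnet("2000:561:9:300::162/128", "2000:561:9:300::1"))
    print(gateway_in_subnet("2000:561:9:300::162/64", "2000:561:9:300::1"))
    print(expand("::1"), compress("0000:0000:0000:0000:0000:0000:0000:0001"))
    print(leading_zero_bits("::1"))
```

Note what address_range returns for the /56: only the high byte of the fourth hextet is fixed, so the range runs from 2000:561:10:300:: to 2000:561:10:3ff:ffff:ffff:ffff:ffff. The gateway check is the whole story of the thread's error: with a /128 on the interface, no gateway address can be inside the subnet, so pfSense rejects it; the same gateway passes once the interface carries a /64.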

                @JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

                Yep. All the addresses are reachable from outside if you allow it. However, by default, the firewall blocks them.

                There's one other thing, the address space is so sparse it's hard for an attacker to find anything to attack. Your LAN will have 18.4 billion, billion addresses, of which only a few are in use. So, unless the attacker already knows a device address, it will be almost impossible for them to attack anything. This compares with IPv4 where it's hard to find an address that's not in use somewhere.


                • lmat @JKnott

                  Thank you! Please be patient as I'm still having trouble sorting through everything.

                  @JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

                  ...you cannot use the assigned WAN address to talk to any gateway.

                  You said this because the assigned WAN address is /128 meaning it is the only host with that prefix. It can't talk to a gateway because that gateway doesn't share a prefix, right?

                  Earlier you said (and I've heard this several places)

                  ...link local is generally used for gateways.

                  but the WAN address certainly won't share a prefix with that link local address (fe80::/10). I guess in that case I won't be sending traffic from my WAN address, but from my own link local (fe80::1/10) which properly shares a prefix?

                  Later you said:

                  All the addresses are reachable from outside if you allow it.

                  This suggests it doesn't matter whether they share a prefix or not?

                  Thank you again for your patience!

                  • lmat @JKnott

                    @JKnott said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

                    Try doing a packet capture on the WAN interface, filtering on ICMPv6, and post the capture file here.

                    I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following:

                    00:00:01.000026 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2000:561:9:300::162 > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2000:561:9:3::7
                              source link-address option (1), length 8 (1): 00:0a:cd:20:5d:97
                                0x0000:  000a cd20 5d97
                    00:00:01.068027 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2000:561:9:300::162 > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2000:561:9:3::7
                              source link-address option (1), length 8 (1): 00:0a:cd:20:5d:97
                                0x0000:  000a cd20 5d97
                    

                    and a BUNCH more just like it. It looks like my machine is issuing a solicitation every second, but getting nothing back?

                    • JKnott @lmat
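A small triage script for the capture posted above, added here as an example (not code from the thread): it parses the tcpdump -vvv -ttt lines, pulls out source, destination, solicited target and the link-layer option, and then reports for each target how often it was solicited, the gap between solicitations (-ttt prints the delta from the previous packet), and whether the target lies inside the interface's own subnet. A target outside that subnet is not something any host on the link owns, so, short of the upstream router answering on its behalf, the solicitations stay unanswered, which matches the "getting nothing back" observation. The two capture lines are copied from the post; the interface prefixes passed to the summary (/128 as the ISP assigned, and /64 and /48 for comparison) are the only assumptions.

```python
import ipaddress
import re

# Two neighbor solicitations copied from the capture posted above
# (tcpdump -vvv -ttt -i igb0 icmp6).
CAPTURE = """\
00:00:01.000026 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2000:561:9:300::162 > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2000:561:9:3::7
          source link-address option (1), length 8 (1): 00:0a:cd:20:5d:97
            0x0000:  000a cd20 5d97
00:00:01.068027 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2000:561:9:300::162 > ff02::1:ff00:6: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2000:561:9:3::7
          source link-address option (1), length 8 (1): 00:0a:cd:20:5d:97
            0x0000:  000a cd20 5d97
"""

# One tcpdump summary line of a neighbor solicitation.
NS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 .*?\) (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r".*neighbor solicitation.*who has (?P<target>[0-9a-f:]+)$"
)
# The indented option line carrying the sender's MAC address.
MAC_RE = re.compile(r"source link-address option.*: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")

def parse_solicitations(text):
    """Return one dict per solicitation: ts, src, dst, target and (if present) mac."""
    records = []
    for line in text.splitlines():
        m = NS_RE.match(line)
        if m:
            records.append(m.groupdict())
            continue
        mm = MAC_RE.search(line)
        if mm and records:
            records[-1]["mac"] = mm.group("mac")
    return records

def delta_seconds(ts):
    """Convert tcpdump's hh:mm:ss.ffffff delta into seconds."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def solicitation_summary(records, interface_prefix):
    """Per target: how many solicitations, the inter-packet gaps, and whether the
    target is inside the subnet configured on the capturing interface."""
    net = ipaddress.IPv6Interface(interface_prefix).network
    summary = {}
    for r in records:
        entry = summary.setdefault(r["target"], {
            "count": 0, "gaps": [],
            "on_link": ipaddress.IPv6Address(r["target"]) in net,
        })
        entry["count"] += 1
        entry["gaps"].append(delta_seconds(r["ts"]))
    return summary

if __name__ == "__main__":
    recs = parse_solicitations(CAPTURE)
    for prefix in ("/128", "/64", "/48"):   # assumed interface prefix lengths
        print(prefix, solicitation_summary(recs, "2000:561:9:300::162" + prefix))
```

With the /128 from the ISP, and even with a /64, 2000:561:9:3::7 is off-link for 2000:561:9:300::162; only a prefix as wide as /48 would put both in one subnet, which is the same mismatch the pfSense gateway check complains about.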

                      @lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

                      You said this because the assigned WAN address is /128 meaning it is the only host with that prefix. It can't talk to a gateway because that gateway doesn't share a prefix, right?

                      Yes.

                      @lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

                      but the WAN address certainly won't share a prefix with that link local address (fe80::/10). I guess in that case I won't be sending traffic from my WAN address, but from my own link local (fe80::1/10) which properly shares a prefix?

                      First off, the link local address will likely have a /64 prefix. A link local address starts with fe80 and then has 64 bits, often derived from the MAC address, so every link local address is in the same prefix, which starts with fe80::.


                      • JKnott @lmat
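To make the link-local explanation above concrete, an added example (not code from the thread) that derives the modified EUI-64 link-local address from the MAC seen in the capture's link-address option, checks that two link-local addresses fall in the same fe80::/64, and shows why a link-local gateway works as a next hop for an interface that only has a /128: a link-local next hop is on-link by definition, a global one has to sit inside the interface's subnet. The MAC 00:0a:cd:20:5d:97 and the /128 WAN address come from the capture; fe80::1 as the gateway and 2000:561:9:300::1 as a global comparison address are constructed.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")

def link_local_from_mac(mac_text):
    """Modified EUI-64: flip the universal/local bit of the first octet, insert
    ff:fe between the two halves of the MAC, and prepend fe80::/64."""
    octets = [int(o, 16) for o in mac_text.split(":")]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError("expected a 48-bit MAC such as 00:0a:cd:20:5d:97")
    octets[0] ^= 0x02
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    return str(ipaddress.IPv6Address((0xFE80 << 112) | int.from_bytes(iid, "big")))

def same_link_local_prefix(a_text, b_text):
    """Both ends of a link share fe80::/64 whatever their global prefixes are."""
    a, b = ipaddress.IPv6Address(a_text), ipaddress.IPv6Address(b_text)
    return a in LINK_LOCAL and b in LINK_LOCAL

def usable_next_hop(interface_text, gateway_text):
    """A next hop is directly reachable if it is inside the interface's subnet
    or is link-local (fe80::/10), which is always on-link."""
    iface = ipaddress.IPv6Interface(interface_text)
    gw = ipaddress.IPv6Address(gateway_text)
    return gw in iface.network or gw.is_link_local

if __name__ == "__main__":
    mine = link_local_from_mac("00:0a:cd:20:5d:97")   # MAC from the capture
    print(mine)
    print(same_link_local_prefix(mine, "fe80::1"))     # fe80::1: constructed gateway
    # /128 WAN address from the capture: a global gateway is unreachable,
    # a link-local gateway is fine
    print(usable_next_hop("2000:561:9:300::162/128", "2000:561:9:300::1"))
    print(usable_next_hop("2000:561:9:300::162/128", "fe80::1"))
```

The derived address is fe80::20a:cdff:fe20:5d97; note the 00 becoming 02 in the first octet. This is why JKnott suggests asking the ISP for a link-local gateway: it sidesteps the subnet check entirely rather than needing the WAN prefix widened.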

                        @lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

                        I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following:

                        Use the packet capture that's in pfSense. You may have to install it. Then post the capture file here. It's a lot easier to examine the capture with Wireshark than what packet capture displays.

                        Here's what a router advertisement looks like in Wireshark:

                        [image: Wireshark screenshot of a router advertisement]

                        And when expanded, selecting IPv6 info:

                        [image: the same router advertisement with the IPv6 section expanded]


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.