WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets"

JKnott

@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

With IPv4, my gateway is the first IP in my /28 block. So although I know nothing of IPv6, I'm sorta surprised my gateway is not AAAA:BBBB:8006::1.

While the 1st address in a block is often used, there's no rule that says it has to be. It can be any usable address within the block and some people pick the highest. On IPv6, my gateway is fe80::217:10ff:fe9a:a199, which is a link local address and fe80::1:1 on the pfSense end. I also have a routeable WAN address, but it plays no part in routing.

BTW, my LAN link local address is also fe80::1.1, but the difference is that on both interfaces, that address is followed by the interface. For example here's my LAN link local address, with interface included: fe80::1:1%bge0

With IPv6, it's entirely permissible to have the same link local address on different interfaces, as the interface is also specified.

seanmcb

@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

While the 1st address in a block is often used, there's no rule that says it has to be. It can be any usable address within the block and some people pick the highest.

OK, maybe I need more coffee, but AAAA:BBBB:0:ffff::22 isn't actually within the AAAA:BBBB:8006::/48 block, is it? I suppose that's what the error message is saying.

JKnott

@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

OK, maybe I need more coffee, but AAAA:BBBB:0:ffff::22 isn't actually within the AAAA:BBBB:8006::/48 block, is it? I suppose that's what the error message is saying.

I wouldn't expect it to be. Since it's a separate interface, it would be within a different prefix. The same applies to IPv4. As I mentioned, my gateway uses link local addresses, which are certainly not within my prefix.

seanmcb

Well, back to square one I guess. I still don't know how to configure this.

The 'gateway' my ISP provided seems to correspond with the 'gateway' stuff in the pfsense UI, that's probably fine.

But what should I put in "Static IPv6 Configuration > IPv6 address"? I've tried:

• AAAA:BBBB:8006::/48
• AAAA:BBBB:8006::1/48
• AAAA:BBBB:8006::/64
• AAAA:BBBB:8006::1/64

Everything results in the "The gateway address AAAA:BBBB:0:ffff::22 does not lie within one of the chosen interface's subnets". What does this message mean exactly?

JKnott

@seanmcb

As I mentioned, I've never needed to do a static IPv6 configuration on pfSense, though I have on Cisco. Hopefully someone else here has some ideas.

dotdash

It looks like a transit network. Why don't you use the 'linklet' (Your ISP actually called it that?) as your WAN address, and use one of the /64's out of the /48 for you LAN side?

awebster

I might be missing the point here, but it seems to me that the config is fairly straightforward, except for the /127 which is a bit unusual...

WAN: Static IPv6 AAAA:BBBB:0:ffff::23/127
IPV6 default gateway: AAAA:BBBB:0:ffff::22

LAN: Static IPv6 AAAA:BBBB:8006:0::1/64 (I'm putting :0 to identify the first subnet but technically not needed). If you are purist, you can use :1 to indicate VLAN 1, it doesn't matter.
Other OPT Interfaces: AAAA:BBBB:8006:2::1/64, AAAA:BBBB:8006:3::1/64, etc. Each one is a separate /64 subnet.

I'm assuming your ISP has correctly routed AAAA:BBBB:8006::/48 to AAAA:BBBB:0:ffff::23, in which case it should "just work".

IsaacFL

@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

I might be missing the point here, but it seems to me that the config is fairly straightforward, except for the /127 which is a bit unusual...

WAN: Static IPv6 AAAA:BBBB:0:ffff::23/127
IPV6 default gateway: AAAA:BBBB:0:ffff::22

LAN: Static IPv6 AAAA:BBBB:8006:0::1/64 (I'm putting :0 to identify the first subnet but technically not needed). If you are purist, you can use :1 to indicate VLAN 1, it doesn't matter.
Other OPT Interfaces: AAAA:BBBB:8006:2::1/64, AAAA:BBBB:8006:3::1/64, etc. Each one is a separate /64 subnet.

I'm assuming your ISP has correctly routed AAAA:BBBB:8006::/48 to AAAA:BBBB:0:ffff::23, in which case it should "just work".

I think they have allocated 2 addresses, but your addresses are /128 each

AAAA:BBBB:0:ffff::23/128 is the pfsense WAN address
AAAA:BBBB:0:ffff::22/128 is the Gateway address.

awebster

@IsaacFL It would have to be /127 to have the gateway address inside the allocated subnet.
/127 = exactly 2 IP addresses

seanmcb

@dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.

Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)

Now I'm off to read about DHCPv6, SLAAC, etc. :)

IsaacFL

@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

@dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.

Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)

Now I'm off to read about DHCPv6, SLAAC, etc. :)

I would suggest looking at:
RFC 8504 IPv6 Node Requirements Best Current Practice 220

JKnott

@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

Well, back to square one I guess.

Drop by when you're in the neighbourhood. Square One is just down the road from me.

JKnott

@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

except for the /127 which is a bit unusual

That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.

JKnott

@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

Thanks all, it does work now, set the way @awebster first suggested.

Actually, I suggested it in my first reply to you.

Now I'm off to read about DHCPv6, SLAAC, etc. :)

A good reference is IPv6 Essentials.

awebster

@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.

Yup, its just the Internet is a bit undecided about that...
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
Yet others argue that a /64 with only 2 hosts is subject to scanning attack resource over utilisation, but that'd apply to any /64, not just PTP networks.
Further others might argue that the powers that be say everything should be a /64

The point that I find truly staggering is this:

• Each /64 has 18,446,744,073,709,551,616 host addresses
• 2 hosts in a /64 leaves 99.9999999...% unused
• 255 hosts -- a decent sized network -- in a /64 leaves 99.9999999...% unused
• 1,000,000 hosts -- why you'd do that is beyond me -- in a /64 leaves 99.9999999...% unused
• 2^32 hosts --the entire IPv4 Internet as it exists today -- in a single /64 leaves 99.9999999767...% unused

So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Consequently, IMHO there is absolutely no reason not to use /64 for any network allocation.
You just won't run out, no matter how hard you try.

IsaacFL

@awebster
Actually there is an RFC 6164 Using 127-Bit IPv6 Prefixes on Inter-Router Links that addresses it.

You don't have to depend on a random internet person.

As far as /64 bit boundaries per RFC 4291 IP Version 6 Addressing Architecture it is mandatory for all addresses except those that start with the first 3 bits of 000 are 64 bit boundaries with the exception of RFC 6164.

seanmcb

@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

Actually, I suggested it in my first reply to you.

Not to be unappreciative (honest!), but I don't see that you did, at least not explicitly enough for my thick head. :)

Thanks all for the reading suggestions too!

JKnott

@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.

I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.

So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!

Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface.

I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.

IsaacFL

@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.

I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.

So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!

Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface.

I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.

You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have it's own limits.

Once I got a DHCP server messed up in my lab, I had a Windows PC that had over 800 ip v6 addressess. They all seemed to work as far as ping, etc.

One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.

That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate.

JKnott

@IsaacFL

You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have it's own limits.

Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day

One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.

There are also privacy addresses with SLAAC, which change daily

That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate

Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle.

On my own network, I have both GUA and ULA addresses, 8 of each.