Access webConfigurator via link-local IPv6?



  • Hi guys

    I've got native IPv6 and have my LAN set to Track.  ISP gives me a /56 and I have the first /64 assigned to my LAN.  So all is fine there and I can access the pfSense GUI at e.g. https://[2604:2000:xxxx:xxxx:xxxx:a2ff:fe0a:zzzz].  But if that WAN goes down, the IPv6 gets removed from the LAN interface, and the webGUI becomes unavailable (have to switch to IPv4). I tried to instead browse to the link-local IP which should always be there regardless of WAN status, but it doesn't work - https://[fe80::1:1%igb0] just gives me an error (tried Chrome, Safari, Firefox…)

    Does anyone know if this is possible to do? Is nginx even listening on this address?  Is this even a thing? thanks
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms740593(v=vs.85).aspx


  • Rebel Alliance Developer Netgate

    Sadly the problem is that IPv6 link-local addresses must include a scope when used, like you show ending in %igb0 (but using your client PC's network card name!), but browsers have decided that figuring out scoped addresses is too hard and they won't make it work.

    https://bugs.chromium.org/p/chromium/issues/detail?id=70762
    https://bugzilla.mozilla.org/show_bug.cgi?id=700999

    I spent some time testing it out a while back, I could not get any current browser to work with it.

    The daemon is bound there, and responds when queried. From a command prompt I can hit the port with nc, and I can ssh to the box using the scoped address.

    The problem is entirely the browser.



  • Gotcha, thank you for the great explanation. It confirms what I thought but I wanted to be sure. I submitted PR#3636 yesterday to at least partially work around the "issue".



  • Why are you using %igb0? For that to work you'd need a BSD GUI desktop with an Intel NIC. If you're on Linux or Windows %igb0 is wrong.



  • @severach:

    Why are you using %igb0? For that to work you'd need a BSD GUI desktop with an Intel NIC. If you're on Linux or Windows %igb0 is wrong.

    Yes, I'd tried %en0 and %en1 as well. No luck.


  • Rebel Alliance Developer Netgate

    It just has to match whatever the name of the network card is. On Linux I can use %eth0 and it works for other things (ping, ssh, etc), on Mac %en0 works, on Windows %0 works if it's the first nic (second would be %1 and so on)

    That doesn't matter to browsers since they won't properly interpret the scoped URL.

    I did forget one thing, but it's kind of useless. There is one browser that does work with scoped URLs. The text-only console browser, Links.


  • Rebel Alliance Developer Netgate

    That tangent had nothing to do with this thread topic so I split it off.



  • As mentioned, browsers don't work with link local IPv6 addresses. What I do when I don't have an IPv6 address is just manually enter the IPv4 address.  It's easy enough to remember 172.16.1.1.

    BTW, that's a secret address, so don't tell anyone.  ;)


  • Rebel Alliance Developer Netgate

    If you only have IPv6 or want to use fe80::1:1, you could also ssh to the link-local address and use an ssh forward and load up localhost:443


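Added example, not part of the thread and not pfSense code: a loopback-only TCP relay in Python that plays the role of the ssh forward from the last reply, so a browser can load https://localhost:8443 while the relay itself connects to the scoped link-local address. The function names, the listen port 8443 and the invocation `python relay.py 'fe80::1:1%en0'` are assumptions.

```python
import asyncio
import ipaddress
import socket
import sys


def scoped_sockaddr(literal, port):
    """Turn 'fe80::1:1%en0' into the 4-tuple an AF_INET6 socket expects."""
    addr, _, zone = literal.strip("[]").partition("%")
    ip = ipaddress.IPv6Address(addr)  # raises ValueError if malformed
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not link-local (fe80::/10)")
    if not zone:
        raise ValueError("link-local address needs a %zone")
    # The zone is the name or index of the client's own interface.
    scope_id = int(zone) if zone.isdigit() else socket.if_nametoindex(zone)
    return (str(ip), port, 0, scope_id)


async def _pipe(reader, writer):
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def relay(target, listen_port=8443):
    """Listen on loopback only and copy bytes to and from the scoped target."""
    async def handle(c_reader, c_writer):
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        sock.setblocking(False)
        try:
            await asyncio.get_running_loop().sock_connect(sock, target)
        except OSError:  # firewall unreachable or wrong zone
            sock.close()
            c_writer.close()
            return
        u_reader, u_writer = await asyncio.open_connection(sock=sock)
        await asyncio.gather(_pipe(c_reader, u_writer),
                             _pipe(u_reader, c_writer), return_exceptions=True)
    server = await asyncio.start_server(handle, "127.0.0.1", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(relay(scoped_sockaddr(sys.argv[1], 443)))
```

The listener binds only 127.0.0.1, so the webGUI is not re-exposed to other hosts on the LAN. The browser still sees the firewall's certificate under the name localhost, as it would through an ssh forward.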