Access webConfigurator via link-local IPv6?

luckman212 · Mar 10, 2017, 12:49 PM

Hi guys

I've got native IPv6 and have my LAN set to Track. ISP gives me a /56 and I have the first /64 assigned to my LAN. So all is fine there and I can access the pfSense GUI at e.g. https://[2604:2000:xxxx:xxxx:xxxx:a2ff:fe0a:zzzz]. But if that WAN goes down, the IPv6 gets removed from the LAN interface, and the webGUI becomes unavailable (have to switch to IPv4). I tried to instead browse to the link-local IP which should always be there regardless of WAN status, but it doesn't work- https://[fe80::1:1%igb0] just gives me an error (tried Chrome, Safari, Firefox…)

Does anyone know if this is possible to do? Is nginx even listening on this address? Is this even a thing? thanks
https://msdn.microsoft.com/en-us/library/windows/desktop/ms740593(v=vs.85).aspx

jimp · Mar 10, 2017, 3:51 PM

Sadly the problem is that IPv6 link-local IPv6 addresses must include a scope when used, like you show ending in %igb0 (but using your client PC's network card name!), but browsers have decided that figuring out scoped addresses is too hard and they won't make it work.

https://bugs.chromium.org/p/chromium/issues/detail?id=70762
https://bugzilla.mozilla.org/show_bug.cgi?id=700999

I spent some time testing it out a while back, I could not get any current browser to work with it.

The daemon is bound there, and responds when queried. From a command prompt I can hit the port with nc, and I can ssh to the box using the scoped address.

The problem is entirely the browser.

luckman212 · Mar 10, 2017, 3:53 PM

Gotcha, thank you for the great explanation. It confirms what I thought but I wanted to be sure. I submitted PR#3636 yesterday to at least partially work around the "issue".

severach · Mar 10, 2017, 5:10 PM

Why are you using %igb0? For that to work you'd need a BSD GUI desktop with an Intel NIC. If you're on Linux or Windows %igb0 is wrong.

luckman212 · Mar 10, 2017, 5:24 PM

@severach:

Why are you using %igb0? For that to work you'd need a BSD GUI desktop with an Intel NIC. If you're on Linux or Windows %igb0 is wrong.

Yes, I'd tried %en0 and %en1 as well. No luck.

jimp · Mar 10, 2017, 5:23 PM

It just has to match whatever the name of the network card is. On Linux I can use %eth0 and it works for other things (ping, ssh, etc), on Mac %en0 works, on Windows %0 works if it's the first nic (second would be %1 and so on)

That doesn't matter to browsers since they won't properly interpret the scoped URL.

I did forget one thing, but it's kind of useless. There is one browser that does work with scoped URLs. The text-only console browser, Links.

jimp · Mar 13, 2017, 8:28 PM

That tangent had nothing to do with this thread topic so I split it off.

JKnott · Mar 15, 2017, 2:27 PM

As mentioned, browsers don't work with link local IPv6 addresses. What I do when I don't have an IPv6 address is just manually enter the IPv4 address. It's easy enough to remember 172.16.1.1.

BTW, that's a secret address, so don't tell anyone. ;)

jimp · Mar 15, 2017, 2:50 PM

If you only have IPv6 or want to use fe80::1:1, You could also ssh to the link-local address and use an ssh forward and load up localhost:443