Netgate Discussion Forum

    WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets"

    23 Posts 5 Posters 2.6k Views
      seanmcb

      @dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.

      Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)

      Now I'm off to read about DHCPv6, SLAAC, etc. :)

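The rule behind the error in the thread title, written out as an added Python example (this is not pfSense's own code): a static gateway is accepted only if it falls inside the subnet of one of the interface's configured addresses, which is why the WAN had to carry an address from the ISP's /127 "linknet" rather than one from the routed /64. The addresses below are constructed from the 2001:db8::/32 documentation prefix; treating a link-local next hop as always on-link is a general IPv6 fact, not a claim about any particular product.

```python
from ipaddress import ip_address, ip_interface


def gateway_in_interface_subnets(interface_addrs, gateway):
    """Return True when `gateway` is on-link for at least one of the interface's
    configured addresses (each given as "address/prefixlen").

    Reimplements, for illustration only, the check behind the message
    "gateway does not lie within one of the chosen interface's subnets".
    """
    gw = ip_address(gateway)
    # An IPv6 link-local next hop (fe80::/10) is on-link by definition
    # (RFC 4291), whatever global prefix the interface carries.
    if gw.version == 6 and gw.is_link_local:
        return True
    for addr in interface_addrs:
        iface = ip_interface(addr)
        if iface.version == gw.version and gw in iface.network:
            return True
    return False


def explain(interface_addrs, gateway):
    """Human-readable verdict that also lists the subnets that were checked."""
    subnets = ", ".join(str(ip_interface(a).network) for a in interface_addrs)
    if gateway_in_interface_subnets(interface_addrs, gateway):
        return f"OK: gateway {gateway} lies within {subnets}"
    return (f"REJECT: gateway {gateway} does not lie within one of the "
            f"chosen interface's subnets ({subnets})")


if __name__ == "__main__":
    # Constructed example values. The ISP's "linknet" is a /127 whose low
    # address is the provider side; the customer takes the high address.
    linknet_wan = ["2001:db8:1:ffff::1/127"]
    isp_gateway = "2001:db8:1:ffff::"
    # Addressing the WAN from the routed /64 instead leaves the gateway off-link.
    routed_wan = ["2001:db8:1:1::1/64"]

    print(explain(linknet_wan, isp_gateway))             # accepted
    print(explain(routed_wan, isp_gateway))              # rejected: the thread's error
    print(explain(linknet_wan, "2001:db8:1:ffff::2"))    # rejected: outside the /127
    print(explain(routed_wan, "fe80::1"))                # accepted: link-local next hop
```

The second call reproduces the situation the thread started from: the gateway is perfectly reachable on the wire, but the configured prefix says otherwise, so the validation refuses it until the interface carries an address from the same /127.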
        IsaacFL @seanmcb

        @seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

        @dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.

        Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)

        Now I'm off to read about DHCPv6, SLAAC, etc. :)

        I would suggest looking at:
        RFC 8504 IPv6 Node Requirements Best Current Practice 220

          JKnott @seanmcb

          @seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

          Well, back to square one I guess.

          Drop by when you're in the neighbourhood. Square One is just down the road from me. 😉

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            JKnott @awebster

            @awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

            except for the /127 which is a bit unusual

            That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.

              JKnott @seanmcb

              @seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

              Thanks all, it does work now, set the way @awebster first suggested.

              Actually, I suggested it in my first reply to you.

              Now I'm off to read about DHCPv6, SLAAC, etc. :)

              A good reference is IPv6 Essentials.

                awebster @JKnott

                @JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

                That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.

                Yup, it's just the Internet is a bit undecided about that...
                One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
                Yet others argue that a /64 with only 2 hosts is subject to scanning attack resource over utilisation, but that'd apply to any /64, not just PTP networks.
                Further others might argue that the powers that be say everything should be a /64.

                The point that I find truly staggering is this:

                • Each /64 has 18,446,744,073,709,551,616 host addresses
                • 2 hosts in a /64 leaves 99.9999999...% unused
                • 255 hosts -- a decent-sized network -- in a /64 leaves 99.9999999...% unused
                • 1,000,000 hosts -- why you'd do that is beyond me -- in a /64 leaves 99.9999999...% unused
                • 2^32 hosts -- the entire IPv4 Internet as it exists today -- in a single /64 leaves 99.9999999767...% unused

                So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
                Consequently, IMHO there is absolutely no reason not to use /64 for any network allocation.
                You just won't run out, no matter how hard you try.

                –A.

                  IsaacFL @awebster

                  @awebster
                  Actually there is an RFC 6164 Using 127-Bit IPv6 Prefixes on Inter-Router Links that addresses it.

                  You don't have to depend on a random internet person.

                  As far as /64 bit boundaries go, per RFC 4291 IP Version 6 Addressing Architecture it is mandatory that all addresses except those that start with the first 3 bits of 000 are on 64 bit boundaries, with the exception of RFC 6164.

                    seanmcb @JKnott

                    @JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

                    Actually, I suggested it in my first reply to you.

                    Not to be unappreciative (honest!), but I don't see that you did, at least not explicitly enough for my thick head. :)

                    Thanks all for the reading suggestions too!

                      JKnott @awebster

                      @awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

                      One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.

                      I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.

                      So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!

                      Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface. 😉

                      I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.

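Checking awebster's unused-space figures from a few posts up with exact rational arithmetic, and putting a rough number on JKnott's remark that scanning a sparsely populated /64 is a waste of time. This is an added Python example, not code from the thread. The probe rate of one million uniformly random probes per second is a constructed assumption, and the model (independent random probes, so a geometric waiting time) is deliberately the simplest one; it is a sanity check on the order of magnitude, not a statement about any real scanner or any real network.

```python
from decimal import Decimal, localcontext
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600


def addresses_in_prefix(prefixlen):
    """Number of IPv6 addresses in a prefix of the given length (/127 -> 2, /64 -> 2**64)."""
    if not 0 <= prefixlen <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    return 2 ** (128 - prefixlen)


def unused_percent(hosts, prefixlen=64, digits=10):
    """Exact percentage of the prefix left unused by `hosts` addresses, as a string
    rounded to `digits` decimals. Rationals are used throughout so the many nines
    survive; a float would collapse most of them."""
    total = addresses_in_prefix(prefixlen)
    if hosts > total:
        raise ValueError("more hosts than addresses in the prefix")
    ratio = Fraction(total - hosts, total) * 100
    with localcontext() as ctx:
        ctx.prec = 60
        value = Decimal(ratio.numerator) / Decimal(ratio.denominator)
        return f"{value:.{digits}f}"


def expected_random_probes(hosts, prefixlen=64):
    """Expected number of uniformly random probes until the first one lands on one
    of `hosts` live addresses. Each probe hits with probability hosts/total, so the
    mean waiting time of the geometric distribution is total/hosts."""
    if hosts <= 0:
        raise ValueError("need at least one live host")
    return Fraction(addresses_in_prefix(prefixlen), hosts)


def expected_years_to_first_hit(hosts, probes_per_second, prefixlen=64):
    """The same expectation expressed in years at a sustained probe rate."""
    probes = expected_random_probes(hosts, prefixlen)
    return float(probes / probes_per_second / SECONDS_PER_YEAR)


if __name__ == "__main__":
    for hosts in (2, 255, 1_000_000, 2 ** 32):
        print(f"{hosts:>20} hosts in a /64 leaves {unused_percent(hosts)}% unused")
    # Six devices in one /64 (roughly JKnott's home network above), swept at the
    # constructed rate of one million random probes per second:
    years = expected_years_to_first_hit(6, 10 ** 6)
    print(f"about {years:,.0f} years expected until the first random probe hits a host")
```

The 2^32 row reproduces the 99.9999999767...% figure from the post exactly. The scan estimate is the reason this sparsity matters beyond trivia: a brute-force sweep of a /64 with a handful of hosts takes on the order of 10^5 years at a million probes per second, so a defender should expect address discovery on IPv6 to come from other sources (DNS, logs, neighbour caches, predictable EUI-64 or sequential addressing) rather than from sweeping, and should prioritise those when assessing exposure.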
                        IsaacFL @JKnott

                        @JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

                        @awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":

                        One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.

                        I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.

                        So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!

                        Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface. 😉

                        I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.

                        You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have its own limits.

                        Once I got a DHCP server messed up in my lab, I had a Windows PC that had over 800 IPv6 addresses. They all seemed to work as far as ping, etc.

                        One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.

                        That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate.

                          JKnott @IsaacFL

                          @IsaacFL

                          You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have its own limits.

                          Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day.

                          One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.

                          There are also privacy addresses with SLAAC, which change daily.

                          That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate.

                          Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle.

                          On my own network, I have both GUA and ULA addresses, 8 of each.

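JKnott's description of the EUI-64 conversion and of the daily-changing privacy addresses, together with IsaacFL's point that a 64-bit host part can be generated at random with little risk of duplicates, as an added Python example (not code from the thread). The MAC 00:25:96:12:34:56 and the prefix 2001:db8::/64 are constructed values. It goes one step beyond the post: RFC 4291 Appendix A also inverts the universal/local bit of the first octet when the ff:fe is inserted, and the reverse function shows why an EUI-64 address exposes the hardware MAC, which is the tracking concern that RFC 4941 temporary (privacy) identifiers address.

```python
import secrets
from ipaddress import IPv6Address, IPv6Network


def modified_eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A):
    ff:fe is inserted between the OUI and the device half, and the
    universal/local bit (0x02 of the first octet) is inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def mac_from_eui64_iid(iid):
    """Recover the MAC from an EUI-64 derived IID, or None when the ff:fe marker is
    absent (a random IID, as with temporary/privacy addresses). This is the
    information leak that SLAAC privacy extensions exist to avoid."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def random_iid():
    """64 random bits: the shape of an RFC 4941-style temporary identifier."""
    return secrets.randbits(64)


def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit IID into a full address."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix; that is why the IID is 64 bits")
    if not 0 <= iid < 2 ** 64:
        raise ValueError("IID must fit in 64 bits")
    return IPv6Address(int(net.network_address) | iid)


def collision_probability(n):
    """Birthday-bound approximation of the chance that n independently random
    64-bit IIDs contain at least one duplicate: n(n-1)/2 pairs, each colliding
    with probability 2**-64."""
    return n * (n - 1) / 2 / 2 ** 64


if __name__ == "__main__":
    prefix = "2001:db8::/64"          # constructed documentation prefix
    mac = "00:25:96:12:34:56"          # constructed MAC address
    fixed = modified_eui64_iid(mac)
    print("EUI-64 address :", slaac_address(prefix, fixed))
    print("MAC recovered  :", mac_from_eui64_iid(fixed))
    temp = random_iid()
    print("privacy address:", slaac_address(prefix, temp))
    print("MAC recovered  :", mac_from_eui64_iid(temp))
    # IsaacFL's 800 addresses on one host: the chance of any two colliding.
    print(f"P(duplicate among 800 random IIDs) ~ {collision_probability(800):.2e}")
```

Both styles of address sit in the same /64 and are indistinguishable to the router; the difference is only whether the low 64 bits are derived from the interface's MAC (stable, and reversible as the second function shows) or drawn fresh from a CSPRNG. With 2^64 possible identifiers, even several hundred random addresses on one link carry a duplicate probability far below 10^-13, which is why Duplicate Address Detection almost never has anything to report.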
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.