WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets"
-
@dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.
Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)
Now I'm off to read about DHCPv6, SLAAC, etc. :)
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
@dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.
Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)
Now I'm off to read about DHCPv6, SLAAC, etc. :)
I would suggest looking at:
RFC 8504 IPv6 Node Requirements (Best Current Practice 220)
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
Well, back to square one I guess.
Drop by when you're in the neighbourhood. Square One is just down the road from me.
-
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
except for the /127 which is a bit unusual
That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
Thanks all, it does work now, set the way @awebster first suggested.
Actually, I suggested it in my first reply to you.
Now I'm off to read about DHCPv6, SLAAC, etc. :)
A good reference is IPv6 Essentials.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.
Yup, it's just the Internet is a bit undecided about that...
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
Yet others argue that a /64 with only 2 hosts is subject to scanning attack resource over utilisation, but that'd apply to any /64, not just PTP networks.
Further others might argue that the powers that be say everything should be a /64.
The point that I find truly staggering is this:
- Each /64 has 18,446,744,073,709,551,616 host addresses
- 2 hosts in a /64 leaves 99.9999999...% unused
- 255 hosts -- a decent sized network -- in a /64 leaves 99.9999999...% unused
- 1,000,000 hosts -- why you'd do that is beyond me -- in a /64 leaves 99.9999999...% unused
- 2^32 hosts --the entire IPv4 Internet as it exists today -- in a single /64 leaves 99.9999999767...% unused
So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Consequently, IMHO there is absolutely no reason not to use /64 for any network allocation.
You just won't run out, no matter how hard you try.
-
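The two things argued over above, whether a gateway sits inside the prefix configured on the WAN interface (the error in the thread title) and how many addresses a /127, /126 or /64 actually holds, are easy to check with Python's standard ipaddress module. This is an added example, not code from any of the posters or from pfSense; the 2001:db8::/32 and 192.0.2.0/24 addresses are constructed documentation-prefix values, and the function names are my own.

```python
"""IPv6 prefix arithmetic for the point-to-point link debate in this thread.

Added example (not from the forum posts). Addresses are constructed
documentation-prefix values; nothing here talks to a real interface.
"""
import ipaddress


def gateway_in_interface_subnet(interface_cidr: str, gateway: str) -> bool:
    """The check behind the "gateway does not lie within ... the chosen
    interface's subnets" error: is the gateway inside the prefix that the
    interface address/prefix-length pair describes?"""
    net = ipaddress.ip_interface(interface_cidr).network
    return ipaddress.ip_address(gateway) in net


def point_to_point_peer(interface_cidr: str) -> str:
    """On a two-address link (IPv6 /127 or its IPv4 equivalent /31) the only
    other address on the wire is the peer, so the "linknet" gateway address
    can be derived rather than guessed."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    if net.num_addresses != 2:
        raise ValueError(f"{interface_cidr} is not a two-address point-to-point prefix")
    first, second = net[0], net[1]
    return str(second if iface.ip == first else first)


def address_count(cidr: str) -> int:
    """Addresses in the prefix. IPv6 has no broadcast address, so ipaddress
    counts every address, including the all-zeros subnet-router anycast one."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def unused_fraction(cidr: str, hosts_in_use: int) -> float:
    """Fraction of the prefix left unused with hosts_in_use addresses assigned;
    reproduces the 99.999...% figures quoted in the thread."""
    total = address_count(cidr)
    if hosts_in_use > total:
        raise ValueError("more hosts than addresses in the prefix")
    return (total - hosts_in_use) / total


if __name__ == "__main__":
    # WAN configured as the second address of a /127; the upstream side is the first.
    wan = "2001:db8:0:1::3/127"
    print("peer/gateway on this /127:", point_to_point_peer(wan))
    print("gateway ::2 inside the /127?", gateway_in_interface_subnet(wan, "2001:db8:0:1::2"))
    # A gateway outside the /127 reproduces the error from the thread title.
    print("gateway ::1 inside the /127?", gateway_in_interface_subnet(wan, "2001:db8:0:1::1"))
    for prefix in ("2001:db8::/127", "2001:db8::/126", "2001:db8::/64"):
        print(prefix, "holds", address_count(prefix), "addresses")
    print("a /64 with 2^32 hosts is", f"{unused_fraction('2001:db8::/64', 2**32):.12%}", "unused")
```

Running it prints the /127 peer as 2001:db8:0:1::2, shows ::1 failing the containment check that pfSense applies, and lists 2, 4 and 18446744073709551616 addresses for the three prefixes; the last line comes out at 99.999999976717% unused, matching the number quoted above.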
@awebster
Actually there is an RFC 6164 Using 127-Bit IPv6 Prefixes on Inter-Router Links that addresses it. You don't have to depend on a random internet person.
As far as /64 boundaries go, per RFC 4291 IP Version 6 Addressing Architecture a 64-bit boundary is mandatory for all addresses except those that start with the first 3 bits 000, with the exception of RFC 6164.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
Actually, I suggested it in my first reply to you.
Not to be unappreciative (honest!), but I don't see that you did, at least not explicitly enough for my thick head. :)
Thanks all for the reading suggestions too!
-
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.
So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface.
I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.
So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface.
I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.
You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have its own limits.
Once I got a DHCP server messed up in my lab, I had a Windows PC that had over 800 IPv6 addresses. They all seemed to work as far as ping, etc.
One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.
That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate.
-
You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have it's own limits.
Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day
One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.
There are also privacy addresses with SLAAC, which change daily
That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate
Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle.
On my own network, I have both GUA and ULA addresses, 8 of each.
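The EUI-64 conversion described in the last post has one more step than inserting fffe: RFC 4291 Appendix A also flips the universal/local bit (0x02 of the first octet), which is why a MAC of 00:11:22:33:44:55 shows up as 211:22ff:fe33:4455 in a SLAAC address. The code below is an added example, not from any of the posters or any OS's SLAAC implementation; the MAC, prefix and privacy-style address are constructed, and the helper names are mine. The reverse function is the practitioner's check: an address with ff:fe in the middle of its interface identifier leaks the hardware address (and so tracks the host across prefixes), which is the problem the daily-changing privacy addresses mentioned above were introduced to solve.

```python
"""Modified EUI-64 interface identifiers and SLAAC address formation.

Added example, not from the forum thread. All inputs are constructed.
"""
import ipaddress
from typing import Optional


def modified_eui64(mac: str) -> bytes:
    """EUI-48 MAC -> 8-byte modified EUI-64 interface identifier (RFC 4291 App. A):
    split the MAC in half, insert ff:fe, and invert the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    first = octets[0] ^ 0x02  # flip the u/l bit so a burned-in MAC reads as "universal"
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the MAC-derived interface identifier the way
    SLAAC (RFC 4862) does for EUI-64-based addresses."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; the prefix must be a /64")
    packed = net.network_address.packed[:8] + modified_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """If the interface identifier carries the ff:fe marker, recover the MAC it
    was built from; otherwise (random, privacy or manually chosen IID) return None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"          # constructed MAC
    prefix = "2001:db8:1:2::/64"       # constructed documentation prefix
    gua = slaac_address(prefix, mac)
    print("SLAAC EUI-64 address:", gua)
    print("MAC recovered from it:", mac_from_eui64_address(gua))
    # A privacy-style address (constructed) has no ff:fe marker and leaks nothing.
    print("MAC from 2001:db8:1:2:5e3a:9f1b:2c4d:8e7f:", mac_from_eui64_address("2001:db8:1:2:5e3a:9f1b:2c4d:8e7f"))
```

The round trip works because the u/l bit flip is an XOR, so applying it twice restores the original octet; the same check can be run over a neighbour cache or firewall log to see which hosts are still announcing MAC-derived identifiers rather than temporary ones.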