WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets"
-
I'm trying to set up IPv6 for the first time. I'm pretty ignorant of IPv6. My ISP provided me the following info (first digits anonymized):
Network IPv6: AAAA:BBBB:8006::/48
IPv6 linknet: AAAA:BBBB:0:ffff::23/127
Gateway: AAAA:BBBB:0:ffff::22/127
I'm not sure what corresponds to what in the pfsense UI. I'm especially unclear what "IPv6 linknet" is.
Everything I try seems to result in the message "The gateway address AAAA:BBBB:0:ffff::22 does not lie within one of the chosen interface's subnets".
Thanks for any clues...
-
It appears you're supposed to do a static config. Mine uses DHCPv6-PD, so I can't speak from experience. However, what WAN IPv6 configuration type have you selected? I expect it should be static IPv6. When you select that, you should see a couple of boxes appear under Static IPv6 Configuration for IPv6 address and IPv6 upstream gateway. Have you filled in those values? That should take care of the WAN side of things. You should now be able to ping things like google.com and get a reply with IPv6 address used. Otherwise it will fail to an IPv4 address.
On LAN side, you'd again select Static IPv6 for the IPv6 configuration type. Beyond that, I'm not sure, as I've never done a static config.
-
@JKnott thanks for your fast reply.
Yes, I expect I should be using a static config. This is an expensive business connection. Indeed I selected "Static IPv6" then those additional fields appeared, I set:
IPv6 address: AAAA:BBBB:8006::/48
IPv6 Upstream gateway: I pressed 'add' to create a new one and set the "gateway IPv6" to AAAA:BBBB:0:ffff::22
But this results in the 'does not lie within subnet' error message.
With IPv4, my gateway is the first IP in my /28 block. So although I know nothing of IPv6, I'm sorta surprised my gateway is not AAAA:BBBB:8006::1.
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
With IPv4, my gateway is the first IP in my /28 block. So although I know nothing of IPv6, I'm sorta surprised my gateway is not AAAA:BBBB:8006::1.
While the 1st address in a block is often used, there's no rule that says it has to be. It can be any usable address within the block and some people pick the highest. On IPv6, my gateway is fe80::217:10ff:fe9a:a199, which is a link local address and fe80::1:1 on the pfSense end. I also have a routeable WAN address, but it plays no part in routing.
BTW, my LAN link local address is also fe80::1:1, but the difference is that on both interfaces, that address is followed by the interface. For example, here's my LAN link local address, with interface included: fe80::1:1%bge0
With IPv6, it's entirely permissible to have the same link local address on different interfaces, as the interface is also specified.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
While the 1st address in a block is often used, there's no rule that says it has to be. It can be any usable address within the block and some people pick the highest.
OK, maybe I need more coffee, but AAAA:BBBB:0:ffff::22 isn't actually within the AAAA:BBBB:8006::/48 block, is it? I suppose that's what the error message is saying.
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
OK, maybe I need more coffee, but AAAA:BBBB:0:ffff::22 isn't actually within the AAAA:BBBB:8006::/48 block, is it? I suppose that's what the error message is saying.
I wouldn't expect it to be. Since it's a separate interface, it would be within a different prefix. The same applies to IPv4. As I mentioned, my gateway uses link local addresses, which are certainly not within my prefix.
-
Well, back to square one I guess. I still don't know how to configure this.
The 'gateway' my ISP provided seems to correspond with the 'gateway' stuff in the pfsense UI, that's probably fine.
But what should I put in "Static IPv6 Configuration > IPv6 address"? I've tried:
- AAAA:BBBB:8006::/48
- AAAA:BBBB:8006::1/48
- AAAA:BBBB:8006::/64
- AAAA:BBBB:8006::1/64
Everything results in the "The gateway address AAAA:BBBB:0:ffff::22 does not lie within one of the chosen interface's subnets". What does this message mean exactly?
-
As I mentioned, I've never needed to do a static IPv6 configuration on pfSense, though I have on Cisco. Hopefully someone else here has some ideas.
-
It looks like a transit network. Why don't you use the 'linklet' (Your ISP actually called it that?) as your WAN address, and use one of the /64's out of the /48 for your LAN side?
-
I might be missing the point here, but it seems to me that the config is fairly straightforward, except for the /127 which is a bit unusual...
WAN: Static IPv6 AAAA:BBBB:0:ffff::23/127
IPV6 default gateway: AAAA:BBBB:0:ffff::22
LAN: Static IPv6 AAAA:BBBB:8006:0::1/64 (I'm putting :0 to identify the first subnet but technically not needed). If you are a purist, you can use :1 to indicate VLAN 1, it doesn't matter.
Other OPT Interfaces: AAAA:BBBB:8006:2::1/64, AAAA:BBBB:8006:3::1/64, etc. Each one is a separate /64 subnet.
I'm assuming your ISP has correctly routed AAAA:BBBB:8006::/48 to AAAA:BBBB:0:ffff::23, in which case it should "just work".
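Added example, not part of the original post and not pfSense's own code: a Python sketch of the containment test the error message describes, run against the WAN addresses tried earlier in the thread and against the linknet address, plus the /64s carved from the routed /48. The function names are hypothetical, and it assumes the GUI check is a plain "gateway inside the interface subnet" test.

```python
import ipaddress
from itertools import islice

# Values from the thread; AAAA:BBBB is the poster's anonymization, which still parses as hex.
GATEWAY = "AAAA:BBBB:0:ffff::22"
LINKNET = "AAAA:BBBB:0:ffff::23/127"
ROUTED_PREFIX = "AAAA:BBBB:8006::/48"
# WAN addresses tried earlier in the thread, all rejected by the GUI.
TRIED = [
    "AAAA:BBBB:8006::/48",
    "AAAA:BBBB:8006::1/48",
    "AAAA:BBBB:8006::/64",
    "AAAA:BBBB:8006::1/64",
]


def gateway_on_link(interface_cidr, gateway):
    """True if the gateway falls inside the subnet the interface address defines."""
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def lan_router_addresses(routed_prefix, count):
    """Router address (::1) in each of the first `count` /64s of the routed prefix."""
    net = ipaddress.ip_network(routed_prefix)
    return [f"{sub.network_address + 1}/64"
            for sub in islice(net.subnets(new_prefix=64), count)]


if __name__ == "__main__":
    for cidr in TRIED + [LINKNET]:
        verdict = "on-link" if gateway_on_link(cidr, GATEWAY) else "NOT on-link"
        print(f"WAN {cidr:<28} gateway {GATEWAY}: {verdict}")
    size = ipaddress.ip_interface(LINKNET).network.num_addresses
    print(f"linknet /127 holds {size} addresses")
    print("LAN/OPT candidates:", lan_router_addresses(ROUTED_PREFIX, 3))
```

Only the linknet address puts the gateway on-link; every address taken from the routed /48 fails the test, which matches the error reported above.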
-
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
I might be missing the point here, but it seems to me that the config is fairly straightforward, except for the /127 which is a bit unusual...
WAN: Static IPv6 AAAA:BBBB:0:ffff::23/127
IPV6 default gateway: AAAA:BBBB:0:ffff::22
LAN: Static IPv6 AAAA:BBBB:8006:0::1/64 (I'm putting :0 to identify the first subnet but technically not needed). If you are a purist, you can use :1 to indicate VLAN 1, it doesn't matter.
Other OPT Interfaces: AAAA:BBBB:8006:2::1/64, AAAA:BBBB:8006:3::1/64, etc. Each one is a separate /64 subnet.
I'm assuming your ISP has correctly routed AAAA:BBBB:8006::/48 to AAAA:BBBB:0:ffff::23, in which case it should "just work".
I think they have allocated 2 addresses, but your addresses are /128 each
AAAA:BBBB:0:ffff::23/128 is the pfsense WAN address
AAAA:BBBB:0:ffff::22/128 is the Gateway address.
-
@IsaacFL It would have to be /127 to have the gateway address inside the allocated subnet.
/127 = exactly 2 IP addresses
-
@dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.
Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)
Now I'm off to read about DHCPv6, SLAAC, etc. :)
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
@dotdash not "linklet" (maybe that was a typo?), but they did name things exactly as in my first post.
Thanks all, it does work now, set the way @awebster first suggested. In retrospect, I feel dumb for not trying that "linknet" address for the WAN. :)
Now I'm off to read about DHCPv6, SLAAC, etc. :)
I would suggest looking at:
RFC 8504 IPv6 Node Requirements Best Current Practice 220
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
Well, back to square one I guess.
Drop by when you're in the neighbourhood. Square One is just down the road from me.
-
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
except for the /127 which is a bit unusual
That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.
-
@seanmcb said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
Thanks all, it does work now, set the way @awebster first suggested.
Actually, I suggested it in my first reply to you.
Now I'm off to read about DHCPv6, SLAAC, etc. :)
A good reference is IPv6 Essentials.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
That's entirely normal for a point to point link. You can have 2 devices on it. The IPv4 equivalent is a /31.
Yup, it's just the Internet is a bit undecided about that...
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
Yet others argue that a /64 with only 2 hosts is subject to scanning attack resource over utilisation, but that'd apply to any /64, not just PTP networks.
Further others might argue that the powers that be say everything should be a /64
The point that I find truly staggering is this:
- Each /64 has 18,446,744,073,709,551,616 host addresses
- 2 hosts in a /64 leaves 99.9999999...% unused
- 255 hosts -- a decent sized network -- in a /64 leaves 99.9999999...% unused
- 1,000,000 hosts -- why you'd do that is beyond me -- in a /64 leaves 99.9999999...% unused
- 2^32 hosts --the entire IPv4 Internet as it exists today -- in a single /64 leaves 99.9999999767...% unused
So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Consequently, IMHO there is absolutely no reason not to use /64 for any network allocation.
You just won't run out, no matter how hard you try.
-
@awebster
Actually there is an RFC 6164 Using 127-Bit IPv6 Prefixes on Inter-Router Links that addresses it.
You don't have to depend on a random internet person.
As far as /64 bit boundaries per RFC 4291 IP Version 6 Addressing Architecture it is mandatory for all addresses except those that start with the first 3 bits of 000 are 64 bit boundaries with the exception of RFC 6164.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
Actually, I suggested it in my first reply to you.
Not to be unappreciative (honest!), but I don't see that you did, at least not explicitly enough for my thick head. :)
Thanks all for the reading suggestions too!