• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Problem with 6rd feature and reported prefix

Scheduled Pinned Locked Moved IPv6
1 Posts 1 Posters 319 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    saivert
    last edited by saivert Oct 30, 2022, 1:38 PM Oct 30, 2022, 1:20 PM

    Currently the 6rd feature in PFSense 2.6 reports the prefix length of the WAN interface as the same as the prefix on the wan_stf interface which is actually doing the tunneling.

    For reference are outputs from ifconfig (with obfuscated addresses):

    [2.6.0-RELEASE][admin@saivertrouter.saivert.lan]/var/run: ifconfig wan_stf
wan_stf: flags=4041<UP,RUNNING,LINK2> metric 0 mtu 1480
	inet6 xxxx:xxxx:xxxx:xxxx:: prefixlen 30
	groups: stf
	v4net x.x.x.x/32 -> tv4br y.y.y.y
	nd6 options=101<PERFORMNUD,NO_DAD>

    As you can see the wan_stf interface is setup with a prefix length of 30 which is correct.

    [2.6.0-RELEASE][admin@saivertrouter.saivert.lan]/var/run: ifconfig igb0
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: WAN
	options=8120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
	ether 00:0e:c4:d4:40:15
	inet6 fe80::zzzz:zzzz:zzzz:zzzz%igb0 prefixlen 64 scopeid 0x1
	inet x.x.x.x netmask 0xfffff000 broadcast 255.255.255.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

    As you can see the igb0 (WAN) interface has prefix length of 64 which is correct. There is no public IPv6 assigned to this interface as the IPv6 connection is not actually terminated on this interface which it would be if using native IPv6.

    Yet PFsense pretends that the assigned WAN interface does double duty as IPv6 termination point and thus reports the same prefix as used on the wan_stf interface which is incorrect.

    This also causes problems because now the WAN interface as reported via internal configuration APIs occupies a whole /30 space and you cannot assign the other subnets to other interfaces otherwise you get an error:

    The following input errors were detected:

Address xxxx:xxxx:xxxx:xxxx:: is already configured on this firewall. [ WAN (yyyy:yyyy:yyyy:yyyy::/30) ]

    So I have to run a cron script to assign IPv6 address to my Wireguard interface for now to circumvent this issue.

    I'm not sure how the internal mechanisms work here but it seems tunnel interfaces should be ignored when doing validation of input like this. wan_stf is an implementation detail only and is not actually occupying any address space.

    1 Reply Last reply Reply Quote 0
    1 out of 1
    • First post
      1/1
      Last post
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
      This community forum collects and processes your personal information.
      consent.not_received