[Solved] ipv6 gateway address does not lie within subnets

Started by aringking, May 04, 2021, 07:01:04 AM

OPNsense 21.1.5-amd64
FreeBSD 12.1-RELEASE-p16-HBSD
OpenSSL 1.1.1k 25 Mar 2021

setting up opnsense in the cloud, i have both static ipv4 and ipv6 addresses.

interfaces/wan
static ipv4
static ipv6
ipv4 upstream gateway is set to provided ipv4 gateway address
ipv6 upstream gateway is set to auto-detect

ping6 udp connect no route to host

system/routes/status
there is no default gateway for ipv6

i tried adding a gateway in system/gateways/single with the provided ipv6 gateway address with checks on upstream gateway and far gateway.

the error message is:
the gateway address does not lie within one of the chosen interface's ipv6 subnets.

what did i miss or do wrong?

thanks

Impossible to tell without you telling us your configured static IPv6 address and prefix length and your gateway address that you are trying to configure.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

For static IPv6 interfaces, dynamic configuration of the upstream gateway address is not supported. Might be worth a feature request.

When configuring the gateway statically, you should use its link-local address. If your hoster only provides you with the gateway's GUA, you might be able to find out the link-local address by temporarily switching the interface to SLAAC and checking the routing table (or do a packet capture and look for Router Advertisements).

If you really have to use the gateway's GUA and it is not in the WAN subnet, the only workaround that comes to mind is expanding the WAN subnet. "Far Gateway" is indeed not supported for IPv6 gateways.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

You can just extend the subnet on the WAN side until the gateway is included. It doesn't have side effects as far as we know.


Cheers,
Franco

Extending to a /64 or so, okay. But if you'd have to go all the way to a /40 or so (yes, I've encountered that), probably not a good idea. You might lose access to neighbouring subnets. Which could probably be worked around by route-to $gateway or static routes, but that seems all a bit hackish. I'd only consider this if link-local is not possible for some reason.

Cheers

Maurice

Quote from: Maurice on May 04, 2021, 11:11:55 PM
Extending to a /64 or so, okay.
Of course. My first suspicion was that the OP might have configured a longer prefix than /64 ...

the opnsense ipv6 mask was set to /128.

so i changed it to /64 and it's ok now.

thanks for all the mindshare. :)
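
The subnet check discussed in this thread, as an added example that is not part of any post and is not OPNsense's own code: it tests whether a static IPv6 gateway lies within the interface's subnet and, if not, computes the longest prefix length that would include it. The function names and verdict strings are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation range, and treating /64 as the threshold for a risky extension follows the caution given in the replies.

```python
import ipaddress

def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()

def check_gateway(iface_cidr, gateway):
    """Return (verdict, prefix_len) for a static IPv6 gateway.

    iface_cidr is the interface address with its prefix length,
    e.g. "2001:db8:1:2::10/128". For an "extend-*" verdict, prefix_len
    is the longest prefix that still contains the gateway; any shorter
    prefix (such as /64) works as well.
    """
    iface = ipaddress.IPv6Interface(iface_cidr)
    gw = ipaddress.IPv6Address(gateway)
    if gw.is_link_local:
        # fe80::/10 is on-link on every interface, no subnet match needed
        return ("ok-link-local", iface.network.prefixlen)
    if gw in iface.network:
        return ("ok-in-subnet", iface.network.prefixlen)
    needed = common_prefix_len(iface.ip, gw)
    # Shorter than /64 swallows neighbouring subnets into the WAN "on-link" range
    verdict = "extend-prefix" if needed >= 64 else "extend-risky"
    return (verdict, needed)

if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread
    samples = [
        ("2001:db8:1:2::10/128", "2001:db8:1:2::1"),  # /128 mask, gateway in same /64
        ("2001:db8:1:2::10/64", "2001:db8:1:2::1"),   # corrected to /64
        ("2001:db8:1:2::10/64", "2001:db8:ff::1"),    # gateway far outside the /64
        ("2001:db8:1:2::10/128", "fe80::1"),          # link-local gateway
    ]
    for iface_cidr, gw in samples:
        print(iface_cidr, gw, check_gateway(iface_cidr, gw))
```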