GUI Invalid IPv6 address

[millerwissen]

So I am new to the forum but not to OPNSense/pfSense/m0n0wall etc i'm old enough to remember even that.

My usual deployment for IPv6 for security reasons and having full control is an internal /64 for the LAN properly routed with NAT66 such as:

f999:1:2:3::/64

NAT66 works fine with OPNsense, I've used in many locations without issues just like pfSense.

But in this particular machine is on hetzner which specifically wants a link local gateway for my IPv6 WAN (public ip + link local as gateway) which is fine on pfsense and freebsd in general, all you do is add the link local + scope, for this vm would be: fe80::1%vtnet0 a perfectly valid IPv6 and supported by FreeBSD in this manner.

So why does the GUI persist on giving me this error:

"Dynamic gateway values cannot be specified for interfaces with a static IPv6 configuration.
Invalid IPv6 address"

I have another machine on this same system running another gateway on pfsense and it takes the link local + scope via GUI without issues I would like to migrate to OPNsense but it seems to be 'checking' IPv6s and I really don't want it to do that I just want to disable any IPv6 checks and let me design my network as I please without having to login to SSH and hard force it to work because of some web verification script logic.

[Monviech (Cedrik)]

Shouldn't it work with just the link local address as gateway (aka no scope)?

[millerwissen]

Shouldn't it work with just the link local address as gateway (aka no scope)?

I only tested with a quick ping6 to google.com it does seem to be active yes but what doesn't make sense to me is that it outright refuses to take the scope along with the IPv6, now if is taking into account the fact that I picked the interface at the top which it applies to and automatically adds the scope then it's just me not being familiar with OPNsense but it's specifically saying 'invalid' and not 'no scope needed' and I can't seem to find any information about that anywhere.

Though if I add another gateway that is also fe80::1 to another interface then it would probably reject because the ip address already exists?

[Monviech (Cedrik)]

I think since you select interface (=scope), each fe80:: entry should be unique if its on a different interface as gateway.

[Patrick M. Hausen]

Shouldn't it work with just the link local address as gateway (aka no scope)?

Link local addresses always need a scope. How should the system tell which link it is local to without?

In the OPNsense UI on the other hand you just set the gateway LL address without the scope and OPNsense will add it according to the interface you assigned the gateway to. If you look at the routing table afterwards you will see that the scope is present. Just don't put it in the gateway address field. The interface selection takes care of that.

[franco]

I don't understand the original report:

You set something somewhere and then you get "Dynamic gateway values cannot be specified for interfaces with a static IPv6 configuration. Invalid IPv6 address" which suggests you haven't filled out the the gateway address to use for your static IPv6 setup. If you don't use SLAAC where should the gateway/router come from?


Cheers,
Franco

[millerwissen]

This is trying to create a gateway so you can then assign to the connection, yes it does 'just work' with fe80::1 but without a scope it is not clear how it is deciding what interface that belongs to i could be using multiple WANs all of which will have fe80::1 as a gateway but different subnets, scope is crucial.

Also this isn't supposed to be the first gateway, there is another machine that is the 'main' one already providing SLAAC and a separate dedicated DHCPv6 servers fully redundant, this is for a network comprised of multiple gateways some of which are static ip only nothing dynamically assigned, only the main one is dynamically assigning addresses to clients, and it's WAN is set manually and traffic is routed manually everything manual here.

A local machine can then route through different external connections this way you can have vm777 accessible through WAN A B C D E etc, route through a remote vpn with static routes and none at all which serves many purposes beyond the scope of this thread.

I don't understand the original report:

You set something somewhere and then you get "Dynamic gateway values cannot be specified for interfaces with a static IPv6 configuration. Invalid IPv6 address" which suggests you haven't filled out the the gateway address to use for your static IPv6 setup. If you don't use SLAAC where should the gateway/router come from?


Cheers,
Franco

[millerwissen]

This is exactly what I needed to know, I just assumed it was a bug, I think you should, as a suggestion, possibly add a message reminding the scope is based on the interface at the top or just allow people to add the scope as a 'peace of mind' and it changes the interface automatically in case the scope doesn't match or throws an error saying interface mismatches.

Thanks for the message :)

Shouldn't it work with just the link local address as gateway (aka no scope)?

Link local addresses always need a scope. How should the system tell which link it is local to without?

In the OPNsense UI on the other hand you just set the gateway LL address without the scope and OPNsense will add it according to the interface you assigned the gateway to. If you look at the routing table afterwards you will see that the scope is present. Just don't put it in the gateway address field. The interface selection takes care of that.