Bug #15361

closed

Network and broadcast address input validation is incorrectly applied to IPv6 VIPs

Added by Mathis Cavalli 9 months ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Virtual IP Addresses
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

There is no network address in IPv6, nor broadcasts like IPv4.
When adding / editing an IP alias and putting there an address like fd00::/64, it shows the following error: "The network address cannot be used for this VIP"
It happened on my pfSense+ box, but it seems the CE 2.7.2 is also affected.


Files

Screenshot_1.png (61.2 KB), Mathis Cavalli, 03/25/2024 09:12 AM
clipboard-202404031423-s3n4d.png (40.2 KB), Danilo Zrenjanin, 04/03/2024 12:23 PM

Actions #1

Updated by Chris W 9 months ago

What's the end goal you're looking for here?

An IP alias should take a single address you want to add to a specific interface. If instead you need to alias an entire network space for use with NAT or firewall rules, that's done in Firewall > Alias (change Type from host to network).

Actions #2

Updated by Mathis Cavalli 9 months ago

I need to add a secondary IPv6 address (fd00:0:0:1::/64) on my tun_wg0 interface, and it works using the VIPs.
If I put fd00:0:0:1::/128 there, all the /64 subnet isn't routed to this interface, which is what I need.
Is there another way to add additional IP addresses on an interface?

Actions #3

Updated by Kris Phillips 9 months ago

In IPv6 there is a prefix ID followed by an interface, which replaces the network ID in IPv6. Assigning the prefix ID to an interface is not valid. You should choose a single address in this prefix for IP Aliases, so you should assign the ::1 or another address from the /64.

Actions #4

Updated by Jim Pingle 9 months ago

Kris Phillips wrote in #note-3:

In IPv6 there is a prefix ID followed by an interface, which replaces the network ID in IPv6. Assigning the prefix ID to an interface is not valid. You should choose a single address in this prefix for IP Aliases, so you should assign the ::1 or another address from the /64.

This is not true for IPv6. There is nothing special about the prefix ID address like there is in IPv4. In IPv6 every address in the prefix is usable, including the all zeroes and all ones addresses.
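
The rule described in the comment above, as an added example that is not part of the ticket and is not pfSense's own code: a validator that applies the network/broadcast restriction to IPv4 only and accepts every address in an IPv6 prefix. The function name `vip_address_error`, the broadcast message wording and the sample addresses are assumptions made for illustration, and the /31 and /32 handling goes beyond what the ticket discusses.

```python
import ipaddress

# NETWORK_ERR is the message quoted in the ticket; BROADCAST_ERR is constructed.
NETWORK_ERR = "The network address cannot be used for this VIP"
BROADCAST_ERR = "The broadcast address cannot be used for this VIP"


def vip_address_error(address, prefix_len):
    """Return an error message if address/prefix_len is unusable as a VIP, else None.

    Hypothetical helper, not a pfSense function.
    """
    try:
        iface = ipaddress.ip_interface(f"{address}/{prefix_len}")
    except ValueError:
        return "Invalid address or prefix length"

    # IPv6 has no broadcast address and no reserved network address:
    # every address in the prefix, including all-zeroes and all-ones, is usable.
    if iface.version == 6:
        return None

    net = iface.network
    # Assumption beyond the ticket: /31 (RFC 3021) and /32 have no
    # network or broadcast address to reserve.
    if net.prefixlen >= 31:
        return None

    # Compare parsed addresses, not strings, so textual variants of the
    # same address (fd00:: and fd00::0) are treated identically.
    if iface.ip == net.network_address:
        return NETWORK_ERR
    if iface.ip == net.broadcast_address:
        return BROADCAST_ERR
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for addr, bits in [("fd00::", 64), ("fd00::0", 64), ("192.0.2.0", 24),
                       ("192.0.2.255", 24), ("192.0.2.1", 24), ("192.0.2.0", 31)]:
        print(f"{addr}/{bits}: {vip_address_error(addr, bits) or 'accepted'}")
```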

Actions #5

Updated by Danilo Zrenjanin 9 months ago

Tested against:

23.09.1-RELEASE (amd64)
built on Wed Dec 6 20:22:00 UTC 2023
FreeBSD 14.0-CURRENT

I can confirm that it is not possible to define a network address fd00::/64 in the IPv6 space for the VIP alias. An error message stating "The network address cannot be used for this VIP" is displayed.

However, it allowed me to save the VIP when I defined the same network address using 0 at the end.

Actions #6

Updated by Danilo Zrenjanin 5 months ago

I've tested and got the same results in:

24.03-RELEASE (amd64)
built on Wed Apr 24 17:38:00 UTC 2024
FreeBSD 15.0-CURRENT

and

24.08-DEVELOPMENT (amd64)
built on Sat Jul 13 0:50:00 UTC 2024
FreeBSD 15.0-CURRENT
Actions #7

Updated by Marcos M 5 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by Marcos M 5 months ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from Error in virtual IP aliases when using IPv6 "network" / "broadcast" addresses to Network and broadcast address input validation is applied to IPv6
  • Category changed from Virtual IP Addresses to Virtual IP Addresses
  • Assignee set to Marcos M
  • Target version set to 2.8.0
  • Affected Plus Version deleted (23.09.1)
  • Plus Target Version set to 24.08
Actions #9

Updated by Danilo Zrenjanin 5 months ago

  • Status changed from Feedback to Resolved

Tested against:

24.08-DEVELOPMENT (amd64)
built on Thu Jul 18 6:00:00 UTC 2024
FreeBSD 15.0-CURRENT

It works as expected. I am marking this ticket as resolved.

Actions #10

Updated by Jim Pingle 3 months ago

  • Subject changed from Network and broadcast address input validation is applied to IPv6 to Network and broadcast address input validation is incorrectly applied to IPv6
Actions #11

Updated by Jim Pingle 3 months ago

  • Subject changed from Network and broadcast address input validation is incorrectly applied to IPv6 to Network and broadcast address input validation is incorrectly applied to IPv6 VIPs
Actions #12

Updated by Jim Pingle 2 months ago

  • Plus Target Version changed from 24.08 to 24.11