Bug #15361
closed
Network and broadcast address input validation is incorrectly applied to IPv6 VIPs
100%
Description
There is no network address in IPv6, nor broadcasts like IPv4.
When adding / editing an IP alias and putting there an address like fd00::/64 it shows the following error: "The network address cannot be used for this VIP"
It happened on my pfSense+ box but it seems the CE 2.7.2 is also affected.
Updated by Chris W 8 months ago
What's the end goal you're looking for here?
An IP alias should take a single address you want to add to a specific interface. If instead you need to alias an entire network space for use with NAT or firewall rules, that's done in Firewall > Alias (change Type from host to network).
Updated by Mathis Cavalli 8 months ago
I need to add a secondary IPv6 address (fd00:0:0:1::/64) on my tun_wg0 interface and it works using the VIPs.
If I put fd00:0:0:1::/128 there, all the /64 subnet isn't routed to this interface, which is what I need.
Is there another way to add additional IP addresses on an interface?
Updated by Kris Phillips 8 months ago
In IPv6 there is a prefix ID followed by an interface, which replaces the network ID in IPv6. Assigning the prefix ID to an interface is not valid. You should choose a single address in this prefix for IP Aliases, so you should assign the ::1 or another address from the /64.
Updated by Jim Pingle 8 months ago
Kris Phillips wrote in #note-3:
In IPv6 there is a prefix ID followed by an interface, which replaces the network ID in IPv6. Assigning the prefix ID to an interface is not valid. You should choose a single address in this prefix for IP Aliases, so you should assign the ::1 or another address from the /64.
This is not true for IPv6. There is nothing special about the prefix ID address like there is in IPv4. In IPv6 every address in the prefix is usable, including the all zeroes and all ones addresses.
Updated by Danilo Zrenjanin 8 months ago
- File clipboard-202404031423-s3n4d.png added
- Status changed from New to Confirmed
Tested against:
23.09.1-RELEASE (amd64) built on Wed Dec 6 20:22:00 UTC 2023 FreeBSD 14.0-CURRENT
I can confirm that it is not possible to define a network address fd00::/64 in the IPv6 space for the VIP alias. An error message stating "The network address cannot be used for this VIP" is displayed.
However, it allowed me to save the VIP when I defined the same network address using 0 at the end.
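An added example (not pfSense's code and not written by anyone in this thread): the validation rule discussed above, in Python, applying the network/broadcast rejection to IPv4 only and parsing the input so that equivalent spellings such as fd00:: and fd00::0 are treated alike. The function name, the broadcast and invalid-input messages, and the /31 and /32 exemption are assumptions made for the example.

```python
import ipaddress

# Message quoted in the report above.
NETWORK_ERR = "The network address cannot be used for this VIP"
# Constructed wording for this example; the thread does not quote it.
BROADCAST_ERR = "The broadcast address cannot be used for this VIP"
INVALID_ERR = "A valid IP address and prefix length must be specified"


def vip_input_error(cidr):
    """Return an error string for an IP alias given as address/prefix, or None if usable."""
    try:
        iface = ipaddress.ip_interface(cidr.strip())
    except ValueError:
        return INVALID_ERR
    if iface.version == 6:
        # IPv6 has no network or broadcast address: every address in the
        # prefix, including all-zeroes and all-ones host bits, is usable.
        return None
    net = iface.network
    if net.prefixlen >= 31:
        # Assumption: /31 point-to-point links (RFC 3021) and /32 host
        # entries reserve nothing, so the IPv4 rule is skipped for them.
        return None
    if iface.ip == net.network_address:
        return NETWORK_ERR
    if iface.ip == net.broadcast_address:
        return BROADCAST_ERR
    return None


# Constructed sample inputs, including the addresses mentioned in the thread.
SAMPLES = [
    "fd00::/64", "fd00::0/64", "fd00:0:0:1::/64",
    "fd00::ffff:ffff:ffff:ffff/64",
    "192.168.1.0/24", "192.168.1.255/24", "192.168.1.10/24",
    "192.168.1.0/31", "not-an-address/64",
]


def check_samples():
    """Map each sample to its validation result."""
    return {s: vip_input_error(s) for s in SAMPLES}


if __name__ == "__main__":
    for sample, err in check_samples().items():
        print(f"{sample:32} {'OK' if err is None else 'REJECTED: ' + err}")
```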
Updated by Danilo Zrenjanin 4 months ago
I've tested and got the same results in the:
24.03-RELEASE (amd64) built on Wed Apr 24 17:38:00 UTC 2024 FreeBSD 15.0-CURRENT
and
24.08-DEVELOPMENT (amd64) built on Sat Jul 13 0:50:00 UTC 2024 FreeBSD 15.0-CURRENT
Updated by Marcos M 4 months ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset pfsense:e48574e28f90b56fb08506c02da7d1e860e69b31.
Updated by Marcos M 4 months ago
- Project changed from pfSense Plus to pfSense
- Subject changed from Error in virtual IP aliases when using IPv6 "network" / "broadcast" addresses to Network and broadcast address input validation is applied to IPv6
- Category changed from Virtual IP Addresses to Virtual IP Addresses
- Assignee set to Marcos M
- Target version set to 2.8.0
- Affected Plus Version deleted (23.09.1)
- Plus Target Version set to 24.08
Updated by Danilo Zrenjanin 4 months ago
- Status changed from Feedback to Resolved
Tested against:
24.08-DEVELOPMENT (amd64) built on Thu Jul 18 6:00:00 UTC 2024 FreeBSD 15.0-CURRENT
It works as expected. I am marking this ticket as resolved.
Updated by Jim Pingle about 2 months ago
- Subject changed from Network and broadcast address input validation is applied to IPv6 to Network and broadcast address input validation is incorrectly applied to IPv6
Updated by Jim Pingle about 2 months ago
- Subject changed from Network and broadcast address input validation is incorrectly applied to IPv6 to Network and broadcast address input validation is incorrectly applied to IPv6 VIPs
Updated by Jim Pingle about 1 month ago
- Plus Target Version changed from 24.08 to 24.11