Network Address Parameter verification failed. (400)

millerwissen

New Member
Feb 21, 2024
Hello Everyone!

I've been trying Proxmox recently on a server and I'm having a rather unusual problem with the web management interface.

I created a 'Linux Bridge' to have an internal switch (similar to what I'm used to in Hyper-V) and I want to assign a local IPv4 and IPv6 to that interface that will be routed through a complex internal VPN network that has dual-stack internal IPs.

If I try to set up a 10.0.0.x IP address alone, it will accept it just fine, but whenever I try to set up a local IPv6 I get this error:

Parameter verification failed. (400)

address: fc:99::a:1:1 with type 'RESERVED', cannot be used as host IPv6 address

This makes no sense to me, as it stops me from using a local IPv6 range, but that's the entire point of it.

Is there any way to override this behaviour or is this a bug to be reported?
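
How the addresses quoted in this thread expand and which block of the IPv6 address space each one falls in, as an added example that is not part of the original posts. It uses Python's standard `ipaddress` module as a stand-in for the Net::IP classification behind the Proxmox error (an assumption; the two tables may differ in detail), and `fd99::a:1:1` is a constructed value added for contrast.

```python
import ipaddress

# Blocks from the IANA IPv6 address space registry.
ULA = ipaddress.ip_network("fc00::/7")            # unique local, RFC 4193
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify(text):
    """Return (fully expanded address, address class) for 'addr' or 'addr/len'."""
    addr = ipaddress.ip_interface(text).ip
    if addr.version != 6:
        raise ValueError(f"{text} is not an IPv6 address")
    if addr in ULA:
        kind = "unique-local"
    elif addr in LINK_LOCAL:
        kind = "link-local"
    elif addr in GLOBAL_UNICAST:
        kind = "global-unicast"
    elif addr.is_multicast:
        kind = "multicast"
    elif addr.is_reserved:      # stdlib table of IETF-reserved blocks
        kind = "reserved"
    else:
        kind = "other"
    return addr.exploded, kind


# Addresses quoted in the thread, plus one constructed ULA value for contrast.
SAMPLES = [
    "fc:99::a:1:1",     # from the error message
    "f5::3:1/64",       # from the nano + GUI trick
    "21f5::3:1/64",     # the form the GUI accepts in that trick
    "f117::/64",        # from the second script's final message
    "fd99::a:1:1",      # constructed: an address inside fc00::/7
]


def report(samples=SAMPLES):
    """Classify every sample and return (input, expanded, class) tuples."""
    return [(s, *classify(s)) for s in samples]


if __name__ == "__main__":
    for text, full, kind in report():
        print(f"{text:<16} {full}  {kind}")
```

Each group is zero-padded on the left, so `fc:99::` expands to `00fc:0099::` and sits in `::/8`, not in `fc00::/7`.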
 
I forgot to update here, but basically, if you use NAT66 or internal IPv6, it's simply a part of the code in /usr/share/perl5/PVE/API2/Network.pm that does that check. You have 2 options. Obviously, you can edit /etc/network/interfaces manually to bypass it, but it may not be as convenient as using the GUI.

So here's a script that basically kills that function altogether for Proxmox VE 8.3, but keep in mind this may be changed in future updates and the file can be overwritten, so either adapt the script as needed or hopefully the devs that be will finally understand some people don't want to use public IPv6 on their hypervisors. And remember to use the code with caution; don't brick a live production server please :)

One more trick you can also do, if you don't want to use the script, is a mix of nano + GUI: just add your internal IP such as f5::3:1/64 as 21f5::3:1/64, then save and manually edit the file to remove the 21, but it's quicker than typing the whole thing for every interface and bridge, etc.

Code:
Copy the following to a server using ssh:

nano fix-ipv6.sh
=============================================================================================
#!/bin/bash

# IPv6 Fix Script for Proxmox
set -e

# File Paths
TARGET_FILE="/usr/share/perl5/PVE/API2/Network.pm"
BACKUP_FILE="${TARGET_FILE}.bak"

# Validate the existence of the target file
if [ ! -f "$TARGET_FILE" ]; then
    echo "Error: Target file $TARGET_FILE does not exist."
    exit 1
fi

# Create a backup if it doesn't already exist
if [ ! -f "$BACKUP_FILE" ]; then
    echo "Creating a backup of the original file..."
    cp "$TARGET_FILE" "$BACKUP_FILE"
    echo "Backup created at $BACKUP_FILE"
else
    echo "Backup already exists at $BACKUP_FILE"
fi

# Locate and modify the IPv6 validation logic
echo "Patching IPv6 validation logic to allow RESERVED addresses..."
awk '
/my \$check_ipv6_settings = sub {/ { inside_function = 1; print; next }
/^\};$/ && inside_function { inside_function = 0; print; next }
inside_function && /if \(defined\(\$type\)/ {
    print "    # Allow RESERVED IPv6 addresses explicitly";
    print "    if (defined($type) && $type eq \"RESERVED\") { return; }";
    print; next;
}
{ print }
' "$TARGET_FILE" > "${TARGET_FILE}.tmp" && mv "${TARGET_FILE}.tmp" "$TARGET_FILE"

# Validate the patched file
echo "Validating syntax of the patched file..."
if ! perl -c "$TARGET_FILE"; then
    echo "Syntax error detected in $TARGET_FILE. Restoring the backup."
    cp "$BACKUP_FILE" "$TARGET_FILE"
    exit 1
fi

# Restart Proxmox services
echo "Restarting Proxmox services..."
systemctl restart pveproxy || { echo "Failed to restart pveproxy. Check logs for details."; exit 1; }
systemctl restart pvedaemon || { echo "Failed to restart pvedaemon. Check logs for details."; exit 1; }

echo "IPv6 validation patch applied successfully!"


=============================================================================================
Save

bash fix-ipv6.sh
 

Sorry everyone, I've been busy, but here's the new updated code. This really shouldn't be happening, and I can only hope the Proxmox devs will stop doing this, because it is irritating and people will go out of their way to stop nonsense like this, and this is how you start conflicts in the world.

Also, for people more interested in local IPv6 and NAT66, please read this: https://forum.opnsense.org/index.php?topic=47644.0 on the OPNsense forums.

As always

nano fix-ipv6-8.4.14.sh

(paste the contents inside the file) and run with:

bash fix-ipv6-8.4.14.sh

Code:
#!/bin/bash
# Proxmox 8.4.14: bypass IPv6 "type" gating in GUI (allow all syntactically valid IPv6)
# Reluctantly made by Miller Wissen with AI help and syntax check
# Keeps only basic IPv6 syntax and 0..128 mask checks in $check_ipv6_settings
# This should not exist to begin with, it's ridiculous users have to do this and devs waste their time blocking people who use internal f000::/4 ULA and non-ULA GUA NAT66/Local IPv6
# To whoever cares stop doing this or the Proxmox project will end up being forked to address these very problems you keep introducing for no reason if your paying
# customers want this nonsense for whatever reason then let this be an option somewhere and not the default either, this is a perfectly valid use case even for Enterprise customers.
# STOP TELLING PEOPLE HOW THEY'RE ALLOWED TO USE THEIR fking SERVERS WITH OPEN SOURCE SOFTWARE AND FOCUS ON FIXING BUGS AND OPTIMISING VIRTUALISATION INSTEAD
# Sadly this may not work in future versions of proxmox so if it doesn't come back to the forum and eventually i'll post a follow up or a link to the new Fork..
# Last Update: 11 Oct 2025

set -euo pipefail

TARGET="/usr/share/perl5/PVE/API2/Network.pm"
BACKUP="${TARGET}.bak"

[ -f "$TARGET" ] || { echo "ERR: $TARGET not found"; exit 1; }

# One-time backup
if [ ! -f "$BACKUP" ]; then
  cp -a "$TARGET" "$BACKUP"
  echo "Backup: $BACKUP"
else
  echo "Backup already exists: $BACKUP"
fi

# Skip if already patched
if grep -q 'bypass type gating (Proxmox)' "$TARGET"; then
  echo "Already patched; nothing to do."
  exit 0
fi

# Ensure we start from a known-good baseline (in case of previous failed edits)
if ! grep -q 'my \$check_ipv6_settings = sub' "$TARGET"; then
  echo "Unexpected file contents; restoring backup for safety."
  cp -a "$BACKUP" "$TARGET"
fi

# Insert early return between the syntax check and the first use of $binip.
# We DO NOT remove 'my $binip = ...', we only add a return before it.
perl -0777 -pe '
  my $ok = 0;
  $ok ||= s{
    (raise_param_exc\(\{\s*address\s*=>\s*"\$address\s+is\s+not\s+a\s+valid\s+host\s+IPv6\s+address\."\s*\}\)\s*\n\s*if\s*!Net::IP::ip_is_ipv6\(\$address\);\s*\n)
    (\s*my\s+\$binip\s*=\s*ipv6_tobin\(\$address\)\s*;)
  }{$1    return; # bypass type gating (Proxmox)\n$2}xms;

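  # Fallback: if the exact context changed, insert before first my $binip line.
  # Needs /x like the pattern above (the pattern is laid out over several lines),
  # and \$ in the replacement so the dollar signs are emitted literally rather
  # than interpolated as (empty) variables of this one-liner.
  $ok ||= s{
    (\n\s*)my\s+\$binip\s*=\s*ipv6_tobin\(\$address\)\s*;
  }{$1return; # bypass type gating (Proxmox)\n$1my \$binip = ipv6_tobin(\$address);\n}xms;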

  $ok or die "Patch marker not found; aborting without changes.\n";
' "$TARGET" > "${TARGET}.tmp"

mv "${TARGET}.tmp" "$TARGET"
echo "Patch inserted."

# Verify syntax
perl -c "$TARGET" >/dev/null || { echo "Perl syntax failed; restoring backup."; cp -a "$BACKUP" "$TARGET"; perl -c "$TARGET" || true; exit 1; }
echo "Perl syntax OK."

# Restart GUI daemons
systemctl restart pveproxy
systemctl restart pvedaemon
echo "Done. GUI now accepts any syntactically valid IPv6 (including f000::/4, e.g. f117::/64 f35::/64 etc ...)."
 
