IPv6

IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment

bfisher — Fri, 24 Apr 2026 21:12:02 GMT

@JKnott said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment: Why not give them global addresses? It's not as though there was a shortage of addresses, as there was on IPv4. When using SLAAC, it seems that you either need to accept that your machines will use Temporary (Private) addresses for all outbound connections (effectively making it impossible to target a specific device) or you need to disable Privacy Extensions on each device you want to target, enabling that device to be tracked across the internet. Neither option seems great to me. I might be able to use Managed instead of SLAAC, but I think that this still enables tracking of a device across the internet (correct me if I'm wrong). It seems to me that the best of both worlds would be to use SLAAC and Privacy Extensions (Temporary Addresses) for GUA (which will be prioritized for outbound connections destined for the internet) while using Managed for ULA (which will be prioritized for local traffic and enable targeting of specific devices).

Toob (UK) IPV6 NDP Table Issues

Rewels — Fri, 24 Apr 2026 08:46:18 GMT

@Gertjan said in Toob (UK) IPV6 NDP Table Issues: Don't tell me you are still using "Unbound mode" ^^ Thanks for pointing this out, to be honest I had no idea as this was set by default when installing the add-on devel version too. I have since changed this and that has resolved that issue thank you. @Gertjan said in Toob (UK) IPV6 NDP Table Issues: Btw : not using DHCPv6 servers at all for your pfSense LAN(s), and rely on SLAAC if you use Android devices. We have a few android devices in the house so SLAAC is the best option. I believe I may have found the culprit now as I have now reverted all the settings I listed above. Currently using the ISP router in Bridge Mode to provide WiFi in the house whilst I sort out my UniFi shopping list (not long moved in). If I connect a Windows Laptop directly to the PFSense Firewall I get an IPv6 address instantly which is expected and subsequently if I disconnect and reconnect the cable I get another address instantly. I believe the Router running in Bridge mode is blocking ICMP6 Router Advertisement and Router Solicitation packets (even though there are no settings available on the Web UI in Bridge Mode and it suggests that all items have been disabled relating to Security. I was able to prove this by running a Packet Capture on the PFSense Firewall for ICMP6. Otherwise the only other way I was able to get this to work via the Bridge Mode router is to wait for the Interval timeout or to restart Router Advertisements Service in PFSense for it to force issue IPs. Didn't think it could be that purely cause IPv6 was working on that unit when it was the active Router and assumed Bridge Mode would work, clearly not the case. Thanks for all your help :) Maybe I will look into DHCPv6 in the future but for now SLAAC will do.

IPv6 Address

jdhutchin — Mon, 20 Apr 2026 01:51:20 GMT

I found my problem- I had an outbound NAT rule that applied to both IPv6 and IPv6 that was rewriting the source of UDP packets to the WAN address (not the link local address) [image: 1776748520552-efc1ad6d-3b8d-4b6b-8976-b92b583dbd9c-image.png] When the ISP saw the packets from the GUA they were ignored- these are supposed to come from link-local. I guess the initial request went through because there was no WAN address for them to be rewritten to. Updating this rule to only affect ipv4 seems to have fixed my issue- I will have to wait a few hours to tell for sure but I see replies in packet captures. WAN firewall allows ipv4+ipv6 UDP port 546, 547 MAC address on WAN is set to the address on the ATT gateway "Do not allow PD/Address release" is unchecked. "Prefer IPv4 over IPv6" is checked I found this by comparing packets from my primary ISP and my backup ISP- primary: 5 28.595589 2001:XYZ::1 ff02::1:2 DHCPv6 156 Renew XID: 0x1ff509 CID: 0001000131609bcc0cc47a6cef34 IAA: 2001:XYZ:::::1 I eventually did a packet capture on my failover wan and saw these renew packets that did get a response: 1 0.000000 fe80::ec4:7aff:fe6c:ef36 ff02::1:2 DHCPv6 130 Solicit XID: 0xd90503 CID: 0001000131609bcc0cc47a6cef34 Note these are coming from the link-local address instead of the GUA (2001::.XYZ)- this was the clue I needed to figure out the problem.

MSS has to be set manually for IPv6 to work correctly with PPPoE

IonutIT — Sat, 21 Mar 2026 13:34:14 GMT

@chrcoluk said in MSS has to be set manually for IPv6 to work correctly with PPPoE: Just to confirm, you are saying when you set MTU to 1500, IPv6 can not deliver unfragmented 1500 byte packets? Yup. I can send 1500 bytes over IPv4 no issue, but can't send more than 1492 bytes over IPv6. Tried contacting my ISP, just got a Level 1 boilerplate answer "It's a feature that will be implemented at some point".

NAT64 and UDP-with-zero-checksum

IonutIT — Tue, 03 Mar 2026 10:48:54 GMT

@Napsterbater Yeah, considering I'm stuck and even though it seems that pfSense does pass the zero-checksum packet, VoWiFi still does not work, which makes me thing you might be right and it's HOW it passes it. So far I can't get it to work when using pfSense NAT64 setup...

Help needed - ISP configuration IPv6 DS-Lite

ijobs — Sun, 01 Mar 2026 12:07:16 GMT

Hi folks,

my new ISP uses the below interface details.
What are the right configuration steps in pfsense 2.8.1. ?
Especially for ipv4 connectivity.
I read different messages about Option Code 64 , AFTR and GIF tunnel.

Thanks in advance

Interface details:
• VLAN ID: 10
• PPPoE
• Authentication via PAP/CHAP

• TCP/IP with IPv6 DS-Lite with the following parameters:

• IPv6 Configuration: SLAAC according to RFC 4862
• IPv6 Assignment: DHCPv6 according to RFC 3315
• DHCPv6 Option: DHCPv6 IAPD (DHCPv6 Identity Association for Prefix Delegation) according to RFC 3633
• AFTR: via DHCP Option Code 64

Netflix and HE tunnel broker

Gertjan — Sat, 28 Feb 2026 04:14:30 GMT

@johnpoz said in Netflix and HE tunnel broker: No gua, no ula - not even a link-local, so why and the F would it ask for AAAA for?? Lazy freaking programing if you ask me. Good question. If there are no local IPv6 interfaces to talk to, I'm curious what the advantage is knowing that an AAAA exists for a host that will be contacted over A anyway. I've a possible reason in front of me, the one and only Firefix plugin I use : [image: 1773127237304-4cc14808-f093-4491-9b04-2d62263ab906-image.png] edit : the plugin is he.net powered. It shows me for every web site I visit what I'm using : A or AAAA, and it also shows what other sites are visited when the page was retrieved. [image: 1773127312570-36fdb069-8ff7-4888-a2ce-c2c8e65d6013-image.png] I can image that when this Firefox plugin is used, these AAAA requests are made. But if it isn't used ? @SteveITS said in Netflix and HE tunnel broker: Edit: also FWIW we found HE tunnels were rate limited. I mean they are free, so hard to complain, but bandwidth was about 1/3 of our IPv4 connection speed. Because the POPs have cost involved Some of them are marked as "can't add any new clients anymore" == they are 'full'. If they would throw hardware on it, tunnel.he.net would become a real, free VPN alternative **, which would need even more hardware. ** he.net uses a tunnel = IPv6 packets are encapsulated into a IPv4 packets = the GIF protocol, which is, afaik, not encrypted. Not a big deal as all traffic is TLS already anyway.

Gif interface question

JonathanLee — Sun, 08 Feb 2026 02:12:55 GMT

Hello fellow Netgate community member can you please help?

Should we add a firewall rule to allow IPv6 ICMP traffic from the GIF interface for the Hurricane Electric Tunnel Broker? This would include ICMPv6 types such as Echo Request/Reply, Neighbor Solicitation/Advertisement, Router Solicitation/Advertisement, Parameter Problem, Time Exceeded, Packet Too Big, and Destination Unreachable.

Chicken-Egg: Disabled VLAN Interface Impedes Disabling Router Advertisements

tinfoilmatt — Sat, 07 Feb 2026 23:44:46 GMT

@Mission-Ghost If we're asking the important questions, why use a packet filter to transport Ethernet frames?

IPV6 Custon Rules Snort and HE tunnel broker

tinfoilmatt — Fri, 06 Feb 2026 23:34:25 GMT

@JonathanLee Interesting. What we're living through now is the partial realization of what I somewhat mistakenly believed Web 3.0's 'semantic web' concept from a quarter-century ago was all about. I.e., tell the 'search engine' what you're looking for in natural human language, and it will deliver. Berners-Lee originally expressed his vision of the Semantic Web in 1999 as follows: I have a dream for the Web [in which computers] become capable of analyzing all the data on the Web – the content, links, and transactions between people and computers. A "Semantic Web", which makes this possible, has yet to emerge, but when it does, the day-to-day mechanisms of trade, bureaucracy and our daily lives will be handled by machines talking to machines. The "intelligent agents" people have touted for ages will finally materialize.

IPv6 Prefix Delegation Host-Address

Bob.Dig — Tue, 03 Feb 2026 19:59:26 GMT

@Gertjan said in IPv6 Prefix Delegation Host-Address: Ask them Here you go (about 4 years ago): https://redmine.pfsense.org/issues/12600 https://redmine.pfsense.org/issues/12602 Btw. I add ASN for the ISPs in question to the TS-forward via pfBlocker. This works good for IPv6, but still, it would be nice to have even more control...

When using NAT64 does pfSense block routing in internal VLANs?

jimp — Wed, 28 Jan 2026 15:57:42 GMT

@IonutIT Check "NAT64 Prefix Override" on System > Advanced, Firewall/NAT

How I set up prefix delegation to carve out /60 subnets from a /56 prefix

JKnott — Sat, 17 Jan 2026 12:32:24 GMT

@citroklar said in How I set up prefix delegation to carve out /60 subnets from a /56 prefix: But as those /64 subnets cannot be split further, I wanted larger Prefix Delegations - /60s, for both of my internal networks to be precise. (A /56 can be split into 16 /60 subnets.) I couldn't find a way to do this in the gui, so please enlighten me if I missed something there. Take a look on the System / Routing / Gateways page.

Yet Another IPv6 Post

user_not_found — Wed, 14 Jan 2026 23:09:18 GMT

@JKnott Yeah, agreed it's a CC thing. I've already registered a tunnel through HE/tunnelbroker because as much as I'm a masochist for the things I want to try and do on my home network just because I can and find them fun to play with... trying to even contact Comcast let alone actually get to more than first tier support is a form a masochism that just doesn't excite me. It's Comcastic! [vent] Add to this that my Netgear M7 Pro drops out in IP-Passthrough mode and now it doesn't offer an IPv4 address anymore, in either IP-PT or NAT mode [end vent] .... yeah, I've go all the masochism I could want right now. ...and that's exactly the response opcode that I get. Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 71 IAID: 00000000 T1: 0 T2: 0 Status code Option: Status code (13) Length: 55 Status Code: NoPrefixAvail (6) Status Message: No prefix available on Link 'ca-sanrafael-acr07-link' [Edit: trying to determine why the forum keeps saying this is spam and refusing to post]

25.11 IPv6 gateway pending

mcury — Wed, 31 Dec 2025 13:24:06 GMT

Credits to Grok (xAI) – Full IPv6 Boot Watchdog Script with Daily Reboot Limit Thanks to Bob.Dig, Gertjan, and the community for all the help and ideas along the way. But in the end, I went full nuclear with Grok's help to solve the annoying "IPv6 gateway pending" / DHCPv6 fails at boot issue on 25.11 (and earlier versions) with ixgbe/ix interfaces. Grok helped build, debug, refine, and harden this script over dozens of iterations — from parsing issues in ash, ambiguous redirects, long shutdown delays, false positives, to daily reboot protection and input validation. Big thanks to Grok for turning a frustrating problem into a reliable workaround! What the script does Runs automatically after boot Checks if all specified interfaces (INTERFACES=) have at least one global IPv6 address (2000::/3 range, non-link-local) If yes → exits cleanly (no reboot) If no → waits a timeout period (default 120 s of checking) → reboots pfSense Safety: max 2 reboots per calendar day — prevents endless loops if ISP has outage Counter resets automatically at midnight Manual reset: rm /var/db/ipv6_watchdog_reboot_count Extra: Early exit if any interface is physically down (no carrier) Quiet: Logs only important events to syslog (via logger) — no spam Robust: Validates config (interfaces exist, no spaces, numbers valid, etc.) Recommended Installation (fast shutdown, no delays) Save the script (anywhere, e.g. /usr/local/etc/ipv6_watchdog.sh):vi /usr/local/etc/ipv6_watchdog.sh #!/bin/sh # /usr/local/etc/ipv6_watchdog.sh # IPv6 Global Address Watchdog for pfSense - Built with Grok (xAI) # Daily reboot limit (max 2/day), quiet syslog logging, input validation, early exit if link down # More info at: https://forum.netgate.com/topic/199716/25.11-ipv6-gateway-pending/11?_=1767700010718 # ================= CONFIG ================= TIMEOUT=120 # seconds (min 30) INITIAL_DELAY=60 # seconds (min 10) CHECK_INTERVAL=20 # seconds (min 5) INTERFACES="ix2,ix3" # comma-separated, NO spaces! MAX_REBOOTS_PER_DAY=2 LOG_TO_SYSTEM_LOGS=1 # 1 = syslog (recommended), 0 = file # ================= VALIDATION & LOGGING ================= validate_positive_int() { local var="$1" name="$2" min="${3:-1}" if ! echo "$var" | grep -qE '^[0-9]+$'; then logger -t ipv6_watchdog "ERROR: $name must be positive integer (got '$var')" exit 1 fi if [ "$var" -lt "$min" ]; then logger -t ipv6_watchdog "ERROR: $name >= $min (got $var)" exit 1 fi } validate_positive_int "$TIMEOUT" "TIMEOUT" 30 validate_positive_int "$INITIAL_DELAY" "INITIAL_DELAY" 10 validate_positive_int "$CHECK_INTERVAL" "CHECK_INTERVAL" 5 validate_positive_int "$MAX_REBOOTS_PER_DAY" "MAX_REBOOTS_PER_DAY" 1 if [ "$LOG_TO_SYSTEM_LOGS" != "0" ] && [ "$LOG_TO_SYSTEM_LOGS" != "1" ]; then logger -t ipv6_watchdog "ERROR: LOG_TO_SYSTEM_LOGS must be 0 or 1" exit 1 fi if [ -z "$INTERFACES" ]; then logger -t ipv6_watchdog "ERROR: INTERFACES is empty" exit 1 fi if echo "$INTERFACES" | grep -q '[[:space:]]'; then logger -t ipv6_watchdog "ERROR: INTERFACES contains spaces (use 'ix2,ix3')" exit 1 fi OLD_IFS="$IFS"; IFS=','; set -- $INTERFACES; IFS="$OLD_IFS" for iface; do iface=$(echo "$iface" | tr -d '[:space:]') if ! ifconfig "$iface" >/dev/null 2>&1; then logger -t ipv6_watchdog "ERROR: Interface '$iface' does not exist" exit 1 fi done # ================= DETECTION ================= has_global_ipv6() { local iface="$1" local addrs addrs=$(ifconfig "$iface" 2>/dev/null | grep 'inet6 ' | grep -v 'fe80::' | \ sed -E 's/.*inet6[[:space:]]+([0-9a-fA-F:]+).*/\1/') [ -z "$addrs" ] && return 1 echo "$addrs" | grep -qE '^(2|3)' return $? } # ================= MAIN ================= START=$(date +%s) # Early exit if any interface down for iface; do iface=$(echo "$iface" | tr -d '[:space:]') if ! ifconfig "$iface" 2>/dev/null | grep -q 'status: active'; then logger -t ipv6_watchdog "Interface $iface DOWN → watchdog exiting early" exit 0 fi done current_date=$(date '+%Y-%m-%d') if [ -f "$COUNT_FILE" ]; then read saved_date saved_count < "$COUNT_FILE" 2>/dev/null || { saved_date=""; saved_count=0; } else saved_count=0 fi if [ "$saved_date" != "$current_date" ]; then logger -t ipv6_watchdog "New day ($current_date) → reset count to 0" saved_count=0 fi logger -t ipv6_watchdog "IPv6 watchdog starting (count: $saved_count / $MAX_REBOOTS_PER_DAY)" if [ "$saved_count" -ge "$MAX_REBOOTS_PER_DAY" ]; then logger -t ipv6_watchdog "Daily limit reached ($MAX_REBOOTS_PER_DAY). Skipping today." exit 0 fi sleep "$INITIAL_DELAY" while [ $(( $(date +%s) - START )) -lt "$TIMEOUT" ]; do all_good=1 for iface; do iface=$(echo "$iface" | tr -d '[:space:]') if ! has_global_ipv6 "$iface"; then all_good=0 break fi done [ $all_good -eq 1 ] && exit 0 sleep "$CHECK_INTERVAL" done logger -t ipv6_watchdog "CRITICAL TIMEOUT after ${TIMEOUT}s - no global IPv6" new_count=$((saved_count + 1)) if [ "$new_count" -le "$MAX_REBOOTS_PER_DAY" ]; then logger -t ipv6_watchdog "Rebooting ($new_count of $MAX_REBOOTS_PER_DAY today)" echo "$current_date $new_count" > "$COUNT_FILE" /sbin/shutdown -r now "IPv6 watchdog timeout (daily $new_count/$MAX_REBOOTS_PER_DAY)" else logger -t ipv6_watchdog "Daily limit reached. No reboot today." fi exit 1 Make it executable: chmod +x /usr/local/etc/ipv6_watchdog.sh Install Shellcmd package if not present (System → Package Manager → Available Packages → shellcmd) Add Shellcmd entry (Services → Shellcmd → Add):Command (paste exactly): /bin/sh -c 'nohup /usr/local/etc/ipv6_watchdog.sh >/dev/null 2>/dev/null' & Customization Tips Increase TIMEOUT=300 (5 min) if your modem takes longer to restore IPv6 Change INITIAL_DELAY if needed (give more time for interfaces to come up) Set LOG_TO_SYSTEM_LOGS=0 if you want file logging instead Add more WAN interfaces if needed: INTERFACES="ix2,ix3,igb0"

How to Set Up Local IPV6 Network

JKnott — Wed, 24 Dec 2025 17:30:51 GMT

One thing I should have mentioned, instead of creating a virtual IP, configure the interface as static and enter the address there. Since you don't want access to the Internet, you don't have to worry about tracking the interface, etc..

DHCP6 EUI-64 Interface ID Setting

louiseanton — Wed, 24 Dec 2025 06:35:56 GMT

@Bob.Dig My ISP Information AS 3462 HINET Chunghwa Telecom Co., Ltd. Taiwan https://db-ip.com/as3462

IPv6 connectivity lost on prefix change

SteveITS — Thu, 18 Dec 2025 17:53:55 GMT

FWIW happened across this from several years ago: https://redmine.pfsense.org/issues/10822 (Deprecated IPv6 prefix won't be announced as deprecated to clients)

ICMPv6 firewall rules for interfaces

Bob.Dig — Wed, 17 Dec 2025 19:00:55 GMT

@jarmo pfSense and dynamic IPv6 don't go to well together, sad but true. Other routers (for example Fritz Box) can do a much better job out of the box.

IPv6 Gateway problems on 25.11

gseidler — Mon, 15 Dec 2025 18:59:28 GMT

@Gertjan I did both and it didn't work. You can see the second solution (Prefer to use IPv4...) activated on one of my screenshots. Reinstalling did work and things are running smoothly now.

new pc can't access dotnet.microsoft.com ?ipv6

Gertjan — Sun, 23 Nov 2025 05:19:34 GMT

@ahole4sure A Plan B exists. Make a list with known sites that don't want you to use (your) IPv6. The issue is known for years and as already mentioned reasons above, some sites don't 'like' the he.net IPv6s If you have pfBlockerng installed, go here : Firewall > pfBlockerNG > DNSBL First, be sure you use Python mode, not the unbound mode. Next : [image: 1764058931964-7cc5259a-1778-4c85-a9a1-aacb3a6f1fae-image.png] Check 'No AAAA', and fill in thelist with host names (site) that you do'nt want to visit using IPv6. After all, before one of your devices connects to a site, it will resolve the destination host name first. As most if not all devices prefer AAAA (IPv6) they will ask that first, and if needed, to fall back, the A record (IPv4). If there is a AAAA (Ipv6) addresses, that's what gets used. Now comes the trick : pfBlockerng does DNSBL, so it can block AAAA for listed sites. You device will fall back to IPv4 - and all is well. In the past, Netflix was one of those sites : it didn't want you to use the he.net IPv6 networks. Plan A would be of course : Frontier fiber internet does not have ipv6 Break your commercial relations with this frontier ISP. If they ask for a reason, tell them.

Fios DHCPv6 Issues

jmpalacios — Wed, 19 Nov 2025 22:45:19 GMT

@aivxtla Not being able to check your own IPv6 address for something like DDNS would lead be to believe that your IPv6 routes were not properly setup, because for that to work you need AAAA DNS resolution for the IP check service (1) and a fully IPv6-based route to it; but, needless to say, all of this is quite the guessing game. In any case, I'm glad it's working for you now! (1) Perhaps ironically, performing DNS resolution for AAAA records does NOT require IPv6 to be working, because you can always contact a DNS resolver over IPv4 and ask it for a AAAA record: -> drill -Q www.google.com IN AAAA @1.1.1.1 2607:f8b0:4006:803::2004 And, of course, you can also do the opposite: drill -Q one.one.one.one IN A @2001:4860:4860::8888 1.0.0.1 1.1.1.1

Floating rule to allow ICMPv6, is that the right way...

luckman212 — Mon, 17 Nov 2025 17:21:02 GMT

After some firewall/NAT rule cleanup and organizing I was browsing my Firewall logs and saw a fair bit of ICMPv6 traffic from :: to ff02::16 (LL multicast) being blocked:

I suppose this is "normal" as I wouldn't expect this multicast traffic to be routed anywhere, but it's cluttering the logs a bit and I don't remember seeing this before.

Is this expected behavior? I created this Floating rule and that seems to quell it but I don't know if this is what I should be doing...

IPV6 with Zen, not receiving an IP Address

milonic — Fri, 14 Nov 2025 19:04:47 GMT

Finally got this sorted. Zen offered a loan router as I couldn't find the original and it arrived next day, which was nice. Then, after spending over an hour on the phone to a tech person they finally passed the issue over to their IPv6 team who rebuilt the connection and all is now fine. Well, I say all is fine - After I configured everything I started receiving reports that xbox was not working and sure enough xbox.com is painfully slow to load when connecting with IPv6 - I'll look into that one day, could be DNS related. All I really needed to do was get some servers connected so I can play with DNS AAAA records and get some web servers running IPv6. Had to disable the local DHCPv6 server as it either leases addresses to all or nothing. Couldn't find a way of only releasing the static entries so ended up with static IPv6 addresses for just the servers I wanted. Everything seems to be OK for now. Thanks all for your replies and help.