@CatSpecial202 said in Setting up IPv6 on my Netgate:

Interfaces → WAN

DHCPv6 Prefix Delegation size 64

WIth Prefix Delegation size 64 you can't get any valid smaller prefix for lan or other local networks.

What is the prefix size your ISP offers you: usually they offer /56 (at least here in Germany), sometime /48 or /60 and seldom just /64
If your ISP offers you a /56 you shall also ask for a /56 if you are directly connected to the ISP. If you have a Router inbetween (eg. ISP -> router -> pfsense) you shall then ask for a /57 prefix, since the router will use the /56 prefix.

Here you will find more helpfull informations:
https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html
https://docs.opnsense.org/manual/how-tos/ipv6_fb.html

And this seems to be comcast specific:
https://forum.netgate.com/topic/165929/comcast-residential-64-delegation

@jwt Definetly looking forward to it and be glad to test it out in first snapshots/betas that will have it. We can easily hook up an v6 only network in the lab (there should already be one) and give it a spin :)

@johnpoz
How on earth did you come to these conclusions about my knowledge level?? Of course I know how to setup a CA in pfSense. I have a CA running just fine since years. Three hosts in my network use it's server certificates. I know how to run multiple services as virtual hosts on one machine. I'm actually doing this on multiple machines (BSD and Linux) in my network. Of course I do use RFC 1918 addresses (who doesn't) and I'm totally aware of how I can assign private addresses.

I just as well know how to configure a browsers to not use Doh. But I won't reconfigure other users' browsers.

You are correct in this assumption: I have no specific need for IPv6. Because I have as many public IP addresses as I need and I'm not forced to access any public services which are not available in IPv4. (I can't speak for my users of course.) This may however be the wrong mind set to look at IPv6 in general. This way IPv6 will probably never take the place it should have.

I WAS wrong about names mandatory for http protocol, thank's for correcting this.

@Bob-Dig I’m not seeing any settings on the “Dynamic DNS Clients” page to configure IPv4 vs IPv6. What am I missing?

@Bob-Dig I can't really tell without going to the office and testing by booting the Comcast router, which kicks everyone off, but I think Comcast doesn't keep the routes after their router boots. They have a "static IPv6" /56 as they label it but it's handed out to their router automatically by them, and if I configure our pfSenses with all static then there isn't a way for me to configure a static route for the "self-delegated" IPV6, on the Comcast device. It only allows IPv4 routes.

Currently it's working with:
building WAN: DHCP6
building LAN: Track Interface
office WAN: static IPv6
office LAN: static IPv6
building router: needs static route for office LAN
building router: DHCPv6 Server off
building router: RA off

I suspect when I was banging on it a month ago the Comcast router kept the route for the delegated prefix, until it booted. So having the building router Track Interface and request a /62 prefix hopefully will keep that route in the Comcast router. Guess I'll find out in the next few months if/when it restarts. And then the fix and that point is probably just to reacquire the building LAN IPv6.

Done automatically I expect it will all work just fine, the problem is we need control over how to hand out addresses.

There's also some sort of a bug I ran into again where if I add an IPv6 gateway on the WAN interface page, it flips the IPv4 gateway to Automatic and disconnects Internet (even though there's only one IPv4 gateway). But that's another story...

@smaxwell2 I would suggest you start a new post as this is now off topic and not your post to begin with.

For anyone finding this in 2024, I had to enable "Multicast Enhancement" for the Unifi Wifi network AND I had to disable Hotspot 2.0. Only then did the Router Advertisements flow down to wifi clients. I was sitting in wireshark on a MacOS 14.6 laptop client and suddenly there was a flurry of traffic.

Pro-tip: You may have to wait for the RA interval for the Unifi change to make a difference. Default is 200 seconds, you can change this in the RA Server settings. I set mine to 10 seconds then clicked the button to restart the RA server.

This worked!

Screenshot 2024-11-06 084436.png

Screenshot 2024-11-06 084835.png

For sure Netgate needs to fix it.
Problem: Invalid auto-configured (Stateless Address Auto-Configuration (SLAAC)) Pv6 addresses are not marked deprecated after an IPv6 prefix change on LAN Interfaces.

In our network it's a valid workaround for now until it will be fixed because we are not using Android based mobile phones. Windows, Linux, MacOS, iPadOS and iOS devices are working fine.

@JKnott That's true... I don't know what else to use. Never had this issue before. But if the IP from my LAN works, then I use that!

@patient0
You were on the right track.
After an additional nudge from Netgate support (going above and beyond), I changed PD from 62 to 56 and it's working now.

Moderators: please delete this post
I will follow-up in my original post

It seems this is is what I'm looking for essentially but pfSense doesn't have anything yet at least sadly:
https://forum.netgate.com/topic/185114/does-pfsense-have-an-equivalent-feature-to-opnsense-s-ipv6-dynamic-hosts-or-negative-masks-in-iptables

Edit:
I found what I needed in opnsense and wish pfSense would bring it over too. Allow tracking of interfaces for the NPT6 table and it works just fine.
Set the inside to track the WAN and then in the NPT settings track the LAN prefix and it will nat if the WAN subnet offered changes.

@mystic330 said in IPv6 over Starlink:

It seems like I'm getting delegated /64s through DHCPv6 (LAN hosts are getting non local-link addresses)

Does Starlink provide a prefix through DHCPv6-PD? Or just the one /64? My cell phone does the latter.

@Gertjan Okay thank you.

That means by incident I have the same TLS error in LibreSSL on Mac OS and in OpenSSL on the Fire TV Stick (Android) which only affects IPv6 connections.

Seems to be the only explanation.

@Gertjan

This does it!

Thank you all, you are may today's champions! 🎖

@Papa-Midnight found it … “ Seeing the same here on multiple third-party sites using google's recaptcha backend. I had to re-enable blocking of AAAA for .google.com and .googleapis.com to temporarily resolve it.”

I ultimately suspected as much myself, which is also why I haven't taken any further action yet. It's now a question of when I feel like sitting on the phone with AT&T support for however long it takes to convince them to send me a new gateway and then taking the time to configure one from scratch to my liking. It seems like the final outcome is, like @ronv42 said, that the NVG589 is just far too obsolete at this point, and the solution is to replace it.