• IPv6 Tutorials

    Pinned Locked
    2
    5 Votes
    2 Posts
    34k Views
    J

    Thanks for the tutorial :)

  • IPv6 test sites

    Pinned
    33
    0 Votes
    33 Posts
    54k Views
    JonathanLee

    @johnpoz https://k6usy.net/

  • Should my dhcpv6 clients also get a /64 address?

    14
    0 Votes
    14 Posts
    77 Views
    Gertjan

    @jarmo said in Should my dhcpv6 clients also get a /64 address?:

    clients get one /64 address

    A /64 address isn't an address, it's more a 'network' (imho).

    I asked my NAS to renew its IPv6 lease :

    10:49:34.954022 00:11:32:a7:d5:88 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 129: (hlim 1, next-header UDP (17) payload length: 75) fe80::211:32ff:fea7:d588.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=123d36 (client-ID hwaddr type 1 001132a7d588) (option-request DNS-server DNS-search-list) (elapsed-time 0) (Client-FQDN) (IA_NA IAID:849859976 T1:3600 T2:5400))
    10:49:34.954799 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 advertise (xid=123d36 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
    10:49:34.955219 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 advertise (xid=123d36 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
    10:49:35.965351 00:11:32:a7:d5:88 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 175: (hlim 1, next-header UDP (17) payload length: 121) fe80::211:32ff:fea7:d588.546 > ff02::1:2.547: [udp sum ok] dhcp6 request (xid=ac6158 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (option-request DNS-server DNS-search-list) (elapsed-time 0) (Client-FQDN) (IA_NA IAID:849859976 T1:3600 T2:5400 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:7200 vltime:7500)))
    10:49:35.968124 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 reply (xid=ac6158 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
    10:49:35.970710 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 reply (xid=ac6158 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))

    Windows PC : same thing.
    iPhone : same thing.
    A Ricoh printer : same thing.

    Nowhere a /64 to be seen.
    It obtained an IPv6 : 2a01:dead:beef:a6e2::c2 for my syno. That could be considered as a /128.
    and that's correct as (2a01:dead:beef:a6e2::0 -> 2a01:dead:beef:a6e2::ffff:ffff:ffff:ffff - the entire /64 block) where my 'e2' prefix is used on my LAN

    My IPv6 DHCP server pool is way shorter, of course :

    ab92d454-029d-447c-8fa6-5d326d58f477-image.png

    and I'm using static IPv6 leases for most of my network devices. These leases are outside of the pool, just above.
    Static leases as I don't want them to have this kind of address : "2a01:dead:beef:a6e2:92ec:77ff:fe29:392c".

    SLAAC : never used it. I'm a DHCP-man, as it worked well for IPv4, so I tend to believe it works fine for my IPv6 stuff also.
    Android : never saw or had one ...

    All my iPhone, iPad, printers, PCs etc etc that are IPv6 capable, work just fine like this.

    A suggestion : maybe your Fedora box is asking for a 'prefix', which would be a /64 ?
    (but in that case the pfSense LAN DHCPv6 server would have to be set up to delegate these prefixes downstream.)

  • Firewall gateway address in ipv6

    4
    0 Votes
    4 Posts
    71 Views
    J

    Hi @SteveITS.

    That was an excellent tip, I had missed the "self" target completely. This allowed me to get rid of all of my firewall aliases I needed earlier.

    Thanks!

  • Router advertisement not sending default gateway

    21
    0 Votes
    21 Posts
    389 Views
    P

    @Euroguy said in Router advertisement not sending default gateway:

    So, followup after a reinstallation of the system

    Short answer is, things now seem to work.

    Glad to see you got it up and running :)

    I get both DHCP4 and 6 clients with leases now (although status of lease seems broken, always showing black down arrow even though lease is active and remote machine is up and active)

    I see that from time to time too. I think there are some timers that you can tweak (can't recall which ones though) that determine how long it takes without a "sign of life" before the client is marked as offline. For IPv4 there's an ARP timer ... and for v6 it should be an equivalent NDP timer. Can be set in System / Advanced / Tunables once you find out what they are called :)

    DHCP6 server fails as DHCP requests / Discovery is done on fe80::/10 and that is not considered to be LAN it seems. I had to add a LAN allow rule for fe80::10 to ff02::/16 like this for DHCP6 to work:
    e98b2093-2534-4c7e-9c09-6d54251d537d-image.png

    That rule shouldn't be needed, it is part of the automatic rule set added by pfSense. I get those by means of pfSense magic: (check in /tmp/rules.debug)

    pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000000463 label "allow dhcpv6 client in WAN"
    pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier 1000002551 label "allow access to DHCPv6 server"
    pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier 1000002552 label "allow access to DHCPv6 server"
    pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier 1000002553 label "allow access to DHCPv6 server"
    pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier 1000002554 label "allow access to DHCPv6 server"
    <snip>

    Update:
    the timer tweak I used a long time ago was

    net.link.ether.inet.max_age=60

    which makes the cached ARP entry lifetime 60 seconds; I wanted clients to go offline faster. Default is 1200s. See https://man.freebsd.org/cgi/man.cgi?query=arp&sektion=4

    24319ba3-b5d5-4add-b251-9993249ff5a6-image.png

  • 0 Votes
    3 Posts
    90 Views
    bmeeks

    @JonathanLee said in Seeking Insight on IPV6 Suricata Alerts – "Excessive Retransmissions" and "Wrong Direction First Data":

    SURICATA Applayer Wrong direction first Data

    Here is the link in the Suricata docs for this stream rule alert: https://docs.suricata.io/en/latest/rules/app-layer.html#applayer-wrong-direction-first-data.

    The short version of the story is that even today, after several attempted fixes within Suricata, the coders of client/server software apps seem to still be able via crappy coding to craft network flows that trip up the Suricata parser. This is basically a harmless error.

    As @SteveITS said, the best thing is to disable all the Suricata stream event rules. They are informational anyway and don't necessarily indicate malicious traffic.

  • Snort VS Suricata

    1
    0 Votes
    1 Posts
    128 Views
    No one has replied
  • Do the default RA's need tweaking.

    27
    0 Votes
    27 Posts
    6k Views
    RobbieTT

    @bearhntr

    I would presume not, at least not yet.

    ☕️

  • pfSense DHCP6 Client does not pick up address offered on WAN from ISP

    3
    0 Votes
    3 Posts
    78 Views
    C

    @Gertjan Yes I'm running in debug mode

    Jul 11 16:29:49 dhcp6c 82560 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:49 dhcp6c 82560 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Jul 11 16:29:49 dhcp6c 82560 failed initialize control message authentication
    Jul 11 16:29:49 dhcp6c 82560 skip opening control port
    Jul 11 16:29:49 dhcp6c 82560 <3>[interface] (9)
    Jul 11 16:29:49 dhcp6c 82560 <5>[igb0] (4)
    Jul 11 16:29:49 dhcp6c 82560 <3>begin of closure [{] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>[script] (6)
    Jul 11 16:29:49 dhcp6c 82560 <3>["/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"] (46)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of sentence [;] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of closure [}] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of sentence [;] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>[id-assoc] (8)
    Jul 11 16:29:49 dhcp6c 82560 <13>[na] (2)
    Jul 11 16:29:49 dhcp6c 82560 <13>[1] (1)
    Jul 11 16:29:49 dhcp6c 82560 <13>begin of closure [{] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of closure [}] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of sentence [;] (1)
    Jul 11 16:29:49 dhcp6c 82560 called
    Jul 11 16:29:49 dhcp6c 82560 some IA configuration defined but not used
    Jul 11 16:29:49 dhcp6c 82560 called
    Jul 11 16:29:49 dhcp6c 82642 reset a timer on igb0, state=INIT, timeo=0, retrans=891
    Jul 11 16:29:49 dhcp6c 82642 Sending Solicit
    Jul 11 16:29:49 dhcp6c 82642 a new XID (93ca57) is generated
    Jul 11 16:29:49 dhcp6c 82642 set client ID (len 14)
    Jul 11 16:29:49 dhcp6c 82642 set elapsed time (len 2)
    Jul 11 16:29:49 dhcp6c 82642 send solicit to ff02::1:2%igb0
    Jul 11 16:29:49 dhcp6c 82642 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091
    Jul 11 16:29:49 dhcp6c 82642 receive advertise from fe80::88ce:87ff:fec6:156a%igb0 on igb0
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option client ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option server ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option identity association, len 40
    Jul 11 16:29:49 dhcp6c 82642 IA_NA: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA address, len 24
    Jul 11 16:29:49 dhcp6c 82642 IA_NA address: 2a06:4000:8888:ffff::2 pltime=3000 vltime=4000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option DNS, len 32
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD, len 41
    Jul 11 16:29:49 dhcp6c 82642 IA_PD: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD prefix, len 25
    Jul 11 16:29:49 dhcp6c 82642 IA_PD prefix: 2a06:4000:8888::/48 pltime=3000 vltime=1546855634413031328
    Jul 11 16:29:49 dhcp6c 82642 server ID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f, pref=-1
    Jul 11 16:29:49 dhcp6c 82642 reset timer for igb0 to 0.958394
    Jul 11 16:29:49 dhcp6c 82642 receive advertise from fe80::88ce:87ff:fec6:156a%igb0 on igb0
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option client ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option server ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option identity association, len 40
    Jul 11 16:29:49 dhcp6c 82642 IA_NA: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA address, len 24
    Jul 11 16:29:49 dhcp6c 82642 IA_NA address: 2a06:4000:8888:ffff::2 pltime=3000 vltime=4000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option DNS, len 32
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD, len 41
    Jul 11 16:29:49 dhcp6c 82642 IA_PD: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD prefix, len 25
    Jul 11 16:29:49 dhcp6c 82642 IA_PD prefix: 2a06:4000:8888::/48 pltime=3000 vltime=1546855634413031328
    Jul 11 16:29:49 dhcp6c 82642 server ID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d, pref=-1
    Jul 11 16:29:50 dhcp6c 82642 picked a server (ID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f)
    Jul 11 16:29:50 dhcp6c 82642 Sending Request
    Jul 11 16:29:50 dhcp6c 82642 a new XID (61396e) is generated
    Jul 11 16:29:50 dhcp6c 82642 set client ID (len 14)
    Jul 11 16:29:50 dhcp6c 82642 set server ID (len 14)
    Jul 11 16:29:50 dhcp6c 82642 set elapsed time (len 2)
    Jul 11 16:29:50 dhcp6c 82642 send request to ff02::1:2%igb0
    Jul 11 16:29:50 dhcp6c 82642 reset a timer on igb0, state=REQUEST, timeo=0, retrans=909
    Jul 11 16:29:50 dhcp6c 82642 receive reply from fe80::88ce:87ff:fec6:156a%igb0 on igb0
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option client ID, len 14
    Jul 11 16:29:50 dhcp6c 82642 DUID: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option server ID, len 14
    Jul 11 16:29:50 dhcp6c 82642 DUID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option identity association, len 40
    Jul 11 16:29:50 dhcp6c 82642 IA_NA: ID=1, T1=1000, T2=2000
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option IA address, len 24
    Jul 11 16:29:50 dhcp6c 82642 IA_NA address: 2a06:4000:8888:ffff::2 pltime=3000 vltime=4000
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option DNS, len 32
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option IA_PD, len 41
    Jul 11 16:29:50 dhcp6c 82642 IA_PD: ID=1, T1=1000, T2=2000
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option IA_PD prefix, len 25
    Jul 11 16:29:50 dhcp6c 82642 IA_PD prefix: 2a06:4000:8888::/48 pltime=3000 vltime=1546855634413031328
    Jul 11 16:29:50 dhcp6c 82642 dhcp6c Received REQUEST
    Jul 11 16:29:50 dhcp6c 82642 nameserver[0] 2a06:4000:0:6::6
    Jul 11 16:29:50 dhcp6c 82642 nameserver[1] 2a06:4000:0:6::5
    Jul 11 16:29:50 dhcp6c 82642 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
    Jul 11 16:29:50 dhcp6c 36281 dhcp6c REQUEST on igb0 - running rtsold
    Jul 11 16:29:50 dhcp6c 82642 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
    Jul 11 16:29:50 dhcp6c 82642 removing an event on igb0, state=REQUEST
    Jul 11 16:29:50 dhcp6c 82642 removing server (ID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f)
    Jul 11 16:29:50 dhcp6c 82642 removing server (ID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d)
    Jul 11 16:29:50 dhcp6c 82642 got an expected reply, sleeping.

  • RADVD timer issues

    15
    0 Votes
    15 Posts
    315 Views
    JonathanLee

    @Gertjan plus I have that authenticated ntp patch on that file also

  • Router Advertisements

    4
    0 Votes
    4 Posts
    218 Views
    JonathanLee

    @Gertjan Fixed it. I had on the interface address both an IPv6 address and an "IPv4 address embedded in the IPv6 address (this is known as IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses)" before. That is normally not for interfaces, only the static device assignments, so that is corrected: my IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses are now only on the LAN devices and not on the firewall interfaces.

    Screenshot 2025-07-09 at 15.29.37.png

  • 0 Votes
    8 Posts
    1k Views
    T

    I ran this command after upgrading from 2.7.2 to 2.8.0, as I started experiencing significant issues with my work VPN connection behind the firewall. Upon checking the connection properties, I noticed that the VPN was attempting to connect through an IPv6 gateway.

    What’s particularly strange is that while the VPN would eventually connect, it often required multiple connection attempts before any traffic would actually pass through.

    I’m hoping this fix resolves the issue moving forward—fingers crossed for the next time I need to connect.

  • Upgrade to 2.8.0 -- seemingly created many problems.

    1
    0 Votes
    1 Posts
    147 Views
    No one has replied
  • IPV6 problem - DHCP6c file configuration issue?

    6
    0 Votes
    6 Posts
    460 Views
    K

    @koyaan134 And just to be clear - as soon as I take a look at it again, it's back up.

  • [solved] WAN gets IPv6 but LAN can't

    43
    0 Votes
    43 Posts
    4k Views
    Gertjan

    @crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:

    Wouldn't that mean it has the connectivity and with a prefix translation I could use IPv6? Like Teredo or HE.

    Imho : don't invest any time in using Teredo. That's a dying concept.
    HE (tunnel broker) is something else. I've been using it for years, as they implement a clean and close to perfect, one of the best IPv6 implementations. Their services are not free ! That is, it won't cost you any money, and they even send you a free (yes) T-Shirt when you finish their IPv6 certification process. It's back to school-time-again, and do their multiple choice exam.
    They offer a /64 to start with, but don't bother, go for the whopping /48 right away: 65535 prefixes.
    Your WAN will have an IPv6 GUA.
    Downsides :
    The POP needs to be close to you.
    The connection can be interpreted by the site you visit as some sort of VPN connection (there is a work around available if you use pfBlockerng).
    The POPs can be crowded, so the speed won't be stellar.

  • only ICMP protocol works !!!

    19
    0 Votes
    19 Posts
    2k Views
    T

    @johnpoz
    Dear John, as I suspected, the error was with the provider; after my request they solved the IPv6 problem. I am very grateful to you for your support.

  • Verizon FIOS Business IPv6

    6
    0 Votes
    6 Posts
    905 Views
    R

    @GeorgePatches

    See the images below, maybe this can help. You could give it a try.

    2fb49e34-f096-4f24-af9e-6ac1e6487cf5-image.png

    2fe0db2f-1676-45bf-8182-717173a8742c-image.png

    Thanks!

    Raj

  • IPv6 addresses not deprecated on PPPoE periodic reset

    11
    1 Votes
    11 Posts
    2k Views
    H

    Unfortunately this issue still persists in pfSense 2.8.0. At least most European ISPs still hand out dynamic IPv6 prefixes to their customers, which leads to the described issues with SLAAC.

    Refer to: https://redmine.pfsense.org/issues/15746

  • T-Mobile Home Internet IPV6

    11
    0 Votes
    11 Posts
    3k Views
    B

    @Superfletch I did using outbound NAT6, but I have since switched to OpenWrt and no longer use pfSense

  • Alternate gateway monitoring and IPv6

    17
    0 Votes
    17 Posts
    2k Views
    G

    @BigTulsa said in Alternate gateway monitoring and IPv6:

    I'll take your word for that as my knowledge of IPv6 and how it works is limited for now.

    Just a suggestion, look up like the beginning of a current Cisco CCNA course. They cover IPv6 stuff in great detail before they start to get into the specific Cisco stuff. Really good way to get spun up on all the settings.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.