IPv6

• D

  IPv6 Tutorials
  • dwabraxus  

  2
  1
  Votes
  2
  Posts
  27695
  Views

  J

  Thanks for the tutorial :)
• C

  IPv6 test sites
  • cmb  

  17
  0
  Votes
  17
  Posts
  38936
  Views

  

  @tyn For simple testing, I just ping ipv6.google.com. Easy to remember.
• 

  IPv6 only subnet. How to turn off logging blocked ipv4 link local?
  • IsaacFL  

  8
  0
  Votes
  8
  Posts
  67
  Views

  

  Like I said turn off default logging and only log what you want... So you can set it up to block and log your tcp stuff, but not the multicast
• D

  Ipv6 - ULA and Prefix Delegation
  • DiferMendos  

  3
  0
  Votes
  3
  Posts
  22
  Views

  

  @DiferMendos said in Ipv6 - ULA and Prefix Delegation: ith IPv6 you would have both a ULA and Global Address which need to be assigned to devices. Why do you think your devices need both? You can work just fine with just a global.. You don't have to have ULA..
• 

  Is there a process to ask for review of a Bug Fix that has already been Closed?
  • IsaacFL  

  8
  0
  Votes
  8
  Posts
  191
  Views

  

  @chrcoluk I downloaded 2.5 and tested this today. Based on my results i created https://redmine.pfsense.org/issues/9893 If you have any information you could add to the new bug it would be appreciated.
• 

  Setup NAT64 in pfSense
  ipv6 nat64 dns64 • • imcdona  

  36
  1
  Votes
  36
  Posts
  2667
  Views

  

  @chrcoluk said in Setup NAT64 in pfSense: I expect its a bug, and also that url is very old, that particular issue might even be fixed now. It be good if you look into it tho. :) I did look into it and it appears there is a bug with pfSense, as I mentioned above. This is with the current version of pfSense.
• S

  IPv6 disabled yet majority of firewall blocks are IPv6
  • sterlinggold  

  7
  0
  Votes
  7
  Posts
  80
  Views

  

  Or ignore the logs. Or make rules that suppress the logs. Whether or not you enable IPv6 really depends on whether or not you have IPv6.
• Y

  IPV6 setup with Hyperoptic (UK ISP)
  • yellowbrick  

  26
  0
  Votes
  26
  Posts
  1637
  Views

  C

  I also described how to get WAN interface assigned an ipv6 as well. So what is the problem I missed?
• B

  Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?
  • bimmerdriver  

  49
  0
  Votes
  49
  Posts
  428
  Views

  B

  @jdu-9999 You're correct, the ISP is Telus. To be honest, I had better things to do, so I basically gave up. I'm curious about who you talked to. Can we take this offline?
• B

  IPv6 With VPN
  • bin_batore  

  1
  0
  Votes
  1
  Posts
  39
  Views

  No one has replied

• T

  Which IP adress should I assign to the opt(VLAN) interfaces?
  • Thisisme  

  10
  0
  Votes
  10
  Posts
  111
  Views

  T

  @JKnott I finally figured it out. "Track Interface" is the option that seems to be the right way to solve my problem.
• A

  IPV6 working on LAN but not pfSense box itself
  • adhodgson  

  10
  0
  Votes
  10
  Posts
  90
  Views

  

  @adhodgson said in IPV6 working on LAN but not pfSense box itself: Could I potentially use one of the /64s on the WAN side? No point in doing that. You already have a /128 address on the WAN and the link local address is used for routing. That's all you need. I had a problem with my ISP a few months ago. I used Wireshark and Packet Capture to see what was happening. I also tethered my notebook computer to my cell phone so that I could test from outside my network. With that, I was able to determine that the problem was not on my network and was even able to identify, by host name, the failing system at my ISP. One thing I did, which helped is I used a 5 port switch, configured as a data tap, to monitor the traffic between my modem and firewall, when pfSense was booting up.
• 

  Lost ipv6 connectivity from one interface
  • kiokoman  

  2
  0
  Votes
  2
  Posts
  36
  Views

  

  after losing 2 days of sleep the problem was solved after disabling "Block private networks and loopback addresses" and/or "Block bogon networks" that i had on the WAN interface it was mentioned here https://redmine.pfsense.org/issues/9631
• P

  IPv6 address allocated but not working
  • pankaj13  

  18
  0
  Votes
  18
  Posts
  209
  Views

  

  @amello said in IPv6 address allocated but not working: It is u-verse, so DSL on dry line. A couple of my friends have ADSL and get IPv6. I don't know the details though. For what I read so far. It seems that that Aris can handle IP Passthrough and Default Server, and as I understood the latter is like putting a host in DMZ. Perhaps the people in the forums can help with that.
• L

  IPv6 PTR records
  • lohphat  

  10
  0
  Votes
  10
  Posts
  96
  Views

  L

  @JKnott They could set dummy addresses (albeit not practical) not needing to know if they're assigned to a host or not. But it's academic at this point. It's technically possible but not practical. It does require the ISP to delegate the reverse records but my ISP is not going to do that.
• L

  pfsense and IPv6 default behavior
  • lohphat  

  32
  0
  Votes
  32
  Posts
  194
  Views

  

  @lohphat said in pfsense and IPv6 default behavior: I understand that and agree however multicast is intrinsic to IPv6 not optional with IPv4. IPv6 internal consistency of multicast groups replacing broadcast and other functionality means that it should either be enabled fully or a clear, clean setting to enable multimedia multicast. For stuff directly on the LAN, multicast works fine and pfSense is not involved, except for it's own needs. It's only when you go beyond that you have to enable it. This is the same for every just about everything. By default, firewalls block everything coming in.
• 

  IPv6 manual PD
  • Peek  

  26
  0
  Votes
  26
  Posts
  202
  Views

  

  @Derelict Would you believe it. That was the last place I never check. Doh ! Thanks.
• L

  IPv6 working but I have to disable gateway monitoring
  • lohphat  

  36
  0
  Votes
  36
  Posts
  179
  Views

  L

  @Derelict I think it's a CPE issue not Spectrum, but that's just a guess.
• 

  [SOLVED] Can`t get provided /56 prefix
  • Kalle13  

  15
  0
  Votes
  15
  Posts
  127
  Views

  

  @johnpoz said in Can`t get provided /56 prefix: Plus multicast .... Ok, so I'm saved by the fact that DHCP traffic is passed upfront, before the bogon rule list (example). Thanks for the explanation.
• M

  IPv6 dont work after Hardware Replace
  • maydo  

  13
  0
  Votes
  13
  Posts
  90
  Views

  M

  just installed a pci network card, and RA is working out of the box :) thank you resolved.
• 

  pfsense DNS resolver not registering IPv6 addresses
  • Peek  

  27
  0
  Votes
  27
  Posts
  316
  Views

  

  @johnpoz It's a Lenovo E520 ThinkPad. It's whatever driver comes with Windows 10, as I haven't installed any other. It originally came with Windows 7. I just took a quick look and didn't see any I could download.
• T

  pfsense 2.4.4p3 - IPv6 on bridged interfaces not working...
  • tomeq82  

  20
  0
  Votes
  20
  Posts
  163
  Views

  

  @tomeq82 well aware that interfaces may be set to prefixes longer than /64 in certain router-to-router links, etc. That is not what is being discussed here. Interfaces with hosts on them need to be /64.
• X

  Is it possible to reject a specific PD, similar to DHCPv4 reject lease option?
  • xpxp2002  

  5
  0
  Votes
  5
  Posts
  84
  Views

  

  Sounds to me like the ISP has implemented a brain-damaged provisioning. I'd tell them to fix it.
• C

  IPv6 IP Alias prevents Track Interface from working with DHCPv6 and RA
  • chewie198  

  21
  0
  Votes
  21
  Posts
  722
  Views

  C

  I've updated the thread title to better reflect the current discussion.
• H

  Single WAN IPv6 and /64 prefix delegation
  ipv6 • • hlidotbe  

  8
  0
  Votes
  8
  Posts
  264
  Views

  A

  I have pretty much the same kind of setup provided by a local ISP. I found out that ISP providing static IPs is not so common practice. At least among PFSense forum users. I built up two different setup ("automatic" and "semi-automatic"). Not 100% sure those are according to best IPV6 practices, but I tried to do everything by the book. Not just something that happens to work. Hoping you get your IPV6 network to work and/or people here are able to assist you on that. Ax.
• A

  IPV6 Static IPV6 address
  • axsense2  

  57
  0
  Votes
  57
  Posts
  438
  Views

  A

  @Derelict You cannot SLAAC a routed prefix. Ok, this is clear. There is nothing like that on the configuration page either. You either set it statically or with DHCP6. Yep, done that both ways. Both methods work without issues. You also seem to be confusing assigning an address to a device out of that interface prefix I think I understand that, but that could to be true. The configuration described earlier works and it does what I expect it to do. I don't think it differs much what johnpoz suggested. Ax.
• F

  IPv6 PPPoE Telmex Wan Interface receives private address
  • fluteze  

  2
  0
  Votes
  2
  Posts
  33
  Views

  F

  Answering my own question: This post: https://forum.netgate.com/topic/112802/disable-accepting-ra-advertisements-on-an-interface has a suggestion to edit /etc/inc/interface.inc and add a minus ( - ) in front of the accept_rtadv for the WAN interface. This fixed the FC00:: problem. Had to uncheck the "Wait for RA" option in the DHCP6-PD section. Telmex also requires the DHCP6-PD queries to happen over IPv4. A side note: Telmex IPv6 uses a smaller MTU to stay stable. I used 1412 thought 1467 may work as well. Discovered this when ping -6 worked but TLS would have broken/missing packets in Wireshark.
• P

  How do I know how many IPv6 addresses I'm getting from my ISP?
  • pandalion98  

  7
  0
  Votes
  7
  Posts
  229
  Views

  

  The best thing to do is get information from your ISP. Perhaps they have a beta program or something that would result in more information. You can see what PD you are getting by saving the DUID in System > Advanced, Networking Then enable the Debug mode on WAN in the DHCP6 Client Configuration area, setting whatever secret sauce your ISP requires. This is what I use for Cox Las Vegas: Your ISP might require something completely different. Then look at Status > System Logs, DHCP and set the filter to process dhcp6c You will see exactly what is happening. My PD looks like this: Sep 1 03:55:10 dhcp6c 44071 update an IA: PD-0 Sep 1 03:55:10 dhcp6c 44071 status code for PD-0: success Sep 1 03:55:10 dhcp6c 44071 update a prefix 2600:dabb:ad00:bc00::/56 pltime=34359824768, vltime=34359824768 Sep 1 03:55:10 dhcp6c 44071 executes /var/etc/dhcp6c_wan_script.sh Sep 1 03:55:10 dhcp6c dhcp6c renew, no change - bypassing update on igb0 Sep 1 03:55:10 dhcp6c 44071 script "/var/etc/dhcp6c_wan_script.sh" terminated If you want to try new settings just increment the DUID-LLT, save, and Edit/Save WAN. That should result in a new renewal using a new DUID so it should all be fresh. Your ISP might have settings that don't like changes like this. Only they know. Ask them. We cannot know what they require here. Again, only they know.
• W

  VLAN members get assigned multiple IPv6 addresses
  • W5Ofwur1xtOmtk9ZBO  

  13
  0
  Votes
  13
  Posts
  109
  Views

  

  Are the addresses being assigned out of the same /64 or /64s from different VLANs? Perfectly normal and expected for there to be multiple if not several IPv6 addresses on an interface, but they should all be inside the interface prefix. We know pfSense is tagging the traffic properly. The problem is that switch doesn't properly isolate broadcast (multicast) domains or is misconfigured. I would never use one of those switches in any network that mattered to me. I would use it for test stuff (like a tap, as mentioned) or throw it away.
• J

  IPv6 routing issues
  • jcascante  

  12
  0
  Votes
  12
  Posts
  115
  Views

  J

  @JKnott Hi, thanks for your response. I'm checking right now the issue with my ISP, seems there are some missing routes that are causing this behavior.
• J

  IPv6/Comcast Issues with Tracking WAN
  • johnnybinator  

  7
  0
  Votes
  7
  Posts
  109
  Views

  V

  It itself isn't... but the fact is that they're providing a gateway, and unless you put it in Bridge mode, it's acting as a router rather than a modem. So pfSense is getting a single WAN address and no prefix because it's being treated as a client on the gateway's network.
• K

  Pfsense plus hurricane electric breaks netflix IPV6 - proxy error
  • kejianshi  

  30
  1
  Votes
  30
  Posts
  7842
  Views

  N

  @msf2000 @msf2000 said in Pfsense plus hurricane electric breaks netflix IPV6 - proxy error: I'm running into a situation where the Netflix app is not failing over to IPv4 with the reject rule in place for IPv6 addresses. Only solution is to disable IPv6 on the client. Has anyone had trouble with their setup since implementing the reject rules described (above)? Switch Reject for Block and see if Happy Eyeballs kicks in?
• S

  Firewall VM not reachable via IPv6 on Hetzner
  • simonszu  

  2
  0
  Votes
  2
  Posts
  59
  Views

  

  @simonszu said in Firewall VM not reachable via IPv6 on Hetzner: Where is my error? Has my interface config a mistake somewhere? Yes. Here : @simonszu said in Firewall VM not reachable via IPv6 on Hetzner: Currently i have a static IPv6 on my WAN interface, it has the first IP from the /64 subnet Hetzner gave me. On the LAN end i took another IP from this subnet The first IP from the /64 could / should be used on the LAN NIC. For the WAN, you should use some other IPv6 ... as is shown here : @simonszu said in Firewall VM not reachable via IPv6 on Hetzner: https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/ See the IPv6 page : the guy uses a DHCP6-client setup, certainly not a static WAN IPv6 setup.
• J

  IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN
  • jsnl  

  42
  0
  Votes
  42
  Posts
  1620
  Views

  

  So much bad information in this thread. I'm locking it. Start another one with whatever the current problem is. Thanks.
• P

  Changing AdvLinkMTU when using NPt
  • paddy76  

  36
  0
  Votes
  36
  Posts
  1430
  Views

  

  @Napsterbater MS is so bad, they work on broken IPv4 too: tbit from 130.217.250.115 to 52.113.64.150 server-mss 1460, result: pmtud-fail app: http, url: https://meet.lync.com/ [ 0.009] TX SYN 44 seq = 0:0 b7ef [ 0.136] RX SYN/ACK 44 seq = 0:1 2774 [ 0.136] TX 40 seq = 1:1 b7f0 [ 0.136] TX 369 seq = 1:1(329) b7f1 DF [ 0.268] RX 1500 seq = 1:330(1460) 277b DF [ 0.268] RX 1500 seq = 1461:330(1460) 277c DF [ 0.268] RX 1460 seq = 2921:330(1420) 277d DF [ 0.268] TX PTB 56 mtu = 1280 [ 0.693] RX 1500 seq = 1:330(1460) 2780 DF [ 0.693] TX PTB 56 mtu = 1280 [ 1.443] RX 1500 seq = 1:330(1460) 279e DF [ 1.443] TX PTB 56 mtu = 1280 [ 2.927] RX 1500 seq = 1:330(1460) 27f7 DF [ 2.928] TX PTB 56 mtu = 1280 [ 5.896] RX 1500 seq = 1:330(1460) 2834 DF tbit from 2001:df0:4:4000::1:115 to 2603:1047:0:2::e server-mss 1440, result: pmtud-fail app: http, url: https://meet.lync.com/ [ 0.009] TX SYN 64 seq = 0:0 [ 0.232] RX SYN/ACK 64 seq = 0:1 [ 0.232] TX 60 seq = 1:1 [ 0.232] TX 389 seq = 1:1(329) [ 0.459] RX 1500 seq = 1:330(1440) [ 0.459] RX 1500 seq = 1441:330(1440) [ 0.459] RX 1500 seq = 2881:330(1440) [ 0.459] RX 80 seq = 4321:330(20) [ 0.459] TX PTB 1280 mtu = 1280 [ 0.470] TX 60 seq = 330:1 [ 1.178] RX 1500 seq = 1:330(1440) [ 1.178] TX PTB 1280 mtu = 1280 [ 2.489] RX 1500 seq = 1:330(1440) [ 2.490] TX PTB 1280 mtu = 1280 [ 5.083] RX 1500 seq = 1:330(1440) [ 5.084] TX PTB 1280 mtu = 1280 [ 10.302] RX 1500 seq = 1:330(1440)
• D

  IPv6 Route Troubleshooting
  routing ipv6 • • digitalgeek  

  19
  0
  Votes
  19
  Posts
  253
  Views

  D

  Thanks for the book link. I'll have to take a look. Yeah, it seems just having a willingness to learn will get you a lot of the way there. I've done similar troubleshooting type things for friends who otherwise would've just accepted unstable internet service as normal. Their ISP usually tells them everything is fine so the ISP doesn't have to spend the resources to figure it out and some of them won't really do much until you beat them over the head with hard data that they can act on after you have basically done their job for them. And even then it can be like pulling teeth as you know. I'm basically tech support for all my friends and family. I'm sure you know the feeling. My experience has come from a lot of tinkering, breaking things, and attempting to fix them before someone yells at me for it.
• B

  OpenVPN with IPv6 only
  • bert64  

  2
  0
  Votes
  2
  Posts
  55
  Views

  

  afaik still not possible, openvpn guys are working on it and maybe it will be available for version 2.5 (of openvpn not of pfsense)
• B

  IPv6 DNS Resolver with new Android phone failing
  • bigtfromaz  

  8
  0
  Votes
  8
  Posts
  89
  Views

  

  macOS, at least, seems to do the right thing: nameserver[0] : fe80::1:1%vlan0 Not sure whether that was received from an RA or DHCP since I am running that segment in Assisted mode (both). You will also have to specifically pass link-local traffic (fe80::/10) to fe00::1:1 tcp/udp port 53 and add fe80::/10 to an unbound access list. Link-local is not considered to be LAN Net so none of it is added automatically when you pass from LAN Net.
• 

  After reboot, the DNS resolver must be restarted before it will advertise the ipv6 address of the resolver
  • IsaacFL  

  14
  0
  Votes
  14
  Posts
  147
  Views

  

  Cool. That is the channel to get the developers (I am not one) to look at it.
• A

  DNS hostname for dynamic IPv6 address
  dns ipv6 dynamic lease • • adhawkins  

  7
  0
  Votes
  7
  Posts
  211
  Views

  

  @JeGr said in DNS hostname for dynamic IPv6 address: Newer Hosts tend to use EUI-64 if implemented so are not "predictable" by their MAC address anymore Actually, all IPv6 addresses are EUI-64. The host part can be either MAC based, random number or other. With IPv6, the EUI-48 MAC address is converted to EUI-64 by inserting FFFE in the middle and inverting bit 7.