@sn3akerz glad you got it sorted.. So you weren't crazy heheh..

So far I've been unable to wrap my head around a firewall rule to block this.

Kind of hard to block something at the firewall if its not going over the firewall ;)

@arobase13

Salut 😊

I'm not using 'Free', but 'Orange' (Livebox). My ISP has a somewhat workable these days.
IPv6 in France isn't easy - or, also possible, I didn't understand everything yet.
Look here, that me posting on a french forum : Livebox 6 mais pas très 'pro'.
https://lafibre.info has a lot of info about all ISPs.

What you probably should do, is using DHCP (v6, client !) for IPv6 on your WAN interface, not a static setup.

pfSense will ask for a prefix or delegation, which is most often a /64 'block' that you can use by "Tracking" that block on the LAN interface. Activate also the DHCPv6 server on your LAN, create a pool, etc.

If the /64 you got from the Freebox (for your LAN) is always the same, you could, as you've shown, ad a static IPv6 on your LAN interface.
The first xxxxx::1 will be the LAN IPv6 of pfSEnse, and, for example, xxxx:2 to xxxxx:100 as a IPv6 pool on your LAN. That's what I'm doing right now.

Btw, as @bob above, IPv6 is advised, as IPv4 is old (stupid, and a burden to support and we love it) but not mandatory.

Far more important is : is your reverse of your IP identical to the host (domain) name you use mail server ? Can Free offer you that ?
Exampe :
If have a mail server with the domain : "test-domaine.fr" :

root@ns311465:~# host test-domaine.fr test-domaine.fr has address 5.196.43.182 test-domaine.fr has IPv6 address 2001:41d0:2:927b::15 test-domaine.fr mail is handled by 10 mail.test-domaine.fr.

Now, the other way around :

root@ns311465:~# host 5.196.43.182 182.43.196.5.in-addr.arpa domain name pointer mail.test-domaine.fr. root@ns311465:~# host 2001:41d0:2:927b::15 5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.7.2.9.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa domain name pointer mail.test-domaine.fr.

I doubt if Free can do 'reverse' for you (I doubt it)
If you want to receive - or send mail to - from gmail, or the others, like hotmail, yahoo, this is not an option.
You'll find out that a mail server doesn't belong on a ISP 'home' IPv4 or IPv6 connection.

@jbannister

SLAAC .... NPT ....
Never used these, as they are 'not needed' ( ? )

I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years.

I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT.
This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices.

I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing.
And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@jasonreg
Sometimes after doing a lot of configuration changes, giving a reboot on the firewall gets everything running perfectly at last.
It could also mean your IPv6 upstream gateway doesn't respond to monitoring. In that case you either mark the GW always up, or get a valid IPv6 address for the Gateway monitor to reach and define its state.

About my previous attempts to figure this out and following up on @mhillmann's conversation;

I have data from over a year back where I can see my IPv6 gateway with this ISP. My IPv6 address is always one of a /40 pool, and the upstream gateway is always the same. I checked this extensively.

So the WAN interface was using DHCPv6 but in Routing the selected IPv6 gateway was the static one I created. I actually went a step further and disabled the dynamic gateway on the routing table.

So the static gateway was up but no traffic from the machines which had an IPv6 correctly attributed by tracking WAN interface setup.

So I left this at a standstill waiting for a fix to the issue here. I resigned to "no IPv6" for a while.
The other day I opened a site which accused me of being using IPv6.

Made an IPv6 test: IPv6 working.
Tested on other machines: IPv6 working.

Checked the firewall, have the Static IPv6 gateway selected, the same configuration I left before when IPv6 wasn't working. And wasn't for many days.

Currently 17 days uptime, have no idea how the issue resolved by itself.

So in the meanwhile, tried just rebooting the firewall to see how'd it would go.
After reboot, no IPv6 again.

@jasonreg

I used the first GUA that appeared in the list.

@jasonreg
It's up to you. If you can get the monitor working fine, otherwise disable it and rely on IPv4.

@mlohr said in IPv6 Firewall rules with dynamic prefixes:

In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ.

The "problem" is that your NAS is not on your WAN, so that will not work for your WAN rule that you need because pfSense doesn't know to which interface this host address belongs (as far as I have understand this, try it for yourself)

But what does work is to make a DHCP static mapping on your prefix delegated "LAN" and to create an alias for that hostname you define there.
Now every time the prefix changes, the alias will be changed too.

In theory. There are still problems when the prefix actually changes but they can be mitigated by doing this at night times and rebooting pfSense via cron and so on.

@yobyot

There is one SLAAC address that does not change. Point the DNS to that address.

I was able to reproduce it here and it did create a textdump for me. We're looking into it now.

ehhh, so I made the config change and it worked fine, but some time after I made the change (maybe an hour?) my pfSense system crashed and rebooted with a kernel panic/page fault :-/

(haven't had that happen on me ... ever I think? and I've been a longtime user)

Basically I just set my manual Outbound NAT rules to IPv4 only, and only applicable to one of my internal subnets and everything seemed fine until it suddenly crashed. I did check the General and System logs and nothing useful or noteworthy was found there. Maybe the attached debug files are useful to somebody, though (I censored my info)

info.0

textdump.tar.0

@bob-dig You're right on this, I don't use two GUA prefixes simultaneously pointing to the same internal ULA prefix, only as failover from one to the other if either ISP gets disconnected, as this is fairly common here. As far as I've tested, this works correctly if the primary ISP fails with pfSense changing the default GW to the next one in its Gateway Group after dpinger detects the failure of the previous one. You have to take care to arrange NPt rules in the same order (from top to bottom) as the matching GW's (1 to n), otherwise it won't work. It even fails back correctly when the previous ISP comes back online.

Also just read some of this: No IPv6 after upgrade to 23.01. You did mention you upgraded...
I am on 2.6 still.

Thanks for all the input; I think I'm nearly there but it is still not routing any traffic over IPv6.
I set up as above, including the virtual IP as a3sx, and finally the WAN_DHCP6 has come up and is green (it wouldn't without the virtual IP). Amazing, never worked before. I took the address from configuring 'none' on WAN ip6 and seeing the loopback address after reboot (where does this come from??) it starts fe80::

My devices on the LAN are getting IP6 addresses and I can see leases on 'DHCPv6 Leases' status screen.
My devices are getting IPv6 addresses starting with 2002:89dc... etc, could this be based on my delegated prefix? (Where do I see the prefix I got?)

Yet when I open browser and do an IPv6 test all IPv6 tests fail. If I ping 'google.com' over ipv6 on diagnostics on the webUI it fails as well.

Feels like it's close but there is still something wrong.
Pfsense+ 23.01

If somebody would be able to look at my screenshare I'd send them money for a beer in the pub!

thanks B

Appears the problem was related to a secondary WAN interface we have configured in the firewall. As soon as that WAN interface was disabled, the GIF tunnel would work without the filtering disabled. When the secondary WAN interface was enabled again, the tunnel still worked, so probably some messed up routing.

@meluvalli

I have never set up NAT on IPv6. No need for it here.

@steveits OK, thanks. If I can ever get registered on Redmine, I'll file a bug report.

@gwabber

No, you route the traffic, just as you do with your default gateway.

@r4ptor

Your win dhcpdv6 client is working :
467e835f-706e-4d56-9b18-38360a17e76c-image.png

Parts sound alike the problem described here

https://forum.netgate.com/topic/177981/no-ipv6-after-upgrade-to-23-01

@tanya-0 I believe those decisions are made either from a performance standpoint (must be cheaper resource-wise to not having to handle network prefixes greater than half the address), a security standpoint (most pfsense subsystems, which are dependent on the specific implementation of the BSD kernel would IM ignorant O have to be re-written to change the long-standing in-code "assumptions" about the IPv6 netstack, which would introduce bugs and vulnerabilities that would take a lot of revisions to be ironed out and would reduce customer trust in the product) and a demand standpoint (not many of us, either pros like you, or enthusiasts like me) ask for that specific thing (I think).

Thanks for the hint.
Maybe it could be related to my Post here

@defunct78 unfortunately that is not my issue. I have a IPv6 Gateway Group selected the same as before.

Thinking about it, it makes sense, that it is only working for the first entry because no router will make many connections from one.
So to get this working better it would need a dialog like for port forwarding where the router can be instructed what to do for what port.

@lurick Seems to have been an issue with the probe I have. I setup a VM version of the probe on the same network as the physical probe, no issues after 48 hours and counting.

@leres

That /128 is not used for routing. You can use it for connecting directly to the pfSense box.

@bob-dig said in [solved] NPt doesn't let me do that, why?:

I don't immediately update my DDNS-records.

Are you talking about internal or external DNS? If internal, ULA is all you need for static addresses.

@bob-dig This is in Denmark, and the ISP is called Kviknet.
I know My used settings at this time works with kviknet in other parts of the country (i have a friend using pfsense with kviknet), and more than One OPNsense uses them as Well.

So what things could influence this and cause My dhcp6c Client to behave so irradically?

The Netgate 6100 interface on the fd04:2240::/48 segment has the following flags:

nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I did a bit of research and I think the following might solve the issue:

ifconfig inet6 accept_rtadv

It's a production setup so I'm reluctant to try it.

Does adding the accept_rtadv make sense?

@jknott

# netstat -r Routing tables (output omitted) Internet6: Destination Gateway Flags Netif Expire localhost link#10 UH lo0 tunnel814714.tunne link#17 UH gif0 tunnel814714-pt.tu link#17 UHS lo0 fe80::%mvneta1/64 link#2 U mvneta1 fe80::208:a2ff:fe0 link#2 UHS lo0 fe80::%mvneta2/64 link#8 U mvneta2 fe80::208:a2ff:fe0 link#8 UHS lo0 fe80::%lo0/64 link#10 U lo0 fe80::1%lo0 link#10 UHS lo0 fe80::%mvneta1.10/ link#13 U mvneta1. fe80::208:a2ff:fe0 link#13 UHS lo0 fe80::%mvneta1.7/6 link#14 U mvneta1. fe80::208:a2ff:fe0 link#14 UHS lo0 fe80::%mvneta1.8/6 link#15 U mvneta1. fe80::208:a2ff:fe0 link#15 UHS lo0 fe80::%ovpns1/64 link#16 U ovpns1 fe80::208:a2ff:fe0 link#16 UHS lo0 fe80::%gif0/64 link#17 U gif0 fe80::208:a2ff:fe0 link#17 UHS lo0

Looks like there is a tunnel setup. not sure how to connect to the other side without using the software and in the cli. The goal here is Dual stacking ipv4/6.