IPv6

• D

  IPv6 Tutorials
  • dwabraxus  

  2
  1
  Votes
  2
  Posts
  27039
  Views

  J

  Thanks for the tutorial :)
• C

  IPv6 test sites
  • cmb  

  15
  0
  Votes
  15
  Posts
  38152
  Views

  M

  I created ipv6.getmyip.com to test my IPv6 connectivity. It only has an AAAA record and it only returns your IPv6 address if your IPv6 stack is working properly (otherwise it doesn't return anything). It works great with curl (which is the main reason I built it).
• P

  A looped back NS message is detected during DAD
  • pfsensier  

  19
  0
  Votes
  19
  Posts
  7374
  Views

  V

  I encountered this same problem on Hyper-V on Windows Server 2019. After finding this thread and disabling VMQ in the virtual machine NICs, it solved the problem like it had for others. I went a step further and replaced the stock Microsoft drivers for the Intel X520-T2 NIC with the latest version from Intel's web site. I was then able to re-enable VMQ without any side effects. It would appear there is a bug in the stock Intel driver from Microsoft in Windows 2019 as it relates to VMQ. I hope this helps anyone else that might run into this issue as well.
• 

  FIOS users waiting for IPv6... script to let you know when it's ready
  • luckman212  

  6
  1
  Votes
  6
  Posts
  498
  Views

  P

  Any dhcp6-pd packet captures from the G1100? I am having trouble determining the correct advanced DHCP6 settings for pfSense
• H

  [Solved] Static IPv6 setup, State issue when traffic comes from pfSense itself
  • hege  

  1
  0
  Votes
  1
  Posts
  24
  Views

  No one has replied

• 4

  PPPoE IPv6 + Hurricane Electrics IPv6 - Assymmetric routing / no ping from External to pppoe assigned IPv6 Adddress possibile, despite that, everything is working...?
  • 4920441 0  

  11
  0
  Votes
  11
  Posts
  173
  Views

  4

  Simple: because its a pppoe related bug. I got another IPv6 network on another interface propagated via SLAAC and it is also routet, this one is pingable without any problems. Only pppoe Connections via DHCP over pppoe behave strange... Cheers,
• 

  Rogers pfSense configuration
  • JKnott  

  39
  0
  Votes
  39
  Posts
  6707
  Views

  

  @mjnr said in Rogers pfSense configuration: Can anyone validate these settings still work? Trying to get IPV6 running on an XB6 Gateway in bridge mode running on PFSense 2.4 and no joy on getting the WAN interface to draw an IP. I've tried the settings above and various other combinations with no success. Those settings are still good. Try connecting a computer directly to the modem, to see if that works. You should get an IPv6 address.
• E

  IPv6 default route disappears
  • entrader  

  19
  0
  Votes
  19
  Posts
  223
  Views

  

  @derelict said in IPv6 default route disappears: Vote with your deutchemarks, people. They are called Euros for years, ya' know? Problem is, that those small little pearls are mostly local ISPs in specific regions or cities. Even if I'd wanted to go all out and "shut up and take my money", it won't get me far. In most non-crowded places you're happy if you can get DSL with PPPoE or Cable from the same few companies. There are only some like e.g. DG / Deutsche Glasfaser / "german fiber" that will get you FTTH or FTTB. So more often then not, voting with ones wallet isn't possible as no other/better service is available.
• 

  FYI: Ipv6 users should use 2.pool.ntp.org as their NTP server
  • IsaacFL  

  1
  2
  Votes
  1
  Posts
  81
  Views

  No one has replied

• W

  Setting up Comcast Business Class IPv6 & IPv4 with Static Allocations to PFsense
  • WB3FFV  

  9
  0
  Votes
  9
  Posts
  1260
  Views

  K

  With the exception of the DHCP setup, the following works for me for a little while, but I suspect the issue on my end is something else. https://techielibrarians.com/index.php/2017/06/08/native-ipv6-with-comcast-business-and-pfsense-2-3/ Those instructions are for the old gateway modem type, but I'm on the Cisco and it seems to work.
• P

  Help me with IPv6 SLAAC on Android
  ipv6 android slaac • • pixielark  

  29
  0
  Votes
  29
  Posts
  426
  Views

  P

  Ok, so the final update, I have everything fixed now (at least till now) So the final trick is to set my switch to tag port 5-8 which connect to my 4 APs apparently the tp-link APs will receice packages on it's selected wirelss VLAN + anything that's untagged (without vlan header) after change my switch to tag vlan1 on port 5-8 it ensures all the vlan1 tag won't be removed when outbound the port, which fixes the RA flood issue. Thanks everyone for the help
• S

  Using IPv6 on LAN without IPv6 on WAN?
  ipv6 lan • • stb  

  13
  0
  Votes
  13
  Posts
  185
  Views

  B

  Even if your ISP doesn't provide IPv6, you can still have it, using a tunnel from hurricane electric. They are free, they perform well, they are very reliable and they work. I used one for years before my ISP implemented IPv6. There are lots people here who can help you set it up.
• M

  tunnel over slash 48
  • msf2000  

  3
  0
  Votes
  3
  Posts
  85
  Views

  M

  Thanks for the sanity check. I got a few IPv6 digits reversed. Fixing the typo fixed the routing. :)
• L

  IPv6 Native with Telstra, Australia
  • Larrikin  

  165
  0
  Votes
  165
  Posts
  4129
  Views

  L

  @Derelict I am certain I have come across some sort of bug in pfsense that when IPv6 is enabled, IPv4 performance decreases by about 2mb/s both up and down. I have done lots of testing tonight and Telstra's router does not suffer this issue, only pfsense. The moment I turn off IPv6, I get my full speeds back. The moment I turn on IPv6, I lose 2mb/s down and up on IPv4. I cannot replicate that on Telstra's router. I maintain full speeds on IPv4 with IPv6 enabled on Telstra's router. What additional information would you need to help isolate what this bug would be?
• Q

  IPv4 over IPv6
  • QED  

  4
  0
  Votes
  4
  Posts
  178
  Views

  Q

  I guess this feature is not available on pfSense. It is a sad news as the situation will become worse over time. IPv6 over IPv4 was the 1st phase of IPv6 implementation. Now we are on the second phase were we are moving to IPV4 over IPv6, as ISP started increasing their IPv6 capable gear. We will see this increasing and this phase will last years IPv4 will eventually go away. However, looking at the trend, I wont be surprised if it takes over 30 years to get there.
• L

  Commercial opportunity for Netgate - IPv6
  • Larrikin  

  1
  0
  Votes
  1
  Posts
  116
  Views

  No one has replied

• L

  rapid-commit support
  • Larrikin  

  3
  0
  Votes
  3
  Posts
  118
  Views

  L

  Thanks. I realised I could put the rapid commit command via the GUI using https://imgur.com/a/IdxTJAr The problem I have is that I just cannot get IPv6 working at all with Australia's largest ISP Telstra. They only issue PD's (/56), but they don't respond to solicit commands at all. I think they only broadcast initially an IPv6 Neighbourhood advertisement which pfsense doesn't initially pick up. I've tried everything. All my config files are found here: https://forums.whirlpool.net.au/thread/2784659
• N

  Dynamic IPv6 Prefix assignment issue in xDSL users
  ipv6 • • niloofar  

  44
  0
  Votes
  44
  Posts
  1470
  Views

  

  See if using a scheme like this using both ULA and GUA-PD on the inside interfaces helps with that sort of problem. That is the recommended way to operate when an ISP insists on changing the PD. https://forum.netgate.com/post/825770 If that doesn't help you'll need to post specific details as to exactly what the ISP is doing and exactly what is causing your problems. Not a description, but screen shots and real, actual troubleshooting output. https://www.ripe.net/publications/docs/ripe-690#5--end-user-ipv6-prefix-assignment--persistent-vs-non-persistent Note that's RIPE - as in Europe. So it's their own RIR telling them they're doing it wrong, too. RFC7368 is about as close as we have to a controlling document here. https://tools.ietf.org/html/rfc7368 ULAs should be used within the scope of a homenet to support stable routing and connectivity between subnets and hosts regardless of whether a globally unique ISP-provided prefix is available. In the case of a prolonged external connectivity outage, ULAs allow internal operations across routed subnets to continue. ULA addresses also allow constrained devices to create permanent relationships between IPv6 addresses, e.g., from a wall controller to a lamp, where symbolic host names would require additional non-volatile memory, and updating global prefixes in sleeping devices might also be problematic.
• C

  Cannot Ping pfSense ULA From Subnet Without ULA Assigned to Firewall
  • chewie198  

  10
  0
  Votes
  10
  Posts
  425
  Views

  

  Unfortunately, since pfSense doesn't currently support multiple IPv6 prefixes per tracked interface I am doing exactly this. DHCP6 serves the delegated prefix based on track interface settings: RA Serves BOTH the tracked interface prefix and the configured ULA: ETA: Forgot about the VIPs: My Mac's LAN interface looks like this: vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=3<RXCSUM,TXCSUM> ether a8:60:b6:19:15:fe inet6 fe80::14ea:9daa:af44:6b3d%vlan0 prefixlen 64 secured scopeid 0xb inet6 2600:beef:cafe:ab01:1092:8d9e:537d:5207 prefixlen 64 autoconf secured inet6 fd8c:9857:66db:1:4c9:e132:ee:396a prefixlen 64 autoconf secured inet 192.168.223.6 netmask 0xffffff00 broadcast 192.168.223.255 inet6 2600:beef:cafe:ab01::145a prefixlen 64 dynamic inet6 2600:beef:cafe:ab01:edf8:e8af:4a5c:da72 prefixlen 64 deprecated autoconf temporary inet6 fd8c:9857:66db:1:edf8:e8af:4a5c:da72 prefixlen 64 deprecated autoconf temporary inet6 2600:beef:cafe:ab01:b95b:1aa2:a178:32c9 prefixlen 64 deprecated autoconf temporary inet6 fd8c:9857:66db:1:b95b:1aa2:a178:32c9 prefixlen 64 deprecated autoconf temporary inet6 2600:beef:cafe:ab01:b0f0:e7fb:d671:c1e prefixlen 64 deprecated autoconf temporary inet6 fd8c:9857:66db:1:b0f0:e7fb:d671:c1e prefixlen 64 deprecated autoconf temporary inet6 2600:beef:cafe:ab01:91f5:785f:2283:21fc prefixlen 64 deprecated autoconf temporary inet6 fd8c:9857:66db:1:91f5:785f:2283:21fc prefixlen 64 deprecated autoconf temporary inet6 2600:beef:cafe:ab01:b1d6:45a3:c20:1d15 prefixlen 64 deprecated autoconf temporary inet6 fd8c:9857:66db:1:b1d6:45a3:c20:1d15 prefixlen 64 deprecated autoconf temporary inet6 2600:beef:cafe:ab01:4c01:bf7b:6079:299b prefixlen 64 deprecated autoconf temporary inet6 fd8c:9857:66db:1:4c01:bf7b:6079:299b prefixlen 64 deprecated autoconf temporary inet6 2600:beef:cafe:ab01:347d:50ed:27e3:2de9 prefixlen 64 autoconf temporary inet6 fd8c:9857:66db:1:347d:50ed:27e3:2de9 prefixlen 64 autoconf temporary nd6 options=201<PERFORMNUD,DAD> vlan: 223 parent interface: en0 media: autoselect (1000baseT <full-duplex>) status: active The IPv6 stack in the Mac sources from a global address to global destinations and a ULA address to ULA destinations. $ ping6 -c1 www.google.com PING6(56=40+8+8 bytes) 2600:beef:cafe:ab01:347d:50ed:27e3:2de9 --> 2607:f8b0:4005:80b::2004 16 bytes from 2607:f8b0:4005:80b::2004, icmp_seq=0 hlim=55 time=21.027 ms $ ping6 -c1 nc.mydomain.com PING6(56=40+8+8 bytes) fd8c:9857:66db:1:347d:50ed:27e3:2de9 --> fd8c:9857:66db:4::c0a8:e012 16 bytes from fd8c:9857:66db:4::c0a8:e012, icmp_seq=0 hlim=63 time=0.695 ms I use split DNS to give ULA addresses to inside queries. It's been working great. And now my inside network no longer breaks in the unlikely event Cox changes my PD. One thing I have not tried is pinging ULA from an interface with only global addresses and pinging global from interfaces with only ULA addresses. A lot of the burden there is on the client's stack. Considering, with a /56, I don't have any problem assigning GUA and ULA to every IPv6 interface it has never come up. Let me try something real quick: From LAN to the LAN GUA $ ping6 -S fd8c:9857:66db:1:347d:50ed:27e3:2de9 2600:beef:cafe:ab01:208:a2ff:fe0a:593f PING6(56=40+8+8 bytes) fd8c:9857:66db:1:347d:50ed:27e3:2de9 --> 2600:beef:cafe:ab01:208:a2ff:fe0a:593f 16 bytes from 2600:beef:cafe:ab01:208:a2ff:fe0a:593f, icmp_seq=0 hlim=64 time=0.352 ms 16 bytes from 2600:beef:cafe:ab01:208:a2ff:fe0a:593f, icmp_seq=1 hlim=64 time=0.391 ms 16 bytes from 2600:beef:cafe:ab01:208:a2ff:fe0a:593f, icmp_seq=2 hlim=64 time=0.325 ms From LAN to another interface's GUA: $ ping6 -S fd8c:9857:66db:1:347d:50ed:27e3:2de9 2600:beef:cafe:ab02:208:a2ff:fe0a:593f PING6(56=40+8+8 bytes) fd8c:9857:66db:1:347d:50ed:27e3:2de9 --> 2600:beef:cafe:ab02:208:a2ff:fe0a:593f 16 bytes from 2600:beef:cafe:ab02:208:a2ff:fe0a:593f, icmp_seq=0 hlim=64 time=0.455 ms 16 bytes from 2600:beef:cafe:ab02:208:a2ff:fe0a:593f, icmp_seq=1 hlim=64 time=0.292 ms 16 bytes from 2600:beef:cafe:ab02:208:a2ff:fe0a:593f, icmp_seq=2 hlim=64 time=0.298 ms ^C --- 2600:beef:cafe:ab02:208:a2ff:fe0a:593f ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.292/0.348/0.455/0.075 ms From LAN to a host on DMZ GUA: $ ping6 -S fd8c:9857:66db:1:347d:50ed:27e3:2de9 2600:beef:cafe:ab04::c0a8:e012 PING6(56=40+8+8 bytes) fd8c:9857:66db:1:347d:50ed:27e3:2de9 --> 2600:beef:cafe:ab04::c0a8:e012 16 bytes from 2600:beef:cafe:ab04::c0a8:e012, icmp_seq=0 hlim=63 time=0.775 ms 16 bytes from 2600:beef:cafe:ab04::c0a8:e012, icmp_seq=1 hlim=63 time=0.612 ms 16 bytes from 2600:beef:cafe:ab04::c0a8:e012, icmp_seq=2 hlim=63 time=0.629 ms ^C --- 2600:beef:cafe:ab04::c0a8:e012 ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.612/0.672/0.775/0.073 ms So it looks like it's all working as expected. There are GUA and ULA addresses on the configured interfaces. Rebooting based on the trouble description in that redmine: Yeah. it all just works here. GUA and ULA /64s on all interfaces configured as such. All the above pings still work. Seems fine. For completeness, this is how I did one of the linux servers (nextcloud - accessible on GUA from the outside and ULA from the inside): auto ens18 iface ens18 inet static address 192.168.224.18 netmask 255.255.255.0 gateway 192.168.224.1 dns-search example.com admin.example.com dns-nameservers 192.168.223.1 iface ens18 inet6 auto privext 2 accept-ra 2 up ip -6 addr add 2600:beef:cafe:ab04::192.168.224.18/64 dev $IFACE label $IFACE:0 down ip -6 addr del 2600:beef:cafe:ab04::192.168.224.18/64 dev $IFACE label $IFACE:0 up ip -6 addr add fd8c:9857:66db:4::192.168.224.18/64 dev $IFACE label $IFACE:0 down ip -6 addr del fd8c:9857:66db:4::192.168.224.18/64 dev $IFACE label $IFACE:0 (Please do not use ULA prefix fd8c:9857:66db::/48. Please generate your own.)
• 

  Getting new IPv6 prefix
  • JKnott  

  28
  0
  Votes
  28
  Posts
  633
  Views

  

  While there is no doubt this problem is occurring at the ISP, I've continued investigating. I'm examining the DHCPv6 XID advertise packet. What I've found it this: Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3' I assume this means the ISP is not providing the prefix to my network. The full packet is listed below. Any ideas? Frame 66: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits) on interface 0 Ethernet II, Src: Casa_9a:a1:99 (00:17:10:9a:a1:99), Dst: Trendnet_2b:ed:ea (00:14:d1:2b:ed:ea) Internet Protocol Version 6, Src: fe80::217:10ff:fe9a:a199, Dst: fe80::214:d1ff:fe2b:edea User Datagram Protocol, Src Port: 547, Dst Port: 546 DHCPv6 Message type: Advertise (2) Transaction ID: 0x557257 Client Identifier Option: Client Identifier (1) Length: 14 Value: 0001000123eb5e12001617a7f2d3 DUID: 0001000123eb5e12001617a7f2d3 DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Feb 4, 2019 15:33:22.000000000 EST Link-layer address: 00:16:17:a7:f2:d3 Server Identifier Option: Server Identifier (2) Length: 14 Value: 00010001159bb6e50021285fd2b7 DUID: 00010001159bb6e50021285fd2b7 DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 27, 2011 17:47:17.000000000 EDT Link-layer address: 00:21:28:5f:d2:b7 Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 72 Value: 000000000000000000000000000d003800064e6f20707265... IAID: 00000000 T1: 0 T2: 0 Status code Option: Status code (13) Length: 56 Value: 00064e6f2070726566697820617661696c61626c65206f6e... Status Code: NoPrefixAvail (6) Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3' DNS recursive name server Option: DNS recursive name server (23) Length: 32 Value: 2607f7980018001000000640712552042607f79800180010... 1 DNS server address: 2607:f798:18:10:0:640:7125:5204 2 DNS server address: 2607:f798:18:10:0:640:7125:5198
• C

  Ipv6 Comcast
  • clifford64  

  2
  0
  Votes
  2
  Posts
  130
  Views

  C

  Ok, so it appears I was getting a PD, but I wasn't seeing it in the logs because the DHCP6c debugging wasn't turned on. After turning it on, it was showing me the full PD of /60 being given to me and then the router handling the tracking. So, what I have done is enabled tracking only on one of my 3 vlan interfaces (the guest). Then after receiving the prefix, I can set statics on the other interfaces that I care about.
• G

  Prevent logging of a specific IPv6 blocked address
  • ghostnet  

  4
  0
  Votes
  4
  Posts
  144
  Views

  

  The default deny rule logs by default. There is a checkbox to stop this logging but it will affect ALL traffic hitting default deny not just the traffic you are specifically asking about. A specific rule higher in the list can block the traffic, not log, and processing will stop. The default deny rule (and the logging) will never be hit/processed.
• X

  IPv6 no longer working after updating to 2.4.4
  • xero9  

  20
  0
  Votes
  20
  Posts
  1447
  Views

  D

  I have exactly the same issue. SLAAC on the PPPoE WAN interface seems to work, but I can't ping6 any host on the internet. Also, clients seem to not getting RA's. But before 2.4.4 I was able to ping6 google.com when I logged in to pfSense via SSH. Don't have a solution unfortunately.
• X

  IPv6 unable to access internet on LAN interface
  • xayumi  

  17
  0
  Votes
  17
  Posts
  387
  Views

  

  @xayumi said in IPv6 unable to access internet on LAN interface: @derelict Hi yes, I understand, they just assigned me a ipv6 address with mark /64 on my WAN, instead of a ipv6 and /64 subnet to me. I am new to IPv6 just really does spent some hours to figure it out! Thanks for your help! NAT for IPv6 is current a solution for me :) One thing a lot of people have to figure out is the WAN address is not used for routing. It's a /128, which means it's to identify an interface only. It cannot be used to communicate with another device, without going through a router (pfSense). On IPv6, link local addresses are normally used for routing. Link local addresses start with fe80.
• E

  IPv6 WAN interface not getting prefix, only single IPv6 address
  • earlish  

  12
  0
  Votes
  12
  Posts
  1667
  Views

  G

  @earlish Hi, Do you still use pfsense? I'm facing the same problem as you using AsashiNET provider. Only the WAN gets the prefix, LAN It is not getting anything. Please let me know if you found a solution because my provider doesn't support PPPoE for IPv6. Thanks in advance.
• M

  IPv6 and Ip renumbering
  • maybeageek  

  3
  0
  Votes
  3
  Posts
  138
  Views

  M

  Hi, thanks for the quick response! actually, I don't need IPv6, but, as we in Germany say, it is sort of a chicken - egg problem. If nobody uses it, then no services will be made available. If no services are available, no one will use it. Anyhow, the German Telekom started DualStack quite some time ago, and I want to use, if only for the reason of it being the future, and no immediate need. I expect current devices to use it where possible. But you are right, no necessary need has arisen, yet. To solve my problem: A guy in the german telekom forum asked the same questions, to which somebody else posted screenshots. They work perfectly for my setup. So I will leave the link here for documentation purposes: German Telekom Forum This setup does exactly what I want and it works without further config need. All the best, Thomas
• 

  Forwarding traffic: quitting NAT
  • skilledinept  

  1
  0
  Votes
  1
  Posts
  98
  Views

  No one has replied

• 

  Comcast IPv6 WAN address and delegated prefix added, then removed seconds later
  • rohrej  

  12
  0
  Votes
  12
  Posts
  652
  Views

  

  So, turning off suricata for the WAN interface did not fix this. It doesn't happen every day now, but still pretty often. root 2183 0.0 0.0 6340 2380 - Is 21Jan19 0:02.81 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0 root 11215 0.0 0.0 6340 2376 - Is 27Jan19 0:01.57 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0 root 13704 0.0 0.0 6968 2804 - S 18:53 0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1 root 14116 0.0 0.0 6564 2460 - S 18:53 0:00.00 grep dhcp6c root 38355 0.0 0.0 6340 2400 - Ss 19Jan19 0:11.03 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0 root 41023 0.0 0.0 6340 2376 - Is 15:15 0:00.04 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0 root 60339 0.0 0.0 6340 2376 - Ss 22Jan19 0:02.64 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0 root 83791 0.0 0.0 6340 2376 - Is 24Jan19 0:02.28 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0 root 98049 0.0 0.0 6340 2380 - Is Thu03 0:00.79 /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_igb0.pid igb0
• N

  IPV6 not working on pfSense but does on opnsense
  • norffc  

  9
  0
  Votes
  9
  Posts
  392
  Views

  N

  @derelict yes, ping 6 working fine. [2.4.4-RELEASE][admin@pfSense]/root: ping6 fe80::21d:aaff:fe92:775c%hn1 PING6(56=40+8+8 bytes) fe80::215:5dff:fe01:20c%hn1 --> fe80::21d:aaff:fe92:775c%hn1 16 bytes from fe80::21d:aaff:fe92:775c%hn1, icmp_seq=0 hlim=255 time=0.755 ms 16 bytes from fe80::21d:aaff:fe92:775c%hn1, icmp_seq=1 hlim=255 time=0.739 ms 16 bytes from fe80::21d:aaff:fe92:775c%hn1, icmp_seq=2 hlim=255 time=3.010 ms 16 bytes from fe80::21d:aaff:fe92:775c%hn1, icmp_seq=3 hlim=255 time=1.028 ms 16 bytes from fe80::21d:aaff:fe92:775c%hn1, icmp_seq=4 hlim=255 time=0.840 ms 16 bytes from fe80::21d:aaff:fe92:775c%hn1, icmp_seq=5 hlim=255 time=1.603 ms
• T

  IPv6 Static IP with track interface
  • tortue  

  6
  0
  Votes
  6
  Posts
  1791
  Views

  M

  @inq Thanks. That was really helpful!
• I

  Dynamic prefix assignment with static subnet host addresses
  • ijdod  

  2
  0
  Votes
  2
  Posts
  116
  Views

  V

  I'm pretty sure that the only way this could be done in pfSense is with a virtual IP (Firewall > Virtual IPs) on the respective interface... but if your ISP ever delegates a different prefix to you, that virtual IP would need to be manually updated with the new prefix in order to function again.
• F

  DHCP6C not requesting prefix / Confused
  • FTLN46  

  12
  0
  Votes
  12
  Posts
  523
  Views

  

  A packet capture on that provider would be interesting to see. One from a device that works and one that doesn't. As has been said, it works great but every ISP IPv6 deployment cannot possibly be tested. Some reliance on the community is required. I, personally, know that dhcp6c works flawlessly with Cox Las Vegas and it works in my lab with DHCPv6 served by pfSense. Unfortunately, ISPs take great liberties here and some seem to need special sauce to make it work. It's too bad ISPs are less-than-helpful when you try to get the recipe for THEIR SERVICE out of them.
• C

  Router advertisement problem: wrong dns server when dns forwarder or resolver is enabled.
  • correajl  

  6
  0
  Votes
  6
  Posts
  217
  Views

  

  It says unless your running forwarder/resolver.. Prob could be worded a bit more precise - or actually check to see if listening on actual interface if you have strict set. Normally people that run resolver/forwarder want their dhcp clients to talk to pfsense. This is what like 99% of use cases (number just pulled out of my ass <grin>) If you have a lot of interfaces pick the way you want to go about it that is least amount of work ;) I will try and duplicate so can put in request to have wording updated, or option changed so that if strict and not bound to interface don't hand out pfsense IP.
• B

  What is expected behaviour of pfSense if ISP edge router does not send periodic RA?
  • bimmerdriver  

  9
  0
  Votes
  9
  Posts
  378
  Views

  B

  @derelict Thanks for your reply. This ISP has made some of possibly questionable implementation decisions in their network. First, the DHCP before RA feature was tested on this network. Their edge routers will not respond to an RS until after the DHCP solicit/advertise and DHCP request/reply sequence is complete. After that, the edge router will respond to an RS with an RA. I just fired up wireshark and captured some packets. The router lifetime in the is 4500 seconds (75 minutes), the reachable time is 0 and the and the retrans timer is 100 ms. These values are also used in the unsolicited RA messages, which leads to another interesting implementation decision. Second, the time between the unsolicited RA messages ranges from approximately 15 minutes to approximately 30 minutes. I determined this by capturing RA messages over several hours. This is longer than usual, but according to RFC 2461, MaxRtrAdvInterval is 1800 seconds, so they are operating within the allowable limit. I also looked at the DHCP reply. T1 and T2 in the IA for PD are 300 and 480. The preferred lifetime and valid lifetime in the IA Prefix are 600 and 900, respectively. The above are from my router which is working properly. Apparently on some fiber networks, the unsolicited RA messages are not being sent at all. This is a known problem that they are working with the router vendor on. I'm trying to help someone else figure out why pfsense is behaving as I described above. Based on these timers, I would think it should work for 75 minutes (or whatever the prefix lifetime is) until the prefix expires, then it should stop working. However, it seems to fail once after initially getting a prefix, then if the interface is restarted, it keeps working. I don't understand why it would keep working if prefix expiration is causing it to stop working after the interface is started. Maybe something else is going on. I don't have packets captured from this network, but I'll try to get some.
• K

  When 6to4 ipv6 is enabled, facebook mobile does not fully load all videos and pictures (IOS and Android)
  • kjstech  

  21
  0
  Votes
  21
  Posts
  1137
  Views

  K

  I know this is old but even on 2.4.4-p2 ipv6 only works for about 1 to 2 days and then all Facebook videos stop loading until I turn ipv6 off. I guess I will just have to give up on ipv6 with my ISP.
• A

  Splitting a static /48 from Mediacom into subnets
  • alankeny  

  15
  0
  Votes
  15
  Posts
  410
  Views

  

  @alankeny said in Splitting a static /48 from Mediacom into subnets: With their static IPv6 allocation, the WAN side is basically a bridged network that can have 1,208,925,819,614,629,174,706,176 IPv6 hosts on it, and that's the only configuration option available. That's nonsense. A /48 is not usable in that manner. It's supposed to be split up into /64s, which are what is used on a LAN. For example, I have a /56. One /64 is used for my main LAN, a 2nd for a test interface and a 3rd for my VPN. MY ISP uses DHCPv6-PD to provide my prefix and WAN interface address. As Derelict mentions, take a look at what's on the wire. You might want to see if you can talk to 2nd level support. Maybe they might have a clue about how IPv6 works.
• D

  OSPF6 over IPv6 VTI Tunnel Interfaces
  • Davidkmessenger  

  3
  0
  Votes
  3
  Posts
  263
  Views

  

  @pete35 said in OSPF6 over IPv6 VTI Tunnel Interfaces: some months ago i run into a similar problem. It looks like, that all the tunnels (openvpn, ipsec) doesnt provide the Link Local adresses of IPv6. OSPF needs them to work. I think, assigning the RFC4193 Address to the tunnels doesnt help in this case. Fire up Wireshark or Packet Capture and see what's actually happening. IIRC, OSPF announces itself via mulitcast. There should also be Neighbour Advertisements advising of the address in general. Do you see those? Also, the tunnels don't provide the link local addresses, the end devices do. However, link local addresses will not be routed. Are there any routers in between? It must be a direct connection between OSPF routers, which could include a tunnel.
• H

  IPv6 not working on LAN
  • heartofrainbow  

  4
  0
  Votes
  4
  Posts
  290
  Views

  

  @heartofrainbow said in IPv6 not working on LAN: The WAN and LAN IPv6 addresses have the same prefix Doesn't work that way.. your so called passthru mode would be a bridge.. Why don't you call your isp and ask what they support or what is your ISP so we can look it up. What are you wanting to do with IPv6 exactly? If you don't even know how your ISP does it, why does it even matter... If you want IPv6 - just get a free tunnel from HE.. Then you can have a /48 and clickity clickity done... Doesn't matter what your ISP supports or doesn't support.
• N

  IPV6 on more than one NIC
  • Nthly  

  25
  0
  Votes
  25
  Posts
  884
  Views

  

  @nthly Glad to help.
• C

  Ipv6 setup for Telus
  • cdx304  

  8
  0
  Votes
  8
  Posts
  380
  Views

  B

  @eternalglue said in Ipv6 setup for Telus: This is what worked for me: Navigate to Interfaces -> WAN IPv6 configuration should be DHCPv6 Under the DHCP6 config, select “Request only an IPv6 prefix”, prefix size 56, “Do not wait for a RA”, and “Do not allow PD/Address release”. Under the DHCP config, select advanced configuration and add “supersede dhcp-lease-time 1800;” under Option modifiers. I found this necessary to keep the IPv6 prefix working for longer than a few hours. Under your LAN interface, select track interface for IPv6, and pick a prefix ID of 0. Other interfaces can use nonzero IDs but I found if I didn’t use zero I would eventually lose the prefix and pfsense wouldn’t recover. You could also add some rules to allow the relevant ICMPv6 packets through the firewall. Just noticed this thread about Telus. Telus has played with lease times quite a bit. Lately, at least for DSL, the lease time is 10 minutes, so you will see it renew every 5 minutes. This happens in the background, so it makes no difference to the service. The only mandatory settings for Telus are: request prefix only, /56 prefix, and do not wait for ra. It's not strictly necessary to use do not allow pd release, unless you want the dynamic prefix to be as stable as possible. Telus will delegate the same prefix to the same DUID, unless another system requested a prefix while there was no active lease on it. The only difference do not allow pd release makes is that the prefix won't go back into the queue immediately, it will go back in after it expires. That's 10 minutes (BFD). In practice, if you keep your system running, the prefix won't change. As long as you keep an active lease on it, the prefix will stay the same.