@ahole4sure A Plan B exists. Make a list with known sites that don't want you to use (your) IPv6. The issue is known for years and as already mentioned reasons above, some sites don't 'like' the he.net IPv6s If you have pfBlockerng installed, go here : Firewall > pfBlockerNG > DNSBL First, be sure you use Python mode, not the unbound mode. Next : [image: 1764058931964-7cc5259a-1778-4c85-a9a1-aacb3a6f1fae-image.png] Check 'No AAAA', and fill in thelist with host names (site) that you do'nt want to visit using IPv6. After all, before one of your devices connects to a site, it will resolve the destination host name first. As most if not all devices prefer AAAA (IPv6) they will ask that first, and if needed, to fall back, the A record (IPv4). If there is a AAAA (Ipv6) addresses, that's what gets used. Now comes the trick : pfBlockerng does DNSBL, so it can block AAAA for listed sites. You device will fall back to IPv4 - and all is well. In the past, Netflix was one of those sites : it didn't want you to use the he.net IPv6 networks. Plan A would be of course : Frontier fiber internet does not have ipv6 Break your commercial relations with this frontier ISP. If they ask for a reason, tell them.

@b_chris Thx, had he same problem, for example with www.daiichisankyo.com (which resolves to part-0032.t-0009.t-msedge.net - 2620:1ec:46::60) Setting the MSS to 1452, resolves this issues... And yes, it does not feel quite right. :-/

@rpm5099 said in Fios DHCPv6 Issues: I'm assuming you are using the LLT method where your DUID is based on MAC and timestamp? I don't think the MAC is used. In those 7 years, I've changed both the computer I run pfSense on and my cable modem. Also, when my prefix changed, almost 7 years ago, it was because there was a problem at my ISP that messed up IPv6 for everyone connected to the CMTS I was. In my testing, I had identified the failing CMTS, but it took some effort to get them to fix it.

@jarmo I'm not quite sure how the lan clients get different prefixes although they will be different than your wan prefix. As far as I know, the ISPs only assign one prefix for lan usage so unless you are configuring your lan to subnet the prefix into multiple smaller networks, they should all have the same prefix. If your lan is using SLAAC for IPv6 addresses, your clients will have multiple IPv6 addresses: an Ipv6 address, a "temporary" ipv6 address, and a link local ipv6 address. The routable lan IPv6 address should have the same prefix and different suffixes. In my case, I found using "Diagnostics->Packet Capture" that my router was sending IPv6 renew requests to the ISP and never getting a response (as shown in my previous response). Once the ISP fixed the issue, I started seeing the rc.newwanipv6 entries in the system log. My only suggestion is to try and use either Packet Capture or Wireshark to capture RA packets or the prefix delegation packets and see if they match what your clients are reporting.

@stephenw10 That is correct. The adding of the second WAN/LAN was what caused it. I have not encountered this with only one WAN/LAN in play, which is why I ultimately pulled the second WAN/LAN completely and am (for the temporary present) not running it through pfSense.

Finally got this sorted. Zen offered a loan router as I couldn't find the original and it arrived next day, which was nice. Then, after spending over an hour on the phone to a tech person they finally passed the issue over to their IPv6 team who rebuilt the connection and all is now fine. Well, I say all is fine - After I configured everything I started receiving reports that xbox was not working and sure enough xbox.com is painfully slow to load when connecting with IPv6 - I'll look into that one day, could be DNS related. All I really needed to do was get some servers connected so I can play with DNS AAAA records and get some web servers running IPv6. Had to disable the local DHCPv6 server as it either leases addresses to all or nothing. Couldn't find a way of only releasing the static entries so ended up with static IPv6 addresses for just the servers I wanted. Everything seems to be OK for now. Thanks all for your replies and help.

I got caught up in work and dropped this for a while. I'm back now and I've made a little progress. Xfinity / Comcast is give me a /60 (16 /64 subnets). I have the LAN interface tracking WAN using hex 0. This gives my LAN the address of 2601:abc:abcd:fd00:a236:9fff:fef2:383a . This is the last 0 in fd00. I want to pass down to my layer 3 switch a /61 to split among the other VLANs/subnets on that switch. FYI, the L3 switch is the only device on that VLAN. In pfSense, I've changed to the KEA DHCP backend. In SERVICES > DHCPv6 SERVER, on the LAN interface, I see: PRIMARY ADDRESS POOL: PREFIX: Delegated Prefix: WAN/0 (2601:0abc:abcd:fd00::/64)/64 [image: 1763432218723-72bc82e2-4a51-4a05-be4b-ec46d865e660-screenshot-from-2025-11-17-18-00-07.png] In PREFIX DELEGATION POOL I'm trying to serve out a /61 (which should be 8 /64 subnets) to the downstream layer 3 switch. I ran a packet capture on the LAN interface and cleared out the IPV6 DHCP client on that VLAN/LAN interface. It looks like pfSense is only sending a single /64 address. [image: 1763432238823-07003cd3-c7c3-470a-be07-c4097fc66713-screenshot-from-2025-11-17-18-06-47-sanitized.png] I'm not sure where to go from here. I think I've got the DHCP server configured correctly. Does anyone have any thoughts on this? Thanks!

So, it wasn't until I got down to 0 unblocked IOT clients that the problem resolved. Meaning, the problem wasn't caused by a specific client. I went to check the IOT SSID setting in the Unifi controller. It had something called "Proxy ARP" enabled. I disabled it. Miraculously, all problems with IPv6 on the wired Windows hosts went away. This is really crazy.

Ok, I don't know if it is the action of turning off "Use if_pppoe kernel module for PPPoE client", or the subsequent required reboot, but afterwards IPv6 is working as expected. All my interface with enabled IPv6 are getting assigned IPv6 addresses and the "readjusting of services" only happens when I change a rule on the firewall or pfBlockerNG reloads on it's schedule.

@SteveITS Thanks, I will remove those rules.

@louis2 said in Filter an IPV6-address not possible !!?? :(: No idea why I had this trouble ! Note that I still can not enter an address where the text states 'alias or address' Mmmh, if I set the 'Address Familty' to 'IPv6' it does work for me (but not if set to 'IPv4+IPv6')

The original settings in this thread worked fine for me a few years ago when Verizon began rolling this out. Then they seemed to roll everything back in late 2023 and I went the whole of 2024 with no ipv6. I noticed this summer that I was seeing ipv6 addresses again and when looking into it, they appeared to have enabled it all again in Jan. of this year. But by the time I noticed over the summer, I had upgraded to the latest pfsense version and also switch over to KeaDHCP server. I tried using it for an online game and was noticing that I was getting dropouts for 15 minutes about every hour, so I just went back to using ipv4. This weekend I started looking at it more closely and found that every 1 hour 15 minutes, I would lose the ability to use ipv6. These are the entries I would see in my logs. The period from 9:52-10:04, I would have no ipv6 connectivity. IPv4 would renew the leases fine and connectivity there was unaffected. Oct 12 10:04:40 dhcp6c 55217 dhcp6c Received INFO Oct 12 10:04:39 dhcp6c 55217 Sending Renew Oct 12 10:04:36 dhclient 40170 bound to <redacted ip> -- renewal in 3600 seconds. Oct 12 10:04:36 dhclient 18404 Creating resolv.conf Oct 12 10:04:36 dhclient 17251 RENEW Oct 12 10:04:36 dhclient 40170 DHCPACK from <redacted ip> Oct 12 10:04:36 dhclient 40170 DHCPREQUEST on igb0 to <redacted ip> port 67 Oct 12 09:52:27 kea-dhcp6 21138 WARN [kea-dhcp6.alloc-engine.0x1c3afd017400] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[<redacted>], [no hwaddr info], tid=0x6b0e2c: Failed to allocate an IPv6 address for client with classes: ALL, pool_lan_0, UNKNOWN Oct 12 09:52:27 kea-dhcp6 21138 WARN [kea-dhcp6.alloc-engine.0x1c3afd017400] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[<redacted>], [no hwaddr info], tid=0x6b0e2c: no pools were available for the lease allocation Oct 12 09:52:27 kea-dhcp6 21138 WARN [kea-dhcp6.alloc-engine.0x1c3afd017400] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[<redacted>], [no hwaddr info], tid=0x6b0e2c: failed to allocate an IPv6 lease in the subnet <redacted ip>::/64, subnet-id 1, shared network (none) Oct 12 09:52:27 kea-dhcp6 21138 WARN [kea-dhcp6.alloc-engine.0x1c3afd016d00] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[<redacted>], [no hwaddr info], tid=0x6b0e2c: Failed to allocate an IPv6 address for client with classes: ALL, pool_lan_0, UNKNOWN Oct 12 09:52:27 kea-dhcp6 21138 WARN [kea-dhcp6.alloc-engine.0x1c3afd016d00] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[<redacted>], [no hwaddr info], tid=0x6b0e2c: no pools were available for the lease allocation Oct 12 09:52:27 kea-dhcp6 21138 WARN [kea-dhcp6.alloc-engine.0x1c3afd016d00] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[<redacted>], [no hwaddr info], tid=0x6b0e2c: failed to allocate an IPv6 lease in the subnet <redacted ip>::/64, subnet-id 1, shared network (none) After fooling around with various settings and searching online, I came to the conclusion that pfsense's implementation of KeaDHCP did not appear to handle renewals of the prefix delegation. I don't know if that is the right conclusion, but the config that was being generated looked to have hard coded subnet ranges and never used Kea's pd-pools config block. Ultimately, all I did to "fix" this was to disable the KeaDHCP service on my LAN interface and change the Router Advertisment-->Router Mode from Managed to Assisted and let my clients sort ipv6 themselves instead of having the router do DHCP. I could set it to Stateless but if someone can tell me what I was doing wrong I'll try and set up DHCP6 again. As I could not find others online having this problem, I assume I did not have the DHCP server configured correctly, but at least for my use case, I don't actually need DHCP6. [image: 1760369517889-beb9b838-c78b-496e-813b-653f044d6232-image.png] Since making that change, my ipv6 dropouts ceased. Also, an unexpected 1.5-2ms reduction in ping time to the target I was using. [image: 1760369744926-42176401-a3c8-4d22-b829-a9b5c0b4516a-image.png] Hopefully this helps others who might end up in a similar boat. This and the now lost thread on dslreports.com were tremendous resources for getting this working originally.

@Gertjan said in IPv6 prefix delegation not working on Netgate 3100 with Free (France ISP): @ggpf said in IPv6 prefix delegation not working on Netgate 3100 with Free (France ISP): the problem with Orange we don't have any info how they implement IPV6, we have to snif Remplacer la LiveBox par un routeur The very first pinned forum thread (you have to read the 116 pages !!) [image: 1759313272826-a195f719-e565-41bf-bc96-737dd80ffb91-image.png] Explained is how to set up the dhcp6c (DHCPv4 and IPv6 client process), as the DHCPclient has to communicate during the IPv4 and IPv6 lease request the orange /fti/xxx and the password, and mandatory DHCP options, etc. As promised : this won't be a "click and play" solution. But the orange livebox replacement with pfSense only works for IPv4 as Orange requires several DHCP6 options that the builtin DHCP6c client in pfSense cannot handle. While pfSenses kea DHCP6 server supports most things or can be costumized in the UI to do so, the same cannot be said of the DHCP6c client. That has to be the worst/least compatible DHCP6 client implementation across all known operating systems at this point. I have tried 4 different ISP’s and only one works out of the box in pfSense, another can be brought to works with special settings. The rest just won’t work with pfSense. Any linux flavor I test works just fine.

@JKnott I'll try it again later today. Unfortunately no, I don't have a managed switch.

@Gertjan said in IPV6 not working since my yesterday update !! :( :(: Btw : about your WAN_PPPOE upstream IP that the monitoring uses to 'ping' : is that your ISP router sitting a couple of feet away from your pfSense, or your connection really that good (0,3 ms is 'not far' away) ? I doubt if that the time matches reality, despite I do have a 1Gbit fiber connection to a high quality provider. Note that my actual google DNS ping time is only 2ms! Every thing shown in the widget related to IPV6 is .... not ok! And in fact that is all ready the case since the new PPOE version was introduced months ago. Note that also he old PPOE version was sometimes showing 'no connection' (in the past year(s)), where luckily in reality there was an connection And that is the big issue now. Up to very very recent, the widget was indication nonsense as related to IPV6, but in reality IPV6 was working. Not now !! There is no IPV6-connection to the network at all !! @Gertjan said in IPV6 not working since my yesterday update !! :( :(: When you upgrade to 25.07.1 there are no 'system patches' anymore that are 'network' (WAN) related. Afaik, these are quality of live patches for other things : I did revert those patches, which did not solve the problem! @Gertjan said in IPV6 not working since my yesterday update !! :( :(: It looks like you have a double set of WAN gateways, two for IPv4 and two for IPv6 : was that like before ? More normal is : That is nonsense. I did see this today for the first time !! A few things to add I did upgrade HA-proxy to the new version. Perhaps that caused the problem I did make a lot of changes in the pas few days, but absolutely not related to the WAN. This makes that I do not want / can revert to an old boot environment I think that boot environments are nothing more or less than ZFS snapshots. The problem is that I do not know how disk and datasets are organized! And as a consequence of that, I do not know which data is affected / is in the snapshot. That should be documented much better! I can not install the system from zero with a boot-usb and a config usb like I could do before. I understand Netgate, but I absolutely do not like it! I am running this snapshot now [image: 1759257077828-d1709c83-73c2-42a8-a58f-71398531e599-image.png]

@ggpf it’s extremely rare to run your own DHCP server on WAN. If you are, pfSense creates hidden rules to allow that. If you are not, you need open no ports on WAN. For the permission error see https://forum.netgate.com/topic/195602/transmit-failed-permission-denied …and ensure IPv6 is enabled.