@Kenneth_H

I see you're requesting and receiving a /48 prefix. However, I also see you have some release XID packets. That's your system releasing the prefix you've been assigned. I have never seen that in my system. Also, did you restart the system, before you did the packet capture, as described in my instructions? The first line should be a solicit, as shown in mine.

DHCPv6-PD.cap

Here mine starts with a solicit and only has 4 packets, ending with the reply. In this, IPv6 works just like the IPv4 DHCP sequence, with only 4 packets for normal operation.

@Spaylia

Well, I don't know what to say. It's a really strange system you have there. The MAC address comes from the NIC, not pfSense. So, if you're seeing the MAC, that is the 48 bit hardware address, on the LAN side, there must be some other path involved. This is why I asked you to provide the Packet Capture file, so that I can examine it in Wireshark.

@ttmcmurry btw, I finally got dhcp6 working pfsense+ (23.09-RELEASE) on my home network. My architecture - ATT modem (Pace 5268) in DMZ Plus mode, Netgate 1100, using upgraded Kea DHCP, GS110TPV3 poe switch, WAN, LAN + 4 VLANS (Admin, Guest, IoT, IPCam), 3 wireless APs. I found out the hard way, reading error logs, that the Guest WAP was not ipv6 enable so it kept failing for everything. Once I remove PD request for that interface everything worked (of course no ipv6 for the Guest interface I'll upgrade the device later). This works and thanks for all of the ground work you've done on this.

interface mvneta0.4090 {
send rapid-commit;
send ia-na 0;
send ia-pd 0;
send ia-pd 1;
send ia-pd 2;
send ia-pd 3;
send ia-pd 4;
send ia-pd 5;
send ia-pd 6;
send ia-pd 7;
request domain-name-servers;
request domain-name;
#script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh";
script "/var/etc/dhcp6c_wan_script.sh";
};

id-assoc na 0 { };
id-assoc pd 0 {
prefix-interface mvneta0.4091 {
sla-id 0;
sla-len 0;
};
};
id-assoc pd 1 {
prefix-interface mvneta0.20 {
sla-id 0;
sla-len 0;
};
};
id-assoc pd 2 { };
id-assoc pd 3 {
prefix-interface mvneta0.40 {
sla-id 0;
sla-len 0;
};
};
id-assoc pd 4 { };
id-assoc pd 5 { };
id-assoc pd 6 { };
id-assoc pd 7 { };

@regiolis said in IPv6 not working on LAN:

hat's my case..... so i don't know how to do

Describe your Internet connection. For example, I'm on a cable modem, which I put into bridge mode. This allows DHCPv6-PD to reach my pfSense firewall, which will then provide IPv6 to the LAN.

I've just put pfsense 2.7 in for my parents Toob connection, it's a IPV4 CGNAT / IPV6 service and I think they allocate /56. Not needed to carve up VLANs etc. it's a flat network. I must check the log file myself to confirm what they had out.

@elbombo

Editing /conf/config/xml worked... ``` <dhcrelay> <interface>lan,opt3,opt4,opt8,opt25</interface> <server>10.200.0.233</server> <carpstatusvip>none</carpstatusvip> <enable></enable> </dhcrelay> <dhcrelay6> <interface>lan,opt3,opt4,opt8,opt25</interface> <server>xxxx:xxxx:x:xxxx::233</server> <carpstatusvip>none</carpstatusvip> <enable></enable> </dhcrelay6>

@chill_out said in Router solicitations not working on vlans (2.7.1-RC):

My understanding is that with ipv6 there's no more broadcasts, everything is either unicast or multicast

That is correct. The closest thing to a broadcast is the all hosts multicast. There are some differences, such as the scope can be specified and for some things, the hop count can be set to 255 as protection against a bogus packet being sent through a router.

Edit:

I found the solution, I disabled the DHCPv6 server, RA on Assisted and Priority on High, and on the LAN interface I left it on Track Interface. It works without problems even after the restart.

Thanks! @JKnott

@asdjklfjkdslfdsaklj said in Feature idea/request: GUI prefix delegation display:

@jimp What kind of logic do you use for LAN IPv6 addressing tracks?

We don't apply any logic/code there because we can't -- the DHCPv6 client places the addresses on the tracking interfaces directly when receiving the delegation.

@Lurick said in Do not allow PD/Address release - Specific Interface Only?:

needs it checked otherwise your IPv6 prefix will change

Yeah for sure could see that.. Because it would release it.. But not sure how some ISP would need a release from you - for stuff to work.. They might give you a different prefix anyway even if you don't release.. But not sending a release should have nothing to do with getting a prefix in the first place. you sure can not send a release when your first asking for one.

@Dough29 said in Subneting my /56 prefix to multiple internal LANs:

forum lafibre.info

That's where I go to check if any progress exists 👍

@FOOLiSH86 said in IPV6 on pfsense WAN:

I wanted to understand how to properly set up full ipv6 support on my pfsense

You might want to mention your ISP, as some might have issues. As for pfSense, you need the modem in bridge mode, as gateway mode won't work for this. Then you need to enable dhcpv6 on the WAN interface. Normally, you use SLAAC on the LAN side. I used unmanaged for RA mode. Try getting started and ask about any issues as you come across them. Also, someone might have already posted configuration for your ISP or similar. Here's the info for mine.

@JKnott

I appreciate your knowledge and input. Getting that deep with the ISP customer support is my fear. I don't know if its worth the effort. It would probably be easier changing ISPs :).

Luckily, the problem fixed itself after several days! I didn't change my PfSense configuration but I did bring the WAN interface down and back up again today. I guess whatever was hanging up the CMTS is fixed as it decided to honor the prefix delegation it supplied me. IPv6 traffic within that prefix range is finally routing back.

Thank you again.

@yobyot

My IPv4 address is so "durable" it's virtually static. Also, the host name, provided by my ISP, is based on the modem and router MAC addresses, so it never changes, unless I change hardware.

@Gremlin said in Cannot enable the "Allow IPv6" setting:

Looking at the is_bogonsv6_used() function, it looks like this does the opposite of what is expected. I think this function returns true if the "Block bogon networks" setting is true on any enabled interface?

The function iterates of "all interfaces" (it does so, because $force is set to true)
=> For every interface, if 'blockbogons' is set, then set $usebogonsv6 = true;

$usebogonsv6 is returned.

So : what happens when you don't use/check blockbogons on any interface ?
The function, is_bogonsv6_used(true) returns always false, no matter what..

So, I think (still brainstorming here) : If you managed to de select IPv6 usage, good luck turning it on 😊

The solution is : activate bogons on a WAN interface, and you'll be fine.

Btw : bogons is/uses an IPv4 file, and a IPv6 file.

And yes :

94d169bf-9c69-491d-8369-84dc5c9874a7-image.png

has to be set to "400000" (400K) at least.
It can be set lower, if you've been upgrading from older pfSense version where this parameter was lower.
Or you try to run pfSense on a "512 Mbytes RAM" system - something like that.

What I did notice : the "Save" operation silently fails without the error message. That's not good.

@Mats

I was really excited by your comment and went and created an alias that points to ::/56 then created an inverted pass rule for this alias. Unfortunately it seemed that I could still access my other networks via IPv6, so something was weird.

But then I've switched from using the alias "::/56" to actually defining the network ::/56 in the firewall rule and it magically started working. So it seems that you're right you can block by using this.

Thank you, this has been very useful!

@bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

The correct way to handle this is to use a separate sub-domain for your internal AD setup. Something like mydomain.com for the public IP domain name and internal.mydomain.com for the Windows AD network in RFC1918 space. That can work. A quick Google search will lead you to a Microsoft best practices and how-to article on this configuration. I highly recommend you restructure you AD configuration to match what is described at this older Microsoft link here: https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx. And here is a slightly newer document showing the same thing: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772970(v=ws.10).

Thanks for the links - one of them I had looked already (as a Google search pointed to it). My public domain name has a - {dash} in it, and apparently my old ass NAS does not like that. I have tried and tried to get it to recognize the domain-name that I first setup as ad.{mypublicdomain} - even a chat session with them for over an hour (nothing worked - they plan no updates to it. It also only does CIFSv1/SMBv1 - FTP (no sFTP) and NFS (but only to Linux boxes) - and some form of iSCSI. I have over 6TB of files and stuff on there, and they "SEAGATE" is not even willing to 'help' me with another NAS to replace it. One of my IT buddies said I should use {mypublicdomain}.loc for my AD/DS...but still going to resolve the - {dash} in there unless I remove it completely. I have considered creating (renaming my public-facing-domain) as only HomeAssistant uses it (well their app on my phone and the ALEXA and GOOGLE links do too).

My older post you referenced was assuming the network was IPv4 only with no IPv6 in use. You want to use IPv6, but your ISP is not guaranteeing you a static assignment (they use prefix delegation which means the IPv6 space might change unexpectedly). That's going to be an issue unless you use both ULA and GUA IPv6 addresses. My post also assumed that your Active Directory domain was never going to be accessed from outside. Sounds like that is not what you intend as you mentioned somewhere up above about using some type of home automation with LDAP authentication I believe (unless I'm confusing this thread with another one).

Pretty much what I am going to. Every guide that I have read says not to DISABLE the IPv6 on a DC. I am going to leave it at its default settings and let pfSense take care of it. Same for DHCPv4 - going to only do DNS on AD/DS and I am guessing that pfSense is RESOLVER with the FORWARDING option turned on. I would also need a Domain Override setup to point to AD/DS name and IPv4 address as well. Still trying to grasp the REV LOOKUP (setup in pfSense) thing and the HOST OVERRIDE too.

The LDAP stuff that I want to do is not really for Home Automation, per se. I do have HomeAssisitant - what I want to do is sign-ins to the various parts with LDAP credentials so that I do not have to keep up with (currently 22) separate login accounts. All of that stuff is 'inside' my pfSense Firewall - only Alexa and Google can access from outside and their app. I got that working, and hoping that I do not have to go through that again. WHEW!!!

I tried and I tried...it's my ISP that's keeping me in the dark,,,their static IPv6 on the Fast5688w doesn't appear to allow pfSense LAN to communicate with WAN so RA cannot give out ULA's...

@mauropc

????

DHCPv6-PD is the normal way for ISPs to provide IPv6 to home users. You get an IPv6 address for your WAN interface and a prefix with at a minimum 18.4 billion, billion addresses and probably a lot more.

Maybe you can describe what you're trying to do and problems you're having.

@bearhntr
I've no idea, sorry!

☕️

@Gertjan Yeah i clicked submit then noticed my screenshot error (took it while testing) and then had a server issue at work so had to stop "playing".

Thats really helpful info and gives me something to work on, i'm a simple man of PPPoE so this is a new config type for me so it's all weird and wonderful.

@JKnott IPv6 works fine with their gateway.

AT&T goes out of their way to make sure that you only use their gateway and pay for it for as long as you have their service, even though is absolutely terrible and unreliable.

I’ve been able to bypass it entirely for over 2 years now, but only over IPv4. From what I read, some folks have been able to get IPv6 leases with some additional work, but I’m stuck.

I occurred to me that I might have some weird config since I was importing config from a chain of older routers so who knows what might have been lurking in that XML.

So I did a factory reset on the 6100 and only set the needed things. Same problem.

At this point, if someone had a procedure to downgrade the 6100 to 22.5, I would absolutely do that right now.

@catonic said in 2.4.4 ICMPv6 Firewall Rules?:

because ICMPv6 is not an option on the drop-down

Sure it is.. What do you think ICMP is when you select IPv6?

icmpv6.jpg

Here created a test rule

[23.05.1-RELEASE][admin@sg4860.local.lan]/root: cat /tmp/rules.debug | grep "test icmpv6" pass in quick on $TEST inet6 proto ipv6-icmp from any to any ridentifier 1695465595 keep state label "USER_RULE: test icmpv6" label "id:1695465595" [23.05.1-RELEASE][admin@sg4860.local.lan]/root

This thread is 3 some years old - if you are having a problem, it would be best if you actually give details of what your trying to accomplish, how and what you have done to test it.

There are also hidden rules that allow some icmpv6

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state

Here I created a icmpv6 echo request rule, then sent some ipv6 pings..

echreq.jpg

And the counter goes up.

I recently upgraded to Verizon Fios 2Gbit service and it looks like I lost IPv6 capability in the process. The settings described in this thread had been working fine on the prior 1Gbit service, but with the new service I'm unable to get a IPv6 prefix delegated to me (using the same settings). Enabling debug mode on dhcpv6 I see the solicit (RS) going out, but unfortunately no advertisements (RA) follow. Does anyone with the 2Gbit Fios service have IPv6 working for them? The service is still relatively new so perhaps that capability (IPv6) is not yet enabled and will be made available later on. Thanks in advance.

Just to close this out... To avoid any issues at the next upgrade I backed out the two changes in the patch and uninstalled the dhcpleases6 package.

Then I added a new gateway on my external router that points to the hyper-v router's ipv6 address on its WAN side (the external router's LAN side), and added a static route to direct the delegated prefix subnet to that gateway. This configuration also works to allow IPv6 to work from the internal hyper-v router's LAN side. These two configuration items will be easy to back out at upgrade, assuming the issue is addressed in the next release.

@kiokoman said in HE Tunnelbroker:

but the most important thing of all is that they give you a t-shirt if you became a SAGE

That's certainly sage advice! 😉

So nobody has any clue on how you can achieve individual interface assignment?

@netgate_etagten said in ipv6 dns opcode: QUERY, status: REFUSED:

why dhcp6c needs to reacquire the address.

Did you try setting this

https://docs.netgate.com/pfsense/en/latest/config/advanced-networking.html#do-not-allow-pd-address-release

@JKnott

https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html#ethernet-layer-2-rules
pfSense® Plus software versions 23.05 and later include support for rule-based pass/block filtering of packets based on Ethernet (Layer 2) header attributes.

If you want to play with it, get the FREE + home license..

https://shop.netgate.com/products/pfsense-software-subscription

plus2.jpg