@Gertjan Yeah i clicked submit then noticed my screenshot error (took it while testing) and then had a server issue at work so had to stop "playing".

Thats really helpful info and gives me something to work on, i'm a simple man of PPPoE so this is a new config type for me so it's all weird and wonderful.

I occurred to me that I might have some weird config since I was importing config from a chain of older routers so who knows what might have been lurking in that XML.

So I did a factory reset on the 6100 and only set the needed things. Same problem.

At this point, if someone had a procedure to downgrade the 6100 to 22.5, I would absolutely do that right now.

@catonic said in 2.4.4 ICMPv6 Firewall Rules?:

because ICMPv6 is not an option on the drop-down

Sure it is.. What do you think ICMP is when you select IPv6?

icmpv6.jpg

Here created a test rule

[23.05.1-RELEASE][admin@sg4860.local.lan]/root: cat /tmp/rules.debug | grep "test icmpv6" pass in quick on $TEST inet6 proto ipv6-icmp from any to any ridentifier 1695465595 keep state label "USER_RULE: test icmpv6" label "id:1695465595" [23.05.1-RELEASE][admin@sg4860.local.lan]/root

This thread is 3 some years old - if you are having a problem, it would be best if you actually give details of what your trying to accomplish, how and what you have done to test it.

There are also hidden rules that allow some icmpv6

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state

Here I created a icmpv6 echo request rule, then sent some ipv6 pings..

echreq.jpg

And the counter goes up.

Just to close this out... To avoid any issues at the next upgrade I backed out the two changes in the patch and uninstalled the dhcpleases6 package.

Then I added a new gateway on my external router that points to the hyper-v router's ipv6 address on its WAN side (the external router's LAN side), and added a static route to direct the delegated prefix subnet to that gateway. This configuration also works to allow IPv6 to work from the internal hyper-v router's LAN side. These two configuration items will be easy to back out at upgrade, assuming the issue is addressed in the next release.

@kiokoman said in HE Tunnelbroker:

but the most important thing of all is that they give you a t-shirt if you became a SAGE

That's certainly sage advice! 😉

So nobody has any clue on how you can achieve individual interface assignment?

@netgate_etagten said in ipv6 dns opcode: QUERY, status: REFUSED:

why dhcp6c needs to reacquire the address.

Did you try setting this

https://docs.netgate.com/pfsense/en/latest/config/advanced-networking.html#do-not-allow-pd-address-release

@JKnott

https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html#ethernet-layer-2-rules
pfSense® Plus software versions 23.05 and later include support for rule-based pass/block filtering of packets based on Ethernet (Layer 2) header attributes.

If you want to play with it, get the FREE + home license..

https://shop.netgate.com/products/pfsense-software-subscription

plus2.jpg

@Gertjan Your usecase is "dynamic-DNS". I wish pfSense would let you do what you did but with the DDNS-Clients onboard.
My usecase is a host-alias for firewall rules, which can be private IPs for v4. And it has worked in the past, now it only works partially.

Thanks for all your support guys, but nothing seems to work on my Qotom pfsense box with this release. Did a new install with CE2.7 and there it works fine. As soon as I upgrade to 23.05.1 the IPv6 network doesn't get any IP addresses. Therefor will put by Qotom box on the shelf for now and re-use my Dell R320-II for the time being. Looking forward for an improved pfsense release.

@johnpoz

Yup, that seems to fix it. NDP Table loads up on webUI after setting my current GUA PD as local-zone.

So yeah, an option to always set the PD as local-zone would be nice...

@guardian said in Does anybody use Bell/FibeTV (in Canada) with pfSense:

My understanding (but am not 100% sure), is that you are not behind NAT

Then they will have to provide multiple IPv4 addresses and I doubt they do.

@Gertjan said in How to diagnose IPv6 delegation issues:

Putting the ISP router in 'bridge' mode isn't possible anymore in France.

Do those routers provide DHCPv6-PD to the customer? That's what pfSense requires to provide IPv6 to the LAN.

I'm on Rogers, in Canada, and if I had a fibre connection, I could completely eliminate all their equipment, other than the optical terminal, and install my own router. As I'm on cable, I have to put their modem in bridge mode.

Maybe you can do a capture of what's happening on the pfSense WAN port and post it here.

@johnpoz It has a link local now. I don't know why just reassigning the interfaces in the same exact way changed it, but I'm happy with it as long as its working.

bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE> ether 00:26:b9:8b:fc:4f inet6 fe80::226:b9ff:fe8b:fc4f%bce0 prefixlen 64 scopeid 0x1 inet6 2001:558:6040:52:4d97:8d28:xxxx:xxxx prefixlen 128 inet 73.x.x.x netmask 0xfffffe00 broadcast 255.255.255.255 media: Ethernet autoselect (1000baseT <full-duplex,master>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

@JKnott said in ISP offering and testing an IPv6 BETA program, but it's not working and need some ideas:

@bmeeks said in ISP offering and testing an IPv6 BETA program, but it's not working and need some ideas:

I'm talking about lines #31 and #32 in the top window of the Wireshark display at times 140.049081 and 140.071568. Notice that reply from my ISP side that is sourced from port 547 (which is correct) and destined for port 547 (which is incorrect as I think it should be 546). Note also this says it is a Relay-reply message type.

I see that replay reply, which I have never seen before. I have no idea what it's about.

Yeah, me neither. I've sent your capture and mine to the consulting engineer for my ISP. I think perhaps setting all this up is new for him as well. Hence the BETA program. So, likely a learning curve for the both of us 🙂.

Thank you for your input. You validated what I thought I understood. Just wanted another more experienced IPv6 user's view.

@myfamilydeservesbetter said in Editing the PHP SOURCECODE to enable ipv6 ?! // block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6":

I also have a green check mark

The green check mark means : this is a pass rule.
Bytes "0" means : the rule hasn't matched (yet ) with traffic passed into the interface.

Editing the PHP SOURCECODE to enable ipv6

Something really strange is going on.

@JKnott yea weird. :( I guess we’ll see but everything seems to be okay. I do appreciate your help through this.

@Bob-Dig

Given the pictures are already there, what would it accomplish to provide more? I often post pictures when I think it would help.