@jimp I understand, that this is the case however I think it's sad that CE is neglected in this way.

@guardian said in WAN Firewall Rules for IPv6:

Will IPv6 go through a bridge the same way as IPv4?

Yep, as will IPX, NetBIOS, SNA, DECNet, etc..

@Gertjan
Yes this would work if I not disable IPv6 in Advanced Settings and then catch the IPv6 with my own rules as you suggest.
However, by allowing IPv6 in Advanced Settings, pfSense automatically add rules to allow any icmpv6, because this is needed for ipv6 to work.
These rules cannot simply be overruled.
It's not a big problem, at least I can control the logs a little better, but at least icmpv6 will be allowed and that is not something I wanted to begin with.

@asdjklfjkdslfdsaklj said in DHCPv6 PD not installing route after 23.05-RELEASE upgrade:

new bug report.

That link is also a bug ....
I mean : click on it and enjoy.
More edits :
Since 5 days or so :
If the patchs is applied
and you "pkg install dhcpleases6"
does it work ?

@matthewgcampbell

Again, pfSense has to know the route to that subnet. It knows where that interface is, but not what's beyond it.

Here's an example, though it's for IPv4 only.

67e12ab2-1f09-4074-ab90-d157cad78d48-image.png

In order to access that 172.16.2.0 network, I had to tell pfSense where to find it. You may see your pings go out, but how far do you see the replies coming pack? You can use Packet Capture to watch for them. I bet you see them come into pfSense, but then what??? Without a route, pfSense cannot send them where they're supposed to go.

I assume that delegated prefix is provided by your ISP.

@s0ulf3re

I had a similar issue, now resolved (for the most part):

Resolved: Did v23-05 break ipv6?

👍

@Bob-Dig not dynamic prefixes but ULA prefixes which are mapped to a routable IPv6 NAT 1:1

like you set fc08::1000 to a client then you can route it with NPt to whatever prefixes you own you just map ULA/64 to native /64 used to do it many times you can do this with he.net native IP and have failover links and choose which interface to use.

So all the IPv6 are static but not in the range of the routable IPv6 prefix

However never done it with double NAT seems to be tricky

I should add that the only difference between my custom config and the default (non-advanced) config was that request refreshtime; was added and the DNS related request lines were removed.

This why I have a suspicion that adding in request refreshtime might be the thing that actually helped.

@johnpoz
I mostly do, except some university classes require we use it.
R.png

@insmod active just means the cache has expired ie no traffic. IPv6 uses NDP, arp for IPv6..

There is little point to trying to create traffic to keep that listing as "active"

@johnpoz Before my ISP offered IPV6, I used a tunnel from HE. It worked very well. Admittedly it's been a while since I have used HE, but I agree that you can't go wrong with them.

@keyser said in DHCPv6 on WAN works but pf uses SLAAC address:

I'll need some time without users on my net to do some proper testing. But I did do a packet capture, and the ICMP6 flow looked normal. When my pfSense transmitted packet from the SLAAC GUA address to the fe80 default gateway, they were simply blackholed.

When pinging link local addresses, you have to specify the interface with the -I option. You could also try capturing the full DHCPv6 sequence and posting the file here.

I have similar messages from radvd and want to debug dhcp6c messages, but I don't see debug option anywhere, how can I start dhcp6c in debug mode? PfSense version is 23.05 WAN is PPPoE and LAN is set to track IPv6 on WAN.