@johnpoz said in What If ISP can only provide a /64: The point is that you can subnet a /64. Um not according the the specification - breaking up a /64 is going to be problematic for sure.. If everyone stuck to the specifications and best practice then there would be zero need to have such conversations. To be clear, I'm not an advocate of splitting up a /64 and certainly not an advocate of anyone receiving just a /64 or worse, not being served by IPv6 at all. None of these limitations are applicable to my situation either. This is just a conversation for those stuck in the gap between what should be happening and what is actually happening when stupid strikes. ️

@robbiett Great information. I will definitely look into this, as i am still new to all this.

You might compare the content in /var/dhcpd/var/db/dhcpd6.leases when it works and when it doesn't. See if maybe there is a particular lease present when it fails to parse, or check the file size when it works vs when it doesn't.

@dobby_ Thanks, switches aren't the issue (I have several). I'm just trying to minimize electricity costs. At $0.50/kWh it adds up.

solved, wasn't a pfsense issue

@wentoo Do you get a bigger prefix than /64 from your ISP? If so, you have to split off some chunk of it for a downstream router to further split. You can use a manual configuration for the link between pfSense and the next router and not worry about using DHCPv6-PD there. As I mentioned above, you can split a /64, but not for a LAN, which must be a /64 for things to work right.

@jknott I know

@chase My wording isn't the best, glad you figured it out.

@arobase13 said in How to configure dhcp6 service?: Only Android devices, don't seem to have ipv6. Yep, as I mentioned above, some genius at Google decided Android users don't want to use DHCPv6. Use SLAAC on your LAN

@jordanp123 Likely related to this... https://redmine.pfsense.org/issues/14072

@sn3akerz glad you got it sorted.. So you weren't crazy heheh.. So far I've been unable to wrap my head around a firewall rule to block this. Kind of hard to block something at the firewall if its not going over the firewall ;)

@jbannister SLAAC .... NPT .... Never used these, as they are 'not needed' ( ? ) I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years. I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT. This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices. I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing. And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@jasonreg I used the first GUA that appeared in the list.

@jasonreg It's up to you. If you can get the monitor working fine, otherwise disable it and rely on IPv4.

@mlohr said in IPv6 Firewall rules with dynamic prefixes: In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ. The "problem" is that your NAS is not on your WAN, so that will not work for your WAN rule that you need because pfSense doesn't know to which interface this host address belongs (as far as I have understand this, try it for yourself) But what does work is to make a DHCP static mapping on your prefix delegated "LAN" and to create an alias for that hostname you define there. Now every time the prefix changes, the alias will be changed too. In theory. There are still problems when the prefix actually changes but they can be mitigated by doing this at night times and rebooting pfSense via cron and so on.