@thiamata

You can add prefixes on the Router Advertisement page, but if you do that you will also have manually add the original prefix, as for some reason it's no longer automatically added.

@ofloo route get -inet6 default show the correct gateway, .. I've disabled the rule from the firewall that is making it use a this gateway.

Still it uses the wrong interface.

So I removed he.net from that gateway group. And still it uses he.net.

Even when route get -inet6 default shows a different IPv6 gateway. This is not just broken, but seems impossible to me.

@fabrizior Nope, no setting for IAID in static mappings in 2.5.0...Sounds like a good feature request though... assuming dhcp6d has a way to use it...

@virgiliomi said in Configuration IPV6:

Easier until you start assigning IP ..........
I don't see any case where DHCPv6-PD would be desirable over a static IPv6 block. But maybe that's just me.

Noop, you got a point.

I have to add that I'm using a static IPv6 setup myself, as my ISP

doesn't know what IPv6 is. and if they do, they come up with a single /64 or a /56 but only the first /64 is routable or ..... (whatever, their BOX has just one LAN so they don't understand the fuzz - not even that some clients are actually companies and they could have more then 1 LAN ....)

with he.net, the one I'm using, the price is : not worlds fastest ISP, but free and rock solid. And very static.

@virgiliomi said in Configuration IPV6:

My prefix was rock solid on my last ISP (Comcast). .....
unplugging the interface or rebooting.

A pretty solid proof that '$$$€€€' and 'Mbits/sec' is just a part of the equation.
Good 'protocol' support is as important. And this one doesn't need the reading of their promises on paper. It will always be "Hands on testing for 6 months" ;)

@virgiliomi said in Configuration IPV6:

But they don't. Because my DUID hasn't changed...

They probably cleared out their DHCPv6 server cache and settings.
As you said : they are probably in the implementing phase.

@pmisch Well that's the thing. More and more the answer is "just use a competing product". What is Pfsense even for anymore if they can't fix years old bugs and they can't do IPv6 under realistic real world scenarios? Pfsense looks like a dying project to me so I've personally been steering people away from it.

No further issues since upgrading to 2.5.0. Looks like the bugs have been squashed!

@viktor_g I have a static IP (via DHCP4/6) from my ISP. The IPv4 works with no problems. IPv6 gets an IP ok, but the resolv.conf.never updates.
Rebooted multiple times.
The other day I was looking at the scripts that update the resolv.conf for IPv6.
If I am not mistaken, they only do so if the IP changes.
Which it won't with a static IP.
Although I could be misinterpreting.
I gave up and added the DNS entries via the General Setup to get around this issue for now.

@tadao I forgot to mention that the WAN Interface Address of the pfSense must be set to DMZ IP on the ISP router/modem.

@jknott Thanks for your help! I am gonna try that when I have the day off. I'll let you know if I got it to work!

I upgraded this morning my main 'company' pfSense to 2.5.0.
I'm using he.net for my my IPv6 'needs'.

I had nothing to do.

Everything came up and was working fine.
( + captive portal using FreeRadius - OpenVPN server for my remote access).

Even a non-native package I installed many years ago was upgraded and kept on running.

@virgiliomi said in Updated to 2.5 everything went smooth except for WAN IPv6 status being stuck on "Unknown" and "Pending" - Have Comcast, despite multiple Cable Modem restarts, and PFSense restarts:

There's a bug in 2.5.0 that has been found that requires a monitoring address to be manually added in the System > Routing settings for the IPv6 gateway. The gateway will show as "Pending" until a monitoring address is manually set. For whatever reason, 2.5.0 is not automatically getting the gateway address and monitoring it. Try adding a monitoring address (you can make it anything valid/reachable for the purpose of testing) and see if that fixes things for you.

If you want to add the exact gateway address as the monitor address, go to Diagnostics > Routes and copy the default gateway from the IPv6 table. Just know that this could change if your ISP does maintenance before the bug is fixed.

Hopefully that helps...

This worked for me, thanks!

@andrew_241 Yeah, those look like "policy routing" rules since you were specifying a gateway (rather than letting pfSense use the default gateway). But if you only have one WAN connection, or you don't want to route specific traffic in a specific way, you don't really need those rules, because everything can just route through the default gateway.

But since you had those rules... there is a deeper issue with the IPv6 gateway behind the scenes, so the IPv6 rule was not functional because of the bug, and was preventing your IPv6 traffic from flowing as a result.

I got it working again, by restoring a previous config.

@virgiliomi does re-saving the interface fix the issue? That seems to be the case with me.

Edit: did some testing and it seems that my interface got corrupted, deleted it and re made it and now its all good, survives reboots, looked in the logs and saw that the dhcp6c precess couldn’t find the interface and then it would quit.

I just did another test with a second LAN Track Interface on WAN2.

There i used Prefix 1 and after a reboot (why is this necessary?) the second LAN also get it's IPv6 prefix.

So it seems you just can use it with increasing values. So why is this the case?

@jefftee
If I unblock private networks and loopback addresses on my WAN, the gateway comes back as up.
Try that

@gary201 The issue from July 2019 was resolved without them really going into detail about what was happening during their large maintenance/migration. When I got in touch with them they were still in the "putting out fires" mode. They made a note of my issue, emailed me a few days later when they had a fix in place for me to verify, and all was good.

Around December 2nd of 2020 I did have an IPv6 outage after a maintenance window. No IPv6 traffic was routing. I also tried different machines directly wired to the ONT at that time to verify it wasn't something on my end (not that I had changed anything). I reached out to them and they were able to in their words, "remove a filter" and it fixed my issue. I'm not sure how helpful that is, but it's all they told me.

@viktor_g said in IPv6 PPPoE MSS incorrect:

@bm118

Could you test this patch: 135.diff

You need to install System Patches pkg:
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

Works a treat, thank you very much!

Redmine issue created:
https://redmine.pfsense.org/issues/11415

@hescominsoon

I'm not sure what to say other than maybe try Comcast's forums or other ISP community sites on the internet for settings that will work. It's been over a year since I had Comcast service, but I used pfSense with IPv6 and had no issues for over four years using the settings I provided earlier.

If you have a gateway (modem+router) in gateway mode, pfSense won't work for IPv6 because the gateway will acquire a single /64 for its own use. I don't know if their gateways will sub-delegate additional /64's or not.

If you have a gateway that is in bridge mode, or have just a regular modem (I used both Motorola/Zoom and Arris modems over my time on Comcast), you should be able to request a /60 unless they've changed things since I left.

@jwj said in ipv6 disable on Pfsense:

my LG TV

Hmmm So I looked in more detail to my TCL TV (roku based).. And even shit it asks for that is blocked.. Which is quite a bit ;)

I don't see it asking for any AAAA..

Yeah plex asks for it. And so does NAS - but no IPv6 there at all.. Just stupid.. Like asking for chopsticks to drink your beer with..

And if that chrome article about their stupid dns queries shows us anything - the mentality of oh its a just a simple small little thing, couple of bits here, couple of bits there. In the big picture multiplied by millions or billions of devices doing it.. Its not such a little thing any more..

Even locally this can be a problem - stupid windows boxes and their VAST amount of nonsense noise they put out.. Yeah its not a big deal when you have a few of them.. But when you have say 200 of them on the same L2 - it works out to be a lot of freaking noise on the wire.. That serves no purpose!!

OK i think I found the "issue". The first interface I ipv6 enabled gave itself the entire /56 delegation, I had to change the prefix id and change it back to make it only grant itself a /64.

@jknott said in Blocking InterVLAN with IPv6:

The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.

Yup and this 1 guy is holding it up... JFC dude the world is waiting for you to get IPv6 running on your local network already..

Amazon is waiting for you to give them the green light so they can finally move to it, same with twitter.. Shoot of the top like 1 million sites, 28% or so are ipv6.. All the others been waiting for you to give them the go! ;)

I think my ISP is waiting on you as well - since they don't provide it.. Nor do they have it even on their road map.. So make sure you call them when you done so they can get started..

In what year do you think this graph will hit even 50%?

graph.png

The world is waiting on you dude - would you hurry up already ;)

I think once you give the green light this graph is just going to shoot to the moon.. Just like gamestop stock prices ;)

graph2.png

@jknott
A Unifi Switch has its Ports set to the profile "All" by default.
In Cisco terms this would mean that every Port is set to Trunk Mode with native VLAN 1 and every other VLAN tagged

What helped was to set a specific Profile where only one VLAN is selected.
In other words, the port now is in Access Mode and has no tagged VLANs

@bob-dig I have tried assisted and stateless. I rebooted each time after I change the mode, the monitor will say pending and unknown. If I restarting dpinger the gate monitoring says offline. pinging google via IPV6 i have 100% fail. Does not matter between mode assisted and stateless. What mode should I use?

@mushymiddle said in Switch from /64 to /48:

There is very little information about how to deal with /48's and handing-out /64's in general on the Internet.

When you configure a LAN or VLAN interface, you have to specify a unique prefix ID. With a /48, the range is 0 - ffff.

I know this is an old post but in case anybody else finds it and need a possible solution:

For me it was because I had Snort running, and it blocked the Tunnel IPv4 endpoint. I had to add it to the alias list that I use to whitelist IPs for Snort (and restart Snort!)

@bob-dig said in IPv6 Dynamic Prefix with static suffix for LAN interface:

@foerkede Why would you? Best compatibility is to assign one /64 to your LAN via track interface. Then in the DHCPv6 Server on LAN you add a static mapping for one machines DUID together with a hostname and an interface identifier of your liking. Now you can use that hostname in firewall rules, even after your prefix changed.

Yes that's a good way to manage the clients in the network and I will probably do that.
My idea was to set the LAN Interface IPv6 to a memorable address, like <prefix>::1 as you do in IPv4, so you can configure static IPv6 addresses more easily (gateway and DNS config).
But I forgot that if the prefix changes, I have to change all the static addresses on the machines too. So the DHCPv6 solution seems to be the only good one if you don't get a static prefix from your ISP.

Thanks for your fast and helpful input!

@bob-dig Yes, which is why I encouraged to connect directly. Which worked. Still going to only get a /64. Many ISPs do that for reasons known only to them. Makes no sense at all...

@JKnott @Derelict
Thank you guys.

I am passed this issue, everything is almost fine, after I added that specific link local, the ISP has sent me. My only problem is that the interface clients don't communicate between each other (for the time being, ping). The internet communicates with them, from anywhere, they communicate with the internet, but not between each other. I mean clients from one interface with clients from another interface. Clients within the same subnet talk to each other just fine.
The very first thing I tried is adding an allow from any to any firewall rule on IPv6 for both interfaces, all protocols, first rule from top to bottom, but nothing..

@JKnott ok sorry.
Noob more in regard of IPv6 itself. I'm not a networking guy, I got a fair understanding of IPv4, but not so much about IPv6. And to that I must say: still a noob, and looking to learn.

About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but its out in the clear now I guess. I may have missed mentioning it was a Datacenter I just said "provider" my bad and I'm sorry for the confusion.

I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All vm's get their connectivity through pfSense and are not host-bound.

@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:

You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.

Its like people (or me in this case) are stupid and can't interpret what were told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased better. Anyway, please note I said it seemed, I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to any, despite how dumb I may think they are sometimes.

Anyway I don't want to derail the topic to this, was just a comment.

I'm still insisting with the DC so they give me a bigger prefix.

@virgiliomi said in Add setting for "Use excluded prefix for WAN":

Especially if the WAN address is on the opposite end of my prefix from where my LAN and other networks are.

My WAN address has absolutely nothing to do with my prefix. However, as you mentioned, you could pick any address within your prefix. For example, with my /56, I use prefix ID ff for OpenVPN. There's no reason it couldn't also be used as a target. However, I haven't tried that.

@gertjan said in IPv6 when LAN goes down:

@peter-fyri

Like https://redmine.pfsense.org/issues/10966 ?

Right :)
Well, it sounds very similar to my issue, it's just the trigger that it's different, but with the same effect.

Thank you :)

@beremonavabi

I have never been able to understand the reasons for not supporting DHCPv6 on Android. The reasons I've read could equally apply to SLAAC.

@virgiliomi Thanks. That's a really helpful answer. I appreciate it.

@jknott . It is working now. Apparently it needed a reboot. Helped by a power outage in my suburb. Thanks for your help!

@hemachayart It's been like a month... I remember setting it back to regular Unbound mode as a test, then rebooting it and it came back up with my IPV6. I then set it back to Python and restarted Unbound again if memory serves and it came back up OK. That was when version 3 first came out. I've upgraded it with those small incremental updates since and haven't had any other issue like that. I suspect if I were to power cycle the modem or disconnect it I would probably have to restart Unbound again, as I have left it in Python mode. It's like a weird timing thing between the modem and router when it's in python mode.

A cron-job (/usr/bin/nice -n20 /etc/rc.reload_all) seems to do the job.

You could set firewall rules to only allow traffic to the servers' IPv6 addresses, and not allow connections to other PCs.

You might double check your ISP's router as well...many block inbound IPv6 by default.