Easier until you start assigning IP ..........
I don't see any case where DHCPv6-PD would be desirable over a static IPv6 block. But maybe that's just me.
Noop, you got a point.
I have to add that I'm using a static IPv6 setup myself, as my ISP doesn't know what IPv6 is.
and if they do, they come up with a single /64
or a /56 but only the first /64 is routable
or ..... (whatever, their BOX has just one LAN so they don't understand the fuss - not even that some clients are actually companies and they could have more than 1 LAN ....)
With he.net, the one I'm using, the price is: not the world's fastest ISP, but free and rock solid. And very static.
My prefix was rock solid on my last ISP (Comcast). .....
unplugging the interface or rebooting.
A pretty solid proof that '$$$€€€' and 'Mbits/sec' is just a part of the equation.
Good 'protocol' support is as important. And this one doesn't need the reading of their promises on paper. It will always be "Hands on testing for 6 months" ;)
@pmisch Well that's the thing. More and more the answer is "just use a competing product". What is pfSense even for anymore if they can't fix years old bugs and they can't do IPv6 under realistic real world scenarios? pfSense looks like a dying project to me so I've personally been steering people away from it.
@viktor_g I have a static IP (via DHCP4/6) from my ISP. The IPv4 works with no problems. IPv6 gets an IP ok, but the resolv.conf never updates.
Rebooted multiple times.
The other day I was looking at the scripts that update the resolv.conf for IPv6.
If I am not mistaken, they only do so if the IP changes.
Which it won't with a static IP.
Although I could be misinterpreting.
I gave up and added the DNS entries via the General Setup to get around this issue for now.
There's a bug in 2.5.0 that has been found that requires a monitoring address to be manually added in the System > Routing settings for the IPv6 gateway. The gateway will show as "Pending" until a monitoring address is manually set. For whatever reason, 2.5.0 is not automatically getting the gateway address and monitoring it. Try adding a monitoring address (you can make it anything valid/reachable for the purpose of testing) and see if that fixes things for you.
If you want to add the exact gateway address as the monitor address, go to Diagnostics > Routes and copy the default gateway from the IPv6 table. Just know that this could change if your ISP does maintenance before the bug is fixed.
@andrew_241 Yeah, those look like "policy routing" rules since you were specifying a gateway (rather than letting pfSense use the default gateway). But if you only have one WAN connection, or you don't want to route specific traffic in a specific way, you don't really need those rules, because everything can just route through the default gateway.
But since you had those rules... there is a deeper issue with the IPv6 gateway behind the scenes, so the IPv6 rule was not functional because of the bug, and was preventing your IPv6 traffic from flowing as a result.
@virgiliomi does re-saving the interface fix the issue? That seems to be the case with me.
Edit: did some testing and it seems that my interface got corrupted, deleted it and re-made it and now it's all good, survives reboots, looked in the logs and saw that the dhcp6c process couldn’t find the interface and then it would quit.
@gary201 The issue from July 2019 was resolved without them really going into detail about what was happening during their large maintenance/migration. When I got in touch with them they were still in the "putting out fires" mode. They made a note of my issue, emailed me a few days later when they had a fix in place for me to verify, and all was good.
Around December 2nd of 2020 I did have an IPv6 outage after a maintenance window. No IPv6 traffic was routing. I also tried different machines directly wired to the ONT at that time to verify it wasn't something on my end (not that I had changed anything). I reached out to them and they were able to in their words, "remove a filter" and it fixed my issue. I'm not sure how helpful that is, but it's all they told me.
I'm not sure what to say other than maybe try Comcast's forums or other ISP community sites on the internet for settings that will work. It's been over a year since I had Comcast service, but I used pfSense with IPv6 and had no issues for over four years using the settings I provided earlier.
If you have a gateway (modem+router) in gateway mode, pfSense won't work for IPv6 because the gateway will acquire a single /64 for its own use. I don't know if their gateways will sub-delegate additional /64's or not.
If you have a gateway that is in bridge mode, or have just a regular modem (I used both Motorola/Zoom and Arris modems over my time on Comcast), you should be able to request a /60 unless they've changed things since I left.
Hmmm So I looked in more detail to my TCL TV (roku based).. And even shit it asks for that is blocked.. Which is quite a bit ;)
I don't see it asking for any AAAA..
Yeah plex asks for it. And so does NAS - but no IPv6 there at all.. Just stupid.. Like asking for chopsticks to drink your beer with..
And if that chrome article about their stupid dns queries shows us anything - the mentality of oh it's just a simple small little thing, couple of bits here, couple of bits there. In the big picture multiplied by millions or billions of devices doing it.. It's not such a little thing any more..
Even locally this can be a problem - stupid windows boxes and their VAST amount of nonsense noise they put out.. Yeah it's not a big deal when you have a few of them.. But when you have say 200 of them on the same L2 - it works out to be a lot of freaking noise on the wire.. That serves no purpose!!
The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks.
Yup and this 1 guy is holding it up... JFC dude the world is waiting for you to get IPv6 running on your local network already..
Amazon is waiting for you to give them the green light so they can finally move to it, same with twitter.. Shoot, of the top like 1 million sites, 28% or so are ipv6.. All the others been waiting for you to give them the go! ;)
I think my ISP is waiting on you as well - since they don't provide it.. Nor do they have it even on their road map.. So make sure you call them when you're done so they can get started..
In what year do you think this graph will hit even 50%?
The world is waiting on you dude - would you hurry up already ;)
I think once you give the green light this graph is just going to shoot to the moon.. Just like gamestop stock prices ;)
@bob-dig I have tried assisted and stateless. I rebooted each time after I changed the mode, the monitor will say pending and unknown. If I restart dpinger, the gate monitoring says offline. Pinging Google via IPv6, I have 100% fail. Does not matter between mode assisted and stateless. What mode should I use?
@foerkede Why would you? Best compatibility is to assign one /64 to your LAN via track interface. Then in the DHCPv6 Server on LAN you add a static mapping for one machine's DUID together with a hostname and an interface identifier of your liking. Now you can use that hostname in firewall rules, even after your prefix changed.
Yes that's a good way to manage the clients in the network and I will probably do that.
My idea was to set the LAN Interface IPv6 to a memorable address, like <prefix>::1 as you do in IPv4, so you can configure static IPv6 addresses more easily (gateway and DNS config).
But I forgot that if the prefix changes, I have to change all the static addresses on the machines too. So the DHCPv6 solution seems to be the only good one if you don't get a static prefix from your ISP.
I am past this issue, everything is almost fine, after I added that specific link local, the ISP has sent me. My only problem is that the interface clients don't communicate between each other (for the time being, ping). The internet communicates with them, from anywhere, they communicate with the internet, but not between each other. I mean clients from one interface with clients from another interface. Clients within the same subnet talk to each other just fine.
The very first thing I tried is adding an allow from any to any firewall rule on IPv6 for both interfaces, all protocols, first rule from top to bottom, but nothing..
@JKnott ok sorry.
Noob more in regard of IPv6 itself. I'm not a networking guy, I got a fair understanding of IPv4, but not so much about IPv6. And to that I must say: still a noob, and looking to learn.
About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but it's out in the clear now I guess. I may have missed mentioning it was a Datacenter, I just said "provider", my bad and I'm sorry for the confusion.
I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All VMs get their connectivity through pfSense and are not host-bound.
@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:
You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.
It's like people (or me in this case) are stupid and can't interpret what we're told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased better. Anyway, please note I said it seemed, I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to any, despite how dumb I may think they are sometimes.
Anyway I don't want to derail the topic to this, was just a comment.
I'm still insisting with the DC so they give me a bigger prefix.
Especially if the WAN address is on the opposite end of my prefix from where my LAN and other networks are.
My WAN address has absolutely nothing to do with my prefix. However, as you mentioned, you could pick any address within your prefix. For example, with my /56, I use prefix ID ff for OpenVPN. There's no reason it couldn't also be used as a target. However, I haven't tried that.
@hemachayart It's been like a month... I remember setting it back to regular Unbound mode as a test, then rebooting it and it came back up with my IPv6. I then set it back to Python and restarted Unbound again if memory serves and it came back up OK. That was when version 3 first came out. I've upgraded it with those small incremental updates since and haven't had any other issue like that. I suspect if I were to power cycle the modem or disconnect it I would probably have to restart Unbound again, as I have left it in Python mode. It's like a weird timing thing between the modem and router when it's in Python mode.