@ethereal said in IPv6 DHCPv6 Delegation Range: @bob-dig probably his setup is a bit more complex and using the firewall as firewall - rather than a router for his lan. @simple0ne I have a similar setup at home and I was thinking to go ahead and try to implement it. Will give it a go next weekend or so. @Ethereal sounds good. I will get back to testing this further in the next few days hopefully, so I'll let you know if I discover any thing interesting. @Bob-Dig, yep two use separate use cases. One is where the firewall is basically already just serving as firewall (+ proxy for some services on IPv4) as @Ethereal mentioned. The second scenario is actually a little different and has two flavours (though they are quite similar to each other): The pf is serving as the outside firewall of a dual vendor DMZ, but the pf is also providing some services to devices/networks living within the DMZ. Similar to the first, but the pf is the only firewall, but is providing some services to downstream clients. There are a few networks, each with a lot of WAPs (that are actually routing) on them, which are managed separately, but wish to have IPv6 routed to them for allocation to wireless clients. Part of the problem here isn't purely technical, it's that the administrative domains for different devices/parts of the network are owned by different parties. This makes for some additional headwinds when it comes to adopting wider changes that could make everything a bit easier to resolve.

@bob-dig said in Block fc00::/7 out WAN just like RFC1918?: @jknott said in Block fc00::/7 out WAN just like RFC1918?: Yep. My ISP's gateway has a link local address. Mine too. Mine three.

@jimp I believe I had set it to DHCPv6 only but what is the setting I need to disable SLAAC?

@jpvonhemel You might want to allow ping. Most of the ICMP6 stuff is used on the local LAN and on the WAN side, pfsense is the "client". As for sparse addresses, the standard LAN size is a /64, which has as many addresses as the entire IPv4 address space squared. In that huge space, you might have a few dozen working addresses at any time, most of which are temporary. Bottom line, you're not much of a target. Did that test site list which ICMP6 it was testing?

@viktor_g I created a redmine ticket for this here: https://redmine.pfsense.org/issues/12280

@jbattermann I haven't done load balancing, so I can't help with that. Are you saying you have 2 prefixes on the LAN side of one network? Also, load balancing on the WAN side shouldn't have any effect on the LAN.

thank you!

@xyz By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that. BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.

@chrisjmuk ::1 is the loopback address, just like 127.0.0.1 with IPv4. If you ping that address, the ping won't leave the device you're on. For this sort of thing, you could use the link local address, if you don't have global or unique local addresses available. Link local addresses start with fe80:.

@jknott found the issue, was stuck in the state, needed to clear. another issue is that i can cant ping a certain ip on my cisco and it cant ping the pfsense, ::1 but can ping ::20 no idea why.

@uzairali001 said in How do I configure ipv6 on pfsense: Set DHCPv6 Prefix Delegation size to 64 Set that to whatever the ISP provides. Mine gives me a /56. DHCPv6 Server check DHCPv6 Server Use SLAAC unless you need DHCPv6. Assisted I have unmanaged.

@j-koopmann With SLAAC, you have 1 address that's consistent and up to 7 privacy addresses, with a new 1 every day. You configure DNS for the consistent address. If your ISP does not provide a consistent prefix, you can use ULA addresses, in addition to GUA, to have a consistent address for DNS. '

@virgiliomi One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

@shootify You don't have to use a DHCPv6 server on the LAN. As I mentioned, Android devices won't work with it. SLAAC does all you need, unless you have a specific requirement that needs DHCPv6. I have both GUA and ULA here and only use SLAAC.

@johnpoz One work around for those with changing prefixes would be to use Unique Local Addresses, as I describe here. Then they could still use DNS to point to local addresses.

@jknott Windows doesn't use configured DNS servers in order, it remembers the "last success" and prefers that one. It's not new in W10. People get in trouble all the time by listing their domain controller IPs first and public DNS "as a backup" and end up having network problems when the PC can't find the domain on the public DNS. @cmcqueen Can you ping the router LAN IPv6 when in the "bad" state? This is probably not your issue but after setting up a Hurricane Electric tunnel recently, I found the PCs could connect out over IPv6 but could not ping the LAN IPv6 nor resolve DNS until the router was restarted. Couldn't seem to duplicate it afterwards which is odder.