@johnpoz Done

https://redmine.pfsense.org/issues/12600

@almodovaris

DHCPv6 does not work with Android. You'll have to switch to SLAAC.

Ok i just gave up on getting pfSense to generate a working configuration...
If something in my ISP's weird setup is causing it, a bug or the position of the moon i have no idea.

But it works when writing the config file manually and adding the interfaces. The interface still shows nothing about the delegated prefix but everything is working.
RA's set to unmanaged on the local interfaces.

The config file that works with my setup (on Kviknet in denmark):

interface xn3 { send ia-pd 1; send ia-na 1; script "/var/etc/dhcp6c_wan_script.sh"; }; id-assoc na 1 { }; id-assoc pd 1 { prefix ::/48 infinity; prefix-interface xn0 { sla-len 16; sla-id 1; }; prefix-interface xn1 { sla-len 16; sla-id 2; }; };

@abcdefabcdef were you able to resolve telmex's IPv6 connection in bridge mode?

@johnpoz i installed the cert and added it to the trust store 🤷 so i'm assuming i did lol

cool ill take a look

So my config was perfectly fine. rebooted the server and it just suddenly started working. guessing something getting cached

Anyone of Netgate team could explain if t's now possible and how to proceed ? Maybe from the CLI ? It can be done under linux but I don't know with BSD. I guess so.
Or if it's a futur feature ?
Or something I better forget ?
Thanks

Well... Actually i had quite the same problem as in the referenced thread: The issue was also caused by the WLAN infrastructure (but ExtremeNetworks AP130 AP250 Firmware 10.3.x). I have connected the conspicuous devices to the "WIFI VLAN" via USB-RJ45 adapter and have not seen any problems in the IPv6 connectivity.

I also made a case to the WIFI vendor.... Sorry for the noice.

@hmf said in IPv6 and internal DNS registration:

Version 21.05.2-RELEASE (amd64)

I'm on 2.5.2 (amd64), which is the latest for non Netgate gear. I didn't know there was a version 21 for AMD.

@johnpoz

You may not need it now, but the more people procrastinate, the longer it will take to move to IPv6 and the world as a whole will suffer for it. The shortage of IPv4 addresses was obvious many years ago and even to me, when I was just learning about IPv4. I remember sitting in the class and thinking to myself that 4B addresses wasn't enough.

We need more mandates to provide IPv6, just as happened in India, China and elsewhere. The move to IPv6 is being driven by the 3rd world, when we should be leading, not following. In Canada, many companies are providing IPv6, but for some reason not Bell Canada, where even on their cell network, where IPv6 is mandatory for 4G, they do a poor job of it.
Curiously, Telus, which is Bell's partner (they even shared cell networks) in the western part of the country, was one of the first to provide IPv6, even before Rogers, which I'm on. All the Canadian cable companies I'm aware of provide IPv6, as do some of the resellers that use Bell's ADSL network or Rogers' cable.

Sticking with IPv4 is crippling the Internet.

@jknott Thank you so much for pointing that out. The presense of the 192.168.0.0/24 address should have been a clue. Stupid me didn't think of bridge mode. I was able to enable bridge mode and everything is working as expected.

@linuxtracker I tried but still the same problem 😢
The name resolution works but I cannot ping nor access a LAN device in IPv6.

Thanks

I realized my /60 prefix from Xfinity had changed, once I updated the NPt mapping all is well again. I was thinking that if the prefix changed, the v6 gateway would go down - but, that didn't happen. If anyone has any suggestions for how I might monitor a prefix change without using DHCP6 I'd be very appreciative. Unfortunately, I don't think I can have two interfaces each pulling prefixes with DHCP6: https://redmine.pfsense.org/issues/6880

My workaround was to get the prefix through DHCP6 on the Xfinity interface, then use the assigned ipv6 address, gateway and prefixes to for a static configuration. Can't figure out a better way...

@bob-dig

Windows is my home's Domain Controller, DHCP (DHCPv6) and DNS -- soon to be LDAP.

I make all address reservations in Windows Server 2019.

I am hoping that once I get to the LDAP configuration - I can set pfSense to use LDAP credentials to login - rather than the local account I use now. 😊

@jpvonhemel

COMCAST support forums are a huge Joke!!! You got all the COMCAST Staff in there telling you their favorite answer "that configuration is 'not supported'" Trust me - I have B.T.D.T (been there done that).

I think I got it working in another way - back to 19/20 - still cannot figure out why I cannot get Hostname for ipv6 to show on the test. I can ping the IPv4 and IPv6 address of the DC and pfSense with name resolution - and they come back with the name from the DC.

b9bcc81a-ac80-4924-ba03-21e23fd72d2e-image.png

From other machines on my network I get this

900cfeeb-31b2-4629-81d9-091153f2d818-image.png

It resolves the NAME - but get ping failure.

I checked the Firewall on that workstation and ICMP is on - otherwise it would not have resolved the name or pinged at all.

@mrsunfire I'm running 2.5.2 and this is still an issue. Disable the 2nd wan and ipv6 just works.

My comment keeps getting auto-flagged as spam (not the first time) so here's an image of it.

reply.jpg

This all worked for a couple of years but we have had some Hyperoptic upgrade done in the area and it has broken IPV6 connectivity using DHCPV6 (default configuration). Trying to work out what is best to do at the moment but wondering if anyone else has seen this? Only way of getting IPV6 right now is using the ISP provided kit which isn't giving much away about configuration.

I'm not hopeful of a solution right now as I've seen several other forum posts where people have either been able to get IPV6 working on their connection or not and if it works it seems to just work in the way described above but if it isn't working nothing seems to get it on, but will be trying a couple of options with PFSense over the next few days as we have a lot more info from the logs than on most of the other routers out there.

@jegr said in Setup NAT64 in pfSense:

Just FYI: the issue https://redmine.pfsense.org/issues/2358 got that pull request #4405 so it should go into review now.

Unfortunately this didn't make it. 😓

We will have to start all over.

Success!

Thanks so much for the help.
Very much appreciated.

@jknott

Enough.

I got my first "computer" when we could buy the parts at Radio Shack, 1973...

Had you told me I won't see anything in the captured file going in, maybe different result.

OR had you told me how to use Wireshark so I could see...I can certainly figure out Wireshark.

Again being smarter than me about operating systems does not mean you get to be... never mind.

I have IPV6 working fine now by the way if your interested.

Dropped using 2.6.0, back to 2.5.2 and found a guy in this area also using Comcast who has a "IF you use Comcast here's how you setup PFSense" step by step.

IPV6 fine. Have to wait until this evening to test Nintendo Switch on-line game access.

@rodrigocamargo said in Endereço IP:

1 Digamos que a pessoa irá criar uma rede na empresa dela e usará o IP 192.168.0 a 192.168.0.255, ou seja, colocará num total 256 hosts na empresa, este endereço de IP ele é exclusivo da empresa, ou seja, ninguém que for criar uma outra rede com o mesmo propósito não poderá usar este endereço de IP?

Não são 256 hosts, o primeiro e o último não pode usar pois o primeiro 192.168.0.0 é a network, e o útlimo é 192.168.0.255 que é o broadcast.
São 8 bits para host, 2 elevado a n -2, onde n é o número de bits, ou seja 256 -2 = 254 hosts.

2 Eu vi alguns roteadores e modems que eu tenho em casa, por exemplo da Tp-link que o endereço de IP é 192.168.68.102 este endereço é só dá Tp-link? E se eu fosse utilizar o endereço de rede no item 1 eu teria que utilizar somente hosts da mesma marca ou posso ter de marcas diferentes?

Não é assim, pesquise sobre RFC1918.
Esses endereços podem ser usados em todas as redes internas.
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

E é para isso que NAT serve, pois o NAT transforma seu IP público, que é único, no IP privado que você tem ai dentro.

@skilledinept

If you know the issue isn't local, check alsways this page https://www.tunnelbroker.net/status.php. the he.net.ipv6 POPs can have issues.
For example, right now, the a UK-LONDON POP has been moved to Dusseldorf, Germany.
While we can't see the 'load' of these servers, it will be a factor.

All my IPv6 traffic goes out over the he.net.ipv6 link, and it's pretty stable. I'm using their services for many years now.

edit : also check out the he.net support forum.

Using it as as just a AP behind pfsense will be fine - and then sure be able to look into sure.

As to sniffing - on pfsense, do a packet capture on your opt interface you were using for wireless. In promiscuous mode.. set it for just arp on the protocol

Do you see arp traffic from the internet? For example.. This is my actual wan interface - I tried to run some wireless network here it would be directly connected to the internet no matter what "ip" Layer 3 range I ran on it..

arp.jpg

This interface is connected to the internet.. Running some AP on your isp device that you put into bridge mode and tried to run wireless on - "could" very well just be bridging that wifi to the internet.. Be it you running as some rfc1918 network or not.

That sniff ran for 5 seconds - that is just small portion of what it saw, none of those IPs are my pfsense wan IP.. Those are just other isp clients on the same L2 as my wan.

@andicniko

EDIT: After a factory reset and trying again, it seems it will work if 1) I state the DHCPv6 range in full (including the prefix), and 2) I state the subnet in the router advertisements settings.

For anyone else struggling to make this work, the specific settings are:

Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
Range = [your desired IPv6 range in full, e.g. 1000:1000:1000:1000::2000 to 1000:1000:1000:1000::3000]

Note: DO NOT omit the prefix when stating the range. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default, the range is stated excluding the prefix, e.g. ::2000 to ::3000. I'm not sure why this should matter, if the subnet field is already populated and aware of 1000:1000:1000:1000::, and omitting the prefix does no harm when the LAN interface is set to IPv6 Configuration Type = Track interface. Also note: I also had some trouble keeping the "Provide DNS servers to DHCPv6 clients" checkbox ticked. It is ticked by default, but seemed to untick by itself when changing and saving settings on this page. When ticking it again and saving, it would just disappear. However, it was ticked after navigating to another page and coming back. So I didn't have an issue in the end.

Services / DHCPv6 Server & RA / LAN / Router Advertisements
Subnets = [your IPv6 prefix 1000:1000:1000:1000::/64]

Note: DO NOT leave this blank. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default this is blank, and it does no harm leaving it blank when the LAN interface is set to IPv6 Configuration Type = Track interface. I'm not sure why this should matter.

I don't know if the above are supposed to be necessary or not - apologies if I'm posting something that should be obvious. But I hope that helps someone!

@csoban

A big part of the problem are those who think an inadequate address space + hacks is a good idea, even though it's holding back many things. One thing I was reading about recently was how China plans to be single stack IPv6 only by 2030. This means if you want to reach sites there, you will need IPv6. There are other parts of the world, where they won't hand out IPv4 addresses to anyone who's not also running IPv6. I don't know how things are in Eastern Europe, but in North America it's still possible to get by with only IPv4 because we have so many of the addresses here. In Canada, some of the major IPs are providing IPv6, but Bell Canada, which used to be a world leader in telecom, is falling behind.

@sts-134 did you actually get /56? Maybe they only allow you to ask for specific sizes went doesn't give you what you ask for it confuses pfsense? Which I agree is no ideal.

@johnpoz said in IPv6 configuration for LAN only when no IPv6 from ISP?:

name 1 resource just 1, that your typical user would need ipv6 to access?

As I mentioned, there are many who are stuck behind CGNAT. They cannot connect to their networks from outside.

@bigtfromaz Ahh interesting, i don't have an xbox but my brother is a pretty obsessive xbox player and has 2 xbox ones plus several older models and i set up a pfsense firewall for him.

He basically has a dedicated vlan and switch for the xboxes, as he often has friends visiting. The ISP routes a /56 so i assigned a dedicated /64 to the "xbox network" and just configured it to allow everything in/out. I never checked on the rotating DUIDs. How about SLAAC - does the xbox get the same address every time from SLAAC? I will have to double check.

As i understand it, the xbox one pretty much requires IPv6 and will use teredo tunnelling if native IPv6 is not present.
I believe the 360 and original xbox don't support IPv6 at all, but i'm not sure if the online features for these consoles are even still active.

According to the traffic graphs on pfsense 99.9% of the traffic is using IPv6, and there seems to be no problems having multiple xboxes online at the same time. In the area my brother stays the two largest ISPs both provide IPv6 by default and it's enabled by default on the routers they supply.

An increasing number of people are behind CGNAT these days and don't have the possibility to forward ports. IPv6 is the only way forward.

@johnpoz

I originally used fe80::/16, which you told me was incorrect (which is true... it should be fe80::/10 like you mentioned). But then you said this:

An alias for any specific "net" using the space of /16 wouldn't be a specific net, it would be a huge chuck of the whole space FE80::/10, where did you come up with using /16 anyway?

The way I interpreted that, was that using /10 also wasn't ideal, and using a /64 would use less space (and would be closer to a * net). Both /64 and /10 both work, so I can update the Redmine ticket if you think /10 should be the correct default.

224.0.0.0/3 is the multicast address space. Originally I created individual rules for each specific address, but decided to "simplify" doing that and instead creating an alias that included the entire multicast address space. My alias is called MULTICAST_SUBNET, and includes the network of 224.0.0.0/3 which is technically correct right? I use more then just mDNS requests fall into that subnet. But you are 100% correct that I should update that ticket and make it 224.0.0.251, since that is unique to mDNS and is the only destination required for Avahi.

Something else related to this thread... some of my devices on some VLANS make requests for SSDP. They have an IPv4 destination of 239.255.255.250. However, IPv6 traffic is blocked by default unless this rule is created:

source: fe80::/10
destination: ff02::c
Port: 1900

Another example would be the same source and destination above, but for port 3702 which is WSDD (used by a Windows 10 device).

These are examples of traffic where I would assume (incorrectly based on your feedback) the * net source rule to cover when IPv6 is enabled on on a network.

And no offense taken. I'm far from an expert here. I've already solved this myself, although you may see the way I've done it is less then ideal. I created this post to hopefully help others.

@thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:

but the dpinger command uses -B "Gateway Address" as an option

Not a gateway.

type

dpinger

without any options, and you see what it want : the local address to bind to :

bind (source) address

Like "192.168.1.1" if you want to "dpinger" to a device on your LAN (seems absurd, but I do just that).
So it knows from what address ( and interface) to start pinging from.

@thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:

for the Hurricane Electric Tunnel -B address is different to the final ping target at the end..

he.net give us static IPv6's for our "our side' and their side
2001:470:1f12:5cx::1/64 == their side
2001:470:1f12:5cx::2/64 == pfSense side.

Thus "2001:470:1f12:5cx::2" is the address used for dpinger == the address to bind to.

Btw :

here is the "GIF" tunnel info :

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480 description: HeNetv6 options=80000<LINKSTATE> tunnel inet 192.168.10.3 --> 216.66.84.42 inet6 2001:470:1f12:5cx::2 --> 2001:470:1f12:5cx::1 prefixlen 128 inet6 fe80::215:17ff:fe77:d119%gif0 prefixlen 64 scopeid 0xa groups: gif nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I do have a "fe80::215:17ff:fe77:d119" but it's not use any where..

@tarbash

Results match is as follows:

good %IP%|nochg %IP%

@code4food23

It means you have to assign an address to the interface. With SLAAC, addresses are created automagically.

@lordsandwurm I made a cronjob in pfsense to reboot it every night, that mostly fixed it for me. I wish that wouldn't be necessary...

@chrisjmuk did you create that route via the gui, with gateway setup? or trying to just add the route from the cmd line?

@ethereal said in IPv6 DHCPv6 Delegation Range:

@bob-dig probably his setup is a bit more complex and using the firewall as firewall - rather than a router for his lan.

@simple0ne I have a similar setup at home and I was thinking to go ahead and try to implement it.
Will give it a go next weekend or so.

@Ethereal sounds good. I will get back to testing this further in the next few days hopefully, so I'll let you know if I discover any thing interesting.

@Bob-Dig, yep two use separate use cases. One is where the firewall is basically already just serving as firewall (+ proxy for some services on IPv4) as @Ethereal mentioned.

The second scenario is actually a little different and has two flavours (though they are quite similar to each other):

The pf is serving as the outside firewall of a dual vendor DMZ, but the pf is also providing some services to devices/networks living within the DMZ. Similar to the first, but the pf is the only firewall, but is providing some services to downstream clients. There are a few networks, each with a lot of WAPs (that are actually routing) on them, which are managed separately, but wish to have IPv6 routed to them for allocation to wireless clients.

Part of the problem here isn't purely technical, it's that the administrative domains for different devices/parts of the network are owned by different parties. This makes for some additional headwinds when it comes to adopting wider changes that could make everything a bit easier to resolve.

@bob-dig said in Block fc00::/7 out WAN just like RFC1918?:

@jknott said in Block fc00::/7 out WAN just like RFC1918?:

Yep. My ISP's gateway has a link local address.

Mine too.

Mine three.