IPv6

• 

  Setup NAT64 in pfSense
  ipv6 nat64 dns64 • • imcdona  

  37
  1
  Votes
  37
  Posts
  4064
  Views

  M

  Any news on this? I need NAT64. Is it possible in any way with pfSense?
• M

  IPv6 Gif /60 and VLAN
  • mikekoke  

  1
  0
  Votes
  1
  Posts
  89
  Views

  No one has replied

• F

  IPv6 tunnels and failover configuration troubleshooting
  • FoolishlyWise  

  1
  0
  Votes
  1
  Posts
  53
  Views

  No one has replied

• T

  Packet Loss on IPV6 Gateway
  • tim h  

  6
  0
  Votes
  6
  Posts
  190
  Views

  

  You can packet capture the pings going out. If there is no response there's nothing you can do about it - they have to fix it. If absolutely necessary (as in they still blame the firewall), put a managed switch (or some kind of network tap) between the WAN and the ISP and capture on a mirror port there. Then you're definitely looking at what's out on the wire, outside of the firewall. Set the monitored port to the one connected to the modem, not pfSense. If you see the echo requests and no replies there, there is certainly nothing more you can do. Press them hard for an escalation. If you can get to the right person/group you might be able to get it fixed.
• T

  IPv6 no routing from DMZ to internet
  • tku  

  10
  0
  Votes
  10
  Posts
  202
  Views

  

  @tku said in IPv6 no routing from DMZ to internet: But, I'm using PfBlocker which I configured (in all my enthusiasm) to add (blocking)rules to all interfaces, for some reason the ipv6.google.com-IPv6 address is on the list. So some kind of logical that connecting to the IPv6 website didn't work. I'm using pfBlockerNG-devel - and some IPv6 lists. ipv6.google.com never was problem for me. What is the IPv6 that google uses - the one you use to connect to ? Is this IPv6 (network) really present on a list ? What is this list ? IPv6_known_search_engines ?
• M

  dhcp6c config not working?
  • misch  

  7
  0
  Votes
  7
  Posts
  1233
  Views

  J

  Hi The reason this is happening is because you have id-assoc na but not id-assoc pd. This is because the config is not complete just from the WAN interface. You have to also set a LAN interface to track the WAN interface. This is where the rest of the configuration is set and it defines id-assoc pd with the values you set there.
• U

  Need some instructions for getting started with IPv6
  • Ulysses_  

  51
  0
  Votes
  51
  Posts
  936
  Views

  

  @johnpoz said in Need some instructions for getting started with IPv6: That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6... Here's an article, in today's Toronto Star, that seems to imply IPv6 will be needed on cell phones: Internet-based 911 calling on the horizon in Canada "Essentially, every connected phone will have an internet protocol address, which will be cross-referenced with key data sets mostly supplied by municipalities. The database will comprise every street address in an area and the entry location of buildings. Emergency service boundaries will also be accessible to ensure the right responders are dispatched. The result should allow the 911 system to pinpoint the location of callers to within centimetres." I haven't found much in the way of details, but giving phones unique addresses will probably require IPv6. I also don't understand how they'll be able to determine location within centimetres. There is this document, which has on page 68, page 3 of Appendix 2: "North American Network Operators Group (NANOG) A governing body that provides guidance and instructions for the design of an IP network. NANOG is typically involved in the best current operational practices for IPv6 planning." This system is apparently supposed to be implemented all over Canada and U.S. My Pixel 2 certainly gets IPv6 from my carrier, but not all phones or carriers support it yet.
• B

  Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?
  • bimmerdriver  

  50
  0
  Votes
  50
  Posts
  957
  Views

  J

  It appears that if you add a cron job to run "/sbin/rtsol -a" once an hour it'll keep the IPv6 connection. I suspect someone read RFC 6275 and decided that "Router advertisements in such networks SHOULD be sent only when solicited" also applied to this network, despite it not technically being a mobile network. (Telus are also a mobile carrier, so it's possible this is where the confusion came from.)
• 

  IPv6 prefix Cloudflare DDNS
  • Bob.Dig  

  6
  0
  Votes
  6
  Posts
  135
  Views

  

  @lifespeed One has nothing to do with the other. The do not release only affects whether the prefix will change. SLAAC has to do with sending the prefix out to the LAN, whether it changes or not.
• A

  IPv6 and VLAN sanity check
  • alnico  

  7
  0
  Votes
  7
  Posts
  187
  Views

  

  @alnico Don't forget, you can configure OpenVPN to carry both IPv4 and IPv6.
• M

  TCP-ACK blocked when using IPV6 over GIF over IPSec
  • mix_room  

  10
  0
  Votes
  10
  Posts
  160
  Views

  

  @mix_room said in TCP-ACK blocked when using IPV6 over GIF over IPSec: Why are you even using that GIF tunnel? Why don't you run IPv6 directly over IPSec? Because the documentation states that you can not do this with IPsec. One other thing, IPSec was originally designed for IPv6 and back ported to IPv4. So, it's highly unlikely it would not support IPv6.
• L

  IPv6 setup with Fido Home Internet
  • lobotiger  

  9
  0
  Votes
  9
  Posts
  206
  Views

  L

  No not yet as I doubt I'd get anyone on the phone who would even know what IPv6 is. Plus my online account is having problems so I can't post on their forums either at the moment.
• 

  Local Network can't ping VPN IPv6 remote
  • maverickws  

  14
  0
  Votes
  14
  Posts
  248
  Views

  

  Yeah for sure. Next time try to be useful bc nothing you say is a solution, nor with such a genius you have exposed how to attain the correct configuration without adding the routes to NAT. But you won't, cause all you do is noise. Take the bicycle and have a merry xmas, i'm done with you. ffs.
• D

  deprecated IPv6 address
  • da370338  

  16
  0
  Votes
  16
  Posts
  274
  Views

  D

  Yep, the gateway address is the address of the AVM box (fe80: ...). Man, things could be so easy. Let's get rid of that old IPv4 crap and move on to the future. Can't understand why this causes so much trouble at the ISP's site. Thank you all for your help and thanks to @JeGr for describing the prefix delegation config. I will walk trough this once more to see if I find some config that works for me. But yes, I will check out what other providers can offer. If I find one that is not too expensive and provides a static prefix, I'm gone. Have a nice weekend!
• L

  setup for server behind Comcast dynamic IPV6, VLANs, publicly reachable
  • lifespeed  

  4
  0
  Votes
  4
  Posts
  127
  Views

  

  @lifespeed said in setup for server behind Comcast dynamic IPV6, VLANs, publicly reachable: Yes, I am well aware that Comcast's residential service with dynamic IP keeps the same IP address for months or even longer. There's a setting on the WAN page "Do not allow PD/Address release" that should be selected to prevent getting a different prefix. Have you selected it?
• E

  MSS Clamping - distinguish between IPv4 / IPv6
  • entrader  

  1
  0
  Votes
  1
  Posts
  83
  Views

  No one has replied

• A

  radvd.conf - invalid all-zeros prefix
  • aljames  

  5
  0
  Votes
  5
  Posts
  535
  Views

  

  @aljames said in radvd.conf - invalid all-zeros prefix: I’ll need to educate myself more on it. IPv6 Essentials is an excellent reference. In addition to the things mentioned above, there are also some things that go to improved performance, such as fixed length headers and more. Here is another excellent reason to move to IPv6. Despite clear warnings, Europe is out of IP addresses—again There haven't been enough IPv4 addresses for several years and the situation is getting worse.
• C

  IPv6 strangeness
  • cmpsalvestrini  

  24
  0
  Votes
  24
  Posts
  286
  Views

  C

  Dear all, Thank you. I will keep plugging at this; will keep posted as need arises. Cheers!
• D

  Provider IP address can't be set as interface IP
  • DraNick  

  4
  0
  Votes
  4
  Posts
  156
  Views

  

  @DraNick The link local address normally comes from the MAC, but can be changed, for example my LAN gateway address. However, what you can try is changing the MAC address, so that it will provide the correct link local address. That can be done on the WAN interface page. I suspect what you're seeing is pfSense is not allowing you to set a 2nd link local address, as only one is allowed. I don't know if there's a way to change the WAN link local address directly, as happens on the LAN side. When a link local address is created from the MAC, fffe is inserted in the middle and the 7th bit is inverted. Also, the link local address only has to be unique on the local connection. You could use the exact same one on another interface. For example, I have fe80::1:1 on 2 interfaces as shown below. inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x2 inet6 fe80::1:1%bge0 prefixlen 64 scopeid 0x1 The difference is the interface ID. As I mentioned, link local addresses are often used for routing, as a router only has to know how to reach the next hop. In fact, with point to point links you don't even need any IP address. All you need is the interface that connects to the next router.
• 

  IPv6 only subnet. How to turn off logging blocked ipv4 link local?
  • IsaacFL  

  8
  0
  Votes
  8
  Posts
  148
  Views

  

  Like I said turn off default logging and only log what you want... So you can set it up to block and log your tcp stuff, but not the multicast
• D

  Ipv6 - ULA and Prefix Delegation
  • DiferMendos  

  3
  0
  Votes
  3
  Posts
  136
  Views

  

  @DiferMendos said in Ipv6 - ULA and Prefix Delegation: ith IPv6 you would have both a ULA and Global Address which need to be assigned to devices. Why do you think your devices need both? You can work just fine with just a global.. You don't have to have ULA..
• 

  Is there a process to ask for review of a Bug Fix that has already been Closed?
  • IsaacFL  

  8
  0
  Votes
  8
  Posts
  255
  Views

  

  @chrcoluk I downloaded 2.5 and tested this today. Based on my results i created https://redmine.pfsense.org/issues/9893 If you have any information you could add to the new bug it would be appreciated.
• S

  IPv6 disabled yet majority of firewall blocks are IPv6
  • sterlinggold  

  7
  0
  Votes
  7
  Posts
  155
  Views

  

  Or ignore the logs. Or make rules that suppress the logs. Whether or not you enable IPv6 really depends on whether or not you have IPv6.
• Y

  IPV6 setup with Hyperoptic (UK ISP)
  • yellowbrick  

  26
  0
  Votes
  26
  Posts
  2498
  Views

  C

  I also described how to get WAN interface assigned an ipv6 as well. So what is the problem I missed?
• T

  Which IP adress should I assign to the opt(VLAN) interfaces?
  • Thisisme  

  10
  0
  Votes
  10
  Posts
  233
  Views

  T

  @JKnott I finally figured it out. "Track Interface" is the option that seems to be the right way to solve my problem.
• A

  IPV6 working on LAN but not pfSense box itself
  • adhodgson  

  10
  0
  Votes
  10
  Posts
  242
  Views

  

  @adhodgson said in IPV6 working on LAN but not pfSense box itself: Could I potentially use one of the /64s on the WAN side? No point in doing that. You already have a /128 address on the WAN and the link local address is used for routing. That's all you need. I had a problem with my ISP a few months ago. I used Wireshark and Packet Capture to see what was happening. I also tethered my notebook computer to my cell phone so that I could test from outside my network. With that, I was able to determine that the problem was not on my network and was even able to identify, by host name, the failing system at my ISP. One thing I did, which helped is I used a 5 port switch, configured as a data tap, to monitor the traffic between my modem and firewall, when pfSense was booting up.
• 

  Lost ipv6 connectivity from one interface
  • kiokoman  

  2
  0
  Votes
  2
  Posts
  79
  Views

  

  after losing 2 days of sleep the problem was solved after disabling "Block private networks and loopback addresses" and/or "Block bogon networks" that i had on the WAN interface it was mentioned here https://redmine.pfsense.org/issues/9631
• P

  IPv6 address allocated but not working
  • pankaj13  

  18
  0
  Votes
  18
  Posts
  700
  Views

  

  @amello said in IPv6 address allocated but not working: It is u-verse, so DSL on dry line. A couple of my friends have ADSL and get IPv6. I don't know the details though. For what I read so far. It seems that that Aris can handle IP Passthrough and Default Server, and as I understood the latter is like putting a host in DMZ. Perhaps the people in the forums can help with that.
• 

  IPv6 PTR records
  • lohphat  

  10
  0
  Votes
  10
  Posts
  193
  Views

  

  @JKnott They could set dummy addresses (albeit not practical) not needing to know if they're assigned to a host or not. But it's academic at this point. It's technically possible but not practical. It does require the ISP to delegate the reverse records but my ISP is not going to do that.
• 

  pfsense and IPv6 default behavior
  • lohphat  

  32
  0
  Votes
  32
  Posts
  688
  Views

  

  @lohphat said in pfsense and IPv6 default behavior: I understand that and agree however multicast is intrinsic to IPv6 not optional with IPv4. IPv6 internal consistency of multicast groups replacing broadcast and other functionality means that it should either be enabled fully or a clear, clean setting to enable multimedia multicast. For stuff directly on the LAN, multicast works fine and pfSense is not involved, except for it's own needs. It's only when you go beyond that you have to enable it. This is the same for every just about everything. By default, firewalls block everything coming in.
• 

  IPv6 manual PD
  • Peek  

  26
  0
  Votes
  26
  Posts
  420
  Views

  

  @Derelict Would you believe it. That was the last place I never check. Doh ! Thanks.
• 

  IPv6 working but I have to disable gateway monitoring
  • lohphat  

  36
  0
  Votes
  36
  Posts
  484
  Views

  

  @Derelict I think it's a CPE issue not Spectrum, but that's just a guess.
• 

  [SOLVED] Can`t get provided /56 prefix
  • Kalle13  

  15
  0
  Votes
  15
  Posts
  306
  Views

  

  @johnpoz said in Can`t get provided /56 prefix: Plus multicast .... Ok, so I'm saved by the fact that DHCP traffic is passed upfront, before the bogon rule list (example). Thanks for the explanation.
• M

  IPv6 dont work after Hardware Replace
  • maydo  

  13
  0
  Votes
  13
  Posts
  157
  Views

  M

  just installed a pci network card, and RA is working out of the box :) thank you resolved.
• 

  pfsense DNS resolver not registering IPv6 addresses
  • Peek  

  27
  0
  Votes
  27
  Posts
  1042
  Views

  

  @johnpoz It's a Lenovo E520 ThinkPad. It's whatever driver comes with Windows 10, as I haven't installed any other. It originally came with Windows 7. I just took a quick look and didn't see any I could download.
• T

  pfsense 2.4.4p3 - IPv6 on bridged interfaces not working...
  • tomeq82  

  20
  0
  Votes
  20
  Posts
  376
  Views

  

  @tomeq82 well aware that interfaces may be set to prefixes longer than /64 in certain router-to-router links, etc. That is not what is being discussed here. Interfaces with hosts on them need to be /64.
• X

  Is it possible to reject a specific PD, similar to DHCPv4 reject lease option?
  • xpxp2002  

  5
  0
  Votes
  5
  Posts
  129
  Views

  

  Sounds to me like the ISP has implemented a brain-damaged provisioning. I'd tell them to fix it.
• H

  Single WAN IPv6 and /64 prefix delegation
  ipv6 • • hlidotbe  

  8
  0
  Votes
  8
  Posts
  367
  Views

  A

  I have pretty much the same kind of setup provided by a local ISP. I found out that ISP providing static IPs is not so common practice. At least among PFSense forum users. I built up two different setup ("automatic" and "semi-automatic"). Not 100% sure those are according to best IPV6 practices, but I tried to do everything by the book. Not just something that happens to work. Hoping you get your IPV6 network to work and/or people here are able to assist you on that. Ax.
• A

  IPV6 Static IPV6 address
  • axsense2  

  57
  0
  Votes
  57
  Posts
  782
  Views

  A

  @Derelict You cannot SLAAC a routed prefix. Ok, this is clear. There is nothing like that on the configuration page either. You either set it statically or with DHCP6. Yep, done that both ways. Both methods work without issues. You also seem to be confusing assigning an address to a device out of that interface prefix I think I understand that, but that could to be true. The configuration described earlier works and it does what I expect it to do. I don't think it differs much what johnpoz suggested. Ax.
• F

  IPv6 PPPoE Telmex Wan Interface receives private address
  • fluteze  

  2
  0
  Votes
  2
  Posts
  69
  Views

  F

  Answering my own question: This post: https://forum.netgate.com/topic/112802/disable-accepting-ra-advertisements-on-an-interface has a suggestion to edit /etc/inc/interface.inc and add a minus ( - ) in front of the accept_rtadv for the WAN interface. This fixed the FC00:: problem. Had to uncheck the "Wait for RA" option in the DHCP6-PD section. Telmex also requires the DHCP6-PD queries to happen over IPv4. A side note: Telmex IPv6 uses a smaller MTU to stay stable. I used 1412 thought 1467 may work as well. Discovered this when ping -6 worked but TLS would have broken/missing packets in Wireshark.