Thank you @jknott

here is what i was able to see in the logs:

Jan 6 17:59:53 dhclient 28090 exiting.
Jan 6 17:59:53 dhclient 28090 connection closed
Jan 6 17:59:42 dhclient 38390 Cannot open or create pidfile: No such file or directory
Jan 6 17:59:39 dhcp6c 32952 failed to parse configuration file
Jan 6 17:59:39 dhcp6c 32952 /var/etc/dhcp6c.conf:21 invalid interface (bridge0): Device not configured
Jan 6 17:59:39 dhcp6c 32952 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory

@nevolex It is in System/Advanced/Networking if you are on plus.

@pfaai said in WAN doesn't get IPv6:

I’m using my home connection to serve public services,

Then you only need an address on your LAN, which you apparently have. That is I hope you're not planning on providing those services from pfSense. Also, better check your terms of service. Some ISPs don't like consumers providing public servers.

I get a GUA on my WAN interface, but rarely use it. I use the IPv4 address for my VPN, but everything else has a LAN address, which I provide via my DNS server.

@jknott said in IPv6 routing over VPN:

Can you spare another? Also, you can always use Unique Local Addresses for the tunnel.

No. But the tunnel is not the problem. Here I already use Unique Local Adresses.

Here is my IPv6 configuration, maybe it helps to solve my problem:

Wireguard Server:

[Interface] Address = 10.56.0.1/24, fe00::1/64 PrivateKey = ******************** ListenPort = 51820 [Peer] PublicKey = ******************** AllowedIPs = 10.56.0.5/32, fe00::2/128, 2001:********************::/64

At the wireguard client side (the pfSense) I use the fe00::2. This works.

But the routing/NAT between my DMZ server and the pfSense is not working:

On the pfSense DMZ interface (which I gave no IPv6 ip) I have the following static route:

2001:******************** 3c:ec:ef:70:6d:ba UHS igb2

On the DMZ server (with the ip 2001:********************:21/128) I configured the route back as the host route:

[::]/0 fe80::3eec:efff:fe70:6dba UGH 1024 3 0 ens18

And here comes my problem:
Direct ping to fe80::3eec:efff:fe70:6dba (the pfSense's link local address) works. But no NAT or routing to other targets.

I am now getting IPv6 addresses assigned by Starlink again. I didn't change anything but just noticed it today. I enabled WAN ping and can ping it from the mobile network. I am running rtsol every two minutes.

This hasn't worked for over six months, but today I noticed it was working again.

@buzzman said in Spectrum config for IPv6:

the IPv6 default gateway is not accessible.

You're using a link local address, which does not work. Find a GUA somewhere beyond the gateway and use that. I did a traceroute to Google and used the first GUA that turned up.

Link local addresses are commonly used for routing with IPv6.

@jknott Well I just learned something new today, thanks!

@mcbrown90
The FDxx... address range is private so it's not going anywhere on the internet no matter how hard you try. FE80 is link local. I don't see in your screenshot any internet routable IPV6 addresses being blocked.
If you are using Windows computers, open a command prompt (type CMD on the start menu search box) and type "ipconfig /all" to see what IP addresses your computer is getting. You should have multiple IPV6 addresses, not just the link local and the private FD.
246f174f-82a2-4596-bcd0-0d6028dd33b7-image.png
You would have had to setup how IPV6 addressing is accomplished via router advertisements under SERVICES/DHCP6 SERVER AND RA. Choose ROUTER ADVERTISEMENTS and set the ROUTER MODE to either UNMANAGED or SLAAC. I set mine to SLAAC and input my two DNS servers in the DHCP6SERVER section, so that my devices get my DNS server addresses while also setting their own IPV6 addresses automatically without using DHCP6. UNMANAGED should work if you don't have DNS server addresses you wish to push to the clients. But in the end, your clients need to have Internet routable IPs, not just ULA (unique local FC/FD) addresses.

@maanbsat First thing to try is to turn on DHCP6 Debug and then look in the logs.

Solved. I had to reboot the pfSense after enabling IPv6 track interface on LAN2.

@jknott said in Just flipped from Spectrum to FiOS in NYC and have IPv6 out of the box FINALLY:

While they provide a global WAN IP, it's not used for routing.

Same here. That is why I think using one part of the prefix for WAN wouldn't be a technical problem, just waste of one /64.

@jknott Because GUA with a dynamic prefix is problematic, especially for hosts that don't get notified that the prefix has changed. So for now, only pfSense has to know for its WAN interface. That does work better, as long as pfSense is the first router.

@lolo54000 said in Ipv6 configured but unable to ping internet:

In my ovh account i have 6 physical server and each have it's own ipv4 and it's own ipv6 /64 ipv6

To have a router in front, you would need:

an IPv6 for the router WAN an IPv4 for the router WAN OVH to route your other IP addresses to those IPs your servers to use your router LAN IPv4/IPv6 as their gateway

It sounds like they are simply not set up to handle a router, like you're asking for.

@casperghst42-real-one working here on a 2.6

workshere.jpg

You can't just leave ::1000 and :2000

You have to set the full range.. Those are just place holders..

That range is quite large 2a06:4004:1234:1:: to 2a06:4004:1234:1:ffff:ffff:ffff:ffff

Maybe you want to hand out

2a06:4004:1234:1:42::1000 to 2a06:4004:1234:1:42:2000

so those ::1000 to ::2000 are just place holders for the actual IPs that could be handed out in your selected range. So you have to be specific on your actual range you want to use.

@mariog Thanks for the link. I'll keep an eye on this.

Is there any way to re-initiate a dhcp6c request for an address without rebooting?

@areckethennu This is my first post on this site... not sure if it's kosher to respond to a thread this old rather than create a new topic but this isn't a new topic.

I've been using pfSense for about a year and decided recently to redo my install from scratch and watch the router logs from the onset to at least get a baseline.

I'm on 22.05 with a fresh installation and still getting the following message in my routing log:
warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster

It appears from looking at the redmine johnpoz referenced that this matter was closed with this log entry still being created. Is that the final status? Is there anything we should do with this or just ignore?

Updating stale DNS entries in a timely manner would seem to be important?

Should I attempt the config file update suggested in redmine - 11105)?
RDNSS 2001:470::1::3 2001:470::2::8 {
AdvRDNSSLifetime 3060
};

@cyth

The gateway is part of the basic RA. The DNS server is an optional part of it and NTP server would require stateless DHCPv6. If needed, you could still rely on IPv4 for those too. However, using DHCPv6 for device addresses will fail for Android devices. Unmanaged is fine, unless you need stateless DHCPv6. The prefix for the alias is the first 56 bits of the addresses (assuming /56).

Like @nogbadthebad

I've :

ee3c2974-942b-413f-86ef-40816c315c2d-image.png

and added all the devices that I wanted to give a DHCP static IPv6 lease, like @NogBadTheBad

Apple devices play very well with this. Zero issues for the last ... decade or so ?!
( I never had to use an Android based device in my life )
Even if the DUID are not added to the DHCPv6 static mappings list, it works well, an Ipv6 from the pool is used.

@jknott

99a04cc3-fb1d-4f02-b4c7-cff09faa9eb0-image.png

No. Time Source Destination Protocol Length Info
6370 183.350531899 fe80::208:a2ff:fe12:49f2 ff02::1 ICMPv6 198 Router Advertisement from 00:08:a2:12:49:f2
29679 664.793636676 fe80::208:a2ff:fe12:49f2 ff02::1 ICMPv6 198 Router Advertisement from 00:08:a2:12:49:f2
32056 1034.144777006 fe80::208:a2ff:fe12:49f2 ff02::1 ICMPv6 198 Router Advertisement from 00:08:a2:12:49:f2

@mrsunfire I just upgraded to 2.6 and this is STILL an issue....

@mikev7896

Thanks. The setting you recommend was set. I don't recall setting it. Maybe in CE 2.6.0 it's a default?

More things to learn...RDNSS, etc. Sigh.

@jknott

I went for the nuclear option and rebooted pfSense and it's working fine now.

5293d4c1-c90f-469b-a961-d55af208eeec-image.png

@mariatech Maybe this will be helpful

luckman212/assign-gua-from-iapd - GitHub

@ddbnj I'm on FIOS too (NYC) and spent just about the entire week messing around with and learning the ins and outs of Verizon's implementation. There are definitely some sharp edges but I'm pretty happy now with the way things are working.

You might want to check out my helper script to assign a routable IP (GUA) to your WAN from one of the delegated prefix subnets. Link below

luckman212/assign-gua-from-iapd - GitHub

I realized the problem was my bridge so I am in the middle of a complete redesign of my network. Will post back when I know more. Hopefully the family wont object too much to the down time.

@johnpoz said in odd ipv6 routing issue:

Been in the business for some 30 years, before there was even switches.

So, you're a newcomer. I've been in the LAN business since early 1978, before there was Ethernet or IP. It was on the Air Canada reservation system, where the LAN used time division multiplexing over coax @ 2 Mb or triaxial cable @ 8 Mb. I started in telecom in May 1972.

@roycethebiker

Did you select 56 for the prefix size?

Looks like a bug has been filed by the dev team.

It is set on for me per my above post. But, I am on 2.6.0 (which is 22.2 config rev).

@pfadmin

Assuming you want access from elsewhere, how would that help? You still have to allow the outside world to know what the address is.

@jagdtigger

You said an ordinary computer doesn't work. Try complaining about and see what they say. I know it can sometimes be difficult to get through support.

@jknott works like a charm now! thanks!

@ddbnj said in Site to Site ipv6 best practice GUA vs ULA:

I'm still using IPv4 tunnels but am transmitting IPv6 packets across.

I do the same. I don't run the tunnel over IPv6 due to DNS issues. My IPv4 address is an alias that points to the ISP provided host name. Using the alias prevents the DNS server from returning the IPv6 address, which is a regular AAAA record. However, pfSense is configured to allow either IPv4 or IPv6.

@jarhead said in xfinity/comcast ipv6 issue:

But the CGNAT issue I agree with and is valid. Other than that, no reason for IPv6.

When NAT first came out, it broke FTP clients.
It breaks VoIP and some games, requiring STUN to get around it.
It breaks IPSec authentication headers.
It adds work load to routers.
IPv6 provides far more than enough addresses.
IPv6 adds security features.
IPv6 improves router performance.
Etc..