• Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?

    6
    1 Votes
    6 Posts
    727 Views
    H

    @JKnott said in Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?:

    It's amazing how CHEAP some ISPs are, considering the IPv6 address space is so vast. While my ISP initially provided a single /64, that was only temporary and they soon moved to /56. Then there's he.net, which will provide a /48 for free! Before my ISP offered IPv6, I used a tunnel and got a /56 again for free.

    BTW, the address space is so vast that every single person on earth could have over 4000 /48s and that's with only 1/8th of the entire address space assigned to anything.

    My ISPs don't even offer more expensive plans, not that I'd accept paying. A tech even told me that only government companies are forced to follow IPv6 standards. As it's a private ISP company, they can use proprietary protocols, and it's my problem if Internet doesn't work fully. Another one told me that I'm "welcome" to cancel the contract if I want to.

    Indeed, according to the IPv6 standard, every ISP receives at least a /32 prefix. With it, these 2 ISPs have more /56 prefixes than IPv4 addresses.

    @nva said in Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?:

    My ISP only routes a single /64 subnet to a resident connection. I'm planning to deploy ULA for each of my VLANs and then NPT to that public /64 prefix assigned by the ISP. Do I need to worry about suffix conflict?

    Are there any drawbacks (e.g. latency...) in deploying ULA + NPt compared to just GUA via Track interface? The only problem I can think of is that I would need to manually adjust NPt entries every time my ISP routed prefix changes and will try to get it working.

    Were you able to get it to work? That's what I was considering doing on my OpenWRT a couple years ago but got tired after 2 long fights with both ISPs. Now I'm considering moving to pfSense because of some BusyBox limitations.

    Are you able to update your VLANs' prefixes when your ISP changes it?

    One ugly thing I consider doing is choosing a random /60 prefix from one of my ISPs' /32 and setting it as base for my VLANs. AFAIK, some OSs will use IPv4 if only ULA is provided for them, because it implies that no Internet is available on IPv6, even if router manages ULA to GUA correctly.

    Using a global prefix that's not delegated to me breaks me from reaching out any device that's on that prefix, but I don't access any residential IP other than mine anyway.

  • 0 Votes
    7 Posts
    1k Views
    DerelictD

    @JKnott You can delegate prefixes. An address is assigned and the delegated prefix is routed to it.


    https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html#dhcpv6-prefix-delegation

  • FIOS users waiting for IPv6... script to let you know when it's ready

    9
    2 Votes
    9 Posts
    3k Views
    MikeV7896M

    Don't lose hope... it's been just less than a month since it started working for me, so they may have re-started testing.

  • IPV6 No internet access - Mobile tethering / VM

    1
    0 Votes
    1 Posts
    318 Views
    No one has replied
  • NPt not working on 6RD tunnel delegated addresses?

    16
    0 Votes
    16 Posts
    2k Views
    viktor_gV

    Fixed in upstream, see https://redmine.pfsense.org/issues/10757

  • IPv6 SLAAC only

    3
    0 Votes
    3 Posts
    518 Views
    JKnottJ

    @carloabelli

    Unlike IPv4, ICMP is essential with IPv6. I have a rule on my WAN that allows all ICMP on both 4 & 6.

  • "kernel: cannot forward..." errors in system log

    5
    0 Votes
    5 Posts
    1k Views
    MikeV7896M

    Well... in the packet capture, the MAC address of the Ethernet frame matches the MAC address of the default gateway from my ISP (which is not unusual when dealing with packets being routed to you). But the IPv6 address is definitely not the same, and it doesn't appear to be an EUI64 address, so I can't match it to a MAC address. I do realize that I masked part of the address that would have identified that fact.

    It's likely a misconfiguration on my ISP's part... they only just got IPv6 up and running about a week ago, and it may not even be completed yet (but I've figured out how to make it work with pfSense, not knowing whether their own routers even work with it).

    It's kind of annoying that this is logged in the general system log though... it'd be nice if it were in the routing log... but I assume since it's the kernel generating these messages, that's why it's in the system log.

  • pfSense box cannot access anything over ipv6, LAN clients can

    3
    0 Votes
    3 Posts
    579 Views
    A

    That was exactly what I needed. Thank you so much!

  • 0 Votes
    12 Posts
    639 Views
    M

    I have been working on a similar setup. Dual WAN IPv4+IPv6. I get native IPv4 from my ISP. For IPv6 I have been using Hurricane Electric for at least a decade. Recently, I stumbled upon a tunnel service that does both IPv4 and IPv6. This makes it possible to rather easily move services, yet keeping IPs the same, both IPv4 and IPv6.

    But that's more of a backstory. I have been researching quite the same problem you describe. Packets that are generated on the router (e.g. ICMP TTL Exceeded when doing a traceroute) should be sent back through the same interface they entered, but for IPv6, this doesn't work.

    It seems that in FreeBSD, the backing operating system for pfSense, this is simply not implemented for IPv6. There is code in review for this, but it may take some more time before that reaches FreeBSD itself, and consequently pfSense.

    Hope this helps.

  • Static IPv6rd but no joy with DHCPv6 RA

    4
    0 Votes
    4 Posts
    470 Views
    chaseC

    With thanks to Netgate tech support, the solution was to turn off my interface's Block private networks and loopback addresses. Upon reflection, this does make sense and with it disabled, my DHCPv6 server with RA set to either managed or assisted is now responding to DHCPv6 client requests and issuing assignments.

    And yet, I will submit a feature request such that when the DHCPv6 Server is enabled, an alert should be posted saying "but you need to disable Block private networks and loopback addresses on the interface, otherwise the DHCPv6 server will never receive the incoming IPv6 client's request for a local RA server..."

  • Massive HTTP IPv6 connectivity issues

    Locked
    19
    0 Votes
    19 Posts
    5k Views
    N

    This thread was 6 years old fyi.

  • IPv6 behind Xfinity gateway

    14
    0 Votes
    14 Posts
    2k Views
    JKnottJ

    @rajeshh
    That's called "dual stack" and will be needed for a while yet. If the games support IPv6, then it will work that way for you. The operating systems prefer IPv6, but will use IPv4 when necessary.

  • CARP IP not replying to NDP solicitations.

    2
    0 Votes
    2 Posts
    284 Views
    R

    Of course as soon as I post this I redid it with a new vhid and a FULLY expanded ipv6 address. No :: no :0: and no :3: was done, that fixed it and my routes came up with the upstream router.

    I still would like to find that redmine issue so I can track the fix. If anyone knows the # I would appreciate it.

    Thanks

  • Sa6_recoverscope: embedded scope mismatch: sin6_scope_id was overridden

    6
    0 Votes
    6 Posts
    2k Views
    yon 0Y

    Me too, what is this?

    Aug 24 05:38:00 kernel sa6_recoverscope: embedded scope mismatch: fe80:c::f298:38ff:fe93:d380%13. sin6_scope_id was overridden

  • IPv6 connectivity from LAN is lost after PPPoE reconnect

    18
    0 Votes
    18 Posts
    2k Views
    JKnottJ

    @HG

    You also have to look at how often DHCPv6-PD executes and whether it does after PPPoE comes up. I have a capture of DHCPv6 at boot up and the first renewal and it's over 22 hours between them.

  • IPv6 Gateway always: Status: Unknown and RTT, RTTsd & Loss: Pending.

    2
    1 Votes
    2 Posts
    635 Views
    T

    Hey, I'm not sure if this is still relevant but restarting the service at status>gateways fixed it for me. However, I was already able to ping my IPv6 gateway from the diagnostics>ping tool.


  • Delegating IPv6 networks to a downstream router

    15
    2 Votes
    15 Posts
    2k Views
    F

    @johnpoz

    Config is done and working as expected.

    Got a /48 from HE and /50 subnets to LAN.


    DHCPv6 Server & RA (/56 to downstream CPEs)


    RA


    Tested with Android 8/9, Android TV 7.1.2, iOS 9.3.6, Windows 10, Arch Linux, OpenWRT, and some other home gateways.

  • Cannot ping fe80::1 / discover a gateway in some KVM environments

    2
    0 Votes
    2 Posts
    768 Views
    No one has replied
  • NDP not populating for Android devices on pfSense - no ipv6 access

    4
    0 Votes
    4 Posts
    521 Views
    N

    @qsystems If you are using Unifi APs (Multicast Enhancement, rings bell for those) make sure you have the latest firmware loaded, they have had some issues with multicast recently and supposedly corrected with newer firmware.

  • Planning for IPv6 /48 allocation

    9
    0 Votes
    9 Posts
    650 Views
    JKnottJ

    @kesawi said in Planning for IPv6 /48 allocation:

    My question for anyone who may know, is it possible to have two separate concurrent DHCPv6 scopes with pfSense and Windows? If so what do I need to do to get it to work?

    I doubt it, as there would be no way to determine which DHCPv6 server was desired.

    I assume if I give up on DHCPv6 and just go to SLAAC for both then ULA and GUA will still coexist?

    That's what I have. Also, if you have Android devices, you don't want to use DHCPv6. For some idiotic reason, Android doesn't support it.

    I have two internal DNS servers. Do I need to specify both their respective ULA and GUA addresses in the RA settings, or can I just specify the ULA addresses?

    You can use either GUA or ULA address. However, you don't have to specify an address as pfSense does that by default. It uses its own address, unless you specify otherwise.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.