@johnpoz Thanks! This may prove useful!

@IsaacFL

You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have it's own limits.

Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day

One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.

There are also privacy addresses with SLAAC, which change daily

That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate

Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle.

On my own network, I have both GUA and ULA addresses, 8 of each.

@Overclock said in Non local gateway IPv6:

I let you inform about OVH response.

Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

@bin_batore Well maybe you're right but fortunately, I'm not facing such issues.

@fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? call me old-fashioned... I'd prefer them to be ::1

Link local addresses are often used for routing. All a router needs to know is how to get to the next hop. A link local address is fine for that. If you're also assigned a WAN address, it will likely not be used for routing.

With SLAAC, there is one consistent address, based on the MAC, or a random number. You can spoof the MAC to give you what you want. You can also use manual configuration. If you're using DHCPv6 on the LAN, you can create specific mappings to what you want.

You can packet capture the pings going out. If there is no response there's nothing you can do about it - they have to fix it.

If absolutely necessary (as in they still blame the firewall), put a managed switch (or some kind of network tap) between the WAN and the ISP and capture on a mirror port there. Then you're definitely looking at what's out on the wire, outside of the firewall. Set the monitored port to the one connected to the modem, not pfSense. If you see the echo requests and no replies there, there is certainly nothing more you can do. Press them hard for an escalation. If you can get to the right person/group you might be able to get it fixed.

@tku said in IPv6 no routing from DMZ to internet:

But, I'm using PfBlocker which I configured (in all my enthusiasm) to add (blocking)rules to all interfaces, for some reason the ipv6.google.com-IPv6 address is on the list. So some kind of logical that connecting to the IPv6 website didn't work.

I'm using pfBlockerNG-devel - and some IPv6 lists.
ipv6.google.com never was problem for me.

What is the IPv6 that google uses - the one you use to connect to ?
Is this IPv6 (network) really present on a list ?

What is this list ? IPv6_known_search_engines ?

Hi

The reason this is happening is because you have id-assoc na but not id-assoc pd. This is because the config is not complete just from the WAN interface. You have to also set a LAN interface to track the WAN interface. This is where the rest of the configuration is set and it defines id-assoc pd with the values you set there.

@johnpoz said in Need some instructions for getting started with IPv6:

That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6...

Here's an article, in today's Toronto Star, that seems to imply IPv6 will be needed on cell phones:

Internet-based 911 calling on the horizon in Canada

"Essentially, every connected phone will have an internet protocol address, which will be cross-referenced with key data sets mostly supplied by municipalities. The database will comprise every street address in an area and the entry location of buildings. Emergency service boundaries will also be accessible to ensure the right responders are dispatched.

The result should allow the 911 system to pinpoint the location of callers to within centimetres."

I haven't found much in the way of details, but giving phones unique addresses will probably require IPv6.

I also don't understand how they'll be able to determine location within centimetres.

There is this document, which has on page 68, page 3 of Appendix 2:

"North American Network Operators Group (NANOG)

A governing body that provides guidance and instructions for the design of an IP network. NANOG is typically involved in the best current operational practices for IPv6 planning."

This system is apparently supposed to be implemented all over Canada and U.S. My Pixel 2 certainly gets IPv6 from my carrier, but not all phones or carriers support it yet.

It appears that if you add a cron job to run "/sbin/rtsol -a" once an hour it'll keep the IPv6 connection. I suspect someone read RFC 6275 and decided that "Router advertisements in such networks SHOULD be sent only when solicited" also applied to this network, despite it not technically being a mobile network. (Telus are also a mobile carrier, so it's possible this is where the confusion came from.)

@lifespeed

One has nothing to do with the other. The do not release only affects whether the prefix will change. SLAAC has to do with sending the prefix out to the LAN, whether it changes or not.

@alnico

Don't forget, you can configure OpenVPN to carry both IPv4 and IPv6.

@mix_room said in TCP-ACK blocked when using IPV6 over GIF over IPSec:

Why are you even using that GIF tunnel? Why don't you run IPv6 directly over IPSec?

Because the documentation states that you can not do this with IPsec.

One other thing, IPSec was originally designed for IPv6 and back ported to IPv4. So, it's highly unlikely it would not support IPv6.

No not yet as I doubt I'd get anyone on the phone who would even know what IPv6 is. Plus my online account is having problems so I can't post on their forums either at the moment.

Yeah for sure. Next time try to be useful bc nothing you say is a solution, nor with such a genius you have exposed how to attain the correct configuration without adding the routes to NAT. But you won't, cause all you do is noise. Take the bicycle and have a merry xmas, i'm done with you. ffs.