@jimp I believe I had set it to DHCPv6 only but what is the setting I need to disable SLAAC?

@jpvonhemel

You might want to allow ping. Most of the ICMP6 stuff is used on the local LAN and on the WAN side, pfsense is the "client".

As for sparse addresses, the standard LAN size is a /64, which has as many addresses as the entire IPv4 address space squared. In that huge space, you might have a few dozen working addresses at any time, most of which are temporary. Bottom line, you're not much of a target.

Did that test site list which ICMP6 it was testing?

@viktor_g

I created a redmine ticket for this here:
https://redmine.pfsense.org/issues/12280

@jbattermann

I haven't done load balancing, so I can't help with that. Are you saying you have 2 prefixes on the LAN side of one network? Also, load balancing on the WAN side shouldn't have any effect on the LAN.

thank you!

@jknott said in Ipv6 setup for Telus:

@jrbenito

The thing to bear in mind is that everything on pfsense or behind it arrives on the same link local address. Does it really matter which internal address? If you have an address on the WAN interface, it behaves the same as any other address. Also, the WAN address has absolutely nothing to do with your prefix. So, what is it you're hoping to achieve by putting an address on the WAN port. As far as I can tell, you need a destination address. Does it really matter what that address is, so long as it's always there? Perhaps I'm missing something. Again, if you absolutely need a WAN address, you can do it at the FreeBSD level.

As for time zones, Rogers covers 5.5 of them, all the way from the Atlantic to the Pacific. I'm not sure how far east Telus goes. Do they provide Internet outside of B.C. and Alberta. I've only worked with them on jobs in Edmonton, Calgary and Vancouver. I'm near Toronto. About the only thing Telus around here is cell phone service and that's often over Bell's network.

I'm surprised Telus isn't providing a WAN address. Are you sure that's the case? Or are you just following the instructions above to only request a prefix?

Telus definitely does not provide a WAN address. The settings for pfSense to work with Telus are:

Request only an IPv6 prefix is mandatory. It will not work otherwise.

The prefix delegation size must be /56. Nothing else will work.

Do not wait for RA is mandatory. It will not work otherwise.

Do not allow PD/Address release is recommended, but not necessary. Telus will delegate the same prefix to a given DUID, unless it was reallocated in the interim. This should only happen if the router is offline for quite a while. Note also that Telus will not delegate a prefix if there is currently an active lease on the same MAC.

@xyz

By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that.

BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.

@chrisjmuk

::1 is the loopback address, just like 127.0.0.1 with IPv4. If you ping that address, the ping won't leave the device you're on. For this sort of thing, you could use the link local address, if you don't have global or unique local addresses available. Link local addresses start with fe80:.

@jknott found the issue, was stuck in the state, needed to clear.

another issue is that i can cant ping a certain ip on my cisco and it cant ping the pfsense, ::1 but can ping ::20 no idea why.

@uzairali001 said in How do I configure ipv6 on pfsense:

Set DHCPv6 Prefix Delegation size to 64

Set that to whatever the ISP provides. Mine gives me a /56.

DHCPv6 Server check DHCPv6 Server

Use SLAAC unless you need DHCPv6.

Assisted

I have unmanaged.

@j-koopmann

With SLAAC, you have 1 address that's consistent and up to 7 privacy addresses, with a new 1 every day. You configure DNS for the consistent address. If your ISP does not provide a consistent prefix, you can use ULA addresses, in addition to GUA, to have a consistent address for DNS.
'

@virgiliomi

One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

@shootify

You don't have to use a DHCPv6 server on the LAN. As I mentioned, Android devices won't work with it. SLAAC does all you need, unless you have a specific requirement that needs DHCPv6. I have both GUA and ULA here and only use SLAAC.

@johnpoz

One work around for those with changing prefixes would be to use Unique Local Addresses, as I describe here. Then they could still use DNS to point to local addresses.

@jknott Windows doesn't use configured DNS servers in order, it remembers the "last success" and prefers that one. It's not new in W10. People get in trouble all the time by listing their domain controller IPs first and public DNS "as a backup" and end up having network problems when the PC can't find the domain on the public DNS.

@cmcqueen Can you ping the router LAN IPv6 when in the "bad" state? This is probably not your issue but after setting up a Hurricane Electric tunnel recently, I found the PCs could connect out over IPv6 but could not ping the LAN IPv6 nor resolve DNS until the router was restarted. Couldn't seem to duplicate it afterwards which is odder.

@dr_tech If you're actually on 2.5.0 there was this IPv6 fix in 2.5.1: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information

@dr_tech

Then use those routers as APs, one on each subnet. Again, no need for routing. However, have fun with finding clear WiFi channels on 2.4 GHz.

@operations

No, DHCPv6-PD is used to assign addresses and prefixes. The DHCPv6 part is similar to DHCP in IPv4, in that it provides an interface address. The PD part provides the prefix for use on the local networks. DS-Lite refers to a method for providing IPv4 over an IPv6 only network. It encapsulates the IPv4 packets in IPv6 and uses carrier grade NAT to provide the IPv4 addresses.

@johnpoz Argh! Now I see what you were referring to. I just thought you were generally wanting to confirm if I was referring to Netgear or Netgate.

NETGEAR support stinks. I never reached out to NETGATE because I don't think the problem is the 8860 or pfSense. Ugh....

I tried to edit the post but says too much time has elapsed. Can you edit, John?

Netgate support is great the few times I have reached out!!! :P

@vabello It would be nice if the guide for installing pfsense on Hyper V included this issue.

I have run into it and trying basically everything in this thread and whatever sleuthing turns up to get these errors to go away.

I am working with Hyper V 2019 and the NICs (for now) are Intel X722 (10 Gbe) ones. I know the physical NICs have VMQ enabled (power shell command spit that out). The console messages though were for two virtual devices and it kept spamming (so I was unable to continue setup after initial install from iso).

If I figure anything out, I will share it.

@evolve-0

I don't see that being a problem. No matter how the random number is generated, duplicate address detection is used to avoid collisions. As long as there is a 64 bit random number, it's actual value is irrelevant. If it matches with an address on a different subnet, so what? The prefix will be different, so the address will still be unique.

I think some people worry too much about "privacy". While there may be some concern about tracking people where they go through their MAC address, there's no reason to worry about it for the stable address. It would only be used for reaching a computer, so the address must be known. If it's always in one location, then there's nothing to track. Further, once you're off the local network, there's no way to tell if it's a MAC or random number based address.

Nope. Solution for tonight is just disable IPv6 completely and live in IPv4 land. Thankfully this is a small network, I can reboot (or release/renew, or disconnect/reconnect) everything pretty quickly.

I'll try non-VLAN, non-LAG ports tomorrow.

Many years ago, ther were question like this https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module?_=1622934995649

These days, the package pfBlockerNG can work with lists of AAAA domain names, that can be blocked (no AAAA returned on a DNS request) so the A record gets used == IPv4.

For my site the issue has been resolved now. Been running smoothly for more than a week after increasing Router Lifetime in services_router_advertisements.php?if=lan

@jknott It is a router for around 100 bucks. It only has one switch and one guest network, so the rest will get passed on I guess.

@sts-134

You allow only what you want to. In this case, I didn't want to block anything. On the other hand, my guest WiFi VLAN is configured to allow only pinging the interface or going out to the Internet.

c703fd7b-51cd-4e17-8cd4-8bd8d81345ed-image.png

@gertjan

I feel a bit silly. I missed the step on assigning an address to LAN first.

Thank you the detailed explanation.

Lesson learned is do not attempt IPv6 when tired.

@ddbnj

Then I can only assume you didn't reboot pfsense. That's pretty much necessary to get the full sequence. Otherwise, you only get renewals.

@spacey

SLAAC is the normal way to configure IPv6.

Look on Services > DHCPv6 Server & RA > LAN > Router Advertisements. If you have things configured correctly, a prefix will be automatically provided and the suffix is provided by the device.

@ofloo

Sorry, I have never used TAP, but I can see problems in trying to bridge between networks.

@wineguy

Yeah, using a sniffer is a good idea. When I had the problem with my ISP, I made a data tap with a managed switch.

@tzvia said in WAN DHCP6 gets addresses, but no connectivity:

@jackthesmack said in WAN DHCP6 gets addresses, but no connectivity:

@tzvia said in WAN DHCP6 gets addresses, but no connectivity:

@jackthesmack Do IPV6 IPs show in your INTERFACES on the dashboard now, because your post showing your INTERFACES only lists IPV4 addresses.

No they don't, despite the IPv6 addresses showing in the Status / Interfaces page.

In your screenshot I only see the link local and gateway which looks to be an FE80. I don't see an IPV6 address assigned, that's why I am asking. You would think that if your router was getting functional IPV6 from the ISP and was set correctly and was assigned, you would have IPs assigned from the ISP, not just a link local address.
a9377e67-27bf-48f5-ab46-0a18e80ca677-image.png

Well this seems like an ISP issue now, because I plugged in my PC directly into the modem and now IPV6 doesn't work anymore.

6735661e-e88a-408a-a8ab-d548b473e5b3-image.png

03291491-d272-465a-abe3-3935b888ecd4-image.png

@jknott

One thing I forgot to mention. You'll need to create a DNS Access List entry to cover the range of ULA addresses used. This can be done individually for each interface or block of ULA used on your network. I used a /56 block to cover any ULA on my network.

2a109afe-1f55-4731-94c2-d022a8604f95-image.png