@johnpoz Somewhat thought that I already made some publicity for he.net here .. but it was somewhere else.

@bmeeks @bmeeks said in IPv6 Multi-LAN Problem: My ISP moved me behind CGNAT That, NAT, shouldn't break the tunnel to the HE pop, but he.net has a condition : your 'WAN IPv4' as seen by them must answer to ICMP (ping). And yous doesn't .... so it's game over for you. For me, he.net isn't possible anymore for another reason : my new "state of the art newest ISP router" that has an ONT integrated for the fiber access can't handle the '6in4' protocol (41), so pfSense can't connect to the he.net pop server 6in4 isn't ICMP (1), isn't TCP (6), isn't UDP (17), neither GRE (4) but something else. So, I contacted them. This took me weeks to get in contact with someone who could actually understand my question. They : We've dropped protocol 41 support on our newest models because ... here it comes .... We, Orange, in France (10+ million subscribers) are now proposing IPv4 and IPv6. Me : Yeah, right, but your IPv6 for my usage is broken !? They : You have a static IPv4 and your IPv6 works, I can see that from here. Me : Yeah, sure, but as the (my) subscription implies : I'm using the Pro subscription as I'm a company, I would like to actually use the /56 as advertised. Your router, needed to connect to the Orange fiber, only has one (1) LAN, and I have a company with several LAN's - not just one. They : Wow, what ? Multiple LANs ? But that's not supported. Me : I have that covered : I chained on to a pfSense router, and it wants prefixes - your (my) prefixes. They [10+ minutes on hold, waiting while listing Cherry FM] : Right, there is a issue that only one prefix gets announced by our router. Me : Then why announcing /56 as only one /64 works ? Then they told me to do what others already do : "ditch our ISP router, use an FTP RJ45 to Fiber plug", as my 4100 supports such a connection, create some serious DHCP 4 and 6 options and behold, now I can tap into the full IPv6 /56 advertised. Champagne ! Of course, I'll loose all the ISP "TV" facilities and/or phone support (one phone line, but who cares, we have 6 lines on a PABX), I don't need these. So, I - and many, many other, are waiting for the router update that delivers us the needed IPv6 support. edit : let it be known : In France, ISP Orange : less people then you have fingers on your hand know that there is more then "UDP" and "TCP" ....

I could tell my routing tables were screwed up, but I didn't really know why. After a while, I stumbled on the System/Routing/Gateways settings and noticed the "Default gateway IPv6" was set to "none." After setting it to WAN_DHCP6, it started working. I'm not sure how that got screwed up, given that my clients were working before.

@JKnott said in IPv6 subnet lan vs wan: Another issue might be how he's connected. Correct. And also it is an issue what device manage the connection between pfsense and ISP. A device in modem mode or one in router mode. A device in router mode must also support the prefix delegation to devices in its subnet. Not all do provide that. For example the Draytek Vigor 167 provide router mode and modem mode. But the router mode does not support prefix delegation to devices in the subnet. So for prefix delegation the Vigor 167 needs to be in modem mode then the pfsense will manage the prefix delegation, or it wont work.

@JKnott I cannot answer your question "why?"... :) But I can report that here in Germany ISPs I know do that as well. Maybe not every 24 hours, but often enough that using those prefixes breaks everything after a change. So: don't know why they still do it (I guess it's just another dumb implementation of v6 as seen so often), but they do it anyways.... That's why I use those global prefixes that change thanx to my German ISP as well as my "own"(not changing) unique locals....for rules and such. It's depressing but that how some big players really make it tedious to use v6 in my opinion...

@snipleeagle8 As I mentioned, it normally happens with SLAAC in the router advertisements. I have never used DHCPv6 on the LAN side, but I expect it would be the same. Are you using SLAAC or DHCPv6? Can you do a packet capture, filtering on ICMPv6, and post the capture file here?

@Jung-Fernmelder What you can do is use Unique Local Addresses, in addition to global addresses. You then use the local DNS to point to the ULA address, rather than GUA.

@tuanson84uk Are those clients Android devices? They don't work with DHCPv6. Any reason you need it? I've been running IPv6 on my home network for over 14 years and have never needed it.

@DataIdeas-Josh said in Force RA to send different IPv6 gateway.: Is there a way to force the RA to send a different IPv6 rather than the pfsense's routers IP? It's supposed to use it's own address. I'm not quite sure what you're trying to do, but you can have multiple gateways on a LAN and give them a priority, up to 3 of them. You can set priority on the Router Advertisement page.

Hi, I was seeing the same error, mostly with this IP list: https://api.gcore.com/cdn/public-ip-list Since ASN are currently not resolved and for reliability, I'm loading the lists from an internal repo anyway and tried my best to remove or reformat "problematic" IPs - without success. Then I had a closer look at /usr/local/share/pear/Net/IPv6.php and compared it to the public source. It seems that, at least in my case with pfBlocker 3.2.0_8 on CE 2.7.2, the file is missing an old fix for this problem: https://github.com/pear/Net_IPv6/commit/70080426d3ac9da4908f9277824694e5eda68985 After changing line 684 from $fill = str_repeat(':0:', 6-$c2-$c1); to $fill = str_repeat(':0:', max(1, 6-$c2-$c1));, the error is gone.

@JKnott said in WAN with /64 Delegation: BTW, I've had the same prefix for around 5.5 years. I have the same prefix since my parents met.

@Bob-Dig said in IPv6 tunnel broker websites showing in German: french guy Who ? There are some here.

I am not sure why everything is working, but it's working. Perhaps my configuration will be of assistance in the future.

@JKnott said in Services / Router Advertisement - DHCPv6 server - strange behavior: Thanks to some genius at Google, Android does not support DHCPv6 Same genius at Google for its Chrome OS ;-) Does also not fully support RFC 3315 See: https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems

@NickyDoes yeah a /56 is lot of /64s for testing and playing with ;) Best practice is /64 for any segment you want to break out.. Even if it only has a couple of devices on it.. It seems insane when you first start playing with Ipv6 to be honest.. Since a /64 is so freaking huge when it comes to how many IPs..

Following the info on the link provided worked so i'm all good to go. Thanks again

@ChrisJenk Well, I you'll have to see what the flags are when whatever fails.

@the-other Success! This issue was a layer 2 issue: I hadn't configured one VLAN switch port's VLAN ID, a simple oversight. Return traffic wasn't reaching the pfSense interface. Whittling away the unknowns.

@guardian said in Very Basic IPv6 security question.: Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN. I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.) IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network. Am I correct, or do I need to take measures to protect my network? My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN. P.S.: Any suggestions as to helpful learning resources would be much appreciated. You can access the web gui over IPv6. So make sure you sure that fyi Example every interface can access the firewall gui unless you block it... [image: 1722224655273-screenshot-2024-07-28-at-20.40.46.png] Test it and see..