@JonathanLee don't use bang rules.. If you don't want lan net to talk to opt net, then put in a block rule for opt net above your allow. Yes the network/subnet aliases would be the ipv4 or ipv6 networks on said interfaces.

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following:

Use the packet capture that's in pfSense. You may have to install it. Then post the capture file here. It's a lot easier to examine the capture with Wireshark that what packet capture displays.

Here's what a router advertisement looks like in Wireshark:

ae550191-613d-491b-bc38-83746130322c-image.png

And when expanded, selecting IPv6 info:

1f6587bd-bae2-4ff2-8f09-66e18495c283-image.png

@Shack

Why not just go with IPv6 and get rid of all the crap that's become necessary to keep IPv4 going? Stuff like NAT break things and CGNAT even more things. Because of NAT we need STUN for VoIP and some games. So, it's hack upon hack just to get around the IPv4 address shortage. On top of this, IPv6 cleans up some of the things in IPv4. For example, ARP predates IPv4 and was used because it was available. With IPv6, the functionality of it has been rolled into ICMPv6 with some other features added. Other things improve security and more. According to Vint Cerf, the guy who created it, IPv4 was intended only as a proof of concept and he expected the final protocol would have a much larger address space.

With my ISP, I have a single IPv4 address which requires NAT to support multiple devices. With IPv6, I get a /56 prefix, which provides 256 /64s, each of which contains 18.4 billion, billion addresses. NAT also breaks the end to end transparency, which the network gods had intended. 😉

@JacktheSmack said in If internet goes down, IPV6 won't work until reboot:

The release cadence has slowed down significantly from when I started using pfSense in 2014 or 2015.

Slow down doesn't mean going away.. The product has come a long way since then, lots more to it.. Plus there is + and TNSR, their release schedule has always been when it ready really.

If you want faster releases, move to plus.. ;)

@patrickdickey52761 yeah understanding where the split is for prefixes can be tricky.. Glad you got it sorted.. Now what you going to do with IPv6 to be honest? I have yet to find an actual need for it.. There is not 1 single resource on the internet I would want to get to that requires IPv6 ;) Its just a play thing to be honest, I mostly just leave it off. I can turn it on with a click if need to test something..

Yeah sure if you were behind a cgnat or something and you wanted others to be able to get to some resources on your network..

But it is the future and never hurts to learn new things - If you are actually interested in ipv6, I would check out the free cert you can get from HE.. You can get a pretty nice tshirt once you get to sage level.

I still have mine from 2011 when I did it.. You would of thought IPv6 would of actually gotten somewhere by now - sadly nope.. Other than great use for the billions of phones on the planet. My isp doesn't even provide it..

@luckman212

Hi,

I am using pFsense plus 24.03, I am still having same issue where WAN interface only got a local IPv6 and not a IPv6 assigned by FIOS, is a problem when I configured CoDel Limiters for Bufferbloat, limiters work fine for IPv4 but not for IPv6 since it doesn't have a IPv6 and can identify traffic going through the WAN.

I tried your patch and I was unable to make work.

Are you aware if pFsense plus 24.03 already fixed this issue, and let me know what is the configuration we have to use to make WAN to obtain and IPv6 or how to make the onfiguring CoDel Limiters for Bufferbloat to work with IPv6 traffic.

Thanks.

@SteveITS It's a home account with an owned Netgear Nighthawk CM2000.

There were times where it would work AS IS, didn't need to specify the WAN for a /64 and no RA check.

But most of the times, I'd have to specify /64 and Don't wait RA checked or else I'd get no IPv6 on LAN.

Weird...

I have Fidium fiber they said it’s still on IPv4 so I stated using HE tunnel broker service.

Forgive me if I'm misunderstanding what you're wanting to do, but on pfSense you can set up a Prefix Delegation Pool in the DHCPv6 Server settings for the interface to which the UDM is connected. Assuming the UDM supports PD it should request a prefix from pfSense which will then take care of the routing.

Also, as you might already be aware, an easy way to disable NAT for IPv4 is to switch to Hybrid Outbound NAT and add a "NO NAT" rule for IPv4 for the interface the ISP device is connected to.

after a bunch of screwing around, I have it working. I wrote up what I found here:
https://forum.netgate.com/topic/188676/ipv6-dhcp-client-with-att-fiber-without-gateway-working

In particular:
In the instructions at [https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html], section Add Modem-WAN Bridge Rule, the instructions say to set Protocol
Any. If you do this, the DHCP6 requests from the modem will be forwarded through PFSENSE to the ONT and cause XID mismatch errors. This should instead be set for Protocol IEEE 802.1X.

and a lot of rebooting or it will not work.

If it helps, the 6rd parameters are received in option-212 response of the DHCP server response.
I can send tcpdump captures if needed.

@peuga i took your word, and set the ISP device in router mode. apparently it isn't getting ipv6 either, and connecting to it via WI-FI and trying a ipv6 test, it fails.

3c76df44-86a3-44df-9770-aa700610bf4b-tim2.png

imma try calling them, apparently it's a problem on their side (tho, even then, i might have some config problems later)

@marcg Thank you for the tip. When I get some free time, I will check out the auto generated interface addresses prefix's.

Nobody has anything that could help us here? Are we posting in the wrong place?