Just to keep you updated… It works, today morning IPv6 was up and running, but there is one thing strange: The "Dynamic DNS" panel shows the wrong (old) IP in red. But I just saw, that there were some fixes for the upcoming 2.2, so I am relaxed.

@mjtrainor:

Interesting that em0 would have a IPv4 problem, since that's been problem free. Is miniupnpd strictly UPnP? If so, it's possible that's not working, it's not something we use very often.

Yes, that's for UPnP (and NAT-PMP) only, so probably doesn't matter for you. Could just be a timing-related issue.

And suggestions on what to look at for this?

I'd fire up packet captures on your pfSense box's WAN and LAN interface and then try to ping an external address from a LAN client. I'm assuming you do have a firewall rule that allows IPv6 traffic from "LAN network" (as opposed to something hard-coded)?

How do you enable both DHCP-PD and the DHCP6 server? Any interfaces configures as "track interface" (i.e., use delegated prefix) don't even show up in the DHCP6 server configuration for me at all…

@hda:

My understanding of IPv6. Don't route other or larger (i.e. /48) than a /64. And static IP's are a /128.

Nope. Being static has nothing to do with how large a subnet is.

IPv6 must be assigned in /64s per interface. So a /64 for LAN, a /64 for DMZ, a /64 for WIFI. You can assign smaller subnets than that, but it's not recommended (auto configuration breaks, since it expects to be able to fit the mac address in the IP address). And with the large number of /64s in a /48 you'll run out of rack space before you can allocate all the /64s, trust me  ;)

ah, found out the issue.

we have a /56 (256 IPv6 /64 blocks

so I have changed IP6v subnet on lan of pfsense from

2A00:xxxx:xxxx:5:21D:AAFF:FEB9:F000

to

2A00:xxxx:xxxx:4:21D:AAFF:FEB9:F000

I can now ping 2A00:xxxx:xxxx:4:21D:AAFF:FEB9:F000 from the internet

Problem solved.

Turns out it was a setting on my NIC.

I needed to change "Large Send Offload v2 (IPv6)" to disabled.

This is found in Device Manager > Network Adapters > <right click="" your="" adapter="">Properties > Advanced

Hope this helps someone!
Todd</right>

Hi jyppy65

I also have two ipv6 link local address on my pppoe0 interface but I can't report any problems with that.

Do you have any problem with that ?

regards

supermega

Pretty much what it says: When that option is enabled, the DHCP request sent out by pfSense will include info on what size prefix we would like to have delegated to us (which the DHCP server may or may not honor – hence, "hint"); without that option, the DHCP request will just ask for a prefix without specifying the desired length, so the DHCP server will generally just delegate a prefix with some default size, and that obviously may not match what you selected as "prefix delegation size" in pfSense.

You can add it as an IP Alias VIP. It will exist along with the auto-generated version. That can also be disabled with a sysctl, but it's not recommended to do so since it could have unintended consequences.

I know this is an old thread – but I had a similar problem.  I am using DHCPv6;  Windows 7 would obtain an address from DHCPv6 and the default route from the router.  The default route would be there (as seen via "route print") for 30 minutes.  Then it would disappear.

I found that the default Windows Firewall allows ICMPv6 ONLY from fe80::/64.  Normally, this is fine, however, in our infinite wisdom, we set the router's link-local address to be fe80:42::1  (which isnt part of the fe80::/64 subnet).  If we let it pick its own link-local, (the default) it would have been OK.

Thus, the initial default gateway appeared because Windows requested it via Router Solicitation.  But it was unable to hear the periodic Router Advertisement messages after that in order to keep that default route alive.  It timed out after 30 minutes and disappeared.

We've since changed our router's link-local address to be fe80::42:1 (which IS part of fe80::/64).

Well - If you have a default ipv6 gateway, all the IPV6 traffic on the lan will try to go there.

So, I think if you put a pass-all firewall rule on the lan for anything originating from a 2002 ip and then at the bottom in the advanced section of that rule change the gateway from default top the correct gateway, your traffic will go out over the correct gateway.

I have not tried this with IPV6 but seems it should work.

So i was playing with MikroTik RotuerOS and it picks up and distributes ip6 address right away, only config needed is enabling ip6.

What is different about how RouterOS is requesting the address vs. pfsense?

Having your ipv6 subnet and IPs become dynamic doesn't make it useless - Just much less useful as a server.

Which is probably the intent.

Dump the native IPV6 if it becomes annoying and grab a hurricane electric /48 that never changes.

Can you just put them on different LANs or VLANs? Comcast will give you up to 16 /64 prefixes, so you could just put the "open" hosts in one (basically, a DMZ) and the locked down ones in another.

Some more info.

I enabled DHCP6 on my WAN side, then went to check the interface status. Turns out the IPv6 of fe80::213:5fff:fe05:bde2 is actually my Gateway IPv6.

Should I allow this traffic to go through from my Gateway IPv6?

Thanks!

I finally get my IPv6 connexion working with pfSense 2.1.4-RELEASE (i386) . Here are the steps I followed :

checked "Allow IPv6" in "System: Advanced: Networking" enabled "Static IPv6" on the WAN interface and set IPV6_ADDR with /128 prefix let "IPv6 Upstream Gateway" to "none" run "route change -inet6 default IPV6_ADDR" (without %pppoe) enabled "Static IPv6" on LAN interface and set IP with /64 prefix checked "Enable DHCPv6 server on LANX interface" in "Services: DHCPv6 server" let "Router Advertisement" to "Disabled" added some IPv6 rules for LANX traffic

Right.. seemingly working when i did the following:

Put a notch on "Only request a IPv6 prefix, do not request a IPv6 address " on my WAN dhcp6 setting.

Also followed the other advice around and put LAN on "Track interface", added a WAN firewall rule to allow inbound source UDP 547, destination UDP 546

Internal clients get ipv6 address, and get 10/10 on the test-ipv6.com page.

Well.. guess every ISP is different perhaps?

C

@avink:

This very much resembles the thing I have.
I always have to start the DHCPv6 by hand. In my opinion it is because the PPPoE isn't stable when the DHCPv6 is starting.

I actually got the dhcp6c command from your bugreport on redmine, thanks for that  ;)
Running dhcp6c in a tmux by hand now, seems stable so far.

If i set the WAN interface to DHCP6 and delegation size to 48 (according to my ISP), and LAN interface to "Track Interface:WAN", my WAN gets a address like this:

IPv6 Link Local fe80::202:1eff:fef2:8981%xl0  IPv6 address 2001:4610:a:b::xxx  Subnet mask IPv6 128 Gateway IPv6 fe80::2a0:a50f:fc7a:8b00

And my LAN gets:

IPv6 Link Local fe80::1:1%bge0  IPv6 address 2001:4641:7766:0:21a:a0ff:xxxx:xxxx  Subnet mask IPv6 64

And internal clients also gets a IPV6 address..

However, im unable to ping anything related to IPV6.

ping6 ipv6.google.com PING6(56=40+8+8 bytes) 2001:4641:7766::34cf:6c49:85df:9bb8 --> 2a00:1450:400f:803::1001 ^C --- ipv6.l.google.com ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss

Ive added a WAN firewall rule to allow IPV6 UDP Source Port:547 Destination Port: 546. I also added WAN rule to allow IPV6 ICMP.

What am i doing wrong? :)

C