• IPv6 gateway monitoring?

    1
    0 Votes
    1 Posts
    878 Views
    No one has replied
  • DCHP6 Enabled on WAN but no address

    12
    0 Votes
    12 Posts
    3k Views
    A

    Atlantisman: I know this might not be much, but I might have some info you can use.

    Well, first of all, try to take whatever IPv6 (global unicast) address e.g. your computer might have within your google router's IPv6 network.
    Then visit e.g.:
    http://ipduh.com/ipv6/whois/
    or
    https://www.ultratools.com/tools/ipv6InfoResult

    And then copy/paste your IPv6 address and see what subnet prefix (length) you get returned (as well as your ISP's /32 route).

    Now what is interesting is if the subnet prefix is e.g. /48, /56, /60 or something else. Because even though the google router might give your LAN a /64 prefix it is probably to let SLAAC work. Your actually provided network might be larger e.g. a /56 subnet prefix.

    What you then could do is to set up your pfsense box manually without any fancy configuration but where you just configure your WAN address to be the WAN address of your google router (even though you are not going to use the google router of course).
    Your google router's WAN might have a /64 subnet. But the actual provided network to you might be larger e.g. /48 or /56.
    If you are not provided with the WAN address e.g. by a google manual or a web interface then simply try to:

    traceroute6 google.com

    The first print out is likely the address of your own router/the google router (your LAN subnet). Then right after this subnet the WAN address of your WAN gateway (not your google router, but the gateway your google router uses) is printed.
    It might have an address that ends with ::1. Then you are likely to use the same subnet address, but instead it should probably end with ::2 - anyway it does not matter a lot if the WAN subnet is /64 - but it could be /127 - in that case I am not sure how well pfsense works.
    (pfsense 2.1 does not seem to support /127 addresses when configuring static routes on the LAN site - but that is a whole other story.)

    Thereafter try to set up your LAN. Now if you want to use SLAAC in your LAN you have to use /64 prefix which means you limit your network e.g. if the entire network provided is e.g. /48 or /56. But anyway - you can try to see if it works taking the lower /64 part of the larger network. If it works you can try to take the next /64 prefix and see if that also works and let you have traffic route out and into your network.

    Remember to set https://your_router/services_router_advertisements.php?if=lan (Services DHCPv6 Server/RA - Router Advertisements) to either Managed or assisted (depending on what you want).

    Else you might want to use wireshark again on the WAN interface but this time searching for ICMPv6 packets (http://wiki.wireshark.org/ICMPv6) regarding the Neighbor Discovery Protocol (http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol#Technical_details).

    If some of it works then fine else try to see if your google router has a web interface (located as the default route address - perhaps some:address::1 ) with some configuration info.
    E.g. if the google router uses PPP. Actually here is a site that has a PPP example with ICMPv6 with a screen shot from something that looks like wireshark:
    https://sites.google.com/site/amitsciscozone/home/ppp/ipv6-ipv4-over-ppp

    Hope you can use at least some of it :-)

    Cheers

    Anders

  • IPv6 working with ASUS RT-N66U not pfSense?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PfSense Release 2.1 Broken IPv6 PPPoE/SLAAC

    6
    0 Votes
    6 Posts
    5k Views
    C

    @bruor:

    ….
    This almost seems like a routing issue.  If anyone can help suggest ways to narrow this down or find any changes that may have caused this glitch I'd be grateful.  I'm willing to reboot my firewall a few times in the name of making this a better product!

    pfSense-Full-Update-2.1.1-PRERELEASE-amd64-20140221-1118.tgz fixes this for me - outbound connections now get sent to the default IPv6 gateway via the PPPoE interface, not via re0_vlan10 (which is my "physical" interface that PPP packets arrive on.)

    Hasn't fixed the IPv6 connections coming in from the internet, like email delivery or web browsing into my server yet.

  • Ipv6 comcast

    35
    0 Votes
    35 Posts
    12k Views
    E

    Give a try with a snapshot from late tomorrow since behaviour should be improved.

  • Link local continous ping? (Solved)

    2
    0 Votes
    2 Posts
    976 Views
    R

    Never mind. Apparently apinger was restarting after being stopped. Just disabled it for each of the gateways and all is good now.

  • IPv6 configured properly but can't configure hosts in the LAN

    6
    0 Votes
    6 Posts
    5k Views
    A

    Happy to hear it worked out in the end :)

  • IPv6 6RD tunnel with Telia Sweden. Not working?

    2
    0 Votes
    2 Posts
    2k Views
    S

    Hi Pertan,

    I'm not sure you will be able to get 6RD working with 2.1.

    I'm using 6RD with a 2.1 build from way back in January 2013 & it works great, but sometime after that there were some changes made that broke 6RD and I was never able to get it working again.

    Here's the ticket I have open on this problem:

    https://redmine.pfsense.org/issues/2882

    There are some allusions to a mis-configuration but I was never able to divine out what that mis-configuration might be. Currently the problem, whatever it might be, is scheduled to be in pfsense 2.2 but I'm afraid that proper ipv6 will be in general use before that ships.

    -Will

  • FTP to IPv6 sites is not working

    4
    0 Votes
    4 Posts
    6k Views
    johnpozJ

    "I think default ftp access is passive mode."

    Well that would depend on the client now wouldn't it - If I ftp from command line in windows defaults to active.  If I type ftp on my ubuntu server its active. Unless I use -P

    -p    Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents
              connections from the outside world back to the client machine. Requires that the ftp server support the
              PASV command. This is the default if invoked as pftp.

    Why do you think ftp helper should be doing anything in pfsense on ipv6?  There is no nat in ip6 - so why would the helper be needed.

    How are you sure you're hitting the ipv6 address?  That site resolves ipv4 as well

    ftp.arnes.si.          7200    IN      A      193.2.1.88

    What I can tell you is I can connect just fine to that server via IPv6 be it passive or active. Snipped a bit out for brevity

    ---
    05:49:25 Status: Connecting to [2001:1470:8000::88]:21…
    05:49:25 Status: Connection established, waiting for welcome message...
    05:49:25 Response: 220-
    05:49:25 Response: 220-  Hello!
    05:49:25 Response: 220-
    05:49:25 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with

    05:49:26 Response: 230 Login successful.

    05:49:26 Status: Connected
    05:49:26 Status: Retrieving directory listing...
    05:49:26 Command: PWD
    05:49:27 Response: 257 "/"
    05:49:27 Command: TYPE I
    05:49:27 Response: 200 Switching to Binary mode.
    05:49:27 Command: EPSV
    05:49:27 Response: 229 Entering Extended Passive Mode (|||24597|)
    05:49:27 Command: LIST
    05:49:27 Response: 150 Here comes the directory listing.
    05:49:27 Response: 226 Directory send OK.
    05:49:27 Status: Directory listing successful
    ---

    active with the right firewall rule to allow the traffic.

    05:53:22 Status: Connecting to [2001:1470:8000::88]:21…
    05:53:22 Status: Connection established, waiting for welcome message...
    05:53:23 Response: 220-
    05:53:23 Response: 220-  Hello!
    05:53:23 Response: 220-
    05:53:23 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with
    05:53:23 Response: 220-  your E-mail address as the password to access the archive.

    05:53:23 Response: 220
    05:53:23 Command: USER anonymous
    05:53:23 Response: 331 Please specify the password.
    05:53:23 Command: PASS **************
    05:53:23 Response: 230 Login successful.

    05:53:24 Status: Connected
    05:53:24 Status: Retrieving directory listing...
    05:53:24 Command: PWD
    05:53:24 Response: 257 "/"
    05:53:24 Command: TYPE I
    05:53:24 Response: 200 Switching to Binary mode.
    05:53:24 Command: EPRT |2|2001:xx:xx:xx::666|2309|
    05:53:24 Response: 200 EPRT command successful. Consider using EPSV.
    05:53:24 Command: LIST
    05:53:24 Response: 150 Here comes the directory listing.
    05:53:25 Response: 226 Directory send OK.
    05:53:25 Status: Directory listing successful
    05:53:29 Status: Retrieving directory listing…
    05:53:29 Command: CWD arnes
    05:53:29 Response: 250 Directory successfully changed.
    05:53:29 Command: PWD
    05:53:29 Response: 257 "/arnes"
    05:53:29 Command: EPRT |2|2001:xx:xx:xx::666|2310|
    05:53:29 Response: 200 EPRT command successful. Consider using EPSV.
    05:53:29 Command: LIST
    05:53:30 Response: 150 Here comes the directory listing.
    05:53:30 Response: 226 Directory send OK.
    05:53:30 Status: Directory listing successful
    ---

    If I don't allow the unsolicited traffic that would be coming from the ftp server in an active mode connection it would fail..  So added this rule real quick to open my ipv6 client up.

    Now what I noticed is that the source port for the active connection to my ports that I sent in the EPRT (port command for ipv6 ftp) is not 20, not normally in ipv4 ftp in active source is 20..  But seems with this ftp server when I tell it hey come connect to me in an active connection his source port is random?  But if you allow the traffic for your ipv6 it works fine.

    You need to know if you're doing active or passive, allow the rules if active.  And double check your own ipv6 connection.  I use he to tunnel since not real happy with comcast native as of yet and pfsense - and tracking seems to change ipv6 range you get all the time..  Guess could prob filter out one of their dhcp servers.. But anyway clearly you can see that site works fine with ipv6.  And pfsense allows it just fine - there would be no helper in IPv6 to change anything.  Look at your firewall log and see what is not working.

    ipv6rules.png
    logsofrules.png

  • Alias for dynamic IPv6 subnet?

    3
    0 Votes
    3 Posts
    1k Views
    X

    Hi razzfazz,
    Indeed, I messed up another rule!  :-X
    Tx!

  • IPSec tunnel ending at IPv6

    5
    0 Votes
    5 Posts
    2k Views
    R

    Note that he said '"Allow IPv6" unchecked' – he specifically does not want IPv6.

  • (V)LAN(s) with IPv6 + DHCPv6/RA + DynDNS on Route53, is it possible?

    1
    0 Votes
    1 Posts
    968 Views
    No one has replied
  • PfSense LAN with /48 prefix and home routers

    2
    0 Votes
    2 Posts
    2k Views
    A

    To answer some of my own questions.

    Till now I have not been able to use DHCP-PD on the LAN side of pfSense. Well the client routers (CPEs) get the info but I do not know if the DHCP-PD service of pfSense actually works in creating some dynamic routes, but right now I have kind of given up on trying.
    If any of you know how to utilize DHCP-PD correctly as well as "Services - Router Advertisements - RA Subnet(s)" (from Services - DHCPv6/RA - Router Advertisements) then I will be thrilled to hear about it! :-)

    But in my pursuit in getting the D-LINK DIR-860L to work I have this to report:
    A) I have changed the LAN from a /48 to a /64 network.
    B) I have created an alias for a /56 network (a subnet of the /48 network).
    C) I have created a firewall rule, so that the /56 network can gain access from the LAN of pfSense and out in the world
    as well as a firewall rule on the WAN so traffic can get into that network.
    D) Then I have made a route from the LAN of the pfSense router and onto the /56 network. I have used "System - Routing - Routes".
    E) And then I statically configure the d-link router (meaning no use of pfSense's DHCPv6/DHCP-PD).

    You can see me write about it here in some posts:
    http://forums.dlink.com/index.php?topic=57422.msg225586#msg225586

    So the d-link router works. I have however one outstanding issue:
    That is the d-link router can only gain access to the world (=Internet) and not the LAN of pfSense, which is kind of annoying, because it is then unable to access local services like other servers or computers through IPv6.

    Does anyone of you have some suggestions about how to fix that without using more routers, NICs or VLANs?
    And do you have an idea if the culprit is pfSense, the d-link router or me? ;-)

  • Dynamic /64 / PPPoE / SLAAC?

    3
    0 Votes
    3 Posts
    1k Views
    X

    Hi Zeon,
    Thank you for your reply!
    However, to enable SLAAC on LAN side, pfSense tells me that the LAN interface must have static IP addresses.
    My ISP provides me dynamic addresses (also configured via SLAAC on the WAN side). I'm confused!?

    /x

  • IPv6 Basics Blog

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Using Traffic Limiters for IPv6 while Bridged

    2
    0 Votes
    2 Posts
    1k Views
    J

    On my box it doesn't work at all for IPV6, and I had to resort to traffic shaping queues which are much less practical in my application.

  • Ipv6 address via dhcp however not able to ping

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    2 Posts
    2k Views
    T

    It is working now! My mistake…

    It was my ip6tables on Ubuntu box that was blocking IPv6 connections... I was playing with it last week and forgot about some rules there...

    Sorry about the buzz...

    IPv6 is working smoothly now through PFSense 2.1! Time to disable IPv4 and kiss NAT a goodbye...    ;)

    Long life for this awesome project!! Now IPv6 will fly!    :P

    Tks!
    Thiago

  • IPv6 and PPPoE

    5
    0 Votes
    5 Posts
    3k Views
    E

    I compared the PPP and IPv6 exchanges between the connection with pfSense and the connection with Debian.

    The PPP client is sending a PPP IPV6CP Configuration Request with 5043:b158:000:0000 in both cases and the PPP server 0000:0000:0000:0001.
    Then the server is sending a "Router advertisement from" fe80::1 to ff02::1

    For Debian :
    PPP client is sending a "Router Solicitation" from fe80:5043:b158:0:0 to ff02::2
    PPP server is sending a "Router advertisement" from fe80::1 to fe80:5043:b158:0:0

    For pfSense
    PPP client is sending a "Neighbor Solicitation" from fe80:200:24ff:fecf:28f4 to fe80::1
    PPP client is sending a "Router Solicitation" from fe80:200:24ff:fecf:28f4 to ff02::2
    I don't see any new "Router advertisement" from the PPP server.

    The issue seems to be coming from the fact there are 2 IPv6 local links on pfSense pppoe interface:
    pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu2
            inet6 fe80::200:24ff:fecf:28f4%pppoe0 prefixlen 64 scopeid 0xd
            inet6 fe80::5043:b158:0:0%pppoe0 prefixlen 64 scopeid 0xd

    I don't know how to fix it.

  • Ipv6 for residential Comcast customers?

    3
    0 Votes
    3 Posts
    1k Views
    B

    "Your CMTS is not supported at this time."

    Oh well…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.