You're right… sure I've made a mistake the first time I tried...

But, there are still some updates problems. When my box reboots, for example, dynamic IP updates fail. So the tunnel doesn't work without my intervention.
DNS updates fails two.

Another message that appears and need acknowledge is: There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads {0}

@clinta:

After struggling with this thinking I was having the DHCP6 won't renew issue others are seeing, I discovered that the firewall was actually blocking the DHCPv6 responses from my ISP (Comcast). Checked the firewall logs and it was the block bogon networks rule. Disabled that option on the wan interface and immediately got my DHCPv6 address and and my internal track interface started working.

Just wanted to save anyone else the trouble of discovering this.

THanks for letting me in on that tip. I will have to try this tonight when I get home. I was also having other issues with my Comcast device and that is now fixed. So hopefully I can get this working as I would love to start playing with some firewall rules.

More Updates:

I'm also seeing this error occasionally now as well. It's under my System Logs > General.

"php: /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid em0 gif0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.5-P1 Copyright 2004-2013 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Wrote 0 leases to leases file. Bound to *:547 Unsupported device type 240 for "gif0" If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please read the section on the README about submitting bug reports and requests for help. Please do not under any circumstances send requests for help directly to the authors of this software - please send them"

No idea what this error message is trying to tell me, or if it's even causing a problem.

I took a few screenshots. The only thing I keep reading is that if you can ping an ipv6 address from your pfsense machine everyone keeps saying you don't have a ipv6 allow rule set under firewall rules.

I have set an ipv6 allow all rule under my WLAN ruleset. My WLAN network is what i'm trying to configure for IPv6.

IPv6 ping from pfsense box - success:

My WLAN network, showing IPv6 allow all rule:

My WAN ruleset, I put an IPv6 allow all rule, though it shouldn't be needed as i'm using a HE tunnel, WAN shouldn't see any IPv6, only IPv4, mabye?

Checked Diagnostics > pfInfo, this em0 interface is my WLAN network. It shows v6 out working, but v6 in isn't having any data/traffic. I think this is the problem here, problem is I don't know what would control that v6 in flow, as I said I already have an ipv6 allow all rule set on my WLAN firewall ruleset.

Any ideas based off these images?

ETA:You may now notice different IPv6 address structure in this post than previous post. I found a post, sorry closed link & don't know where it is anymore, but someone was having trouble with a HE tunnel & he had to delete his tunnel & remade it & his issue was magically fixed. My original tunnel was made Sept 2011, so i deleted it & made another w/o success.

Update:Tried setting up IPv6 on a server I have on a wired interface to rule out equipment problems. My WLAN uses a powerline network adapter which then runs to the wireless router. I think the powerline network adapter isn't playing nice with IPv6. I believe it's blocking IPv6 communication. I'm going to try running my router w/o that to fix that particular problem. However now on the server I can see the link local talking to my router, but it's still not getting a IPv6. Here is a packet capture of what I see.

Yes, checked my powerline network adapter. It doesn't support IPv6. So that's why WLAN was having issues. However I can see my server talking to the pfSense router about LL addresses. So i'm not sure why the server isn't getting ipv6.

For reference the "d0a8" address is the LL of the server. Also now the pfinfo chart shows ip6 in on the server interface. So that's fixed. Any possibilities why i'm still not getting IPv6?

09:59:02.395087 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::2: ICMP6, router solicitation, length 16 09:59:02.395296 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 09:59:02.414326 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 09:59:03.413791 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 09:59:05.413737 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 09:59:09.030341 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 09:59:09.413743 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 09:59:14.740678 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 09:59:17.419506 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 09:59:23.399642 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 09:59:33.423158 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 09:59:35.516024 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 09:59:45.561251 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 10:00:05.152375 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 10:00:05.422338 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86 10:00:20.486835 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 10:00:36.010342 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 10:00:48.593356 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120 10:01:00.057210 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120

That is a huge topic.  It would probably be best to do a little background reading, then come back if you have specific questions related to pfSense.

To get you started:

IPv6 Comparison with IPv4: http://en.wikipedia.org/wiki/IPv6#Comparison_with_IPv4
IPv4 and IPv6: A Comparison: http://www.myitforum.com/articles/1/view.asp?id=6720
Side-by-Side Difference: http://www.techsutram.com/2009/03/differences-ipv4-vs-ipv6.html

@Ofloo:

Listen, I can understand if you didn't "know", but these issues are there from august we are November, I'm not saying there's any way they should donate their time or whatever, just don't label it stable which was done in September ! Even when there where still issues, regarding ipv6.

You certainly come across as very wound-up by this!  I'm nothing to do with the project. I'm just a fellow user, who is also vaguely disappointed by the quality of the IPv6 support in 2.1-release.  I don't have the time to join the project and fix things, either.

Stop ranting, because it will achieve nothing, other than possibly to demotivate the one or two people who might be persuadable to actually fix this stuff.

If you can't live with pfSense for what it is and always will be (very cheap, not very stable) then you should find something better.

Our rent contract forces us to use this provider and our provider forces the router. Basically we are fucked. I don't want to move just because of this. So I have to live with it.

Sure, I'd thought of the m0n0wall alternative. It looked like a good alternative, until I discovered it does not support the more advanced schedule features that I require.

I just tried to wipe everything and try again but same issue. Nothing is being encapsulated. It's a perfectly new install, latest updates.

I followed this guide:
http://xtropx.blogspot.cz/2012/07/pfsense.html

To get it installed on Hyper-V I obviously had to use the legacy network adapter and added this to rc.local:
ifconfig de0 down
ifconfig de0 up
ifconfig de1 down
ifconfig de1 up

Oh and I should state that this is Windows 8.1 Hyper-V.

So, after speakign briefly to someone who knows IPv6 very well, I am going about it all wrong. Currently I am trying to NAT my IPv6 traffic, when I should supposedly have a /64 address space from my ISP. I should just set up a DHCP server in that space, and just firewall the traffic.

I have alot more research to do before I fully dive in. I am mostly doing this for knowledge sake, I don't hope to obtain anything else by enabling IPv6 just yet.

Anyone else with knowledge on the subject, please feel free to chime in.

Sorry for the late reply, I just now noticed a notification for some reason.

Anyway here is the command i run

C:>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2001:470:20::2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

I get a score of 9/10 on http://test-ipv6.com/ checking my network adapter it says internet for both ipv4 and ipv6, its getting the proper ipv6 DNS server however im not sure that the ipv6 default gateway is correct

here is the details of my test on test-ipv6.com
Test with IPv4 DNS record
ok (0.080s) using ipv4
Test with IPv6 DNS record
ok (0.104s) using ipv6
Test with Dual Stack DNS record
ok (0.100s) using ipv6
Test for Dual Stack DNS and large packet
ok (0.225s) using ipv6
Test IPv4 without DNS
ok (0.263s) using ipv4
Test IPv6 without DNS
ok (0.253s) using ipv6
Test IPv6 large packet
ok (0.231s) using ipv6
Test if your ISP's DNS server uses IPv6
timeout (10.247s)
Find IPv4 Service Provider
ok (0.211s) using ipv4 ASN 30036
Find IPv6 Service Provider
ok (0.132s) using ipv6 ASN 6939

Connection-specific DNS Suffix:
Description: Intel(R) 82579V Gigabit Network Connection
Physical Address:XX:XX:XX:XX:XX
DHCP Enabled: Yes
IPv4 Address: 10.0.0.51
IPv4 Subnet Mask: 255.255.255.0
Lease Obtained: Sunday, October 27, 2013 10:56:38 AM
Lease Expires: Sunday, October 27, 2013 1:09:45 PM
IPv4 Default Gateway: 10.0.0.1
IPv4 DHCP Server: 10.0.0.1
IPv4 DNS Server: 10.0.0.1
IPv4 WINS Server:
NetBIOS over Tcpip Enabled: Yes
IPv6 Address: 2001:470:XXXX:XX::ff38
Lease Obtained: Sunday, October 27, 2013 11:09:42 AM
Lease Expires: Sunday, October 27, 2013 1:09:43 PM
Link-local IPv6 Address: fe80::a0e1:b6bd:1eff:72e1%10
IPv6 Default Gateway: fe80::21c:c4ff:fe1c:2eeb%10
IPv6 DNS Server: 2001:470:20::2

@gadams999:

In my attempt to obfuscate info, I didn't describe what was in the two fields. The IPv6 address is the same for both the IP Address/Prefix (first two fields) and the same in the unselected user defined prefix. I wish there was more (any) information on that screen, but nothing back from Comcast yet.

Oops, my bad; I see now that the "IPv6 address/prefix" fields all refer to the LAN interface on the gateway device.

@gadams999:

This is the weird part. If the WAN is set to delegation of /56, I have the ability to select 00-ff on the tracked interface segment. But in that mode, the LAN never gets a 2006:: address, radv doesn't run, etc.

As I was trying to say earlier, that makes perfect sense: you will use at least part of that /56 on the segment between the Comcast gateway and the pfSense box, so pfSense wouldn't be able to re-delegate the entire /56, and the code doesn't deal well with getting a different prefix size than what's indicated in the prefix delegation size field.

@gadams999:

However, if I change the WAN delegation back to a /64 and don't change the prefix on the LAN segment, the above addressing is set and radv starts. The reason I cannot modify the LAN interface at this point is that there are not PD's open, only 0-0 available, which also makes sense since the WAN asked for a /64 which it used.

If it does actually pick up a valid prefix on the LAN side in this case, I guess I'm not quite sure what the problem is?!

@gadams999:

If the Comcast router is presenting a /56, can the pfSense box take that full delegation for it's own use while they both still use the negotiated /64. For instance, if the prefix is:

The segment between the two is going to use part of the /56, so pfSense will at most be able to further delegate whatever's left after that.

@gadams999:

Could it look like this and be valid?

Internet – Comcast router <-- 2601:0:9:800::/64 --> (WAN) pfsense (LAN) --> 2601:0:9:880/64

Yes, this looks fine. In theory, pfSense could re-delegate up to 2601:0:9:880/57 (the largest sub-prefix of 2601:0:9:800/56 that does not include 2601:0:9:800::/64), any of the sub-prefixes contained therein, or any other sub-prefix of 2601:0:9:800/56 that does not overlap with 2601:0:9:800::/64.

@gadams999:

What concerns me about this one is that the fe80::1:1 is the only link-local address on the LAN. the EUI-64 link-local address is no longer there. Is it okay that the EUI-64 address has been replaced with just the fe80::1:1 address?

Yes; at least that's what I see on my (working) setup.

If you go into the Firewall -> Virtual IP screen and add the entire /48 as an Other type Virtual IP on the tunnel interface, hopefully things will then start to work.

who game you a patch, and where?

In this case you should check the "Use IPv4 connectivity as parent interface" option.

Regarding the WAN address display issues, I have pointed out the issue to the devs in one of the bug reports some time before release, but I guess it was not fixed in time.

Finally I reinstall a new PF 2.1, restore the config and its works now

I have the same issue, same hardware and version, different ISP (Hughesnet Gen4).  I have native IPv6, I get a /64 on the WAN side, I can't get the right allocation on the LAN side because they hand out a /61 and that isn't a choice in the pull down menu, but if I pick /62 it all seems to look right.  none of my hosts on the LAN side (pretty much all apple devices at the moment) get an address.

radvd is running in services, but because I have track interface for LAN, not a static, I can't set anything for the RA, and I don't know what the defaults are.

I see the RAs in tcpdump from fe80::1:1, which is the LAN interface address, and they have a /63 prefix in 2001: that matches the LAN address on the pfsense box,  but the host never gets an autoconfig address.  I use autoconfig on the same laptop at work every day, and it's fine there.

I'm new to pfsense, and I've only done IPv6 routing on enterprise-level gear, not home network stuff, but it's the only public address I can get out of Hughesnet, so any ideas are greatly appreciated.

Ah, ok… makes sense then.