• IPv6 Tutorials

    Pinned Locked
    2
    5 Votes
    2 Posts
    38k Views
    J
    Thanks for the tutorial :)
  • IPv6 test sites

    Pinned
    33
    0 Votes
    33 Posts
    64k Views
    JonathanLeeJ
    @johnpoz https://k6usy.net/
  • IPv6 track interface prefix bug

    1
    0 Votes
    1 Posts
    10 Views
    No one has replied
  • IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment

    22
    0 Votes
    22 Posts
    636 Views
    B
    @JKnott said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment: Why not give them global addresses? It's not as though there was a shortage of addresses, as there was on IPv4. When using SLAAC, it seems that you either need to accept that your machines will use Temporary (Private) addresses for all outbound connections (effectively making it impossible to target a specific device) or you need to disable Privacy Extensions on each device you want to target, enabling that device to be tracked across the internet. Neither option seems great to me. I might be able to use Managed instead of SLAAC, but I think that this still enables tracking of a device across the internet (correct me if I'm wrong). It seems to me that the best of both worlds would be to use SLAAC and Privacy Extensions (Temporary Addresses) for GUA (which will be prioritized for outbound connections destined for the internet) while using Managed for ULA (which will be prioritized for local traffic and enable targeting of specific devices).
  • Toob (UK) IPV6 NDP Table Issues

    9
    0 Votes
    9 Posts
    220 Views
    R
    @Gertjan said in Toob (UK) IPV6 NDP Table Issues: Don't tell me you are still using "Unbound mode" ^^ Thanks for pointing this out, to be honest I had no idea as this was set by default when installing the add-on devel version too. I have since changed this and that has resolved that issue thank you. @Gertjan said in Toob (UK) IPV6 NDP Table Issues: Btw : not using DHCPv6 servers at all for your pfSense LAN(s), and rely on SLAAC if you use Android devices. We have a few android devices in the house so SLAAC is the best option. I believe I may have found the culprit now as I have now reverted all the settings I listed above. Currently using the ISP router in Bridge Mode to provide WiFi in the house whilst I sort out my UniFi shopping list (not long moved in). If I connect a Windows Laptop directly to the PFSense Firewall I get an IPv6 address instantly which is expected and subsequently if I disconnect and reconnect the cable I get another address instantly. I believe the Router running in Bridge mode is blocking ICMP6 Router Advertisement and Router Solicitation packets (even though there are no settings available on the Web UI in Bridge Mode and it suggests that all items have been disabled relating to Security). I was able to prove this by running a Packet Capture on the PFSense Firewall for ICMP6. Otherwise the only other way I was able to get this to work via the Bridge Mode router is to wait for the Interval timeout or to restart Router Advertisements Service in PFSense for it to force issue IPs. Didn't think it could be that purely cause IPv6 was working on that unit when it was the active Router and assumed Bridge Mode would work, clearly not the case. Thanks for all your help :) Maybe I will look into DHCPv6 in the future but for now SLAAC will do.
  • IPv6 Address

    ipv6 att
    4
    1
    0 Votes
    4 Posts
    189 Views
    J
    I found my problem- I had an outbound NAT rule that applied to both IPv6 and IPv6 that was rewriting the source of UDP packets to the WAN address (not the link local address) When the ISP saw the packets from the GUA they were ignored- these are supposed to come from link-local. I guess the initial request went through because there was no WAN address for them to be rewritten to. Updating this rule to only affect ipv4 seems to have fixed my issue- I will have to wait a few hours to tell for sure but I see replies in packet captures. WAN firewall allows ipv4+ipv6 UDP port 546, 547 MAC address on WAN is set to the address on the ATT gateway "Do not allow PD/Address release" is unchecked. "Prefer IPv4 over IPv6" is checked I found this by comparing packets from my primary ISP and my backup ISP- primary: 5 28.595589 2001:XYZ::1 ff02::1:2 DHCPv6 156 Renew XID: 0x1ff509 CID: 0001000131609bcc0cc47a6cef34 IAA: 2001:XYZ:::::1 I eventually did a packet capture on my failover wan and saw these renew packets that did get a response: 1 0.000000 fe80::ec4:7aff:fe6c:ef36 ff02::1:2 DHCPv6 130 Solicit XID: 0xd90503 CID: 0001000131609bcc0cc47a6cef34 Note these are coming from the link-local address instead of the GUA (2001::.XYZ)- this was the clue I needed to figure out the problem.
  • pfSense box cannot access anything over ipv6, LAN clients can

    4
    0 Votes
    4 Posts
    934 Views
    S
    @cybercare this is the answer!
  • MSS has to be set manually for IPv6 to work correctly with PPPoE

    14
    0 Votes
    14 Posts
    574 Views
    I
    @chrcoluk said in MSS has to be set manually for IPv6 to work correctly with PPPoE: Just to confirm, you are saying when you set MTU to 1500, IPv6 can not deliver unfragmented 1500 byte packets? Yup. I can send 1500 bytes over IPv4 no issue, but can't send more than 1492 bytes over IPv6. Tried contacting my ISP, just got a Level 1 boilerplate answer "It's a feature that will be implemented at some point".
  • NAT64 and UDP-with-zero-checksum

    nat64 udp ipsec siit
    5
    0 Votes
    5 Posts
    268 Views
    I
    @Napsterbater Yeah, considering I'm stuck and even though it seems that pfSense does pass the zero-checksum packet, VoWiFi still does not work, which makes me think you might be right and it's HOW it passes it. So far I can't get it to work when using pfSense NAT64 setup...
  • IPv6 connectivity lost on prefix change

    78
    0 Votes
    78 Posts
    7k Views
    SteveITSS
    FWIW happened across this from several years ago: https://redmine.pfsense.org/issues/10822 (Deprecated IPv6 prefix won't be announced as deprecated to clients)
  • Windows Device gets multiple IPv6 gateways from RA

    9
    12
    0 Votes
    9 Posts
    2k Views
    LaxarusL
    @lufu83 thank you for that unifi post from years ago. This was the most stupid issue I had the displeasure of fixing. I could not get my windows machines to ping6 cross vlan because of this and spent hours trying to fix it until I came across your post.
  • Netflix and HE tunnel broker

    netflix dns resolution unbound he.net tunnelbroker
    15
    0 Votes
    15 Posts
    868 Views
    GertjanG
    @johnpoz said in Netflix and HE tunnel broker: No gua, no ula - not even a link-local, so why and the F would it ask for AAAA for?? Lazy freaking programming if you ask me. Good question. If there are no local IPv6 interfaces to talk to, I'm curious what the advantage is knowing that an AAAA exists for a host that will be contacted over A anyway. I've a possible reason in front of me, the one and only Firefox plugin I use : edit : the plugin is he.net powered. It shows me for every web site I visit what I'm using : A or AAAA, and it also shows what other sites are visited when the page was retrieved. I can imagine that when this Firefox plugin is used, these AAAA requests are made. But if it isn't used ? @SteveITS said in Netflix and HE tunnel broker: Edit: also FWIW we found HE tunnels were rate limited. I mean they are free, so hard to complain, but bandwidth was about 1/3 of our IPv4 connection speed. Because the POPs have cost involved Some of them are marked as "can't add any new clients anymore" == they are 'full'. If they would throw hardware on it, tunnel.he.net would become a real, free VPN alternative **, which would need even more hardware. ** he.net uses a tunnel = IPv6 packets are encapsulated into IPv4 packets = the GIF protocol, which is, afaik, not encrypted. Not a big deal as all traffic is TLS already anyway.
  • Help needed - ISP configuration IPv6 DS-Lite

    1
    0 Votes
    1 Posts
    112 Views
    No one has replied
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    22 Views
    No one has replied
  • Fios DHCPv6 Issues

    15
    5
    0 Votes
    15 Posts
    1k Views
    J
    @aivxtla Not being able to check your own IPv6 address for something like DDNS would lead me to believe that your IPv6 routes were not properly set up, because for that to work you need AAAA DNS resolution for the IP check service (1) and a fully IPv6-based route to it; but, needless to say, all of this is quite the guessing game. In any case, I'm glad it's working for you now! (1) Perhaps ironically, performing DNS resolution for AAAA records does NOT require IPv6 to be working, because you can always contact a DNS resolver over IPv4 and ask it for a AAAA record: -> drill -Q www.google.com IN AAAA @1.1.1.1 2607:f8b0:4006:803::2004 And, of course, you can also do the opposite: drill -Q one.one.one.one IN A @2001:4860:4860::8888 1.0.0.1 1.1.1.1
  • IPv6 addresses not deprecated on PPPoE periodic reset

    12
    1 Votes
    12 Posts
    5k Views
    A
    yup, the issue still persists also with 2.8.1. According to RIPE (https://www.ripe.net/publications/docs/ripe-690/) no such feature would be needed, but ISPs assigning dynamic prefixes make this feature a must-have to not lose IPv6 connection for the preferred lifetime of the SLAAC RA (which is 4h by default)
  • IPV6 Custom Rules Snort and HE tunnel broker

    snort ipv6 he.net
    6
    0 Votes
    6 Posts
    449 Views
    tinfoilmattT
    @JonathanLee Interesting. What we're living through now is the partial realization of what I somewhat mistakenly believed Web 3.0's 'semantic web' concept from a quarter-century ago was all about. I.e., tell the 'search engine' what you're looking for in natural human language, and it will deliver. Berners-Lee originally expressed his vision of the Semantic Web in 1999 as follows: I have a dream for the Web [in which computers] become capable of analyzing all the data on the Web – the content, links, and transactions between people and computers. A "Semantic Web", which makes this possible, has yet to emerge, but when it does, the day-to-day mechanisms of trade, bureaucracy and our daily lives will be handled by machines talking to machines. The "intelligent agents" people have touted for ages will finally materialize.
  • IPv6 Prefix Delegation Host-Address

    52
    0 Votes
    52 Posts
    5k Views
    Bob.DigB
    @Gertjan said in IPv6 Prefix Delegation Host-Address: Ask them Here you go (about 4 years ago): https://redmine.pfsense.org/issues/12600 https://redmine.pfsense.org/issues/12602 Btw. I add ASN for the ISPs in question to the TS-forward via pfBlocker. This works good for IPv6, but still, it would be nice to have even more control...
  • 2 Votes
    6 Posts
    297 Views
    tinfoilmattT
    @Mission-Ghost If we're asking the important questions, why use a packet filter to transport Ethernet frames?
  • Gif interface question

    gif he.net ipv4+ipv6 tunnelbroker
    1
    0 Votes
    1 Posts
    83 Views
    No one has replied
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.