BTW the Redmine mentioned PR (https://redmine.pfsense.org/issues/6626) is also available at github at https://github.com/pfsense/pfsense/commit/7c4b3d3c8d2d15b1e59d1d262cc295a848434355 So, the :: feature expands the $rule['interface']'s prefix to the host portion. Useless in my case. Okay, lets make my target v6 a complete one: it works! Assuming the Do not allow PD/Address release is being ignored and I get a new prefix, then all my rules are dead. Correct me if Iam wrong, but pfSense misses a dropdown for that :: case, allowing me to select the target interface for auto-prefix-determination at https://github.com/pfsense/pfsense/blob/9fd4cb962ad28b0e03c8c755a80b20ad7c867d9e/src/etc/inc/filter.inc#L3247

Our data center set up a /125 IIRC for our IPv6 WAN and routes our LAN subnet to a specific IP. (We have a HA setup so two IPs plus the shared IP) Like this but IPv6: https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html#ip-assignments

@SteveITS If I leave it blank, my devices don't get IPs. I followed the @JKnott procedure and now it's running well.

I was able to locate the device using: netsh int ipv6 show neighbors This gave me the MAC address for the link local ipv6 addresses.

@Gertjan So if it's disabled by default then why does it work if I don't change that setting and it shows a green tick in the services. All clients pass the IPv6 tests and if I ping google.co.uk it uses the google IPv6 address.

@Sevi said in Delegated prefix in firewall rules?: patch should also be included in upcoming releases ref: https://docs.netgate.com/pfsense/en/latest/releases/24-03.html#aliases-tables @Sevi said in Delegated prefix in firewall rules?: address ::123 Hmm, thanks, will try that. Our IPv6 prefix at home changed recently and my main client (wife) was annoyed for a while without telling me. @johnpoz said in Delegated prefix in firewall rules?: free Hurricane Electric tunnel We did that once because of a specific setup...it functions, but the throughput is throttled, about 35 Mbps as I recall. And there are sites that consider HE IPs like a VPN and block access, for instance sites that can only show video or sports content to certain regions due to licensing.

@Bob-Dig I will definitely take a peek at that, thank you bringing it to my attention

@Bob-Dig said in Interface groups and IPv6 GUA subnets: Interesting that it does work for you without problems. A difference might be that I'm only testing VLANs right now, no physical interfaces? I can try it later on the 4100, but for now I was testing on an 1100 with the switched ports. (I did have to use the ol' Save&Apply on the WAN interface to trigger the prefix delegation for any new interface though... but I also had to do that before the patch.)

For years instead of the comcast router for gateway up detection I use their v6 DNS server. 2001:558:feed::2 or 2001:558:feed::1 As I had to set IPv6 to DNS server for monitoring...I also use their IPv4 DNS servers for the same. System - Routing - Gateways - Edit ... 75.75.76.76 and the 2001:558:feed::2 have worked swimingly. I don't use those servers for actual DNS...but it proves that my local routers and equipment are up and that I can reach the core of their public services ok. (edited for clarity)

SOLVED: The issue has been solved by checking "Do not wait for a RA" option in WAN interface.

To close this out... Apparently a firewall rule has to be manually added to allow IPv6 traffic to pass between the LAN and the WAN. And I completely missed that requirement in my "research". Having added said rule, things are working swimmingly. Thanks for your patience and sorry for the noise.

Been working on a patch for dhcp6c. I have gotten to the point where I can collect all the information needed in one place and easily parsable by a script: grep "prefix allocated" /var/log/dhcpd.log Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4000::/64 iaid=0 ifname=vmx2 Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4001::/64 iaid=1 floating=true Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4002::/64 iaid=2 floating=true Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4003::/64 iaid=3 floating=true Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4005::/64 iaid=4 floating=true Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4006::/64 iaid=5 floating=true Mar 23 17:04:09 pfSense dhcp6c[70335]: prefix allocated 2001:db8:4007::/64 iaid=6 floating=true Patch is below. Pretty sure it can be optimized further. If any expert in C happens to know why I can't seem to use struct ia *ia's copy of ia->conf->iaid that would save me having to pass the dhcp6_ia struct. I get: prefixconf.c:231:6: error: incomplete definition of type 'struct ia' diff --git a/dhcp6c_ia.c b/dhcp6c_ia.c index 9f9ca84..473fc58 100644 --- a/dhcp6c_ia.c +++ b/dhcp6c_ia.c @@ -152,7 +152,7 @@ update_ia(iatype, ialist, ifp, serverid, authparam) case DHCP6_LISTVAL_PREFIX6: /* add or update the prefix */ iapdc = (struct iapd_conf *)iac; - if (update_prefix(ia, &siav->val_prefix6, + if (update_prefix(ia, &iav->val_ia, &siav->val_prefix6, &iapdc->iapd_pif_list, ifp, &ia->ctl, callback)) { d_printf(LOG_NOTICE, FNAME, diff --git a/prefixconf.c b/prefixconf.c index bbb4d6e..582f192 100644 --- a/prefixconf.c +++ b/prefixconf.c @@ -119,8 +119,9 @@ extern struct dhcp6_timer *client6_timo __P((void *)); static int pd_ifaddrconf __P((ifaddrconf_cmd_t, struct dhcp6_ifprefix *ifpfx)); int -update_prefix(ia, pinfo, pifc, dhcpifp, ctlp, callback) +update_prefix(ia, iinfo, pinfo, pifc, dhcpifp, ctlp, callback) struct ia *ia; + struct dhcp6_ia *iinfo; struct dhcp6_prefix *pinfo; struct pifc_list *pifc; struct dhcp6_if *dhcpifp; @@ -197,6 +198,7 @@ update_prefix(ia, pinfo, pifc, dhcpifp, ctlp, callback) in6addr2str(&pinfo->addr, 0), pinfo->plen, pinfo->pltime, pinfo->vltime); + int allocated = 0; /* update prefix interfaces if necessary */ if (sp->prefix.vltime != 0 && spcreate) { for (pif = TAILQ_FIRST(iac_pd->pifc_head); pif; @@ -215,10 +217,21 @@ update_prefix(ia, pinfo, pifc, dhcpifp, ctlp, callback) continue; } + allocated = 1; + d_printf(LOG_INFO, FNAME, "prefix allocated %s/%d iaid=%u ifname=%s", + in6addr2str(&pinfo->addr, 0), pinfo->plen, + iinfo->iaid, + pif->ifname); add_ifprefix(sp, pinfo, pif); } } + if (allocated == 0) { + d_printf(LOG_INFO, FNAME, "prefix allocated %s/%d iaid=%u floating=true", + in6addr2str(&pinfo->addr, 0), pinfo->plen, + iinfo->iaid); + } + /* * If the new vltime is 0, this prefix immediately expires. * Otherwise, set up or update the associated timer. diff --git a/prefixconf.h b/prefixconf.h index dcff695..3dd5986 100644 --- a/prefixconf.h +++ b/prefixconf.h @@ -32,7 +32,7 @@ typedef enum { PREFIX6S_ACTIVE, PREFIX6S_RENEW, PREFIX6S_REBIND} prefix6state_t; -extern int update_prefix __P((struct ia *, struct dhcp6_prefix *, +extern int update_prefix __P((struct ia *, struct dhcp6_ia *, struct dhcp6_prefix *, struct pifc_list *, struct dhcp6_if *, struct iactl **, void (*)__P((struct ia *)))); extern int prefix6_add __P((struct dhcp6_if *, struct dhcp6_prefix *, Next steps for me will be looking at adding a custom DHCPv6 server configuration file field to the UI, like can be done for the interface DHCPv6 client configuration.

@gwabber allright. Girlfriend went to bed. I went behind my pc. I set, for testpurposes, the gateway on "Disable Gateway Monitoring Action". I pulled the plug. My GUA's were gone again. I visited one of my servers with the ULA. I could reach it... same for my pi and stuff. One weird thing. My pings to those servers became slower and timed out once in a while.... What that's about... I don't know. So it works, like most of it, but not what it's supposed to be I think... EDIT never mind... it was a fluke. It broke down again. I don't get it anymore EDIT2: With the fake gateways it works! I still have the feeling that it should be easier then creating a fake gateway per LAN, but it works for now :)

@gwabber hey all, I was having problems with my ULA routing when my track interface goes down, for example when my internetconnection has an error. Since you guys helped me with setting up ULA routing in the first place, I refer you to this New topic I started. Maybe you experience the same problem. @NightlyShark helps me with the issue in this topic: https://forum.netgate.com/topic/186787/ula-routing-stops-when-trackinterface-is-down?_=1710756586659

I am still having this issue, does anyone have any other ideas ? I really don't want to be forced back to my slow ASA 5512's ha!

@MHall-0 double NAT will cause problems. I have held off with IPv6 with both ISPs I am with. The Smarthub I have doesn’t have Bridge mode support. Can you get IPv6 working if you use a Windows or Linux ? That would be something to test.

@JKnott The local firewall address ends up being different on each interface, and subsequently is not easily identifiable in packet traces. It's not an unreasonable thing to want this in a managed network. It is achievable for all hosts in the network except the firewall itself.

@Bob-Dig said in ISP Delegates /64 Multiple Times But No /56 or /60: Someone has to test this. I just did and I can reach ULA from GUA. I tested from my VPN, which only has GUA to my desktop computer and it's ULA address.