@hsv

I don't have that problem. However I'm on 2.7.0.

@Bob-Dig said in Network Prefix Translation (NPt) prefix translation bug:

That is true for everything, not only ping.

It's good to know that the behavior isn't only for ICMP6 packets.

@Bob-Dig said in Network Prefix Translation (NPt) prefix translation bug:

NPt doesn't solve this problem (unsolicited inbound traffic) on pfSense.

Good to know. Perhaps I'll open a bug report on redmine for this issue, see what the devs have to say.

I seem to have managed to get this to work by going into "Advanced DHCP6 Client Configuration" and setting the "Prefix Interface" to an enabled but otherwise inoperative "LAN2"

@Bob-Dig sorry for my late reaction. Work was busy. The gateway rule does the trick with me!

@marcosm indeed... without the reboot, my interface still doesnt get an IPv6 address on " track"

Per @Bob-Dig suggestion, I connected a Cisco SG200 switch to the IGC2 port as a trunk VLAN and connected the MacBook Air to a VLAN 40 port on the switch. Same results, IPv4 works correctly, as soon as IPv6 is turned on the IGC2 port bounces. This is what I expected, as macOS Sonoma has full support for VLAN's built-in, which is how the MacBook Air was previously configured sans intermediary switch.

Any thoughts on how to get this to work would be appreciated, since it is working for other VLANs on the other ports of the Netgate 6100.

Thanks,
Brent

@shamrock for starters why would you ever put a /56 on an interface? /64 is the only thing that should be on an interface. Maybe a /128 in some circumstances.. But an interface on a device/router/firewall etc.. should and would only be /64

You can use other larger prefixes in say a firewall rule or route.. Or a delegation to some downstream device that will break up that larger prefix..

2nd - that is the correct /56.. it would run from..

fd00:fd00:246:200:: - fd00:fd00:246:2ff:fff:ffff:ffff:ffff

A prefix is going to start on specific net break, if you put an address that is in the middle of the network, that doesn't change the network address.

Its easier to read with IPv4 as example..

Lets say you are using a 192.168.0.0/22

This range is 192.168.0.0- 192.168.3.255

If You put an address of say 192.168.2.1/22 on your interface.. The network that is on is still 192.168.0.0- 192.168.3.255

If you used 192.168.1.1, or 192.168.1.254 or 192.168.3.254 or 192.168.2.27, etc.. the network is still that 192.168.0/22 that runs from 192.168.0.0 to 192.168.3.255, does not matter where in that space the address you put on the interface lands.

A prefix or netblock/network is always going to start and end at specific addresses.. Just because you put an IP that is in that range on the interface, doesn't change the the network boundaries

If you wanted to use 246:246, that would be like the 71st subnet out of your /56

fd00:fd00:246:246::/64
fd00:fd00:246:246:0000:0000:0000:0000-fd00:fd00:246:246:ffff:ffff:ffff:ffff

@Bob-Dig You are the best!
Thanks for the info, i really appreciate it

@mathais

I haven't configured a bridge in pfSense, so I can't speak from experience, however physical bridges don't have any addresses. They're supposed to be transparent. Do the actual interfaces have a link local address.

@DrPhil said in Configure IPv6 on multiple LAN interfaces:

Hi,

I am trying to configure IPv6 on multiple LAN interfaces (LAN and DMZ).

Did you ever get this sorted? The thread seemed to peter out at the end...

What works for me on Verizon FIOS

Interfaces / Wan

IPv4 Configuration Type dhcp IPv6 Configuration Type dhcp6 DHCPv6 Prefix Delegation size 56 Send IPv6 prefix hint checked Do not wait for a RA checked

it ends up looking a bit weird -- only a link local (FE80::something) configured on the Wan interface, but it works (you can probably find the RFC about using only ipv6 link local addresses on routers - I'm not going to bother searching)

Then on the LAN interfaces

IPv6 Configuration Type Track interface
and under "Track IPv6 Interface" IPv6 Interface WAN IPv6 Prefix ID <pick a unique number -- I like using the vlan #>

Then under "Services / DHCPv6 Server"

DHCPv6 Server gets checked Range pick something Prefix Delegation Size is 64 Default lease time I used the 7200 default Max lease time I went with 28800. I started with one day but the dhcpv6 address occasionally showed up as deprecated and 'valid_lft forever preferred_lft 0sec'

Hopefully that's a good enuf description :)

@DrPhil said in IPv6 static leases when ISP changes the prefix:

Under System > Advanced > Networking, there's a setting Do not allow PD/Address release. Is that selected? If not, your prefix will change for something as simple as disconnecting & reconnecting the WAN cable.

Thank you!
That's exactly what I was hoping to hear. I've now checked that box, and will monitor. If the ISP still changes the prefix on me, I'll just call them.

I'm on Verizon FIOS and they do change the prefix all too often. Even without a reboot or anything that would cause the interface to bounce the delegated prefix can change :(
The good news is that if you leave the prefix off of the IPv6 address in the DHCPv6 config the server will supply the prefix for you.

I haven't figured out how to predict the DUID so I just let the system assign an ipv6 address from the free pool & then go to the ' Status / DHCPv6 Leases' page, find the entry that I want to convert to a static address, and under Actions click the 'Add static mapping' button. That brings up the ' Services / DHCPv6 Server & RA / LAN / DHCPv6 Server / Edit Static Mapping' page and then I put just the "::host addr" in the IPv6 address field. The system will fill in the delegated prefix part of the address when it gives out the DHCPv6 address later on.
.

@Martin_D said in IPv6 seems to break unbound 23.09.1:

local-data: "pfSense.home.arpa. AAAA fe80::2694:cbff:fedd:4bd1%igc0"

That's the one I do not have :

local-data: "pfSense.brit-hotel-fumel.net. AAAA 2a01:cb19:dead:beef:92ec:77ff:fe29:392c"

I've no "%igc0" (the network name part) and for ùme, unbound has troubles this "%igc0".
I've no "fe80" IPv6, but a 'real' "2a01:xxx" as that's part of the prefix DHCPv6 client on WAN obtained.
For me, 2a01:cb19:dead:beef:92ec:77ff:fe29:392c was assigned as the LAN IPv6.

The error :

Conversion error, ip6 addr expected

makes me thing that unbound doesn't understand the "%igc0" part.

Probably not related, but this one

Request only an IPv6 prefix Yes

The prefix or prefixxes (multiple /64) are for your LAN(s).
You don't want an Ipv6 for your pfSense WAN ? I tend to not check that option.

Another one : what do you have here :

e7358334-fd04-4b7b-a20f-74042557b554-image.png

@shaunmccloud
Yeah, the ISP's delegated prefix can change - it's a pain sometimes. Instead, I use DHCPv6 to allocate ULA's (which don't depend on the ISP's delegated prefix). If you're interested, here's what I did for my PiHole.

Using the DHCPv6 server, set up a ULA prefix delegation for your LAN, say fd01:2345:ef01:2345:: / 64 (use the same prefix in both the 'from' and the 'to' boxes). Then under Firewall, give the LAN port a VIP (virtual IP) alias of fd01:2345:ef01:2345::1 / 64. (You may need to reboot to get these to stick.) Then see what ULA your Pi uses (SSH in and enter 'ifconfig' - you'll see an address that starts with that fd01... prefix). Enter that full address as the static v6 address in the Pi's /etc/dhcpcd.conf, and also enter it as the DNS server address in pfSense's DHCPv6 server (provided to clients). It also can't hurt to run 'pihole -r' on your pi, and go through the setup again to make sure it spots the ULA as your IPv6 static address.

If you have more than one LAN port (OPT1, OPT2, etc), you'll want to set them up with ULA's of their own (including their own VIPs). And if you have multiple ports, in the PiHole's DNS settings tab, tell it to respond only to the physical interface (ethernet or wifi) that you use on the Pi. (If you tell it to only allow local requests, it won't respond to client requests from a different port on the router.) There is a patch for 2.7.2 to make ULA routing work between multiple LAN ports - see https://forum.netgate.com/topic/184867/ula-routing-broke-after-2-7-2-update/29 (This patch is also scheduled to be included in 2.8.) Also note, when you do a pihole -r, it will reset PiHole to respond only to local requests, so you'll want to check that setting if your router has multiple LAN ports.

Then on your clients, check that the Pi's ULA is being picked up as the IPv6 DNS server (e.g., "ipconfig /all" in Windows). And try pinging it ("ping -6 fd01..." in Windows) to make sure you've got connectivity. My clients send their DNS queries directly to my PiHole, and I point my PiHole directly at Quad9, and I have never had an issue.

@voigon

I don't waste my time with that ping "menu". I just use ssh to pfSense and go from the command line. However, when resolving this sort of problem, packet capture is your friend, either the built in Packet Capture or Wireshark. You can then see if the ping is appearing where it's supposed to and with the correct addresses, etc..

@NogBadTheBad

I always do packet capture in promiscuous mode, as these days switches keep most of the other traffic away. Back when I first started using it, then known as Ethereal, hubs were still in use, so you'd see everything on the network, including passwords.

@koyaan134 said in Setting up IPv6?:

Or do I just put it into the monitor IP field and that's it?

Yep. That's it.

I appreciate your help by the way - pretty sure you were involved in troubleshooting a few of the threads I was reading!

I've been running IPv6 for almost 14 years and 8 with pfSense, so I do have some experience. 😉

Almost my entire career, going back to 1972, has been on the technical side of telecom, computers and networks, including at IBM. I first learned about IPv4 when I took a course at a local community college in early 1995. Even then, in that class, I realized 32 address bits weren't enough. Around the same time I first read about IPv6 in the April 1995 issue of Byte magazine. I knew then IPv6 was the way to go and have done what I can to promote it.

BTW, along the way I was certified in Novell Netware 3.x, OS/2 Warp 4 and Cisco CCNA. I also took the course for Netware 4, but didn't take the test as by that time I was working at IBM and my focus changed.

I tried restarting pfSense as well as my clients, and it didn't seem to help on the day. However the following day everything started working fine.
I am all good now.
My first thought was to delete this post. But I am leaving it up in case someone else faces a similar situation in the future. As unhelpful as it sounds, waiting a day might make the problem go away :-)

Have to chime in here on the value of this feature. I'm a bit confused as to the response saying it cannot be done, though. I am probably misreading that in the overall context. This feature is in OPNsense, so programmatically it can be done.