Per @Bob-Dig suggestion, I connected a Cisco SG200 switch to the IGC2 port as a trunk VLAN and connected the MacBook Air to a VLAN 40 port on the switch. Same results, IPv4 works correctly, as soon as IPv6 is turned on the IGC2 port bounces. This is what I expected, as macOS Sonoma has full support for VLAN's built-in, which is how the MacBook Air was previously configured sans intermediary switch. Any thoughts on how to get this to work would be appreciated, since it is working for other VLANs on the other ports of the Netgate 6100. Thanks, Brent

@shamrock for starters why would you ever put a /56 on an interface? /64 is the only thing that should be on an interface. Maybe a /128 in some circumstances.. But an interface on a device/router/firewall etc.. should and would only be /64 You can use other larger prefixes in say a firewall rule or route.. Or a delegation to some downstream device that will break up that larger prefix.. 2nd - that is the correct /56.. it would run from.. fd00:fd00:246:200:: - fd00:fd00:246:2ff:fff:ffff:ffff:ffff A prefix is going to start on specific net break, if you put an address that is in the middle of the network, that doesn't change the network address. Its easier to read with IPv4 as example.. Lets say you are using a 192.168.0.0/22 This range is 192.168.0.0- 192.168.3.255 If You put an address of say 192.168.2.1/22 on your interface.. The network that is on is still 192.168.0.0- 192.168.3.255 If you used 192.168.1.1, or 192.168.1.254 or 192.168.3.254 or 192.168.2.27, etc.. the network is still that 192.168.0/22 that runs from 192.168.0.0 to 192.168.3.255, does not matter where in that space the address you put on the interface lands. A prefix or netblock/network is always going to start and end at specific addresses.. Just because you put an IP that is in that range on the interface, doesn't change the the network boundaries If you wanted to use 246:246, that would be like the 71st subnet out of your /56 fd00:fd00:246:246::/64 fd00:fd00:246:246:0000:0000:0000:0000-fd00:fd00:246:246:ffff:ffff:ffff:ffff

@Bob-Dig You are the best! Thanks for the info, i really appreciate it

@mathais I haven't configured a bridge in pfSense, so I can't speak from experience, however physical bridges don't have any addresses. They're supposed to be transparent. Do the actual interfaces have a link local address.

@DrPhil said in Configure IPv6 on multiple LAN interfaces: Hi, I am trying to configure IPv6 on multiple LAN interfaces (LAN and DMZ). Did you ever get this sorted? The thread seemed to peter out at the end... What works for me on Verizon FIOS Interfaces / Wan IPv4 Configuration Type dhcp IPv6 Configuration Type dhcp6 DHCPv6 Prefix Delegation size 56 Send IPv6 prefix hint checked Do not wait for a RA checked it ends up looking a bit weird -- only a link local (FE80::something) configured on the Wan interface, but it works (you can probably find the RFC about using only ipv6 link local addresses on routers - I'm not going to bother searching) Then on the LAN interfaces IPv6 Configuration Type Track interface and under "Track IPv6 Interface" IPv6 Interface WAN IPv6 Prefix ID <pick a unique number -- I like using the vlan #> Then under "Services / DHCPv6 Server" DHCPv6 Server gets checked Range pick something Prefix Delegation Size is 64 Default lease time I used the 7200 default Max lease time I went with 28800. I started with one day but the dhcpv6 address occasionally showed up as deprecated and 'valid_lft forever preferred_lft 0sec' Hopefully that's a good enuf description :)

@DrPhil said in IPv6 static leases when ISP changes the prefix: Under System > Advanced > Networking, there's a setting Do not allow PD/Address release. Is that selected? If not, your prefix will change for something as simple as disconnecting & reconnecting the WAN cable. Thank you! That's exactly what I was hoping to hear. I've now checked that box, and will monitor. If the ISP still changes the prefix on me, I'll just call them. I'm on Verizon FIOS and they do change the prefix all too often. Even without a reboot or anything that would cause the interface to bounce the delegated prefix can change :( The good news is that if you leave the prefix off of the IPv6 address in the DHCPv6 config the server will supply the prefix for you. I haven't figured out how to predict the DUID so I just let the system assign an ipv6 address from the free pool & then go to the ' Status / DHCPv6 Leases' page, find the entry that I want to convert to a static address, and under Actions click the 'Add static mapping' button. That brings up the ' Services / DHCPv6 Server & RA / LAN / DHCPv6 Server / Edit Static Mapping' page and then I put just the "::host addr" in the IPv6 address field. The system will fill in the delegated prefix part of the address when it gives out the DHCPv6 address later on. .

@Martin_D said in IPv6 seems to break unbound 23.09.1: local-data: "pfSense.home.arpa. AAAA fe80::2694:cbff:fedd:4bd1%igc0" That's the one I do not have : local-data: "pfSense.brit-hotel-fumel.net. AAAA 2a01:cb19:dead:beef:92ec:77ff:fe29:392c" I've no "%igc0" (the network name part) and for ùme, unbound has troubles this "%igc0". I've no "fe80" IPv6, but a 'real' "2a01:xxx" as that's part of the prefix DHCPv6 client on WAN obtained. For me, 2a01:cb19:dead:beef:92ec:77ff:fe29:392c was assigned as the LAN IPv6. The error : Conversion error, ip6 addr expected makes me thing that unbound doesn't understand the "%igc0" part. Probably not related, but this one Request only an IPv6 prefix Yes The prefix or prefixxes (multiple /64) are for your LAN(s). You don't want an Ipv6 for your pfSense WAN ? I tend to not check that option. Another one : what do you have here : [image: 1705647873422-e7358334-fd04-4b7b-a20f-74042557b554-image.png]

@shaunmccloud Yeah, the ISP's delegated prefix can change - it's a pain sometimes. Instead, I use DHCPv6 to allocate ULA's (which don't depend on the ISP's delegated prefix). If you're interested, here's what I did for my PiHole. Using the DHCPv6 server, set up a ULA prefix delegation for your LAN, say fd01:2345:ef01:2345:: / 64 (use the same prefix in both the 'from' and the 'to' boxes). Then under Firewall, give the LAN port a VIP (virtual IP) alias of fd01:2345:ef01:2345::1 / 64. (You may need to reboot to get these to stick.) Then see what ULA your Pi uses (SSH in and enter 'ifconfig' - you'll see an address that starts with that fd01... prefix). Enter that full address as the static v6 address in the Pi's /etc/dhcpcd.conf, and also enter it as the DNS server address in pfSense's DHCPv6 server (provided to clients). It also can't hurt to run 'pihole -r' on your pi, and go through the setup again to make sure it spots the ULA as your IPv6 static address. If you have more than one LAN port (OPT1, OPT2, etc), you'll want to set them up with ULA's of their own (including their own VIPs). And if you have multiple ports, in the PiHole's DNS settings tab, tell it to respond only to the physical interface (ethernet or wifi) that you use on the Pi. (If you tell it to only allow local requests, it won't respond to client requests from a different port on the router.) There is a patch for 2.7.2 to make ULA routing work between multiple LAN ports - see https://forum.netgate.com/topic/184867/ula-routing-broke-after-2-7-2-update/29 (This patch is also scheduled to be included in 2.8.) Also note, when you do a pihole -r, it will reset PiHole to respond only to local requests, so you'll want to check that setting if your router has multiple LAN ports. Then on your clients, check that the Pi's ULA is being picked up as the IPv6 DNS server (e.g., "ipconfig /all" in Windows). And try pinging it ("ping -6 fd01..." in Windows) to make sure you've got connectivity. My clients send their DNS queries directly to my PiHole, and I point my PiHole directly at Quad9, and I have never had an issue.

@voigon I don't waste my time with that ping "menu". I just use ssh to pfSense and go from the command line. However, when resolving this sort of problem, packet capture is your friend, either the built in Packet Capture or Wireshark. You can then see if the ping is appearing where it's supposed to and with the correct addresses, etc..

@NogBadTheBad I always do packet capture in promiscuous mode, as these days switches keep most of the other traffic away. Back when I first started using it, then known as Ethereal, hubs were still in use, so you'd see everything on the network, including passwords.

@koyaan134 said in Setting up IPv6?: Or do I just put it into the monitor IP field and that's it? Yep. That's it. I appreciate your help by the way - pretty sure you were involved in troubleshooting a few of the threads I was reading! I've been running IPv6 for almost 14 years and 8 with pfSense, so I do have some experience. Almost my entire career, going back to 1972, has been on the technical side of telecom, computers and networks, including at IBM. I first learned about IPv4 when I took a course at a local community college in early 1995. Even then, in that class, I realized 32 address bits weren't enough. Around the same time I first read about IPv6 in the April 1995 issue of Byte magazine. I knew then IPv6 was the way to go and have done what I can to promote it. BTW, along the way I was certified in Novell Netware 3.x, OS/2 Warp 4 and Cisco CCNA. I also took the course for Netware 4, but didn't take the test as by that time I was working at IBM and my focus changed.

I tried restarting pfSense as well as my clients, and it didn't seem to help on the day. However the following day everything started working fine. I am all good now. My first thought was to delete this post. But I am leaving it up in case someone else faces a similar situation in the future. As unhelpful as it sounds, waiting a day might make the problem go away :-)

Have to chime in here on the value of this feature. I'm a bit confused as to the response saying it cannot be done, though. I am probably misreading that in the overall context. This feature is in OPNsense, so programmatically it can be done.

@alnico Both the WAN and LAN addresses are on the same box. Just a few days ago, I was testing my OpenVPN while on my LAN. Worked fine. Connecting from elsewhere, to the LAN, is the same thing, just in the opposite direction. Just make sure your firewall will pass UDP port 1194.

@sloopbun Me to :-)

UPDATE: This issue is not specific to the use of large mtg (jumbo frames). It affects ICMP6 generally in this configuration. I don't know if the issue is due to the VLAN or the combination of a VLAN on a bridge. IPv4 is not affected and ICMP message sizes (with do-not-fragment set) respect the configured mtu.

@JKnott I guess my question wasn't well phrased. I'll post a rephrased version as a new question and delete this question in a few hours.

@SteveITS I seem to have gotten it to work, but I'm not quite sure how. I'll download the old pre-v6 and current configs and diff them. And, BTW I have a modem-only connection (non-Xfinity device) without any routing or NAT. pfSense runs on a Zotac CI323-nano mini-pc.