  • IPv6 seems to break unbound 23.09.1

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
    @Martin_D said in IPv6 seems to break unbound 23.09.1: local-data: "pfSense.home.arpa. AAAA fe80::2694:cbff:fedd:4bd1%igc0" That's the one I do not have : local-data: "pfSense.brit-hotel-fumel.net. AAAA 2a01:cb19:dead:beef:92ec:77ff:fe29:392c" I've no "%igc0" (the network name part) and for me, unbound has troubles with this "%igc0". I've no "fe80" IPv6, but a 'real' "2a01:xxx" as that's part of the prefix DHCPv6 client on WAN obtained. For me, 2a01:cb19:dead:beef:92ec:77ff:fe29:392c was assigned as the LAN IPv6. The error : Conversion error, ip6 addr expected makes me think that unbound doesn't understand the "%igc0" part. Probably not related, but this one Request only an IPv6 prefix Yes The prefix or prefixes (multiple /64) are for your LAN(s). You don't want an IPv6 for your pfSense WAN ? I tend to not check that option. Another one : what do you have here : [image]
  • IPv6 and Pi-Hole DNS Question

    3
    0 Votes
    3 Posts
    986 Views
    A
    @shaunmccloud Yeah, the ISP's delegated prefix can change - it's a pain sometimes. Instead, I use DHCPv6 to allocate ULAs (which don't depend on the ISP's delegated prefix). If you're interested, here's what I did for my PiHole. Using the DHCPv6 server, set up a ULA prefix delegation for your LAN, say fd01:2345:ef01:2345:: / 64 (use the same prefix in both the 'from' and the 'to' boxes). Then under Firewall, give the LAN port a VIP (virtual IP) alias of fd01:2345:ef01:2345::1 / 64. (You may need to reboot to get these to stick.) Then see what ULA your Pi uses (SSH in and enter 'ifconfig' - you'll see an address that starts with that fd01... prefix). Enter that full address as the static v6 address in the Pi's /etc/dhcpcd.conf, and also enter it as the DNS server address in pfSense's DHCPv6 server (provided to clients). It also can't hurt to run 'pihole -r' on your Pi, and go through the setup again to make sure it spots the ULA as your IPv6 static address. If you have more than one LAN port (OPT1, OPT2, etc), you'll want to set them up with ULAs of their own (including their own VIPs). And if you have multiple ports, in the PiHole's DNS settings tab, tell it to respond only to the physical interface (ethernet or wifi) that you use on the Pi. (If you tell it to only allow local requests, it won't respond to client requests from a different port on the router.) There is a patch for 2.7.2 to make ULA routing work between multiple LAN ports - see https://forum.netgate.com/topic/184867/ula-routing-broke-after-2-7-2-update/29 (This patch is also scheduled to be included in 2.8.) Also note, when you do a pihole -r, it will reset PiHole to respond only to local requests, so you'll want to check that setting if your router has multiple LAN ports. Then on your clients, check that the Pi's ULA is being picked up as the IPv6 DNS server (e.g., "ipconfig /all" in Windows). And try pinging it ("ping -6 fd01..." in Windows) to make sure you've got connectivity.
    My clients send their DNS queries directly to my PiHole, and I point my PiHole directly at Quad9, and I have never had an issue.
  • Static IPv6 setup

    14
    0 Votes
    14 Posts
    4k Views
    JKnottJ
    @voigon I don't waste my time with that ping "menu". I just use ssh to pfSense and go from the command line. However, when resolving this sort of problem, packet capture is your friend, either the built-in Packet Capture or Wireshark. You can then see if the ping is appearing where it's supposed to and with the correct addresses, etc.
  • IPv6 RA breaks through VLAN's

    12
    0 Votes
    12 Posts
    2k Views
    JKnottJ
    @NogBadTheBad I always do packet capture in promiscuous mode, as these days switches keep most of the other traffic away. Back when I first started using it, then known as Ethereal, hubs were still in use, so you'd see everything on the network, including passwords.
  • Setting up IPv6?

    7
    0 Votes
    7 Posts
    1k Views
    JKnottJ
    @koyaan134 said in Setting up IPv6?: Or do I just put it into the monitor IP field and that's it? Yep. That's it. I appreciate your help by the way - pretty sure you were involved in troubleshooting a few of the threads I was reading! I've been running IPv6 for almost 14 years and 8 with pfSense, so I do have some experience. Almost my entire career, going back to 1972, has been on the technical side of telecom, computers and networks, including at IBM. I first learned about IPv4 when I took a course at a local community college in early 1995. Even then, in that class, I realized 32 address bits weren't enough. Around the same time I first read about IPv6 in the April 1995 issue of Byte magazine. I knew then IPv6 was the way to go and have done what I can to promote it. BTW, along the way I was certified in Novell Netware 3.x, OS/2 Warp 4 and Cisco CCNA. I also took the course for Netware 4, but didn't take the test as by that time I was working at IBM and my focus changed.
  • IPv6 lease not renewing?

    2
    0 Votes
    2 Posts
    475 Views
    D
    I tried restarting pfSense as well as my clients, and it didn't seem to help on the day. However the following day everything started working fine. I am all good now. My first thought was to delete this post. But I am leaving it up in case someone else faces a similar situation in the future. As unhelpful as it sounds, waiting a day might make the problem go away :-)
  • Feature idea/request: GUI prefix delegation display

    7
    2 Votes
    7 Posts
    1k Views
    L
    Have to chime in here on the value of this feature. I'm a bit confused as to the response saying it cannot be done, though. I am probably misreading that in the overall context. This feature is in OPNsense, so programmatically it can be done.
  • 0 Votes
    8 Posts
    1k Views
    JKnottJ
    @alnico Both the WAN and LAN addresses are on the same box. Just a few days ago, I was testing my OpenVPN while on my LAN. Worked fine. Connecting from elsewhere, to the LAN, is the same thing, just in the opposite direction. Just make sure your firewall will pass UDP port 1194.
  • 0 Votes
    13 Posts
    2k Views
    keyserK
    @sloopbun Me too :-)
  • 0 Votes
    4 Posts
    1k Views
    C
    UPDATE: This issue is not specific to the use of large mtu (jumbo frames). It affects ICMP6 generally in this configuration. I don't know if the issue is due to the VLAN or the combination of a VLAN on a bridge. IPv4 is not affected and ICMP message sizes (with do-not-fragment set) respect the configured mtu.
  • Assigning static IPv6 IPs within delegated prefix?

    4
    0 Votes
    4 Posts
    557 Views
    J
    @JKnott I guess my question wasn't well phrased. I'll post a rephrased version as a new question and delete this question in a few hours.
  • Comcast IPv6 redux

    3
    0 Votes
    3 Posts
    727 Views
    J
    @SteveITS I seem to have gotten it to work, but I'm not quite sure how. I'll download the old pre-v6 and current configs and diff them. And, BTW I have a modem-only connection (non-Xfinity device) without any routing or NAT. pfSense runs on a Zotac CI323-nano mini-pc.
  • Why does pfsense run dhcpv6 and slaac by default?

    16
    0 Votes
    16 Posts
    4k Views
    JKnottJ
    @IonutIT said in Why does pfsense run dhcpv6 and slaac by default?: RFC6724 mandates that IPv4 is preferred over ULA IPv6 but IPv6 GUA is preferred over IPv4. You can obviously manually bypass this by breaking RFC in Linux systems but can't be done for other embedded systems.
    I guess my computer hasn't read that RFC. Neither have I for that matter.
    host firewall
    firewall.jknott.net has address 172.16.0.1
    firewall.jknott.net has IPv6 address fd48:1a37:2160:0:4262:31ff:fe12:b66c
    ping firewall
    PING firewall(firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c)) 56 data bytes
    64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=1 ttl=64 time=0.313 ms
    64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=2 ttl=64 time=0.162 ms
    64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=3 ttl=64 time=0.136 ms
    64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=4 ttl=64 time=0.120 ms
  • IPv6 Track Interface not working after reboot

    1
    0 Votes
    1 Posts
    224 Views
    No one has replied
  • Firewall blocking allowed traffic

    5
    0 Votes
    5 Posts
    818 Views
    H
    @johnpoz Hi John, That was fast :-) Sorry that my explanation was not clear enough. fc00:18f:11ab:3010::1 and fc00:18f:11ab:3010:0:0:0:1 is the default gateway for the subnet on the interface. That was what I tried to explain by saying I change the IPv6 number of the interfaces from short to long or the other way. So no, the server has the same IPv6 number all the time ending on 11 (fc00:18f:11ab:3010::11). Configuration of the Interfaces: IPv4 Configuration Type: Static IPv4 IPv6 Configuration Type: Static IPv6 Static IPv6 Configuration IPv6 address fc00:18f:11ab:3010::1/64 (Short) or fc00:18f:11ab:3010:0:0:0:1/64 (Long) Regards Henning
  • CenturyLink, 6RD, IPv6 and internal routers

    centurylink 6rd
    1
    0 Votes
    1 Posts
    588 Views
    No one has replied
  • ipv6 test AAAA DNS queries not resolving

    8
    0 Votes
    8 Posts
    1k Views
    johnpozJ
    @chill_out Personally I normally just have it use loopback.. And I am back to that - I don't really need my dns going out my HE tunnel.. And other than that test of theirs have no need of it.
  • Setting up Prefix Delegation

    1
    0 Votes
    1 Posts
    313 Views
    No one has replied
  • Unable to set raw DUID for WAN

    orange dhcpv6 duid
    1
    0 Votes
    1 Posts
    515 Views
    No one has replied
  • pfsense updated itself, no more IPv6 from ISP DHCP6

    2
    0 Votes
    2 Posts
    373 Views
    Q
    My ISP has, after weeks of fighting them on the matter, admitted that this is in fact their fault. I would delete this thread, but I cannot.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.