@Fandangos said in Ipv6 almost working?: https://www.reddit.com/r/ipv6/comments/evv7r8/ipv6_and_netflix/ Is this beyond what the end user is able to solve? That was years ago (the reddit post : more the 4 years). When Netflix, like everybody else started to use IPv6. Netflix, for very understandable reasons don't want me to look at season 10 of Walking Dead, while it's already old and out in other countries. They use my IPv6 to 'know' where I connect from. The thing is : they had not mapped the entire Ipv6 into a a GEO IPv6 database to determine where I connect from. [ and now they know that they will never be able to do so, as there isn't enough materiel on planet earth to build all the hard disks to store this database ] Some IPv6 ranges, tough, are already listed : the ones from huricane.net for example, some sort of VPN IPV6 supplier. I was using them as they offered a good IPv6 implementation (way better as many ISP today). The solution was an easy one : pfBlockerng ! Like this : [image: 1702882235533-229110bf-a604-473e-9916-a319272cbd73-image.png] There is a list on this forum with all (there are several) netflix domain names that you have to enter. Netflix, from then on, will be accessed over IPv4, and you'll be fine.

@tmoore said in Setting up ipv6 with one /64 allocation: For what it's worth my ISP is Teksavvy. I phoned in to them this morning and asked them to give me a /56 address delegation which they have done. So now I have a /56. Are you connected via Bell or Rogers? If Rogers, you might want to check the Rogers config. A friend of mine is with Teksavvy on Rogers. Another friend used be be with them on Bell. As for that pending gateway, you have to provide a monitor address that responds to pings. For mine, I ran traceroute to Google and picked the first address that responded. That address is 2607:f798:10:10d2:0:241:5615:217. It might be different for you, depending on where you are.

@Kenneth_H said in IPv6 with framed IPv6-prefix: it does however seem strange that the lease time is around 5 minutes My lease time is over 164 hours.

@Spaylia Well, I don't know what to say. It's a really strange system you have there. The MAC address comes from the NIC, not pfSense. So, if you're seeing the MAC, that is the 48 bit hardware address, on the LAN side, there must be some other path involved. This is why I asked you to provide the Packet Capture file, so that I can examine it in Wireshark.

@regiolis said in IPv6 not working on LAN: hat's my case..... so i don't know how to do Describe your Internet connection. For example, I'm on a cable modem, which I put into bridge mode. This allows DHCPv6-PD to reach my pfSense firewall, which will then provide IPv6 to the LAN.

I've just put pfsense 2.7 in for my parents Toob connection, it's a IPV4 CGNAT / IPV6 service and I think they allocate /56. Not needed to carve up VLANs etc. it's a flat network. I must check the log file myself to confirm what they had out.

@elbombo Editing /conf/config/xml worked... ``` <dhcrelay> <interface>lan,opt3,opt4,opt8,opt25</interface> <server>10.200.0.233</server> <carpstatusvip>none</carpstatusvip> <enable></enable> </dhcrelay> <dhcrelay6> <interface>lan,opt3,opt4,opt8,opt25</interface> <server>xxxx:xxxx:x:xxxx::233</server> <carpstatusvip>none</carpstatusvip> <enable></enable> </dhcrelay6>

@chill_out said in Router solicitations not working on vlans (2.7.1-RC): My understanding is that with ipv6 there's no more broadcasts, everything is either unicast or multicast That is correct. The closest thing to a broadcast is the all hosts multicast. There are some differences, such as the scope can be specified and for some things, the hop count can be set to 255 as protection against a bogus packet being sent through a router.

Edit: I found the solution, I disabled the DHCPv6 server, RA on Assisted and Priority on High, and on the LAN interface I left it on Track Interface. It works without problems even after the restart. Thanks! @JKnott

@Lurick said in Do not allow PD/Address release - Specific Interface Only?: needs it checked otherwise your IPv6 prefix will change Yeah for sure could see that.. Because it would release it.. But not sure how some ISP would need a release from you - for stuff to work.. They might give you a different prefix anyway even if you don't release.. But not sending a release should have nothing to do with getting a prefix in the first place. you sure can not send a release when your first asking for one.

@Dough29 said in Subneting my /56 prefix to multiple internal LANs: forum lafibre.info That's where I go to check if any progress exists

@FOOLiSH86 said in IPV6 on pfsense WAN: I wanted to understand how to properly set up full ipv6 support on my pfsense You might want to mention your ISP, as some might have issues. As for pfSense, you need the modem in bridge mode, as gateway mode won't work for this. Then you need to enable dhcpv6 on the WAN interface. Normally, you use SLAAC on the LAN side. I used unmanaged for RA mode. Try getting started and ask about any issues as you come across them. Also, someone might have already posted configuration for your ISP or similar. Here's the info for mine.

@JKnott I appreciate your knowledge and input. Getting that deep with the ISP customer support is my fear. I don't know if its worth the effort. It would probably be easier changing ISPs :). Luckily, the problem fixed itself after several days! I didn't change my PfSense configuration but I did bring the WAN interface down and back up again today. I guess whatever was hanging up the CMTS is fixed as it decided to honor the prefix delegation it supplied me. IPv6 traffic within that prefix range is finally routing back. Thank you again.

@yobyot My IPv4 address is so "durable" it's virtually static. Also, the host name, provided by my ISP, is based on the modem and router MAC addresses, so it never changes, unless I change hardware.

@Mats I was really excited by your comment and went and created an alias that points to ::/56 then created an inverted pass rule for this alias. Unfortunately it seemed that I could still access my other networks via IPv6, so something was weird. But then I've switched from using the alias "::/56" to actually defining the network ::/56 in the firewall rule and it magically started working. So it seems that you're right you can block by using this. Thank you, this has been very useful!

@bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?: The correct way to handle this is to use a separate sub-domain for your internal AD setup. Something like mydomain.com for the public IP domain name and internal.mydomain.com for the Windows AD network in RFC1918 space. That can work. A quick Google search will lead you to a Microsoft best practices and how-to article on this configuration. I highly recommend you restructure you AD configuration to match what is described at this older Microsoft link here: https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx. And here is a slightly newer document showing the same thing: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772970(v=ws.10). Thanks for the links - one of them I had looked already (as a Google search pointed to it). My public domain name has a - {dash} in it, and apparently my old ass NAS does not like that. I have tried and tried to get it to recognize the domain-name that I first setup as ad.{mypublicdomain} - even a chat session with them for over an hour (nothing worked - they plan no updates to it. It also only does CIFSv1/SMBv1 - FTP (no sFTP) and NFS (but only to Linux boxes) - and some form of iSCSI. I have over 6TB of files and stuff on there, and they "SEAGATE" is not even willing to 'help' me with another NAS to replace it. One of my IT buddies said I should use {mypublicdomain}.loc for my AD/DS...but still going to resolve the - {dash} in there unless I remove it completely. I have considered creating (renaming my public-facing-domain) as only HomeAssistant uses it (well their app on my phone and the ALEXA and GOOGLE links do too). My older post you referenced was assuming the network was IPv4 only with no IPv6 in use. You want to use IPv6, but your ISP is not guaranteeing you a static assignment (they use prefix delegation which means the IPv6 space might change unexpectedly). That's going to be an issue unless you use both ULA and GUA IPv6 addresses. My post also assumed that your Active Directory domain was never going to be accessed from outside. Sounds like that is not what you intend as you mentioned somewhere up above about using some type of home automation with LDAP authentication I believe (unless I'm confusing this thread with another one). Pretty much what I am going to. Every guide that I have read says not to DISABLE the IPv6 on a DC. I am going to leave it at its default settings and let pfSense take care of it. Same for DHCPv4 - going to only do DNS on AD/DS and I am guessing that pfSense is RESOLVER with the FORWARDING option turned on. I would also need a Domain Override setup to point to AD/DS name and IPv4 address as well. Still trying to grasp the REV LOOKUP (setup in pfSense) thing and the HOST OVERRIDE too. The LDAP stuff that I want to do is not really for Home Automation, per se. I do have HomeAssisitant - what I want to do is sign-ins to the various parts with LDAP credentials so that I do not have to keep up with (currently 22) separate login accounts. All of that stuff is 'inside' my pfSense Firewall - only Alexa and Google can access from outside and their app. I got that working, and hoping that I do not have to go through that again. WHEW!!!