• WAN Firewall Rules for IPv6

    6
    0 Votes
    6 Posts
    993 Views
    JKnottJ

    @guardian said in WAN Firewall Rules for IPv6:

    Will IPv6 go through a bridge the same way as IPv4?

    Yep, as will IPX, NetBIOS, SNA, DECNet, etc..

  • Linux systemd and Prefix Delegation

    1
    0 Votes
    1 Posts
    490 Views
    No one has replied
  • icmpv6

    3
    0 Votes
    3 Posts
    385 Views
    H

    @Gertjan
    Yes this would work if I do not disable IPv6 in Advanced Settings and then catch the IPv6 with my own rules as you suggest.
    However, by allowing IPv6 in Advanced Settings, pfSense automatically adds rules to allow any icmpv6, because this is needed for ipv6 to work.
    These rules cannot simply be overruled.
    It's not a big problem, at least I can control the logs a little better, but at least icmpv6 will be allowed and that is not something I wanted to begin with.

  • Ipv6 not passing route.

    1
    0 Votes
    1 Posts
    302 Views
    No one has replied
  • DHCPv6 PD not installing route after 23.05-RELEASE upgrade

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG

    @asdjklfjkdslfdsaklj said in DHCPv6 PD not installing route after 23.05-RELEASE upgrade:

    new bug report.

    That link is also a bug ....
    I mean : click on it and enjoy.
    More edits :
    Since 5 days or so :
    If the patch is applied
    and you "pkg install dhcpleases6"
    does it work ?

  • Problems using npt in pfsense 2.7

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • IPv6 Delegated Prefix Not Routing

    4
    0 Votes
    4 Posts
    456 Views
    JKnottJ

    @matthewgcampbell

    Again, pfSense has to know the route to that subnet. It knows where that interface is, but not what's beyond it.

    Here's an example, though it's for IPv4 only.

    [image]

    In order to access that 172.16.2.0 network, I had to tell pfSense where to find it. You may see your pings go out, but how far do you see the replies coming back? You can use Packet Capture to watch for them. I bet you see them come into pfSense, but then what??? Without a route, pfSense cannot send them where they're supposed to go.

    I assume that delegated prefix is provided by your ISP.

  • 0 Votes
    1 Posts
    214 Views
    No one has replied
  • 0 Votes
    4 Posts
    659 Views
    RobbieTTR

    @s0ulf3re

    I had a similar issue, now resolved (for the most part):

    Resolved: Did v23-05 break ipv6?

    👍

  • NPt IPv6 behind double nat

    11
    0 Votes
    11 Posts
    1k Views
    O

    @Bob-Dig not dynamic prefixes but ULA prefixes which are mapped to a routable IPv6 NAT 1:1

    Like, you set fc08::1000 to a client, then you can route it with NPt to whatever prefixes you own; you just map ULA/64 to native /64. Used to do it many times. You can do this with he.net native IP and have failover links and choose which interface to use.

    So all the IPv6 are static but not in the range of the routable IPv6 prefix

    However never done it with double NAT seems to be tricky

  • IPv6 forwarding routinely broken; disable/enable DHCP6 on WAN to fix

    7
    0 Votes
    7 Posts
    896 Views
    J

    I should add that the only difference between my custom config and the default (non-advanced) config was that request refreshtime; was added and the DNS related request lines were removed.

    This is why I have a suspicion that adding in request refreshtime might be the thing that actually helped.

  • chrome://net-internals/dns#dns ???

    3
    0 Votes
    3 Posts
    2k Views
    JonathanLeeJ

    @johnpoz
    I mostly do, except some university classes require we use it.

  • [HOWTO]Keep the ipV6 addr active

    2
    0 Votes
    2 Posts
    320 Views
    johnpozJ

    @insmod active just means the cache has expired ie no traffic. IPv6 uses NDP, arp for IPv6..

    There is little point to trying to create traffic to keep that listing as "active"

  • PHP errors

    1
    0 Votes
    1 Posts
    238 Views
    No one has replied
  • ipv6 disable on Pfsense

    62
    0 Votes
    62 Posts
    24k Views
    B

    @johnpoz Before my ISP offered IPV6, I used a tunnel from HE. It worked very well. Admittedly it's been a while since I have used HE, but I agree that you can't go wrong with them.

  • IPv6 increases latency under load. Bufferbloat goes from A+ to D

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • DHCPv6 on WAN works but pf uses SLAAC address

    10
    0 Votes
    10 Posts
    2k Views
    JKnottJ

    @keyser said in DHCPv6 on WAN works but pf uses SLAAC address:

    I'll need some time without users on my net to do some proper testing. But I did do a packet capture, and the ICMP6 flow looked normal. When my pfSense transmitted packet from the SLAAC GUA address to the fe80 default gateway, they were simply blackholed.

    When pinging link local addresses, you have to specify the interface with the -I option. You could also try capturing the full DHCPv6 sequence and posting the file here.

  • Pfsense configures radvd with a /60, breaking it [SOLVED]

    13
    0 Votes
    13 Posts
    4k Views
    w0wW

    I have similar messages from radvd and want to debug dhcp6c messages, but I don't see a debug option anywhere. How can I start dhcp6c in debug mode? PfSense version is 23.05, WAN is PPPoE and LAN is set to track IPv6 on WAN.

  • ISP only hands out IPv4 Issue

    14
    0 Votes
    14 Posts
    985 Views
    S

    So far I have found the following to work best on my boxes to remove IPv6 as much as possible resulting in better stability of Unbound no longer crashing or hanging unresponsive at random or when forced performing IPv6 nslookups:

    Unbound Custom options to remove all local and external domain AAAA responses in replies given to clients:

        server:
        do-ip4: yes
        do-ip6: no
        prefer-ip4: yes
        prefer-ip6: no
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: ::ffff:0:0/96
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: ::/0
        private-address: ::
        local-zone: localhost.home.arpa transparent
        local-data: "localhost.home.arpa A 127.0.0.1"
        local-zone: localhost transparent
        local-data: "localhost A 127.0.0.1"
        local-zone: ip6.arpa redirect
        local-data: "ip6.arpa A 0.0.0.0"
        local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
        local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
        local-zone: "::/0" static
        dns64-ignore-aaaa: *.*
        do-not-query-address: ::
        do-not-query-address: ::1
        do-not-query-address: ::/0

    Shellcmd's added to Shellcmd package to load at boot to unload any auto created/started inet6 interfaces, add or relabel for any other interface names that show when running command prompt/console command ifconfig

        ifconfig lo0 inet6 ifdisabled
        ifconfig igb0 inet6 ifdisabled
        ifconfig igb1 inet6 ifdisabled
        ifconfig ix0 inet6 ifdisabled
        ifconfig lo0 inet6 fe80::1%lo0 delete
        ifconfig lo0 inet6 ::1 delete

    These last two are system files; these adjustments aren't saved in config.xml files, so until there is a patch or tick box added, they would need to be re-applied after each system upgrade, but they do survive general reboots -
    edit /etc/inc/system.inc, search for 'localhost' around line 331 and comment out the ::1 IPv6 section of lines with /* at the beginning, a * for each next line and */ at the end:

        /*
         * $hosts[] = array(
         * 'ipaddr' => '::1',
         * 'fqdn' => 'localhost.' . $syscfg['domain'],
         * 'name' => 'localhost',
         * 'domain' => $syscfg['domain']
         * );
         */

    edit /etc/hosts.allow and comment out the line by adding a #:

    #ALL : [::1] : allow
  • 0 Votes
    7 Posts
    878 Views
    JKnottJ

    @Gertjan said in DHCPv6 cannot specify local DNS server if interface is set to track interface with ::local:portion format:

    That brings me to the final question, as I actually never gave it a chance: will my devices still have the same IPv6 over time?
    Can I put an IPv6 firewall rule that makes my printer (example) accessible from the Internet?
    Using an IPv6, or an alias that has a host name that is constantly resolved to the correct 'local' IPv6, whatever that might be?

    Assuming your prefix is consistent, yes you can. With SLAAC you have one consistent address and up to seven privacy addresses. You use the consistent address to get through the firewall, for external DNS, etc.. The consistent address can be based on either the MAC address or a random number. Either way, it doesn't change.

    I have an external DNS that points to devices I may want to reach.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.