@gromit1234 said in Another IPv6 weirdness with ISP:

@RobbieTT
OMG - it was in there!
You're using FTTP (I think), but your point about MTU got me thinking....
The WAN was set to 1492 by the ISP. The LAN defaulted to 1500. I changed this to 1492 et voila!

THANK YOU SO MUCH!

👍

No problem at all. It does not matter if you are on FTTP or not, the physical link on the WAN to your ADSL/VDSL2/G.fast modem should be 1508 MTU, allowing a normal 1500 MTU to traverse wearing the 8-byte PPPoE wrapper (ie as per my settings).

☕️

@darkonc was that for me?

@SpaceBass yeah I came to that conclusion like 12 or 13 years ago ;) heheh when first start playing with ipv6.

I try it again every year or so hoping the isp has learned and fixed stuff, etc. My current isp doesn't even offer ipv6 native.. I have to use HE tunnel.

Which I setup something like 12 years ago, and has really been pretty rock solid for when I use IPv6 - which again is only play.. I did for many years host ntp into the ntp pool off my IPv6 via the tunnel. But while back said to myself why.. And just turned that off as well.

Don't get me wrong, works great on my phone - they only give you IPv6, no ipv4 at all - and they connect you to ipv4 using 464XLAT I am pretty sure. And this seems to work just fine on anything accessing on my phone. But when I am out and about on my phone trying to get to amazon.com or fanduel over cell.. I am not real worried about firewall rules, etc.

For the typical home user with their isp gateway, hey they can get to amazon.com or their favorite porn site - most of them don't even know what an IP address is, let alone the difference between v4 and v6..

The simple solution for your "power" user if you will - someone that has taken the jump to pfsense vs some isp gateway device and is now segmenting their network and creating firewall rules to limit what say their iot devices can do.. IPv6 has a pretty steep learning curve, and brings all kinds of complexity to securing your network..

If you want to play - I would suggest HE, you can get a /48 that doesn't change.. And from my experience has been pretty rock solid.. And deploy it how you want to devices you want to play with it, etc.

You not enabling it on your network isn't going to hold the world back from transitioning - in 20 some years or so it might be there ;)

@ansel That was the weird part there was nothing in the logs and the interface showed up.

I say "was" as it hasn't happened in the last week. Sigh.

Heisenbug? Sun Spots?

@keyser

I seem to remember that the draft for IPv6 was out before IPv4 NAT became a thing. Even the original author of NAT (Paul Francis?) didn't think much would come of it. Then came PIX hardware and the world changed.

@darkonc
To my knowledge, this needs to be configured manually in pfSense. The LAN interfaces get their subnets by following the WAN interface, however, the WAN cannot follow itself. In other words: if the prefix change, one needs to manually configure it again - or have some sort of scripting to do this.
All tho I get that "providers should keep prefix fixed, preferably, for the time the contract is active", in reality, most of them do not. They change the prefix if you change/upgrade your router and depending on the configuration you change on the router it can trigger a new prefix (it is based on the DUID in the case of Telus). In my mom's house (Brazil), the IPv6 prefix changes almost every 3 weeks with default configuration (why? to annoy users maybe...).

In short, I agree with everything you said, I would like to have the IPv6 set to the WAN, but I can live without it.

Thanks,
JrBenito.

@RobbieTT

Part of the reason for the U.S. being so slow with IPv6 goes back to when IPv4 was created and most of the addresses went to the U.S.. As a result it didn't have the pressure of the IPv4 address shortage as the rest of the world did. Of course, when it was originally set up, it wasn't intended to be world wide. It was just to support defense researchers and grew from there. Also, back then, there wasn't a lot of data crossing the pond, as there wasn't much capacity until fibre came along.

@SteveITS said in IPv6 not passing despite rules:

Do you have two WANs

bingo!
Just disabled WAN2 for testing, IPv6 works immediately.

Works fine for me now, good job. 👍 👍

@sorg said in How to 4rd with pfsense ?:

This guide is not relevant for our situation.
We are not connected through VDSL, but with Fiber (FTTH using 10G-EPON.)

Ok now I now it a bit better.

We already have the necessary hardware (the ONT) to connect the incoming fiber to a modem and we know the steps to achieve the results.

This was not clear to me from the opening post.

We need to spoof the MAC address of the Freebox on the ethernet interface that will be connected to the ONT: It's ok and working.
We need access to VLAN 836 on this interface and get an ipv6 link with dhcpv6 provisionning: It's ok and working.

Ok.

We need to open a tunnel of type ipip6 over this link in order to get the ipv4 Wan connection.
Ideally this tunnel is negotiated with 4rd or map-e protocol, however, we can also force the settings manually.

Oh ok I see it is in real another problem, so
I was not really able to get it right.

I have not been available to achieve this last step on pfsense/opnsense, while i have all this set up an working in vyos or openwrt.

Oh ok if you got it working in VyOS and OpenWRT it should be a way to find out
how it should work using pfSense.

@JKnott
I will check tomorrow, after the reboot I did the issue has gone. Maybe it was caused by the temporary nic I am using (an usb 2.5 gb) for the wan

Thanks again ;)

It now seems likely that this wasn't related to the 23.05, but to a change in the Signal app around the same time which causes it to start preferring IPv6 over IPv4. There's a thread about it at https://github.com/signalapp/Signal-Desktop/issues/6393

It's still mysterious what the actual problem is.

@SteveITS I just tested two scenarios where it works, none included changing IPv6 config type to none on the interface.

One was to just disable the second gateway and leave on automatic;
Second was to manually choose the WAN_DHCP6 interface as v6 gateway and reboot;

Both working. It's only Automatic with both active that seems to be breaking things.

So let me go back to the first time I booted 23.05 and no IPv6:
I had a gateway group for IPv6 with WAN_DHCP6 (T1) and WAN2_DHCP6 (T2).
This configuration that was working before (giving preference and having the T1 GW active) now seems to malfunction.

@dblclick

Another reason to support this would be DDNS. We are unable to provide a IPv6 address to services .

@matty10209

Not sure why you think that is some sort of lease? Nor what rabbit hole you went down that you think you should delete an interfaces link-local address?

ndp.jpg

Those are the link-local address of pfsense own interfaces..

You can disable IPv6 in pfsense, this doesn't remove the under laying IPv6 support in the OS, ie link-local addresses on the interfaces..

@starcodesystems

If you want to have local only addresses, you want ULA. These work pretty much the same way as RFC 1918 addresses on IPv4. Link local happens automagically on all IPv6 capable devices, but you don't want to use them in the same way as global or ULA addresses. They're more for ICMP messages, router advertisements, etc..

@gamienator-0
Regarding Windows Bug I'm livin with the imagination that pfsense should not not let the request through on that interface for the wrong subnet.

///Peter!