  • DHCPv6 PD not installing route after 23.05-RELEASE upgrade

    0 Votes
    6 Posts
    1k Views
    GertjanG
    @asdjklfjkdslfdsaklj said in DHCPv6 PD not installing route after 23.05-RELEASE upgrade: new bug report. That link is also a bug .... I mean : click on it and enjoy. More edits : Since 5 days or so : If the patch is applied and you "pkg install dhcpleases6" does it work ?
  • Problems using npt in pfsense 2.7

    0 Votes
    1 Posts
    137 Views
    No one has replied
  • IPv6 Delegated Prefix Not Routing

    0 Votes
    4 Posts
    500 Views
    JKnottJ
    @matthewgcampbell Again, pfSense has to know the route to that subnet. It knows where that interface is, but not what's beyond it. Here's an example, though it's for IPv4 only. [image] In order to access that 172.16.2.0 network, I had to tell pfSense where to find it. You may see your pings go out, but how far do you see the replies coming back? You can use Packet Capture to watch for them. I bet you see them come into pfSense, but then what??? Without a route, pfSense cannot send them where they're supposed to go. I assume that delegated prefix is provided by your ISP.
  • 0 Votes
    1 Posts
    224 Views
    No one has replied
  • 0 Votes
    4 Posts
    712 Views
    RobbieTTR
    @s0ulf3re I had a similar issue, now resolved (for the most part): Resolved: Did v23-05 break ipv6?
  • NPt IPv6 behind double nat

    0 Votes
    11 Posts
    1k Views
    O
    @Bob-Dig Not dynamic prefixes but ULA prefixes, which are mapped to a routable IPv6 NAT 1:1. Like, you set fc08::1000 to a client, then you can route it with NPt to whatever prefixes you own; you just map ULA/64 to native /64. Used to do it many times. You can do this with he.net native IP and have failover links and choose which interface to use. So all the IPv6 are static but not in the range of the routable IPv6 prefix. However, never done it with double NAT; seems to be tricky.
  • IPv6 forwarding routinely broken; disable/enable DHCP6 on WAN to fix

    0 Votes
    7 Posts
    974 Views
    J
    I should add that the only difference between my custom config and the default (non-advanced) config was that request refreshtime; was added and the DNS related request lines were removed. This is why I have a suspicion that adding in request refreshtime might be the thing that actually helped.
  • chrome://net-internals/dns#dns ???

    dns resolver dns resolution chromium ipv6
    0 Votes
    3 Posts
    2k Views
    JonathanLeeJ
    @johnpoz I mostly do, except some university classes require we use it.
  • [HOWTO]Keep the ipV6 addr active

    0 Votes
    2 Posts
    348 Views
    johnpozJ
    @insmod active just means the cache has expired ie no traffic. IPv6 uses NDP, arp for IPv6.. There is little point to trying to create traffic to keep that listing as "active"
  • PHP errors

    0 Votes
    1 Posts
    242 Views
    No one has replied
  • ipv6 disable on Pfsense

    0 Votes
    62 Posts
    25k Views
    B
    @johnpoz Before my ISP offered IPV6, I used a tunnel from HE. It worked very well. Admittedly it's been a while since I have used HE, but I agree that you can't go wrong with them.
  • IPv6 increases latency under load. Bufferbloat goes from A+ to D

    0 Votes
    1 Posts
    297 Views
    No one has replied
  • DHCPv6 on WAN works but pf uses SLAAC address

    0 Votes
    10 Posts
    2k Views
    JKnottJ
    @keyser said in DHCPv6 on WAN works but pf uses SLAAC address: I'll need some time without users on my net to do some proper testing. But I did do a packet capture, and the ICMP6 flow looked normal. When my pfSense transmitted packet from the SLAAC GUA address to the fe80 default gateway, they were simply blackholed. When pinging link local addresses, you have to specify the interface with the -I option. You could also try capturing the full DHCPv6 sequence and posting the file here.
  • Pfsense configures radvd with a /60, breaking it [SOLVED]

    0 Votes
    13 Posts
    4k Views
    w0wW
    I have similar messages from radvd and want to debug dhcp6c messages, but I don't see a debug option anywhere. How can I start dhcp6c in debug mode? pfSense version is 23.05. WAN is PPPoE and LAN is set to track IPv6 on WAN.
  • ISP only hands out IPv4 Issue

    0 Votes
    14 Posts
    1k Views
    S
    So far I have found the following to work best on my boxes to remove IPv6 as much as possible resulting in better stability of Unbound no longer crashing or hanging unresponsive at random or when forced performing IPv6 nslookups:

    Unbound Custom options to remove all local and external domain AAAA responses in replies given to clients:

        server:
        do-ip4: yes
        do-ip6: no
        prefer-ip4: yes
        prefer-ip6: no
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: ::ffff:0:0/96
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: ::/0
        private-address: ::
        local-zone: localhost.home.arpa transparent
        local-data: "localhost.home.arpa A 127.0.0.1"
        local-zone: localhost transparent
        local-data: "localhost A 127.0.0.1"
        local-zone: ip6.arpa redirect
        local-data: "ip6.arpa A 0.0.0.0"
        local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
        local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
        local-zone: "::/0" static
        dns64-ignore-aaaa: *.*
        do-not-query-address: ::
        do-not-query-address: ::1
        do-not-query-address: ::/0

    Shellcmd's added to Shellcmd package to load at boot to unload any auto created/started inet6 interfaces, add or relabel for any other interface names that show when running command prompt/console command ifconfig

        ifconfig lo0 inet6 ifdisabled
        ifconfig igb0 inet6 ifdisabled
        ifconfig igb1 inet6 ifdisabled
        ifconfig ix0 inet6 ifdisabled
        ifconfig lo0 inet6 fe80::1%lo0 delete
        ifconfig lo0 inet6 ::1 delete

    These last two are system files, these adjustments here aren't saved in config.xml files so if until there is a patch or tick box added, they would need re-applied each system upgrade but do maintain general reboots -

    edit /etc/inc/system.inc search for 'localhost' around line 331 and comment out - ::1 IPv6 section of lines with /* at beginning, a * for each next line and */ at the end:

        /*
         * $hosts[] = array(
         * 'ipaddr' => '::1',
         * 'fqdn' => 'localhost.' . $syscfg['domain'],
         * 'name' => 'localhost',
         * 'domain' => $syscfg['domain']
         * );
         */

    edit /etc/hosts.allow comment out line adding a #:

        #ALL : [::1] : allow
  • 0 Votes
    7 Posts
    974 Views
    JKnottJ
    @Gertjan said in DHCPv6 cannot specify local DNS server if interface is set to track interface with ::local:portion format: That brings me to the final question, as I actually never gave it a chance : my devices will still have the same IPv6 over time ? Can I put an IPv6 firewall rule that makes my printer (example) accessible from the Internet ? Using an IPv6, or an alias that has a host name that is constantly resolved to the correct 'local' IPv6, whatever that might be ? Assuming your prefix is consistent, yes you can. With SLAAC you have one consistent address and up to seven privacy addresses. You use the consistent address to get through the firewall, for external DNS, etc.. The consistent address can be based on either the MAC address or a random number. Either way, it doesn't change. I have an external DNS that points to devices I may want to reach.
  • Help with IPv6 and Router Advertisement (RA)

    0 Votes
    1 Posts
    188 Views
    No one has replied
  • Another IPv6 weirdness with ISP

    0 Votes
    12 Posts
    2k Views
    RobbieTTR
    @gromit1234 said in Another IPv6 weirdness with ISP: @RobbieTT OMG - it was in there! You're using FTTP (I think), but your point about MTU got me thinking.... The WAN was set to 1492 by the ISP. The LAN defaulted to 1500. I changed this to 1492 et voila! THANK YOU SO MUCH! No problem at all. It does not matter if you are on FTTP or not, the physical link on the WAN to your ADSL/VDSL2/G.fast modem should be 1508 MTU, allowing a normal 1500 MTU to traverse wearing the 8-byte PPPoE wrapper (ie as per my settings).
  • FYI: Ipv6 users should use 2.pool.ntp.org as their NTP server

    3 Votes
    11 Posts
    3k Views
    maverickwsM
    @darkonc was that for me?
  • Any way to prefer IPv4 over v6 for all traffic?

    0 Votes
    9 Posts
    3k Views
    johnpozJ
    @SpaceBass yeah I came to that conclusion like 12 or 13 years ago ;) heheh when first start playing with ipv6. I try it again every year or so hoping the isp has learned and fixed stuff, etc. My current isp doesn't even offer ipv6 native.. I have to use HE tunnel. Which I setup something like 12 years ago, and has really been pretty rock solid for when I use IPv6 - which again is only play.. I did for many years host ntp into the ntp pool off my IPv6 via the tunnel. But while back said to myself why.. And just turned that off as well. Don't get me wrong, works great on my phone - they only give you IPv6, no ipv4 at all - and they connect you to ipv4 using 464XLAT I am pretty sure. And this seems to work just fine on anything accessing on my phone. But when I am out and about on my phone trying to get to amazon.com or fanduel over cell.. I am not real worried about firewall rules, etc. For the typical home user with their isp gateway, hey they can get to amazon.com or their favorite porn site - most of them don't even know what an IP address is, let alone the difference between v4 and v6.. The simple solution for your "power" user if you will - someone that has taken the jump to pfsense vs some isp gateway device and is now segmenting their network and creating firewall rules to limit what say their iot devices can do.. IPv6 has a pretty steep learning curve, and brings all kinds of complexity to securing your network.. If you want to play - I would suggest HE, you can get a /48 that doesn't change.. And from my experience has been pretty rock solid.. And deploy it how you want to devices you want to play with it, etc. You not enabling it on your network isn't going to hold the world back from transitioning - in 20 some years or so it might be there ;)