• ipv6 disable on Pfsense

    62
    0 Votes
    62 Posts
    27k Views
    B
    @johnpoz Before my ISP offered IPV6, I used a tunnel from HE. It worked very well. Admittedly it's been a while since I have used HE, but I agree that you can't go wrong with them.
  • IPv6 increases latency under load. Bufferbloat goes from A+ to D

    1
    0 Votes
    1 Posts
    322 Views
    No one has replied
  • DHCPv6 on WAN works but pf uses SLAAC address

    10
    0 Votes
    10 Posts
    2k Views
    JKnottJ
    @keyser said in DHCPv6 on WAN works but pf uses SLAAC address: I'll need some time without users on my net to do some proper testing. But I did do a packet capture, and the ICMP6 flow looked normal. When my pfSense transmitted packet from the SLAAC GUA address to the fe80 default gateway, they were simply blackholed. When pinging link local addresses, you have to specify the interface with the -I option. You could also try capturing the full DHCPv6 sequence and posting the file here.
  • Pfsense configures radvd with a /60, breaking it [SOLVED]

    13
    0 Votes
    13 Posts
    4k Views
    w0wW
    I have similar messages from radvd and want to debug dhcp6c messages, but I don't see debug option anywhere, how can I start dhcp6c in debug mode? PfSense version is 23.05 WAN is PPPoE and LAN is set to track IPv6 on WAN.
  • ISP only hands out IPv4 Issue

    14
    10
    0 Votes
    14 Posts
    1k Views
    S
    So far I have found the following to work best on my boxes to remove IPv6 as much as possible resulting in better stability of Unbound no longer crashing or hanging unresponsive at random or when forced performing IPv6 nslookups:

    Unbound Custom options to remove all local and external domain AAAA responses in replies given to clients:

        server:
        do-ip4: yes
        do-ip6: no
        prefer-ip4: yes
        prefer-ip6: no
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: ::ffff:0:0/96
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: ::/0
        private-address: ::
        local-zone: localhost.home.arpa transparent
        local-data: "localhost.home.arpa A 127.0.0.1"
        local-zone: localhost transparent
        local-data: "localhost A 127.0.0.1"
        local-zone: ip6.arpa redirect
        local-data: "ip6.arpa A 0.0.0.0"
        local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
        local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
        local-zone: "::/0" static
        dns64-ignore-aaaa: *.*
        do-not-query-address: ::
        do-not-query-address: ::1
        do-not-query-address: ::/0

    Shellcmd's added to Shellcmd package to load at boot to unload any auto created/started inet6 interfaces, add or relabel for any other interface names that show when running command prompt/console command ifconfig:

        ifconfig lo0 inet6 ifdisabled
        ifconfig igb0 inet6 ifdisabled
        ifconfig igb1 inet6 ifdisabled
        ifconfig ix0 inet6 ifdisabled
        ifconfig lo0 inet6 fe80::1%lo0 delete
        ifconfig lo0 inet6 ::1 delete

    These last two are system files, these adjustments here aren't saved in config.xml files so if until there is a patch or tick box added, they would need re-applied each system upgrade but do maintain general reboots -

    edit /etc/inc/system.inc search for 'localhost' around line 331 and comment out - ::1 IPv6 section of lines with /* at beginning, a * for each next line and */ at the end:

        /*
         * $hosts[] = array(
         * 'ipaddr' => '::1',
         * 'fqdn' => 'localhost.' . $syscfg['domain'],
         * 'name' => 'localhost',
         * 'domain' => $syscfg['domain']
         * );
         */

    edit /etc/hosts.allow comment out line adding a #:

        #ALL : [::1] : allow
  • 0 Votes
    7 Posts
    1k Views
    JKnottJ
    @Gertjan said in DHCPv6 cannot specify local DNS server if interface is set to track interface with ::local:portion format: That brings me to the final question, as I actually never gave it a chance : my devices will still have the same IPv6 over time ? Can I put a IPv6 firewall rule that makes my printer (example) accessible from the Internet ? Using an IPv6, or a alias that has a host name that is constantly resolved to the correct 'local' IPv6, whatever that might be ? Assuming your prefix is consistent, yes you can. With SLAAC you have one consistent address and up to seven privacy addresses. You use the consistent address to get through the firewall, for external DNS, etc.. The consistent address can be based on either the MAC address or a random number. Either way, it doesn't change. I have an external DNS that points to devices I may want to reach.
  • Help with IPv6 and Router Advertisement (RA)

    1
    0 Votes
    1 Posts
    196 Views
    No one has replied
  • Another IPv6 weirdness with ISP

    12
    0 Votes
    12 Posts
    2k Views
    RobbieTTR
    @gromit1234 said in Another IPv6 weirdness with ISP: @RobbieTT OMG - it was in there! You're using FTTP (I think), but your point about MTU got me thinking.... The WAN was set to 1492 by the ISP. The LAN defaulted to 1500. I changed this to 1492 et voila! THANK YOU SO MUCH! No problem at all. It does not matter if you are on FTTP or not, the physical link on the WAN to your ADSL/VDSL2/G.fast modem should be 1508 MTU, allowing a normal 1500 MTU to traverse wearing the 8-byte PPPoE wrapper (ie as per my settings).
  • FYI: Ipv6 users should use 2.pool.ntp.org as their NTP server

    11
    3 Votes
    11 Posts
    3k Views
    maverickwsM
    @darkonc was that for me?
  • Any way to prefer IPv4 over v6 for all traffic?

    9
    0 Votes
    9 Posts
    3k Views
    johnpozJ
    @SpaceBass yeah I came to that conclusion like 12 or 13 years ago ;) heheh when first start playing with ipv6. I try it again every year or so hoping the isp has learned and fixed stuff, etc. My current isp doesn't even offer ipv6 native.. I have to use HE tunnel. Which I setup something like 12 years ago, and has really been pretty rock solid for when I use IPv6 - which again is only play.. I did for many years host ntp into the ntp pool off my IPv6 via the tunnel. But while back said to myself why.. And just turned that off as well. Don't get me wrong, works great on my phone - they only give you IPv6, no ipv4 at all - and they connect you to ipv4 using 464XLAT I am pretty sure. And this seems to work just fine on anything accessing on my phone. But when I am out and about on my phone trying to get to amazon.com or fanduel over cell.. I am not real worried about firewall rules, etc. For the typical home user with their isp gateway, hey they can get to amazon.com or their favorite porn site - most of them don't even know what an IP address is, let alone the difference between v4 and v6.. The simple solution for your "power" user if you will - someone that has taken the jump to pfsense vs some isp gateway device and is now segmenting their network and creating firewall rules to limit what say their iot devices can do.. IPv6 has a pretty steep learning curve, and brings all kinds of complexity to securing your network.. If you want to play - I would suggest HE, you can get a /48 that doesn't change.. And from my experience has been pretty rock solid.. And deploy it how you want to devices you want to play with it, etc. You not enabling it on your network isn't going to hold the world back from transitioning - in 20 some years or so it might be there ;)
  • HE.net tunnel goes non-op after a while with no error

    3
    0 Votes
    3 Posts
    606 Views
    D
    @ansel That was the weird part there was nothing in the logs and the interface showed up. I say "was" as it hasn't happened in the last week. Sigh. Heisenbug? Sun Spots?
  • Matureness of IPv6 generally

    19
    0 Votes
    19 Posts
    2k Views
    RobbieTTR
    @keyser I seem to remember that the draft for IPv6 was out before IPv4 NAT became a thing. Even the original author of NAT (Paul Francis?) didn't think much would come of it. Then came PIX hardware and the world changed.
  • Ipv6 setup for Telus

    20
    0 Votes
    20 Posts
    4k Views
    J
    @darkonc To my knowledge, this needs to be configured manually in pfSense. The LAN interfaces get their subnets by following the WAN interface, however, the WAN cannot follow itself. In other words: if the prefix changes, one needs to manually configure it again - or have some sort of scripting to do this. Although I get that "providers should keep prefix fixed, preferably, for the time the contract is active", in reality, most of them do not. They change the prefix if you change/upgrade your router and depending on the configuration you change on the router it can trigger a new prefix (it is based on the DUID in the case of Telus). In my mom's house (Brazil), the IPv6 prefix changes almost every 3 weeks with default configuration (why? to annoy users maybe...). In short, I agree with everything you said, I would like to have the IPv6 set to the WAN, but I can live without it. Thanks, JrBenito.
  • Use IPv6 DHCPv6, Prefix Delegation without Link-Local (SLAAC)

    23
    0 Votes
    23 Posts
    3k Views
    JKnottJ
    @RobbieTT Part of the reason for the U.S. being so slow with IPv6 goes back to when IPv4 was created and most of the addresses went to the U.S.. As a result it didn't have the pressure of the IPv4 address shortage as the rest of the world did. Of course, when it was originally set up, it wasn't intended to be world wide. It was just to support defense researchers and grew from there. Also, back then, there wasn't a lot of data crossing the pond, as there wasn't much capacity until fibre came along.
  • IPv6 not passing despite rules

    8
    0 Votes
    8 Posts
    1k Views
    S
    @SteveITS said in IPv6 not passing despite rules: Do you have two WANs bingo! Just disabled WAN2 for testing, IPv6 works immediately.
  • No IPv6 after upgrade to 23.01

    88
    0 Votes
    88 Posts
    74k Views
    S
    Works fine for me now, good job.
  • How to 4rd with pfsense ?

    16
    0 Votes
    16 Posts
    3k Views
    Dobby_D
    @sorg said in How to 4rd with pfsense ?: This guide is not relevant for our situation. We are not connected through VDSL, but with Fiber (FTTH using 10G-EPON.) Ok now I know it a bit better. We already have the necessary hardware (the ONT) to connect the incoming fiber to a modem and we know the steps to achieve the results. This was not clear to me from the opening post. We need to spoof the MAC address of the Freebox on the ethernet interface that will be connected to the ONT: It's ok and working. We need access to VLAN 836 on this interface and get an ipv6 link with dhcpv6 provisioning: It's ok and working. Ok. We need to open a tunnel of type ipip6 over this link in order to get the ipv4 Wan connection. Ideally this tunnel is negotiated with 4rd or map-e protocol, however, we can also force the settings manually. Oh ok I see it is in real another problem, so I was not really able to get it right. I have not been available to achieve this last step on pfsense/opnsense, while i have all this set up and working in vyos or openwrt. Oh ok if you got it working in VyOS and OpenWRT it should be a way to find out how it should work using pfSense.
  • Use of both dhcp and slaac, advanced configuration

    48
    2
    0 Votes
    48 Posts
    21k Views
    crc_error_79C
    @JKnott I will check tomorrow, after the reboot I did the issue has gone. Maybe it was caused by the temporary nic I am using (an usb 2.5 gb) for the wan Thanks again ;)
  • Some sites inaccessible with IPv6 with 23.05

    4
    0 Votes
    4 Posts
    813 Views
    E
    It now seems likely that this wasn't related to the 23.05, but to a change in the Signal app around the same time which causes it to start preferring IPv6 over IPv4. There's a thread about it at https://github.com/signalapp/Signal-Desktop/issues/6393 It's still mysterious what the actual problem is.
  • 23.05 Update: IPv6 RIP

    21
    1
    0 Votes
    21 Posts
    4k Views
    maverickwsM
    @SteveITS I just tested two scenarios where it works, none included changing IPv6 config type to none on the interface. One was to just disable the second gateway and leave on automatic; Second was to manually choose the WAN_DHCP6 interface as v6 gateway and reboot; Both working. It's only Automatic with both active that seems to be breaking things. So let me go back to the first time I booted 23.05 and no IPv6: I had a gateway group for IPv6 with WAN_DHCP6 (T1) and WAN2_DHCP6 (T2). This configuration that was working before (giving preference and having the T1 GW active) now seems to malfunction.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.