@jordanp123 Likely related to this... https://redmine.pfsense.org/issues/14072

@sn3akerz glad you got it sorted.. So you weren't crazy heheh.. So far I've been unable to wrap my head around a firewall rule to block this. Kind of hard to block something at the firewall if its not going over the firewall ;)

@jbannister SLAAC .... NPT .... Never used these, as they are 'not needed' ( ? ) I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years. I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT. This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices. I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing. And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@jasonreg I used the first GUA that appeared in the list.

@jasonreg It's up to you. If you can get the monitor working fine, otherwise disable it and rely on IPv4.

@mlohr said in IPv6 Firewall rules with dynamic prefixes: In my understanding, my NAS will always be at "the same interface" from the perspective of pfSense, e.g., an interface configured to be the LAN port or DMZ. The "problem" is that your NAS is not on your WAN, so that will not work for your WAN rule that you need because pfSense doesn't know to which interface this host address belongs (as far as I have understand this, try it for yourself) But what does work is to make a DHCP static mapping on your prefix delegated "LAN" and to create an alias for that hostname you define there. Now every time the prefix changes, the alias will be changed too. In theory. There are still problems when the prefix actually changes but they can be mitigated by doing this at night times and rebooting pfSense via cron and so on.

@yobyot There is one SLAAC address that does not change. Point the DNS to that address.

I was able to reproduce it here and it did create a textdump for me. We're looking into it now.

ehhh, so I made the config change and it worked fine, but some time after I made the change (maybe an hour?) my pfSense system crashed and rebooted with a kernel panic/page fault :-/ (haven't had that happen on me ... ever I think? and I've been a longtime user) Basically I just set my manual Outbound NAT rules to IPv4 only, and only applicable to one of my internal subnets and everything seemed fine until it suddenly crashed. I did check the General and System logs and nothing useful or noteworthy was found there. Maybe the attached debug files are useful to somebody, though (I censored my info) info.0 textdump.tar.0

@bob-dig You're right on this, I don't use two GUA prefixes simultaneously pointing to the same internal ULA prefix, only as failover from one to the other if either ISP gets disconnected, as this is fairly common here. As far as I've tested, this works correctly if the primary ISP fails with pfSense changing the default GW to the next one in its Gateway Group after dpinger detects the failure of the previous one. You have to take care to arrange NPt rules in the same order (from top to bottom) as the matching GW's (1 to n), otherwise it won't work. It even fails back correctly when the previous ISP comes back online.

Also just read some of this: No IPv6 after upgrade to 23.01. You did mention you upgraded... I am on 2.6 still.

Thanks for all the input; I think I'm nearly there but it is still not routing any traffic over IPv6. I set up as above, including the virtual IP as a3sx, and finally the WAN_DHCP6 has come up and is green (it wouldn't without the virtual IP). Amazing, never worked before. I took the address from configuring 'none' on WAN ip6 and seeing the loopback address after reboot (where does this come from??) it starts fe80:: My devices on the LAN are getting IP6 addresses and I can see leases on 'DHCPv6 Leases' status screen. My devices are getting IPv6 addresses starting with 2002:89dc... etc, could this be based on my delegated prefix? (Where do I see the prefix I got?) Yet when I open browser and do an IPv6 test all IPv6 tests fail. If I ping 'google.com' over ipv6 on diagnostics on the webUI it fails as well. Feels like it's close but there is still something wrong. Pfsense+ 23.01 If somebody would be able to look at my screenshare I'd send them money for a beer in the pub! thanks B

Appears the problem was related to a secondary WAN interface we have configured in the firewall. As soon as that WAN interface was disabled, the GIF tunnel would work without the filtering disabled. When the secondary WAN interface was enabled again, the tunnel still worked, so probably some messed up routing.

@steveits OK, thanks. If I can ever get registered on Redmine, I'll file a bug report.

@gwabber No, you route the traffic, just as you do with your default gateway.