The Netgate 6100 interface on the fd04:2240::/48 segment has the following flags: nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> I did a bit of research and I think the following might solve the issue: ifconfig inet6 accept_rtadv It's a production setup so I'm reluctant to try it. Does adding the accept_rtadv make sense?

@jknott # netstat -r Routing tables (output omitted) Internet6: Destination Gateway Flags Netif Expire localhost link#10 UH lo0 tunnel814714.tunne link#17 UH gif0 tunnel814714-pt.tu link#17 UHS lo0 fe80::%mvneta1/64 link#2 U mvneta1 fe80::208:a2ff:fe0 link#2 UHS lo0 fe80::%mvneta2/64 link#8 U mvneta2 fe80::208:a2ff:fe0 link#8 UHS lo0 fe80::%lo0/64 link#10 U lo0 fe80::1%lo0 link#10 UHS lo0 fe80::%mvneta1.10/ link#13 U mvneta1. fe80::208:a2ff:fe0 link#13 UHS lo0 fe80::%mvneta1.7/6 link#14 U mvneta1. fe80::208:a2ff:fe0 link#14 UHS lo0 fe80::%mvneta1.8/6 link#15 U mvneta1. fe80::208:a2ff:fe0 link#15 UHS lo0 fe80::%ovpns1/64 link#16 U ovpns1 fe80::208:a2ff:fe0 link#16 UHS lo0 fe80::%gif0/64 link#17 U gif0 fe80::208:a2ff:fe0 link#17 UHS lo0 Looks like there is a tunnel setup. not sure how to connect to the other side without using the software and in the cli. The goal here is Dual stacking ipv4/6.

@steve1515 Sometimes the solution is to start from scratch, as you may have set something and not realized it.

First, let me note that I'm assuming your IOT devices are on their own network here. If they're on the same network as your other LAN devices, what you want won't be possible. If both WAN 1 and WAN 2 providers have IPv6 available, you would set your IOT network to track the IPv6 prefix of WAN 1, and your other network(s) to track the prefix of WAN 2. pfSense should then be able to route the IPv6 traffic accordingly. If WAN 1 provider doesn't provide IPv6 service then I would disable IPv6 on your IOT network. You wouldn't be able to use WAN 2's IPv6 prefix to provide IPv6 to IOT, then have it route through WAN 1. Your WAN 1 provider wouldn't be able to route traffic from WAN 2's IPv6 addresses.

@johnpoz I'm only using 5 of my 256 /64s. However, I think people have learned a lot of bad habits, with having to conserve IPv4 address space. The only place where a smaller prefix makes sense is with a point to point link, where a /127 is all you need.

Happy to report that the DHCPv6 client of PfSense is detected by my ISP box, delegated prefix (DHCP-PD) on LAN works, and my web browsers reach IPv6 site successfully. It may be thanks to : ISP action, since I reported that IPv6 was not working as I wanted. PfSense 23.01 beta (2023-01-06)

@brukster Thank you! I'll test this out

Thank you @jknott here is what i was able to see in the logs: Jan 6 17:59:53 dhclient 28090 exiting. Jan 6 17:59:53 dhclient 28090 connection closed Jan 6 17:59:42 dhclient 38390 Cannot open or create pidfile: No such file or directory Jan 6 17:59:39 dhcp6c 32952 failed to parse configuration file Jan 6 17:59:39 dhcp6c 32952 /var/etc/dhcp6c.conf:21 invalid interface (bridge0): Device not configured Jan 6 17:59:39 dhcp6c 32952 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory

@nevolex It is in System/Advanced/Networking if you are on plus.

@pfaai said in WAN doesn't get IPv6: I’m using my home connection to serve public services, Then you only need an address on your LAN, which you apparently have. That is I hope you're not planning on providing those services from pfSense. Also, better check your terms of service. Some ISPs don't like consumers providing public servers. I get a GUA on my WAN interface, but rarely use it. I use the IPv4 address for my VPN, but everything else has a LAN address, which I provide via my DNS server.

@jknott said in IPv6 routing over VPN: Can you spare another? Also, you can always use Unique Local Addresses for the tunnel. No. But the tunnel is not the problem. Here I already use Unique Local Adresses. Here is my IPv6 configuration, maybe it helps to solve my problem: Wireguard Server: [Interface] Address = 10.56.0.1/24, fe00::1/64 PrivateKey = ******************** ListenPort = 51820 [Peer] PublicKey = ******************** AllowedIPs = 10.56.0.5/32, fe00::2/128, 2001:********************::/64 At the wireguard client side (the pfSense) I use the fe00::2. This works. But the routing/NAT between my DMZ server and the pfSense is not working: On the pfSense DMZ interface (which I gave no IPv6 ip) I have the following static route: 2001:******************** 3c:ec:ef:70:6d:ba UHS igb2 On the DMZ server (with the ip 2001:********************:21/128) I configured the route back as the host route: [::]/0 fe80::3eec:efff:fe70:6dba UGH 1024 3 0 ens18 And here comes my problem: Direct ping to fe80::3eec:efff:fe70:6dba (the pfSense's link local address) works. But no NAT or routing to other targets.

I am now getting IPv6 addresses assigned by Starlink again. I didn't change anything but just noticed it today. I enabled WAN ping and can ping it from the mobile network. I am running rtsol every two minutes. This hasn't worked for over six months, but today I noticed it was working again.

@buzzman said in Spectrum config for IPv6: the IPv6 default gateway is not accessible. You're using a link local address, which does not work. Find a GUA somewhere beyond the gateway and use that. I did a traceroute to Google and used the first GUA that turned up. Link local addresses are commonly used for routing with IPv6.

@jknott Well I just learned something new today, thanks!

@mcbrown90 The FDxx... address range is private so it's not going anywhere on the internet no matter how hard you try. FE80 is link local. I don't see in your screenshot any internet routable IPV6 addresses being blocked. If you are using Windows computers, open a command prompt (type CMD on the start menu search box) and type "ipconfig /all" to see what IP addresses your computer is getting. You should have multiple IPV6 addresses, not just the link local and the private FD. [image: 1670085641705-246f174f-82a2-4596-bcd0-0d6028dd33b7-image.png] You would have had to setup how IPV6 addressing is accomplished via router advertisements under SERVICES/DHCP6 SERVER AND RA. Choose ROUTER ADVERTISEMENTS and set the ROUTER MODE to either UNMANAGED or SLAAC. I set mine to SLAAC and input my two DNS servers in the DHCP6SERVER section, so that my devices get my DNS server addresses while also setting their own IPV6 addresses automatically without using DHCP6. UNMANAGED should work if you don't have DNS server addresses you wish to push to the clients. But in the end, your clients need to have Internet routable IPs, not just ULA (unique local FC/FD) addresses.

@maanbsat First thing to try is to turn on DHCP6 Debug and then look in the logs.

Solved. I had to reboot the pfSense after enabling IPv6 track interface on LAN2.