• When using NAT64 does pfSense block routing in internal VLANs?

    nat64 pref64 clat
    4
    0 Votes
    4 Posts
    356 Views
    jimp
    @IonutIT Check "NAT64 Prefix Override" on System > Advanced, Firewall/NAT
  • Yet Another IPv6 Post

    24
    1
    0 Votes
    24 Posts
    1k Views
    U
    @JKnott Yeah, agreed it's a CC thing. I've already registered a tunnel through HE/tunnelbroker because as much as I'm a masochist for the things I want to try and do on my home network just because I can and find them fun to play with... trying to even contact Comcast let alone actually get to more than first tier support is a form of masochism that just doesn't excite me. It's Comcastic! [vent] Add to this that my Netgear M7 Pro drops out in IP-Passthrough mode and now it doesn't offer an IPv4 address anymore, in either IP-PT or NAT mode [end vent] .... yeah, I've got all the masochism I could want right now.

    ...and that's exactly the response opcode that I get.

        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 71
            IAID: 00000000
            T1: 0
            T2: 0
            Status code
                Option: Status code (13)
                Length: 55
                Status Code: NoPrefixAvail (6)
                Status Message: No prefix available on Link 'ca-sanrafael-acr07-link'

    [Edit: trying to determine why the forum keeps saying this is spam and refusing to post]
  • How I set up prefix delegation to carve out /60 subnets from a /56 prefix

    18
    0 Votes
    18 Posts
    1k Views
    JKnott
    @citroklar said in How I set up prefix delegation to carve out /60 subnets from a /56 prefix:

        But as those /64 subnets cannot be split further, I wanted larger Prefix Delegations - /60s, for both of my internal networks to be precise. (A /56 can be split into 16 /60 subnets.) I couldn't find a way to do this in the gui, so please enlighten me if I missed something there.

    Take a look on the System / Routing / Gateways page.
  • IPv6 changes aren't written to config.xml or dhcp6c.conf

    28
    0 Votes
    28 Posts
    3k Views
    stephenw10
    If you're making changes and they simply don't appear then I would start at /usr/local/www/services_dhcpv6_edit.php and follow the various linked include files to find functions used there. The rabbit hole can be deep!
  • 25.11 IPv6 gateway pending

    11
    0 Votes
    11 Posts
    586 Views
    M
    Credits to Grok (xAI) – Full IPv6 Boot Watchdog Script with Daily Reboot Limit

    Thanks to Bob.Dig, Gertjan, and the community for all the help and ideas along the way. But in the end, I went full nuclear with Grok's help to solve the annoying "IPv6 gateway pending" / DHCPv6 fails at boot issue on 25.11 (and earlier versions) with ixgbe/ix interfaces.

    Grok helped build, debug, refine, and harden this script over dozens of iterations — from parsing issues in ash, ambiguous redirects, long shutdown delays, false positives, to daily reboot protection and input validation. Big thanks to Grok for turning a frustrating problem into a reliable workaround!

    What the script does

    - Runs automatically after boot
    - Checks if all specified interfaces (INTERFACES=) have at least one global IPv6 address (2000::/3 range, non-link-local)
    - If yes → exits cleanly (no reboot)
    - If no → waits a timeout period (default 120 s of checking) → reboots pfSense
    - Safety: max 2 reboots per calendar day — prevents endless loops if ISP has outage
    - Counter resets automatically at midnight
    - Manual reset: rm /var/db/ipv6_watchdog_reboot_count
    - Extra: Early exit if any interface is physically down (no carrier)
    - Quiet: Logs only important events to syslog (via logger) — no spam
    - Robust: Validates config (interfaces exist, no spaces, numbers valid, etc.)

    Recommended Installation (fast shutdown, no delays)

    Save the script (anywhere, e.g. /usr/local/etc/ipv6_watchdog.sh):

        vi /usr/local/etc/ipv6_watchdog.sh

        #!/bin/sh
        # /usr/local/etc/ipv6_watchdog.sh
        # IPv6 Global Address Watchdog for pfSense - Built with Grok (xAI)
        # Daily reboot limit (max 2/day), quiet syslog logging, input validation, early exit if link down
        # More info at: https://forum.netgate.com/topic/199716/25.11-ipv6-gateway-pending/11?_=1767700010718

        # ================= CONFIG =================
        TIMEOUT=120              # seconds (min 30)
        INITIAL_DELAY=60         # seconds (min 10)
        CHECK_INTERVAL=20        # seconds (min 5)
        INTERFACES="ix2,ix3"     # comma-separated, NO spaces!
        MAX_REBOOTS_PER_DAY=2
        LOG_TO_SYSTEM_LOGS=1     # 1 = syslog (recommended), 0 = file
        # Daily reboot counter; same path as the manual reset command above
        COUNT_FILE="/var/db/ipv6_watchdog_reboot_count"

        # ================= VALIDATION & LOGGING =================
        validate_positive_int() {
            local var="$1" name="$2" min="${3:-1}"
            if ! echo "$var" | grep -qE '^[0-9]+$'; then
                logger -t ipv6_watchdog "ERROR: $name must be positive integer (got '$var')"
                exit 1
            fi
            if [ "$var" -lt "$min" ]; then
                logger -t ipv6_watchdog "ERROR: $name >= $min (got $var)"
                exit 1
            fi
        }

        validate_positive_int "$TIMEOUT" "TIMEOUT" 30
        validate_positive_int "$INITIAL_DELAY" "INITIAL_DELAY" 10
        validate_positive_int "$CHECK_INTERVAL" "CHECK_INTERVAL" 5
        validate_positive_int "$MAX_REBOOTS_PER_DAY" "MAX_REBOOTS_PER_DAY" 1

        if [ "$LOG_TO_SYSTEM_LOGS" != "0" ] && [ "$LOG_TO_SYSTEM_LOGS" != "1" ]; then
            logger -t ipv6_watchdog "ERROR: LOG_TO_SYSTEM_LOGS must be 0 or 1"
            exit 1
        fi

        if [ -z "$INTERFACES" ]; then
            logger -t ipv6_watchdog "ERROR: INTERFACES is empty"
            exit 1
        fi

        if echo "$INTERFACES" | grep -q '[[:space:]]'; then
            logger -t ipv6_watchdog "ERROR: INTERFACES contains spaces (use 'ix2,ix3')"
            exit 1
        fi

        # Split INTERFACES on commas into the positional parameters ($1, $2, ...)
        OLD_IFS="$IFS"; IFS=','; set -- $INTERFACES; IFS="$OLD_IFS"
        for iface; do
            iface=$(echo "$iface" | tr -d '[:space:]')
            if ! ifconfig "$iface" >/dev/null 2>&1; then
                logger -t ipv6_watchdog "ERROR: Interface '$iface' does not exist"
                exit 1
            fi
        done

        # ================= DETECTION =================
        has_global_ipv6() {
            local iface="$1"
            local addrs
            addrs=$(ifconfig "$iface" 2>/dev/null | grep 'inet6 ' | grep -v 'fe80::' | \
                sed -E 's/.*inet6[[:space:]]+([0-9a-fA-F:]+).*/\1/')
            [ -z "$addrs" ] && return 1
            echo "$addrs" | grep -qE '^(2|3)'
            return $?
        }

        # ================= MAIN =================
        START=$(date +%s)

        # Early exit if any interface down
        for iface; do
            iface=$(echo "$iface" | tr -d '[:space:]')
            if ! ifconfig "$iface" 2>/dev/null | grep -q 'status: active'; then
                logger -t ipv6_watchdog "Interface $iface DOWN → watchdog exiting early"
                exit 0
            fi
        done

        current_date=$(date '+%Y-%m-%d')
        if [ -f "$COUNT_FILE" ]; then
            read saved_date saved_count < "$COUNT_FILE" 2>/dev/null || { saved_date=""; saved_count=0; }
        else
            saved_count=0
        fi

        if [ "$saved_date" != "$current_date" ]; then
            logger -t ipv6_watchdog "New day ($current_date) → reset count to 0"
            saved_count=0
        fi

        logger -t ipv6_watchdog "IPv6 watchdog starting (count: $saved_count / $MAX_REBOOTS_PER_DAY)"

        if [ "$saved_count" -ge "$MAX_REBOOTS_PER_DAY" ]; then
            logger -t ipv6_watchdog "Daily limit reached ($MAX_REBOOTS_PER_DAY). Skipping today."
            exit 0
        fi

        sleep "$INITIAL_DELAY"

        while [ $(( $(date +%s) - START )) -lt "$TIMEOUT" ]; do
            all_good=1
            for iface; do
                iface=$(echo "$iface" | tr -d '[:space:]')
                if ! has_global_ipv6 "$iface"; then
                    all_good=0
                    break
                fi
            done
            [ $all_good -eq 1 ] && exit 0
            sleep "$CHECK_INTERVAL"
        done

        logger -t ipv6_watchdog "CRITICAL TIMEOUT after ${TIMEOUT}s - no global IPv6"

        new_count=$((saved_count + 1))
        if [ "$new_count" -le "$MAX_REBOOTS_PER_DAY" ]; then
            logger -t ipv6_watchdog "Rebooting ($new_count of $MAX_REBOOTS_PER_DAY today)"
            echo "$current_date $new_count" > "$COUNT_FILE"
            /sbin/shutdown -r now "IPv6 watchdog timeout (daily $new_count/$MAX_REBOOTS_PER_DAY)"
        else
            logger -t ipv6_watchdog "Daily limit reached. No reboot today."
        fi
        exit 1

    Make it executable:

        chmod +x /usr/local/etc/ipv6_watchdog.sh

    Install Shellcmd package if not present (System → Package Manager → Available Packages → shellcmd)

    Add Shellcmd entry (Services → Shellcmd → Add). Command (paste exactly):

        /bin/sh -c 'nohup /usr/local/etc/ipv6_watchdog.sh >/dev/null 2>/dev/null' &

    Customization Tips

    - Increase TIMEOUT=300 (5 min) if your modem takes longer to restore IPv6
    - Change INITIAL_DELAY if needed (give more time for interfaces to come up)
    - Set LOG_TO_SYSTEM_LOGS=0 if you want file logging instead
    - Add more WAN interfaces if needed: INTERFACES="ix2,ix3,igb0"
  • DHCP6 EUI-64 Interface ID Setting

    5
    0 Votes
    5 Posts
    572 Views
    L
    @Bob.Dig My ISP Information AS 3462 HINET Chunghwa Telecom Co., Ltd. Taiwan https://db-ip.com/as3462
  • How to Set Up Local IPV6 Network

    5
    0 Votes
    5 Posts
    585 Views
    JKnott
    One thing I should have mentioned, instead of creating a virtual IP, configure the interface as static and enter the address there. Since you don't want access to the Internet, you don't have to worry about tracking the interface, etc.
  • IPv6 Gateway problems on 25.11

    19
    6
    0 Votes
    19 Posts
    1k Views
    G
    @Gertjan I did both and it didn't work. You can see the second solution (Prefer to use IPv4...) activated on one of my screenshots. Reinstalling did work and things are running smoothly now.
  • ICMPv6 firewall rules for interfaces

    5
    1 Votes
    5 Posts
    454 Views
    Bob.Dig
    @jarmo pfSense and dynamic IPv6 don't go too well together, sad but true. Other routers (for example Fritz Box) can do a much better job out of the box.
  • lan clients periodically drop ipv6 connectivity

    23
    0 Votes
    23 Posts
    6k Views
    J
    @gambit100 said in lan clients periodically drop ipv6 connectivity:

        If your lan is using SLAAC for IPv6 addresses, your clients will have multiple IPv6 addresses: an IPv6 address, a "temporary" IPv6 address, and a link local IPv6 address. The routable lan IPv6 address should have the same prefix and different suffixes. In my case, I found using "Diagnostics->Packet Capture" that my router was sending IPv6 renew requests to the ISP and never getting a response (as shown in my previous response).

    I have SLAAC and routable IPv6 addresses with different prefixes. In addition, the issues typically happen after some hours of connectivity, which intuitively matches the idea of a failure of some sorts or renewal process. I will figure out an appropriate set of parameters for packet capturing and see what happens. Thanks for the tips!
  • new pc can't access dotnet.microsoft.com ?ipv6

    7
    0 Votes
    7 Posts
    1k Views
    Gertjan
    @ahole4sure A Plan B exists. Make a list with known sites that don't want you to use (your) IPv6. The issue is known for years and as already mentioned reasons above, some sites don't 'like' the he.net IPv6s.

    If you have pfBlockerNG installed, go here: Firewall > pfBlockerNG > DNSBL

    First, be sure you use Python mode, not the unbound mode.

    Next: Check 'No AAAA', and fill in the list with host names (site) that you don't want to visit using IPv6.

    After all, before one of your devices connects to a site, it will resolve the destination host name first. As most if not all devices prefer AAAA (IPv6) they will ask that first, and if needed, to fall back, the A record (IPv4). If there is an AAAA (IPv6) address, that's what gets used.

    Now comes the trick: pfBlockerNG does DNSBL, so it can block AAAA for listed sites. Your device will fall back to IPv4 - and all is well.

    In the past, Netflix was one of those sites: it didn't want you to use the he.net IPv6 networks.

    Plan A would be of course:

        Frontier fiber internet does not have ipv6

    Break your commercial relations with this frontier ISP. If they ask for a reason, tell them.
  • Can't connect to VSCode Server via IPv6 from clients but from pfSense

    7
    1
    0 Votes
    7 Posts
    3k Views
    B
    @b_chris Thx, had the same problem, for example with www.daiichisankyo.com (which resolves to part-0032.t-0009.t-msedge.net - 2620:1ec:46::60). Setting the MSS to 1452 resolves this issue... And yes, it does not feel quite right. :-/
  • IPV6 with Zen, not receiving an IP Address

    16
    2
    0 Votes
    16 Posts
    2k Views
    M
    Finally got this sorted. Zen offered a loan router as I couldn't find the original and it arrived next day, which was nice. Then, after spending over an hour on the phone to a tech person they finally passed the issue over to their IPv6 team who rebuilt the connection and all is now fine. Well, I say all is fine - After I configured everything I started receiving reports that xbox was not working and sure enough xbox.com is painfully slow to load when connecting with IPv6 - I'll look into that one day, could be DNS related. All I really needed to do was get some servers connected so I can play with DNS AAAA records and get some web servers running IPv6. Had to disable the local DHCPv6 server as it either leases addresses to all or nothing. Couldn't find a way of only releasing the static entries so ended up with static IPv6 addresses for just the servers I wanted. Everything seems to be OK for now. Thanks all for your replies and help.
  • Split a /60 between interfaces on pfSense and downstream L3 switch

    12
    0 Votes
    12 Posts
    3k Views
    CNLiberal
    I got caught up in work and dropped this for a while. I'm back now and I've made a little progress. Xfinity / Comcast is giving me a /60 (16 /64 subnets). I have the LAN interface tracking WAN using hex 0. This gives my LAN the address of 2601:abc:abcd:fd00:a236:9fff:fef2:383a. This is the last 0 in fd00. I want to pass down to my layer 3 switch a /61 to split among the other VLANs/subnets on that switch. FYI, the L3 switch is the only device on that VLAN.

    In pfSense, I've changed to the KEA DHCP backend. In SERVICES > DHCPv6 SERVER, on the LAN interface, I see:

        PRIMARY ADDRESS POOL: PREFIX: Delegated Prefix: WAN/0 (2601:0abc:abcd:fd00::/64)/64

    In PREFIX DELEGATION POOL I'm trying to serve out a /61 (which should be 8 /64 subnets) to the downstream layer 3 switch. I ran a packet capture on the LAN interface and cleared out the IPv6 DHCP client on that VLAN/LAN interface. It looks like pfSense is only sending a single /64 address.

    I'm not sure where to go from here. I think I've got the DHCP server configured correctly. Does anyone have any thoughts on this? Thanks!
  • Floating rule to allow ICMPv6, is that the right way...

    1
    3
    0 Votes
    1 Posts
    179 Views
    No one has replied
  • Comcast IPv6 working on Linux clients, but not Windows clients

    48
    10
    0 Votes
    48 Posts
    6k Views
    M
    So, it wasn't until I got down to 0 unblocked IOT clients that the problem resolved. Meaning, the problem wasn't caused by a specific client. I went to check the IOT SSID setting in the Unifi controller. It had something called "Proxy ARP" enabled. I disabled it. Miraculously, all problems with IPv6 on the wired Windows hosts went away. This is really crazy.
  • Enabling IPv6 on OPT1 causes high CPU load

    12
    0 Votes
    12 Posts
    1k Views
    E
    Ok, I don't know if it is the action of turning off "Use if_pppoe kernel module for PPPoE client", or the subsequent required reboot, but afterwards IPv6 is working as expected. All my interfaces with enabled IPv6 are getting assigned IPv6 addresses and the "readjusting of services" only happens when I change a rule on the firewall or pfBlockerNG reloads on its schedule.
  • IPv6 ICMP rule review

    9
    1
    0 Votes
    9 Posts
    1k Views
    A
    @SteveITS Thanks, I will remove those rules.
  • Manually setting the Interface ID in "DHCPv6-PD over PPPoE" configuration

    1
    0 Votes
    1 Posts
    285 Views
    No one has replied
  • Filter an IPV6-address not possible !!?? :(

    4
    1
    0 Votes
    4 Posts
    834 Views
    patient0
    @louis2 said in Filter an IPV6-address not possible !!?? :(:

        No idea why I had this trouble! Note that I still can not enter an address where the text states 'alias or address'

    Mmmh, if I set the 'Address Family' to 'IPv6' it does work for me (but not if set to 'IPv4+IPv6')
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.