@Gertjan

This does it!

Thank you all, you are may today's champions! 🎖

I ultimately suspected as much myself, which is also why I haven't taken any further action yet. It's now a question of when I feel like sitting on the phone with AT&T support for however long it takes to convince them to send me a new gateway and then taking the time to configure one from scratch to my liking. It seems like the final outcome is, like @ronv42 said, that the NVG589 is just far too obsolete at this point, and the solution is to replace it.

@smaxwell2 said in IPv6 NDP Incomplete:

So pretty sure my issue lies within my Windows configuration, though I stand to be corrected.

Your 'Windows' devices are like mine : you never changed anything in the 'Network' setup of your devices.
They came with DHCPv4 and DHCPv6 client activated.
There is/was never a need to change anything.

@smaxwell2 said in IPv6 NDP Incomplete:

My ISP provides me IPv6 on the WAN and delegated me a /56

I have my LAN configured within pfSense to "Track Interface" (WAN

Like me.
I assigned prefix ID '0' ion the LAN interface :

2754f99d-c6dc-4ac1-9a8d-69be1d3187d6-image.png

And .... I've set up the DHCPv6 server - like the DHCPv4, for my LAN :

2207d61e-7010-4f74-b7f2-54116f2f5571-image.png

and since I did this (years ago), all my LAN device that are IPv6 capable receive a IPv6 Lease in the ::2 to ::86 range.

Because I'm old and stupid, I also gave most of all my device a DHCPv6 Static DUID Lease. This means that all my device always get the same IPv6 GUA.

C:\Users\Gauche>nslookup diskstation2 Serveur : pfSense.bhf.tld Address: 2a01:cb19:907:xxxx:yyyy:77ff:fe29:392c Nom : diskstation2.brit-hotel-fumel.net Addresses: 2a01:cb19:907:xxxx::c2 192.168.1.33

I actually never (had to) looked at the NDP table page

I can see on the DHCP Logs page that IPv4 and IPv6 are getting renewed :

a167e7a1-58a5-47ea-85d7-c3179191b4d5-image.png

Btw : I use ISC, not Kea.

@patrickdickey52761 said in Verizon 5G Home Internet:

That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.

I'm dragging up the old thread because I'm in this same position, except I'm not using IP/IPv6 passthrough. Here is a picture from my Verizon Internet Gateway of the IPv6 configuration page

See the above that I wrote earlier. Cell networks generally don't provide DHCPv6-PD to connected devices. This means pfSense cannot provide IPv6 to the LAN side.

@JKnott said in BTnet IPv6 Configuration:

How does your ISP provide IPv6? Most use DHCPv6-PD, which provides your LAN prefix.

The provide a /56. This gives 256 /64 subnets.

The first /64 is setup on the router with router announcements. So for a single vlan with no firewall, you can just connect to the router.

Then the whole /56 (minus the first /64) is routed to the ::5 address of the first /64. So if you need a firewall, fancier routing or have multiple vlans, then you just need to put a router on the ::5 at add other /64 to interfaces as you like.

DHCPv6 PD is the modern way to do this - you do a DHCP request for a whole /64 subnet to use. This is cool, but not supported by my ISP (a BT or BTNet leased line). The static route way is totally find for my needs.

@smk

Here are a couple of other points:

A WAN interface doesn't actually need a public address. With IPv6, routing is often done with the link local address.

That /128 prefix length means there's no actual subnet there. That address is nothing more than a label for your router.

@johnpoz

Somewhat thought that I already made some publicity for he.net here .. but it was somewhere else.

@bmeeks

@bmeeks said in IPv6 Multi-LAN Problem:

My ISP moved me behind CGNAT

That, NAT, shouldn't break the tunnel to the HE pop, but he.net has a condition : your 'WAN IPv4' as seen by them must answer to ICMP (ping). And yous doesn't .... so it's game over for you.
For me, he.net isn't possible anymore for another reason : my new "state of the art newest ISP router" that has an ONT integrated for the fiber access can't handle the '6in4' protocol (41), so pfSense can't connect to the he.net pop server 😰

6in4 isn't ICMP (1), isn't TCP (6), isn't UDP (17), neither GRE (4) but something else.
So, I contacted them. This took me weeks to get in contact with someone who could actually understand my question.
They : We've dropped protocol 41 support on our newest models because ... here it comes .... We, Orange, in France (10+ million subscribers) are now proposing IPv4 and IPv6.
Me : Yeah, right, but your IPv6 for my usage is broken !?
They : You have a static IPv4 and your IPv6 works, I can see that from here.
Me : Yeah, sure, but as the (my) subscription implies : I'm using the Pro subscription as I'm a company, I would like to actually use the /56 as advertised. Your router, needed to connect to the Orange fiber, only has one (1) LAN, and I have a company with several LAN's - not just one.
They : Wow, what ? Multiple LANs ? But that's not supported.
Me : I have that covered : I chained on to a pfSense router, and it wants prefixes - your (my) prefixes.
They [10+ minutes on hold, waiting while listing Cherry FM] : Right, there is a issue that only one prefix gets announced by our router.
Me : Then why announcing /56 as only one /64 works ?

Then they told me to do what others already do : "ditch our ISP router, use an FTP RJ45 to Fiber plug", as my 4100 supports such a connection, create some serious DHCP 4 and 6 options and behold, now I can tap into the full IPv6 /56 advertised. Champagne !

Of course, I'll loose all the ISP "TV" facilities and/or phone support (one phone line, but who cares, we have 6 lines on a PABX), I don't need these.

So, I - and many, many other, are waiting for the router update that delivers us the needed IPv6 support.

edit : let it be known : In France, ISP Orange : less people then you have fingers on your hand know that there is more then "UDP" and "TCP" ....

I could tell my routing tables were screwed up, but I didn't really know why.

After a while, I stumbled on the System/Routing/Gateways settings and noticed the "Default gateway IPv6" was set to "none."

After setting it to WAN_DHCP6, it started working. I'm not sure how that got screwed up, given that my clients were working before.

@JKnott said in IPv6 subnet lan vs wan:

Another issue might be how he's connected.

Correct. And also it is an issue what device manage the connection between pfsense and ISP. A device in modem mode or one in router mode. A device in router mode must also support the prefix delegation to devices in its subnet. Not all do provide that. For example the Draytek Vigor 167 provide router mode and modem mode. But the router mode does not support prefix delegation to devices in the subnet. So for prefix delegation the Vigor 167 needs to be in modem mode then the pfsense will manage the prefix delegation, or it wont work.

@keyser said in IPv6 questions (interface address, firewall rules for slaac hosts, GUA/ULA RA):

@JKnott There is experimental support for that in 23.05 as well now - Havent tried it yet though.

This is an old thread, but wanted to say thanks for the reminder. I was trying to timed-block Internet on my son's Chromebook, but have no control over the school-managed OS, and being Android it doesn't use DHCPv6. Scheduled rule to pass, rule to block, both based on MAC.

@JKnott I cannot answer your question "why?"... :)
But I can report that here in Germany ISPs I know do that as well. Maybe not every 24 hours, but often enough that using those prefixes breaks everything after a change. So: don't know why they still do it (I guess it's just another dumb implementation of v6 as seen so often), but they do it anyways....
That's why I use those global prefixes that change thanx to my German ISP as well as my "own"(not changing) unique locals....for rules and such.
It's depressing but that how some big players really make it tedious to use v6 in my opinion...

@snipleeagle8

As I mentioned, it normally happens with SLAAC in the router advertisements. I have never used DHCPv6 on the LAN side, but I expect it would be the same. Are you using SLAAC or DHCPv6?

Can you do a packet capture, filtering on ICMPv6, and post the capture file here?

@Jung-Fernmelder

What you can do is use Unique Local Addresses, in addition to global addresses. You then use the local DNS to point to the ULA address, rather than GUA.

@tuanson84uk

Are those clients Android devices? They don't work with DHCPv6. Any reason you need it? I've been running IPv6 on my home network for over 14 years and have never needed it.

@JKnott
It is all Netgate. A XS708T and a couple of WAX615.

I will investigate how to make packet capture. Never done it before. It might take some time before I can post any results.

THanks.

@DataIdeas-Josh said in Force RA to send different IPv6 gateway.:

Is there a way to force the RA to send a different IPv6 rather than the pfsense's routers IP?

It's supposed to use it's own address. I'm not quite sure what you're trying to do, but you can have multiple gateways on a LAN and give them a priority, up to 3 of them. You can set priority on the Router Advertisement page.

Hi,

I was seeing the same error, mostly with this IP list: https://api.gcore.com/cdn/public-ip-list

Since ASN are currently not resolved and for reliability, I'm loading the lists from an internal repo anyway and tried my best to remove or reformat "problematic" IPs - without success.

Then I had a closer look at /usr/local/share/pear/Net/IPv6.php and compared it to the public source. It seems that, at least in my case with pfBlocker 3.2.0_8 on CE 2.7.2, the file is missing an old fix for this problem:
https://github.com/pear/Net_IPv6/commit/70080426d3ac9da4908f9277824694e5eda68985

After changing line 684 from $fill = str_repeat(':0:', 6-$c2-$c1); to $fill = str_repeat(':0:', max(1, 6-$c2-$c1));, the error is gone.

@JKnott said in WAN with /64 Delegation:

BTW, I've had the same prefix for around 5.5 years.

I have the same prefix since my parents met. 😉

@Bob-Dig said in IPv6 tunnel broker websites showing in German:

french guy

Who ?
There are some here.