• Wan uses wrong IPv6 address

    0 Votes
    8 Posts
    1k Views

    @mikev7896 My problem is that my ISP sends multiple /64 IP prefixes with its RAs although DHCPv6 is used.
    pfSense then takes these prefixes and configures multiple WAN addresses. The problem is now that not all of these addresses work.
    My idea was then to switch off the address autoconfiguration on WAN, but I don't know exactly how I can do that.

  • Firewall rules for IPV6 track interface.

    0 Votes
    19 Posts
    2k Views
    the other

    @steveits
    Hey there and thanks for your reply.
    That is what I thought.
    So, there must have been some rule responsible for this issue. Since the screenshots of WAN and LAN did not show any such rule, I figured there must have been other rules...
    Just uninstalling pfblockerng solving the problem seems strange otherwise.
    Just trying to understand this issue.

  • IPv6 WAN Gateway monitoring reports 100% packet loss

    0 Votes
    36 Posts
    7k Views

    @vortex21

    Hi, I reconfigured my network yesterday to eliminate the pfSense WAN connection being on a VLAN on the external network port. The WAN interface is now the physical interface card, and my problem of IPv6 WAN Gateway monitoring reporting 100% loss no longer occurs.
    So it appears the problem was related to the use of a VLAN.

  • "Reuse" the same LLA IPv6 Address for VLAN VIPs?

    0 Votes
    1 Posts
    392 Views
    No one has replied
  • Add ULA DNS address to DHCPv6/RA *and* the dynamic GUA address?

    0 Votes
    9 Posts
    1k Views

    Oof, maybe I am just an idiot. I finally looked at /var/etc/radvd.conf:

    interface igc0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 200;
        MaxRtrAdvInterval 600;
        AdvDefaultLifetime 1800;
        AdvLinkMTU 1500;
        AdvDefaultPreference medium;
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        prefix [COMCAST-PREFIX]::/64 {
            DeprecatePrefix on;
            AdvOnLink on;
            AdvAutonomous on;
            AdvValidLifetime 86400;
            AdvPreferredLifetime 14400;
        };
        prefix fd0f:f5b9:d3f9:3068::/64 {
            DeprecatePrefix on;
            AdvOnLink on;
            AdvAutonomous on;
        };
        route ::/0 {
            AdvRoutePreference medium;
            RemoveRoute on;
        };
        RDNSS fd0f:f5b9:d3f9:3068::1 {
            AdvRDNSSLifetime 1800;
        };
        DNSSL [DOMAIN] {
            AdvDNSSLLifetime 1800;
        };
    };

    Sorry for wasting your time! It looks like pfsense's configuration "does the right thing" in radvd.

  • [bug] Not showing what it's supposed to

    0 Votes
    3 Posts
    496 Views

    @jimp I get it, sorry for the misunderstanding

  • IPv6/DHCP6 Permission Denied

    0 Votes
    12 Posts
    3k Views
    JKnott

    @dvonhand

    Once again, you need packet captures, to see what's happening.

  • IPv6 RA Question

    0 Votes
    3 Posts
    832 Views

    @jknott

    Yeah, after doing a bunch of research and reading some IPv6 RFCs I decided to just use unmanaged. Everything is working good and I got to turn off the DHCPv6 server. One less thing I have to deal with.

  • After IPv6 prefix change no IPv6 connectivity on Windows host

    0 Votes
    2 Posts
    579 Views
    Bob.Dig

    @bob-dig said in After IPv6 prefix change no IPv6 connectivity on Windows host:

    Maybe the default lease times for IPv6 should be drastically shortened on any interface which uses "track".

    Another way to tackle that would be to use NPt I guess. So it would be great for that, if pfSense allows to use Track Interface in the NPt options directly instead of only using it for "physical" interfaces.


  • No IPv6 WAN connectivity on pfSense box itself -- LAN works fine.

    0 Votes
    11 Posts
    1k Views
    JKnott

    @skilledinept

    If you want to connect to the firewall with a VPN, etc., you can use another interface address, such as the LAN.

    Perhaps if you mentioned your ISP, someone else might be able to help.

  • How to configure DHCPv6 server for downstream routing?

    0 Votes
    2 Posts
    1k Views

    Update: I did some more reading on these forums and found this discussion from a few months ago that contained the solution.

    I need to specify the whole prefix delegation range allocated to me by the ISP:
    screenshot_dhcpv6_working.png

    As far as I know it's not possible to automatically update this prefix delegation range if the ISP decides to change it; I'll have to update it manually if that ever happens. Please correct me if this statement is wrong...

    Consider this question answered. Will leave the post up in the hopes that it will serve as a template / tutorial for others trying to do the same thing in the future.

  • Multiwan v6

    0 Votes
    5 Posts
    970 Views

    @jknott I didn't upgrade because of the issues with Intel NICs and the AT&T fiber bypass on 2.6.x.
    Apparently, fixed drivers aren't going to be provided till 2.7, so I'm holding off till then. Having my primary connection working is more important than having the latest version.

  • Some websites do not access (PPPoE + IPv6 | Vivo Fibra Brasil)

    0 Votes
    2 Posts
    540 Views
    JKnott

    If some sites work, but others don't, it's not likely a pfSense issue. What comes to mind is the site has an IPv6 address, but it's not working properly. However, in that case, it should time out and switch to IPv4.

    Can you do a packet capture of what happens when those sites fail?

  • IPv6 issues after reinstallation

    0 Votes
    3 Posts
    939 Views
    junicast

    @junicast
    To whom it may concern.

    We just migrated to different hardware and the original problem with reloading firewall rules is now resolved big relief.
    Actually it happened again. I suspect the Intel X170 are just bad and the update to pfSense 2.6 triggers this problem.

    Jun 30 10:24:05 fw3-rx kernel: ixl0: Interface stopped DISTRIBUTING, possible flapping

    The other problem persists. Neighbor discovery fails and the reason is that the primary firewall uses its Global Unicast address in the source field instead of the Link Local address. That was not the reason. We observed other occurrences of NDP using UGA as source and those worked.

    At first I thought some NAT rules might be the reason for that but after deactivation the problem persists.

    I checked that all interfaces have a Link Local address assigned so that also isn't the reason.

    Does someone have an idea under what circumstances this might happen?

    Edit:
    We contacted Netgate about it. They think this might be an actual FreeBSD bug. They do now have a solution, yet.


  • NDP table not showing Hostname

    0 Votes
    12 Posts
    2k Views
    NogBadTheBad

    @jimp Working fine here too 👍

  • IPv6 Bug ::1 notation do not work

    0 Votes
    13 Posts
    1k Views
    Bob.Dig

    @hsv I noticed problems with IPv6 too, but for me these are not general but individual to an interface. For example, because mine is virtual and I deleted a "faulty" interface, added a new one and problem was gone (new MAC address etc.). So maybe try this for your installation too, if you can.

  • How to correctly setup static IPv6?

    0 Votes
    6 Posts
    658 Views
    NogBadTheBad

    @jbattermann I used :1::1/64 as the gateway address and the following in the RA section as I have Apple devices :-

    Screenshot 2022-06-24 at 20.00.36.png

  • 0 Votes
    1 Posts
    655 Views
    No one has replied
  • 0 Votes
    13 Posts
    3k Views
    luckman212

    When this used to be a problem for me, I added the 192.168.100.x IP to the dhcp ignorelist so pfSense would not accept it when offered by the ISP CPE. This definitely helped.

  • 0 Votes
    9 Posts
    8k Views
    JKnott

    @jknott said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

    There are 256 possible prefixes within that /48. You use the other prefixes for other interfaces.

    My mistake. That should be 65536, not 256. Better have another beer. 😉

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.