To do this, shut down pfsense and disconnect the WAN cable.
Reboot and start Packet Capture.
Plug in the WAN cable.
After a couple of minutes, download the capture file and post it here.
@gertjan I applied it to all interfaces in a floating rule. Why not, right? Yeah, it's an alias. Netflix was sort of sneaky by not blocking everything. Had me fooled for a minute there. I also handed out static IPv6 addresses to everything connected to the pfsense, including my XMPP chat server and phone server. Interestingly, that totally fixed NAT issues like broken video and broken voice, even when only one side of the conversation was on IPv6 and the other side was on IPv4. That's the main reason I want everyone to transition to IPv6. No more NAT. No more buying a public IP for every server. No more need for STUN, ICE, Jingle, WebRTC, TURN servers or crap like that.
@wbond
Ok, great.
The dull thing about "ISP router in router mode" is: it should work, as my he.net IPv6 tunnels are all up right now @work and also the one @home.
I'm using the he.net POP in Paris.
Note: he.net is supplying me with IPv6, as my ISP doesn't know what that is (@work) - or, @home, they just supply one /64, so none are available for the LANs.
Btw: always check the tunnel status. And if in doubt, the forum on he.net.
My understanding is that ULA is not 100% like RFC1918 - there is actually another range of IPv6 addresses for that.
Not that I'm aware of. ULA is the same as RFC1918 in that it's routable, but not allowed on the Internet. However, you can't have a VPN over the Internet that uses ULA on either end. VPNs can certainly carry ULA though, just as they can RFC1918.
Thank you all for your answers and discussion. Unfortunately it's a "real problem". There is a person who I trusted before, but this person is now under suspicion for a bad deed. While changing my passwords (way too late I did that) I saw a login to my personal account that was definitely not made by myself. It's possible that that person had an auto login, but I also had the hunch this person spied on my personal mailbox (which is of great concern because I was in touch with official entities). Well, I think the chance is quite low that I forgot to log out somewhere and that that device has the same /56 prefix as that person. So I can just hope that was an auto login or that person did not find anything. Thank you all.
@jknott
I know you can use WAN and LAN, but that doesn't help if you want to allow a rule for a client inside the IPv6 pool.
My address for WAN may be 1111:2222:3333:4444:AAAA:BBBB:CCCC:DDDD, but my client may be 1111:2222:3333:4444:AAAA:BBBB:CCCC:FFFF. So, I need my firewall to point to the FFFF address in the forward, and if my IPv6 address changes, then I have to manually go into the firewall and update them.
Good. That setting allows you to choose whatever size prefix you want, up to whatever your ISP provides. So, if you choose 64, then you only get a single /64.
I also have a /56, with a /64 assigned to my main LAN, guest WiFi, test LAN, a downstream Cisco router and I can then route another /64 to the Cisco router.
With IPv6, you get gazillions of addresses, so no need to worry about how many you use.
I'm a lot luckier with my ISP. They've been providing native IPv6 for about 6 years and via 6to4 and 6rd tunnels for a while before that. They are also my cell phone carrier so not only does my phone get an IPv6 address, but so do devices I tether to it. Also, my IPv4 address is virtually static and the host name depends on my hardware MAC addresses, so I have no problems with connecting my VPN to my network.
My IPv4 address is virtually static, but my host name is based on modem and router MAC addresses. If I change hardware, the host name will change. If I change my router or its NIC, my address will change. On IPv6, my prefix has survived modem and complete replacement of the box I run pfsense on. I suspect it might take a nuke or two to change it. 😉