thank you!

@xyz

By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that.

BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.

@chrisjmuk

::1 is the loopback address, just like 127.0.0.1 with IPv4. If you ping that address, the ping won't leave the device you're on. For this sort of thing, you could use the link local address, if you don't have global or unique local addresses available. Link local addresses start with fe80:.

@jknott found the issue, was stuck in the state, needed to clear.

another issue is that i can cant ping a certain ip on my cisco and it cant ping the pfsense, ::1 but can ping ::20 no idea why.

@uzairali001 said in How do I configure ipv6 on pfsense:

Set DHCPv6 Prefix Delegation size to 64

Set that to whatever the ISP provides. Mine gives me a /56.

DHCPv6 Server check DHCPv6 Server

Use SLAAC unless you need DHCPv6.

Assisted

I have unmanaged.

@j-koopmann

With SLAAC, you have 1 address that's consistent and up to 7 privacy addresses, with a new 1 every day. You configure DNS for the consistent address. If your ISP does not provide a consistent prefix, you can use ULA addresses, in addition to GUA, to have a consistent address for DNS.
'

@virgiliomi

One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

@shootify

You don't have to use a DHCPv6 server on the LAN. As I mentioned, Android devices won't work with it. SLAAC does all you need, unless you have a specific requirement that needs DHCPv6. I have both GUA and ULA here and only use SLAAC.

@johnpoz

One work around for those with changing prefixes would be to use Unique Local Addresses, as I describe here. Then they could still use DNS to point to local addresses.

@jknott Windows doesn't use configured DNS servers in order, it remembers the "last success" and prefers that one. It's not new in W10. People get in trouble all the time by listing their domain controller IPs first and public DNS "as a backup" and end up having network problems when the PC can't find the domain on the public DNS.

@cmcqueen Can you ping the router LAN IPv6 when in the "bad" state? This is probably not your issue but after setting up a Hurricane Electric tunnel recently, I found the PCs could connect out over IPv6 but could not ping the LAN IPv6 nor resolve DNS until the router was restarted. Couldn't seem to duplicate it afterwards which is odder.

@dr_tech If you're actually on 2.5.0 there was this IPv6 fix in 2.5.1: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information

@dr_tech

Then use those routers as APs, one on each subnet. Again, no need for routing. However, have fun with finding clear WiFi channels on 2.4 GHz.

@operations

No, DHCPv6-PD is used to assign addresses and prefixes. The DHCPv6 part is similar to DHCP in IPv4, in that it provides an interface address. The PD part provides the prefix for use on the local networks. DS-Lite refers to a method for providing IPv4 over an IPv6 only network. It encapsulates the IPv4 packets in IPv6 and uses carrier grade NAT to provide the IPv4 addresses.

@johnpoz Argh! Now I see what you were referring to. I just thought you were generally wanting to confirm if I was referring to Netgear or Netgate.

NETGEAR support stinks. I never reached out to NETGATE because I don't think the problem is the 8860 or pfSense. Ugh....

I tried to edit the post but says too much time has elapsed. Can you edit, John?

Netgate support is great the few times I have reached out!!! :P

@vabello It would be nice if the guide for installing pfsense on Hyper V included this issue.

I have run into it and trying basically everything in this thread and whatever sleuthing turns up to get these errors to go away.

I am working with Hyper V 2019 and the NICs (for now) are Intel X722 (10 Gbe) ones. I know the physical NICs have VMQ enabled (power shell command spit that out). The console messages though were for two virtual devices and it kept spamming (so I was unable to continue setup after initial install from iso).

If I figure anything out, I will share it.

@evolve-0

I don't see that being a problem. No matter how the random number is generated, duplicate address detection is used to avoid collisions. As long as there is a 64 bit random number, it's actual value is irrelevant. If it matches with an address on a different subnet, so what? The prefix will be different, so the address will still be unique.

I think some people worry too much about "privacy". While there may be some concern about tracking people where they go through their MAC address, there's no reason to worry about it for the stable address. It would only be used for reaching a computer, so the address must be known. If it's always in one location, then there's nothing to track. Further, once you're off the local network, there's no way to tell if it's a MAC or random number based address.