• IPv6 configuration for LAN only when no IPv6 from ISP?

    0 Votes
    12 Posts
    1k Views
    JKnottJ
    @johnpoz said in IPv6 configuration for LAN only when no IPv6 from ISP?:
        name 1 resource just 1, that your typical user would need ipv6 to access?
    As I mentioned, there are many who are stuck behind CGNAT. They cannot connect to their networks from outside.
  • fe80::/16 not included in interface networks?

    0 Votes
    31 Posts
    4k Views
    O
    @johnpoz I originally used fe80::/16, which you told me was incorrect (which is true... it should be fe80::/10 like you mentioned). But then you said this:
        An alias for any specific "net" using the space of /16 wouldn't be a specific net, it would be a huge chunk of the whole space FE80::/10, where did you come up with using /16 anyway?
    The way I interpreted that, was that using /10 also wasn't ideal, and using a /64 would use less space (and would be closer to a * net). Both /64 and /10 work, so I can update the Redmine ticket if you think /10 should be the correct default.
    224.0.0.0/3 is the multicast address space. Originally I created individual rules for each specific address, but decided to "simplify" doing that and instead creating an alias that included the entire multicast address space. My alias is called MULTICAST_SUBNET, and includes the network of 224.0.0.0/3 which is technically correct right? I use more than just mDNS requests fall into that subnet. But you are 100% correct that I should update that ticket and make it 224.0.0.251, since that is unique to mDNS and is the only destination required for Avahi.
    Something else related to this thread... some of my devices on some VLANs make requests for SSDP. They have an IPv4 destination of 239.255.255.250. However, IPv6 traffic is blocked by default unless this rule is created:
        source: fe80::/10
        destination: ff02::c
        Port: 1900
    Another example would be the same source and destination above, but for port 3702 which is WSDD (used by a Windows 10 device). These are examples of traffic where I would assume (incorrectly based on your feedback) the * net source rule to cover when IPv6 is enabled on a network.
    And no offense taken. I'm far from an expert here. I've already solved this myself, although you may see the way I've done it is less than ideal. I created this post to hopefully help others.
  • WAN_DHCP6 Pending - Pfsense 2.5.2

    0 Votes
    14 Posts
    2k Views
    GertjanG
    @thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:
        but the dpinger command uses -B "Gateway Address" as an option
    Not a gateway. Type dpinger without any options, and you see what it wants: the local address to bind to:
        bind (source) address
    Like "192.168.1.1" if you want to "dpinger" to a device on your LAN (seems absurd, but I do just that). So it knows from what address (and interface) to start pinging from.
    @thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:
        for the Hurricane Electric Tunnel -B address is different to the final ping target at the end..
    he.net gives us static IPv6's for "our side" and their side:
        2001:470:1f12:5cx::1/64 == their side
        2001:470:1f12:5cx::2/64 == pfSense side.
    Thus "2001:470:1f12:5cx::2" is the address used for dpinger == the address to bind to.
    Btw: here is the "GIF" tunnel info:
        gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480
            description: HeNetv6
            options=80000<LINKSTATE>
            tunnel inet 192.168.10.3 --> 216.66.84.42
            inet6 2001:470:1f12:5cx::2 --> 2001:470:1f12:5cx::1 prefixlen 128
            inet6 fe80::215:17ff:fe77:d119%gif0 prefixlen 64 scopeid 0xa
            groups: gif
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    I do have a "fe80::215:17ff:fe77:d119" but it's not used anywhere..
  • DynDNS IPV6 IP mismatch error

    0 Votes
    2 Posts
    671 Views
    T
    @tarbash Results match is as follows: good %IP%|nochg %IP%
  • 0 Votes
    2 Posts
    541 Views
    JKnottJ
    @code4food23 It means you have to assign an address to the interface. With SLAAC, addresses are created automagically.
  • dhcp6c ip renew problem

    0 Votes
    5 Posts
    1k Views
    Bob.DigB
    @lordsandwurm I made a cronjob in pfsense to reboot it every night, that mostly fixed it for me. I wish that wouldn't be necessary...
  • Slow IPv6

    0 Votes
    1 Posts
    532 Views
    No one has replied
  • CISCO ip route to pfsense

    0 Votes
    2 Posts
    615 Views
    johnpozJ
    @chrisjmuk did you create that route via the gui, with gateway setup? or trying to just add the route from the cmd line?
  • IPv6 DHCPv6 Delegation Range

    0 Votes
    8 Posts
    1k Views
    S
    @ethereal said in IPv6 DHCPv6 Delegation Range:
        @bob-dig probably his setup is a bit more complex and using the firewall as firewall - rather than a router for his lan.
        @simple0ne I have a similar setup at home and I was thinking to go ahead and try to implement it. Will give it a go next weekend or so.
    @Ethereal sounds good. I will get back to testing this further in the next few days hopefully, so I'll let you know if I discover anything interesting.
    @Bob-Dig, yep two use separate use cases. One is where the firewall is basically already just serving as firewall (+ proxy for some services on IPv4) as @Ethereal mentioned. The second scenario is actually a little different and has two flavours (though they are quite similar to each other):
        The pf is serving as the outside firewall of a dual vendor DMZ, but the pf is also providing some services to devices/networks living within the DMZ.
        Similar to the first, but the pf is the only firewall, but is providing some services to downstream clients.
    There are a few networks, each with a lot of WAPs (that are actually routing) on them, which are managed separately, but wish to have IPv6 routed to them for allocation to wireless clients. Part of the problem here isn't purely technical, it's that the administrative domains for different devices/parts of the network are owned by different parties. This makes for some additional headwinds when it comes to adopting wider changes that could make everything a bit easier to resolve.
  • Block fc00::/7 out WAN just like RFC1918?

    0 Votes
    10 Posts
    1k Views
    O
    @bob-dig said in Block fc00::/7 out WAN just like RFC1918?: @jknott said in Block fc00::/7 out WAN just like RFC1918?: Yep. My ISP's gateway has a link local address. Mine too. Mine three.
  • 0 Votes
    10 Posts
    2k Views
    C
    @jimp I believe I had set it to DHCPv6 only but what is the setting I need to disable SLAAC?
  • IPv6 and ICMP

    0 Votes
    4 Posts
    822 Views
    JKnottJ
    @jpvonhemel You might want to allow ping. Most of the ICMP6 stuff is used on the local LAN and on the WAN side, pfsense is the "client". As for sparse addresses, the standard LAN size is a /64, which has as many addresses as the entire IPv4 address space squared. In that huge space, you might have a few dozen working addresses at any time, most of which are temporary. Bottom line, you're not much of a target. Did that test site list which ICMP6 it was testing?
  • Why are the default RA intervals and lifetime values so low?

    0 Votes
    6 Posts
    1k Views
    O
    @viktor_g I created a redmine ticket for this here: https://redmine.pfsense.org/issues/12280
  • Comcast Metro-Ethernet Fiber w/Static IPv6- can't get to work

    0 Votes
    8 Posts
    2k Views
    JKnottJ
    @jbattermann I haven't done load balancing, so I can't help with that. Are you saying you have 2 prefixes on the LAN side of one network? Also, load balancing on the WAN side shouldn't have any effect on the LAN.
  • IPv6 only GRE Tunnel

    0 Votes
    3 Posts
    448 Views
    A
    thank you!
  • 0 Votes
    1 Posts
    386 Views
    No one has replied
  • ipv6 router behind router (static)

    0 Votes
    2 Posts
    555 Views
    JKnottJ
    @xyz By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that. BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.
  • GIF Tunnel & Disconnected IPv4 WAN Filling State Table

    0 Votes
    1 Posts
    325 Views
    No one has replied
  • IPv6 IP Stuck

    0 Votes
    2 Posts
    527 Views
    JKnottJ
    @chrisjmuk ::1 is the loopback address, just like 127.0.0.1 with IPv4. If you ping that address, the ping won't leave the device you're on. For this sort of thing, you could use the link local address, if you don't have global or unique local addresses available. Link local addresses start with fe80:.
  • IPv6 LAN to WAN NAT

    0 Votes
    11 Posts
    1k Views
    C
    @jknott found the issue, was stuck in the state, needed to clear. Another issue is that I can't ping a certain IP on my Cisco and it can't ping the pfsense, ::1 but can ping ::20, no idea why.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.