@uzairali001 said in How do I configure ipv6 on pfsense: Set DHCPv6 Prefix Delegation size to 64 Set that to whatever the ISP provides. Mine gives me a /56. DHCPv6 Server check DHCPv6 Server Use SLAAC unless you need DHCPv6. Assisted I have unmanaged.

@j-koopmann With SLAAC, you have 1 address that's consistent and up to 7 privacy addresses, with a new 1 every day. You configure DNS for the consistent address. If your ISP does not provide a consistent prefix, you can use ULA addresses, in addition to GUA, to have a consistent address for DNS. '

@virgiliomi One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

@shootify You don't have to use a DHCPv6 server on the LAN. As I mentioned, Android devices won't work with it. SLAAC does all you need, unless you have a specific requirement that needs DHCPv6. I have both GUA and ULA here and only use SLAAC.

@johnpoz One work around for those with changing prefixes would be to use Unique Local Addresses, as I describe here. Then they could still use DNS to point to local addresses.

@jknott Windows doesn't use configured DNS servers in order, it remembers the "last success" and prefers that one. It's not new in W10. People get in trouble all the time by listing their domain controller IPs first and public DNS "as a backup" and end up having network problems when the PC can't find the domain on the public DNS. @cmcqueen Can you ping the router LAN IPv6 when in the "bad" state? This is probably not your issue but after setting up a Hurricane Electric tunnel recently, I found the PCs could connect out over IPv6 but could not ping the LAN IPv6 nor resolve DNS until the router was restarted. Couldn't seem to duplicate it afterwards which is odder.

@dr_tech If you're actually on 2.5.0 there was this IPv6 fix in 2.5.1: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information

@dr_tech Then use those routers as APs, one on each subnet. Again, no need for routing. However, have fun with finding clear WiFi channels on 2.4 GHz.

@operations No, DHCPv6-PD is used to assign addresses and prefixes. The DHCPv6 part is similar to DHCP in IPv4, in that it provides an interface address. The PD part provides the prefix for use on the local networks. DS-Lite refers to a method for providing IPv4 over an IPv6 only network. It encapsulates the IPv4 packets in IPv6 and uses carrier grade NAT to provide the IPv4 addresses.

@johnpoz Argh! Now I see what you were referring to. I just thought you were generally wanting to confirm if I was referring to Netgear or Netgate. NETGEAR support stinks. I never reached out to NETGATE because I don't think the problem is the 8860 or pfSense. Ugh.... I tried to edit the post but says too much time has elapsed. Can you edit, John? Netgate support is great the few times I have reached out!!! :P

@vabello It would be nice if the guide for installing pfsense on Hyper V included this issue. I have run into it and trying basically everything in this thread and whatever sleuthing turns up to get these errors to go away. I am working with Hyper V 2019 and the NICs (for now) are Intel X722 (10 Gbe) ones. I know the physical NICs have VMQ enabled (power shell command spit that out). The console messages though were for two virtual devices and it kept spamming (so I was unable to continue setup after initial install from iso). If I figure anything out, I will share it.

@evolve-0 I don't see that being a problem. No matter how the random number is generated, duplicate address detection is used to avoid collisions. As long as there is a 64 bit random number, it's actual value is irrelevant. If it matches with an address on a different subnet, so what? The prefix will be different, so the address will still be unique. I think some people worry too much about "privacy". While there may be some concern about tracking people where they go through their MAC address, there's no reason to worry about it for the stable address. It would only be used for reaching a computer, so the address must be known. If it's always in one location, then there's nothing to track. Further, once you're off the local network, there's no way to tell if it's a MAC or random number based address.

Nope. Solution for tonight is just disable IPv6 completely and live in IPv4 land. Thankfully this is a small network, I can reboot (or release/renew, or disconnect/reconnect) everything pretty quickly. I'll try non-VLAN, non-LAG ports tomorrow.

Many years ago, ther were question like this https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module?_=1622934995649 These days, the package pfBlockerNG can work with lists of AAAA domain names, that can be blocked (no AAAA returned on a DNS request) so the A record gets used == IPv4.

For my site the issue has been resolved now. Been running smoothly for more than a week after increasing Router Lifetime in services_router_advertisements.php?if=lan

@jknott It is a router for around 100 bucks. It only has one switch and one guest network, so the rest will get passed on I guess.

@sts-134 You allow only what you want to. In this case, I didn't want to block anything. On the other hand, my guest WiFi VLAN is configured to allow only pinging the interface or going out to the Internet. [image: 1621939830548-c703fd7b-51cd-4e17-8cd4-8bd8d81345ed-image.png]