@jpvonhemel You might want to allow ping. Most of the ICMP6 stuff is used on the local LAN and on the WAN side, pfsense is the "client". As for sparse addresses, the standard LAN size is a /64, which has as many addresses as the entire IPv4 address space squared. In that huge space, you might have a few dozen working addresses at any time, most of which are temporary. Bottom line, you're not much of a target. Did that test site list which ICMP6 it was testing?

@viktor_g I created a redmine ticket for this here: https://redmine.pfsense.org/issues/12280

@jbattermann I haven't done load balancing, so I can't help with that. Are you saying you have 2 prefixes on the LAN side of one network? Also, load balancing on the WAN side shouldn't have any effect on the LAN.

thank you!

@xyz By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that. BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.

@chrisjmuk ::1 is the loopback address, just like 127.0.0.1 with IPv4. If you ping that address, the ping won't leave the device you're on. For this sort of thing, you could use the link local address, if you don't have global or unique local addresses available. Link local addresses start with fe80:.

@jknott found the issue, was stuck in the state, needed to clear. another issue is that i can cant ping a certain ip on my cisco and it cant ping the pfsense, ::1 but can ping ::20 no idea why.

@uzairali001 said in How do I configure ipv6 on pfsense: Set DHCPv6 Prefix Delegation size to 64 Set that to whatever the ISP provides. Mine gives me a /56. DHCPv6 Server check DHCPv6 Server Use SLAAC unless you need DHCPv6. Assisted I have unmanaged.

@j-koopmann With SLAAC, you have 1 address that's consistent and up to 7 privacy addresses, with a new 1 every day. You configure DNS for the consistent address. If your ISP does not provide a consistent prefix, you can use ULA addresses, in addition to GUA, to have a consistent address for DNS. '

@virgiliomi One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

@shootify You don't have to use a DHCPv6 server on the LAN. As I mentioned, Android devices won't work with it. SLAAC does all you need, unless you have a specific requirement that needs DHCPv6. I have both GUA and ULA here and only use SLAAC.

@johnpoz One work around for those with changing prefixes would be to use Unique Local Addresses, as I describe here. Then they could still use DNS to point to local addresses.

@jknott Windows doesn't use configured DNS servers in order, it remembers the "last success" and prefers that one. It's not new in W10. People get in trouble all the time by listing their domain controller IPs first and public DNS "as a backup" and end up having network problems when the PC can't find the domain on the public DNS. @cmcqueen Can you ping the router LAN IPv6 when in the "bad" state? This is probably not your issue but after setting up a Hurricane Electric tunnel recently, I found the PCs could connect out over IPv6 but could not ping the LAN IPv6 nor resolve DNS until the router was restarted. Couldn't seem to duplicate it afterwards which is odder.

@dr_tech If you're actually on 2.5.0 there was this IPv6 fix in 2.5.1: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information

@dr_tech Then use those routers as APs, one on each subnet. Again, no need for routing. However, have fun with finding clear WiFi channels on 2.4 GHz.

@operations No, DHCPv6-PD is used to assign addresses and prefixes. The DHCPv6 part is similar to DHCP in IPv4, in that it provides an interface address. The PD part provides the prefix for use on the local networks. DS-Lite refers to a method for providing IPv4 over an IPv6 only network. It encapsulates the IPv4 packets in IPv6 and uses carrier grade NAT to provide the IPv4 addresses.