• Deny unknown clients for DHCPv6 server

    4
    0 Votes
    4 Posts
    1k Views
    S
    I have a similar use case, namely building tenants with their own routers. Can this method (firewall rules) be used to control prefix delegation, or at least restrict access to allowed tenants? We're doing this (denying) now with IPv4, where we tell them to plug in, see the IPv4 lease request to create a static lease, after which we can create a firewall rule allowing it. Can't get the old Comcast router to give more than a /64 so I was thinking of using Hurricane to get IPv6 for the tenants.
  • 0 Votes
    27 Posts
    4k Views
    J
    @derelict Of course, it was one of the DHCPv6 messages. That makes a lot of sense. (I thought this was RA-related since as discussed before, the DHCPv6 mode is the only way aside from SLAAC to make pfSense pick the gateway from the RA message.) So we're back to not receiving the DHCPv6 messages at all. I added similar rules for DHCPv6 messages, and we just don't see them at all. But that's not an issue for this thread.
  • Some IPv6 questions (setup)

    6
    0 Votes
    6 Posts
    793 Views
    JKnottJ
    @bob-dig That's nonsense. First off, we shouldn't avoid IPv6, as that's what the world is moving to and the sooner the better. Also, I gave some suggestions that may help @MrGlasspoole with his problem.
  • Configuring multiple routable IPv6 subnets with multiple routers

    5
    0 Votes
    5 Posts
    878 Views
    JKnottJ
    @foo said in Configuring multiple routable IPv6 subnets with multiple routers: How should I have the router A, LAN A and LAN B interfaces configured to connect to router B and C? Should I use DHCPv6 or RA? Think about how you'd do it in IPv4. You set up routes to say those addresses go there. Same thing with IPv6. This is basic stuff for anyone setting up networks, whether IPv4 or IPv6.
  • RA (and therefore SLAAC) not working after updating to 2.5.0

    7
    0 Votes
    7 Posts
    2k Views
    B
    @jimp said in RA (and therefore SLAAC) not working after updating to 2.5.0: It still looks like a settings issue. If your ISP is sending you a /56 then set the delegation size on the WAN settings to match, /56. It should slice that up into /64 chunks automatically. Holy cow, really simple to fix, if you just know what to do ;) Thank you so much, this solved the issue!
  • Announcing /48 to BGP peer

    41
    0 Votes
    41 Posts
    12k Views
    johnpozJ
    Why stop there.. While they are at it - let me put a /32 on the interface.. That is the min sized prefix you get from arin ;) so you might as well let me put it on my interface - I might want to route it <rolleyes> And clearly the only way to route anything is put it on an interface..
  • IPv6 Firewall Rules

    5
    0 Votes
    5 Posts
    2k Views
    MikeV7896M
    Just like you have rule #2 preventing access to the private IPv4 range, create a rule that prevents access to your IPv6 prefix range. I'm assuming that your IPv6 prefix is static (I certainly hope it is if you have 40 VLANs). For example, if your prefix is 2001:aaaa:bbbb:cd00::/56, create a rule that prevents access to that entire address range. Now your various VLANs won't be able to communicate with each other via IPv4 or IPv6. Of course, if you use pfSense for DNS, NTP, etc., I hope you've allowed those through other rules, because that block would also prevent communication with pfSense. If you want to allow communication between two VLANs, create a single rule for both IPv4/v6, and use the "[interface] Network" selection for the destination... that will include both the IPv4 and IPv6 subnets for the VLAN that you select.
  • How to change Link Local on WAN?

    1
    0 Votes
    1 Posts
    361 Views
    No one has replied
  • No request for Prefix Delegation after WAN upstream fail

    4
    0 Votes
    4 Posts
    668 Views
    K
    Well, with apologies for the noise level, I found a "fix" - I enabled "Do not wait for a RA" on the WAN interface, rebooted the modem and now recovery is complete without having to toggle the interface. I am stumped why this makes any difference as the modem clearly is sending out RAs after its reboot. I can see from the System logs that dhcp6 client is started without RA mode - consistent with how it's now configured! :-) and sends a solicit and gets an advertise back - which then kicks the PD process off. Stu
  • IPv6 IP Alias prevents Track Interface from working with DHCPv6 and RA

    36
    0 Votes
    36 Posts
    7k Views
    A
    Works here as well
  • Dynamic IPv6 Prefix assignment issue in xDSL users

    ipv6
    45
    0 Votes
    45 Posts
    10k Views
    G
    Hi guys, I've followed this conversation quite a while and run into the same issue. For everyone who would like to have dynamic NPT address to solve this issue please find my repo here: https://github.com/gewuerzgurke84/pfSense-dynamicNptAddress I've tested it with 1 NPT mapping and 1 "Tracking" Interface with pfSense 2.5.0 and it solves my issue so far. Nevertheless I'd prefer to have this feature as part of the distribution itself as it is a requirement to get IPv6 running in a reasonable way (at least in Germany)... Best Regards, Alex
  • Thank you for the IPv6 NAT capabilities in 2.5

    44
    0 Votes
    44 Posts
    8k Views
    Bob.DigB
    @yon-0 said in Thank you for the IPv6 NAT capabilities in 2.5: how config ipv6 nat in pfsense 2.5 You do it exactly as with IPv4 (use ULAs "instead" of private IPs and don't forget outbound NAT).
  • Multiple IPv6 addresses needed on one interface. A needed configuration.

    2
    0 Votes
    2 Posts
    1k Views
    JKnottJ
    @thiamata You can add prefixes on the Router Advertisement page, but if you do that you will also have to manually add the original prefix, as for some reason it's no longer automatically added.
  • IPv6 gateway groups do not properly work

    2
    0 Votes
    2 Posts
    451 Views
    O
    @ofloo route get -inet6 default shows the correct gateway, .. I've disabled the rule from the firewall that is making it use this gateway. Still it uses the wrong interface. So I removed he.net from that gateway group. And still it uses he.net. Even when route get -inet6 default shows a different IPv6 gateway. This is not just broken, but seems impossible to me.
  • DHCP v6 - static mapping - address already in use?

    7
    0 Votes
    7 Posts
    1k Views
    MikeV7896M
    @fabrizior Nope, no setting for IAID in static mappings in 2.5.0... Sounds like a good feature request though... assuming dhcp6d has a way to use it...
  • Configuration IPV6

    13
    0 Votes
    13 Posts
    1k Views
    GertjanG
    @virgiliomi said in Configuration IPV6: Easier until you start assigning IP .......... I don't see any case where DHCPv6-PD would be desirable over a static IPv6 block. But maybe that's just me. Noop, you got a point. I have to add that I'm using a static IPv6 setup myself, as my ISP doesn't know what IPv6 is. And if they do, they come up with a single /64 or a /56 but only the first /64 is routable or ..... (whatever, their BOX has just one LAN so they don't understand the fuss - not even that some clients are actually companies and they could have more than 1 LAN ....) With he.net, the one I'm using, the price is : not the world's fastest ISP, but free and rock solid. And very static. @virgiliomi said in Configuration IPV6: My prefix was rock solid on my last ISP (Comcast). ..... unplugging the interface or rebooting. A pretty solid proof that '$$$€€€' and 'Mbits/sec' is just a part of the equation. Good 'protocol' support is as important. And this one doesn't need the reading of their promises on paper. It will always be "Hands on testing for 6 months" ;) @virgiliomi said in Configuration IPV6: But they don't. Because my DUID hasn't changed... They probably cleared out their DHCPv6 server cache and settings. As you said : they are probably in the implementing phase.
  • Neighbor Discovery Protocol (NDP) Proxy - Revisited

    13
    2 Votes
    13 Posts
    6k Views
    J
    @pmisch Well that's the thing. More and more the answer is "just use a competing product". What is Pfsense even for anymore if they can't fix years old bugs and they can't do IPv6 under realistic real world scenarios? Pfsense looks like a dying project to me so I've personally been steering people away from it.
  • pfSense stops routing IPv6 after a few days

    26
    0 Votes
    26 Posts
    3k Views
    I
    No further issues since upgrading to 2.5.0. Looks like the bugs have been squashed!
  • Upgrade to 21.02 and no IPv6 DNS servers

    Moved
    5
    0 Votes
    5 Posts
    788 Views
    I
    @viktor_g I have a static IP (via DHCP4/6) from my ISP. The IPv4 works with no problems. IPv6 gets an IP ok, but the resolv.conf never updates. Rebooted multiple times. The other day I was looking at the scripts that update the resolv.conf for IPv6. If I am not mistaken, they only do so if the IP changes. Which it won't with a static IP. Although I could be misinterpreting. I gave up and added the DNS entries via the General Setup to get around this issue for now.
  • How to setup IPv6 on PFsense behind ER-X (ISP modem)

    30
    0 Votes
    30 Posts
    4k Views
    T
    @tadao I forgot to mention that the WAN Interface Address of the pfSense must be set to DMZ IP on the ISP router/modem.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.