@jknott Thanks for your help! I am gonna try that when I have the day off. I'll let you know if I got it to work!

I upgraded this morning my main 'company' pfSense to 2.5.0. I'm using he.net for my my IPv6 'needs'. I had nothing to do. Everything came up and was working fine. ( + captive portal using FreeRadius - OpenVPN server for my remote access). Even a non-native package I installed many years ago was upgraded and kept on running.

@virgiliomi said in Updated to 2.5 everything went smooth except for WAN IPv6 status being stuck on "Unknown" and "Pending" - Have Comcast, despite multiple Cable Modem restarts, and PFSense restarts: There's a bug in 2.5.0 that has been found that requires a monitoring address to be manually added in the System > Routing settings for the IPv6 gateway. The gateway will show as "Pending" until a monitoring address is manually set. For whatever reason, 2.5.0 is not automatically getting the gateway address and monitoring it. Try adding a monitoring address (you can make it anything valid/reachable for the purpose of testing) and see if that fixes things for you. If you want to add the exact gateway address as the monitor address, go to Diagnostics > Routes and copy the default gateway from the IPv6 table. Just know that this could change if your ISP does maintenance before the bug is fixed. Hopefully that helps... This worked for me, thanks!

@andrew_241 Yeah, those look like "policy routing" rules since you were specifying a gateway (rather than letting pfSense use the default gateway). But if you only have one WAN connection, or you don't want to route specific traffic in a specific way, you don't really need those rules, because everything can just route through the default gateway. But since you had those rules... there is a deeper issue with the IPv6 gateway behind the scenes, so the IPv6 rule was not functional because of the bug, and was preventing your IPv6 traffic from flowing as a result.

I got it working again, by restoring a previous config.

@virgiliomi does re-saving the interface fix the issue? That seems to be the case with me. Edit: did some testing and it seems that my interface got corrupted, deleted it and re made it and now its all good, survives reboots, looked in the logs and saw that the dhcp6c precess couldn’t find the interface and then it would quit.

I just did another test with a second LAN Track Interface on WAN2. There i used Prefix 1 and after a reboot (why is this necessary?) the second LAN also get it's IPv6 prefix. So it seems you just can use it with increasing values. So why is this the case?

@jefftee If I unblock private networks and loopback addresses on my WAN, the gateway comes back as up. Try that

@gary201 The issue from July 2019 was resolved without them really going into detail about what was happening during their large maintenance/migration. When I got in touch with them they were still in the "putting out fires" mode. They made a note of my issue, emailed me a few days later when they had a fix in place for me to verify, and all was good. Around December 2nd of 2020 I did have an IPv6 outage after a maintenance window. No IPv6 traffic was routing. I also tried different machines directly wired to the ONT at that time to verify it wasn't something on my end (not that I had changed anything). I reached out to them and they were able to in their words, "remove a filter" and it fixed my issue. I'm not sure how helpful that is, but it's all they told me.

@viktor_g said in IPv6 PPPoE MSS incorrect: @bm118 Could you test this patch: 135.diff You need to install System Patches pkg: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html Works a treat, thank you very much!

Redmine issue created: https://redmine.pfsense.org/issues/11415

@hescominsoon I'm not sure what to say other than maybe try Comcast's forums or other ISP community sites on the internet for settings that will work. It's been over a year since I had Comcast service, but I used pfSense with IPv6 and had no issues for over four years using the settings I provided earlier. If you have a gateway (modem+router) in gateway mode, pfSense won't work for IPv6 because the gateway will acquire a single /64 for its own use. I don't know if their gateways will sub-delegate additional /64's or not. If you have a gateway that is in bridge mode, or have just a regular modem (I used both Motorola/Zoom and Arris modems over my time on Comcast), you should be able to request a /60 unless they've changed things since I left.

OK i think I found the "issue". The first interface I ipv6 enabled gave itself the entire /56 delegation, I had to change the prefix id and change it back to make it only grant itself a /64.

@jknott said in Blocking InterVLAN with IPv6: The sooner the world moves to IPv6, the sooner we can get rid of IPv4 and all those hacks. Yup and this 1 guy is holding it up... JFC dude the world is waiting for you to get IPv6 running on your local network already.. Amazon is waiting for you to give them the green light so they can finally move to it, same with twitter.. Shoot of the top like 1 million sites, 28% or so are ipv6.. All the others been waiting for you to give them the go! ;) I think my ISP is waiting on you as well - since they don't provide it.. Nor do they have it even on their road map.. So make sure you call them when you done so they can get started.. In what year do you think this graph will hit even 50%? [image: 1612245073521-graph.png] The world is waiting on you dude - would you hurry up already ;) I think once you give the green light this graph is just going to shoot to the moon.. Just like gamestop stock prices ;) [image: 1612245802960-graph2.png]

@jknott A Unifi Switch has its Ports set to the profile "All" by default. In Cisco terms this would mean that every Port is set to Trunk Mode with native VLAN 1 and every other VLAN tagged What helped was to set a specific Profile where only one VLAN is selected. In other words, the port now is in Access Mode and has no tagged VLANs

@bob-dig I have tried assisted and stateless. I rebooted each time after I change the mode, the monitor will say pending and unknown. If I restarting dpinger the gate monitoring says offline. pinging google via IPV6 i have 100% fail. Does not matter between mode assisted and stateless. What mode should I use?

@mushymiddle said in Switch from /64 to /48: There is very little information about how to deal with /48's and handing-out /64's in general on the Internet. When you configure a LAN or VLAN interface, you have to specify a unique prefix ID. With a /48, the range is 0 - ffff.

I know this is an old post but in case anybody else finds it and need a possible solution: For me it was because I had Snort running, and it blocked the Tunnel IPv4 endpoint. I had to add it to the alias list that I use to whitelist IPs for Snort (and restart Snort!)

@bob-dig said in IPv6 Dynamic Prefix with static suffix for LAN interface: @foerkede Why would you? Best compatibility is to assign one /64 to your LAN via track interface. Then in the DHCPv6 Server on LAN you add a static mapping for one machines DUID together with a hostname and an interface identifier of your liking. Now you can use that hostname in firewall rules, even after your prefix changed. Yes that's a good way to manage the clients in the network and I will probably do that. My idea was to set the LAN Interface IPv6 to a memorable address, like <prefix>::1 as you do in IPv4, so you can configure static IPv6 addresses more easily (gateway and DNS config). But I forgot that if the prefix changes, I have to change all the static addresses on the machines too. So the DHCPv6 solution seems to be the only good one if you don't get a static prefix from your ISP. Thanks for your fast and helpful input!