• IPv6 + DHCPv6 static mapping + DNS forwarder: incorrect name resolution.

    1
    0 Votes
    1 Posts
    310 Views
    No one has replied
  • Comcast and ipv6

    21
    0 Votes
    21 Posts
    3k Views

    @jknott Honestly, I don't think I ever intentionally set anything up for that (nor knew it was an option to disable it either). It's just something that's always been there on the dashboard. I assumed it was pfsense pinging the gateway address and getting the answer (since the gateway is usually given by dhcp on the WAN).

    I just found the checkboxes to disable it - all good :-)


  • Question regarding rules if add IPv6

    8
    0 Votes
    8 Posts
    819 Views
    JKnott

    @pfguy2018

    I recently changed the rules for my guest WiFi VLAN to IPv6. In some cases it was only necessary to change from IPv4 to IPv4 & IPv6. I have only one rule that is IPv6 specific and none that are IPv4 specific. That IPv6 one is to block anything within my prefix.

    Here are my rules:

    Screenshot_20201212_161304.png

  • IPv6 + PPPoE Error with dhcp6c

    8
    0 Votes
    8 Posts
    1k Views

    @jknott OK - so have sussed it - am on a pure IPv6 connected PC now! So Static IPv6 address on link, DHCPv6 disabled, but RA set as assisted with a DNS server with the link IPv6 address set on the RA tab.

    So I think this is SLAAC + RDNSS working properly?

    Even managed to use a literal IPv6 address for the pfsense box - https://[ipv6 address] needed in edge - square brackets eh?

    Irony of testing though, one of the Test-IPv6 sites I was using didn't resolve an IPv6 address (test-ipv6.com) whereas ipv-test.com was happy!

  • Multiple ipv6-nets on LAN with DHCPv6

    20
    1 Votes
    20 Posts
    4k Views
    JKnott

    @bob-dig

    All the addresses appear automagically. One of each type is consistent, based on the MAC address. The privacy addresses are based on random numbers. The only thing I configure is the DNS entries, which I point to the consistent addresses. I do not ever use a privacy address for DNS, as it would only last for a week. It is also possible to have consistent addresses based on a random number, for those who are worried about someone tracking their MAC address.

  • Update

    30
    0 Votes
    30 Posts
    2k Views
    JKnott

    @gertjan

    While I haven't seen 2 link local addresses in a device with only 1 interface, multiple routeable addresses are common. For example, this computer, once it's been up for a week, will have a total of 16 routeable addresses, 8 global and 8 unique local. Of those, one of each is consistent and MAC based and the others are privacy addresses, of which I get new ones every day, with them expiring after 7 days.

  • No traffic gets past HE ipv6 tunnel

    39
    0 Votes
    39 Posts
    4k Views

    I see. Will tracerouting the ipv4 addresses shown in the registration process be sufficient to tell if a specific tunnel endpoint is a good choice or will it require registration and bringing up the tunnel itself to be sure?

  • ICMPv6 Trouble?

    5
    0 Votes
    5 Posts
    735 Views
    Gertjan

    True, line 9 :
    @kaj said in ICMPv6 Trouble?:

    prefix ::101:101/128 {

    is not ok at all.

  • Redirect all IPv6 DNS requests to localhost

    7
    0 Votes
    7 Posts
    1k Views
    viktor_g

    @wlp94611 see https://redmine.pfsense.org/issues/10984

  • Occasional warnings in ipv6 logs

    3
    0 Votes
    3 Posts
    3k Views

    You've probably either figured this out already or just decided to ignore it but I have found that those errors are typically caused by an IPv6 client that doesn't support DHCPv6 and your IPv6 Router Advertisements are configured not to support SLAAC (set to either "Managed" or "Disabled" on that interface).

    Under "Services/DHCPv6 Server & RA", change your RA mode to "Assisted" or "Stateless" on the interface those clients are connected to and this error should disappear.

  • Android Clients unable to reach Internal Exchange Server

    9
    0 Votes
    9 Posts
    930 Views
    JKnott

    @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    From what I am reading, by default, android uses IPv6 for DNS.

    Most things prefer IPv6 by default, but if it's not available they'll go immediately for IPv4.

  • 1 Votes
    48 Posts
    7k Views
    JKnott

    @cnrd said in pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result:

    As stated here: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc

    The solution described below causes IPv6 Neighbor Discovery Neighbor Solicitation messages from non-neighbors to be ignored.
    This can be re-enabled if required by setting the newly added net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

    I think a package coming from a global address to a link local would be considered a non-neighbor.

    Here is what I read on Reddit:

    "II. Problem Description

    IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node."

    Now, take a look at the packet containing the neighbour solicitation or advertisement and check the hop limit. It is 255. This is protection against that threat as a router would have to decrement it from 0, but a 0 hop limit would cause the packet to be dropped. This guarantees the packet originated on the local network. If it's any other number, the packet originated elsewhere and with a hop limit other than 255 or 0.

  • Correct NPt settings? Or how to not need it on this network?

    6
    0 Votes
    6 Posts
    718 Views
    JKnott

    @signalz

    If one device gets an IPv6 address but another doesn't, you have a local problem. Likely you have pfsense misconfigured.

    As for AAAA records, there is no way for any DNS server to know what name you assign to an address, unless you configure it. I have both the pfsense DNS server and a public server available. I put the host names I choose on those servers. Also, bear in mind, there are consistent addresses and privacy addresses, which change every day. Point the DNS to the consistent addresses. Consistent addresses are often based on the MAC address, but may be based on a random number. Either way, you point the DNS to the consistent address. Also, you will probably have a WAN IPv6 address, which is likely not used for routing.

    So, when you determine what your consistent addresses are, enter names for them in the pfsense DNS server.

  • router loses IPv6, error in routing logs

    12
    0 Votes
    12 Posts
    1k Views

    @evberd thanks for posting. I just lost connectivity again today, triggering the multiple-reboot cycle of pfSense until it would finally pull an IPv6 for my WAN and LAN. While I can grit my teeth and suffer through this until I get it going before the next disruption, it is truly vexing behavior. I woke up to no connectivity a few days ago due to Comcast equipment maintenance, and had to spend half an hour and was late to work because I needed to get the internet going for distance learning for my kids.

    That said, I've read what you've written a couple times, and it hasn't completely sunk in. I have tried using VLAN before and failed miserably. I am not an expert.

    I do use dynamic DNS as Comcast has changed my IP address several times over the past 6 months, I think due to equipment upgrades which is not a bad thing. The performance is impressive. Dynamic DNS does actually work, and does not seem to be a terrible solution for residential service.

  • IPv6 UUID-like Strings in IPv4 DHCP Leases MAC Fields

    2
    0 Votes
    2 Posts
    346 Views

    DHCPv4 can use a "client identifier" such as a DUID, just like DHCPv6. (RFC 4361)

    I suspect this is what you are seeing.

  • Lost IPv6 IP with Comcast

    3
    0 Votes
    3 Posts
    469 Views

    @qwerty123
    I've got Spectrum and it's the same thing - I have some homelab servers that I don't want dynamic but I have implemented IPv6 internally (dual stack). What I did, right or wrong, was set the WAN interface to DHCP6, and the LAN and 2 VLANs to track, specifying prefix IDs for the VLANs (/56 hint worked). I also set the WAN to NOT send a release to the ISP under DHCP6 Client Config. Instead of using the DHCP6 from my servers, I set that up in pfSense and set up static IPv6 mappings for the servers. But instead of specifying the prefix which we know may change, I set the addresses as ::{interface identifier} hoping that if I don't specify a prefix, and it changes, at least the prefix ID and the interface ID remain as I specified and my servers still get a valid routable IPv6 IP. When it changes I will have to update a couple of ALIASES that list those networks, and some settings under Services/DHCPv6 Server & RA. Hopefully I won't have to mess with the static mappings though.

  • Multiple Router Advertisements

    24
    0 Votes
    24 Posts
    2k Views
    Derelict

    Still some things to examine there but yes the ndp output is what I was looking for.

  • Network Prefix Translation (NPt) Failing

    8
    0 Votes
    8 Posts
    709 Views
    JKnott

    @Bob-Dig said in Network Prefix Translation (NPt) Failing:

    First, JKnott is always right.

    That's not what my ex says! 😉

  • How could I eliminate immediate IPv4? (NAT/proxy it through IPv6)

    12
    0 Votes
    12 Posts
    2k Views
    JKnott

    @skilledinept

    Forget about the management interface and radius for a moment. The purpose of an AP is to provide a layer 2 connection between devices. That's it. So, it should pass IPv4 & IPv6 equally well. I get the impression your radius server is IPv4 only. Is that a problem? Can the clients only connect via IPv6? These days, dual stack is quite common and normally IPv6 is preferred, with fallback to IPv4.

  • How to Setup NAT64 using pfsense with Jool

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.