• IPv6 Neighbor Solicitation incorrectly retransmitted by PFSense?

    0 Votes
    18 Posts
    2k Views
    Derelict

    Really?

  • Problem Loading web pages with ipv6

    0 Votes
    15 Posts
    3k Views

    After another call to my ISP the problem is finally solved!!!
    There was nothing from my side!

    Thank you all for your support.

  • No LAN IPv6 address with Track Interface on WAN

    0 Votes
    27 Posts
    5k Views

    @Jim-Coogan what ended up being a show stopper for me was my ISP only allocating a /64 range to my modem. For DHCPv6 relay to work with pfSense acting as a router you need to be able to use DHCPv6 with Prefix Delegation. To do that you need a bigger allocation than /64, e.g. /56 or /60 etc.

  • Automatically generated rules causing issues

    0 Votes
    3 Posts
    402 Views

    The bridged interfaces are IPv4 only. The issue is that the automatically generated rules are floating rules, so they apply globally.

  • Ipv6 - Is this roughly correct?

    0 Votes
    8 Posts
    2k Views
    johnpoz

    Yeah, as JKnott has stated, it's normal.. It is also possible that the WAN never even gets a global address, and just uses link-local.. I'm not a fan of that, I like to see a global address on my WAN ;)

    There are plenty of IPs to go around ;) ISP can afford to assign a global to the transit network ;)

    edit: to expand on the sheer number of IPs.. A min assignment from RIR for an ISP is a /32 - I just got one for an IPv6 project we are doing from ARIN.. That is 65K /48s ;) or 4 billion /64s..

    Comcast got a /9 - which is 36 quadrillion /64s - you would think they can afford a few /64 for transit networks ;)

    And it's not like they can't get more... It took a couple of weeks to get the /32 - all you have to do is show basic need.. And a basic plan on how you're going to use them..

    These ISPs telling users they can only get 1 /64 is just nuts... You can head over to HE and they will give you a /48 you can tunnel for free. I have had mine for over 10 years..

    ISPs should have no issues giving users either a /48 or at min a /56 and using a global for their transit network.

  • This topic is deleted!

    0 Votes
    4 Posts
    150 Views
  • How does IPv6 negotiation over IPv4's PPPoE work?

    1 Votes
    22 Posts
    3k Views
    senseivita

    What if you use a remote receiver?

    From experience I've learned that DDNS in pfSense, or any other appliance only works when you're "gentle" to it, meaning one hostname. As soon as you add additional hostnames, domains it'll fail to update them so I got a VPS and installed pfSense on it for the static IP they give you, starting at USD5/mo, sometimes less, it's the cheapest static address you can rent.

    I actually use it for the GIF to HurricaneElectric and tunnel both IPv4 and IPv6 to the local pfSense, I have about the same latency in local IPv4 as in tunneled IPv4 and (double-) tunneled IPv6.

    But where I'm going with this is:

    I also use my remote instance's public address as the monitor IP for the local WAN gateway. And since I can contact the remote instance locally through the tunnel, I get statistics on it with any tool, like from which IP a tunnel has been brought up--which I know would only be mine. "Loopback" Stats. This data can be sent to a syslog server or queried through SNMP. You can query all sorts of data, I check consumption because the VPS has a data cap, I'm used to not having it because of my ISP so this is really handy, you can set it to notify you through a bot on Telegram, Matrix, classic email or a buttload of other integrations it has:

    Screen_Shot_2020-10-09_at_14_37_41.png
    Screen_Shot_2020-10-09_at_14_51_00.png

    The first one is LibreNMS, completely free, does SNMP and syslog, you don't need scripts or databases because it's meant to keep historic data, it's all there as long as you feed it. The second one is VMware's vRealize Log Insight, also free (*with purchase) it only does syslog but it's very comprehensive, king of syslogs, it can proxy the syslog to yet more servers and has this thing called agents, custom-made-on-site apps preconfigured to send data to it and reconfigurable remotely. It's very cool.

    LibreNMS is like a 2core/2G/20G VM if I'm not mistaken, Log Insight is much hungrier but you can tweak it before first starting it, I discovered. Both need fast disks.

  • IPv6 ping/traceroute from Windows 10 PCs

    0 Votes
    3 Posts
    608 Views
    MikeV7896

    @virgiliomi said in IPv6 ping/traceroute from Windows 10 PCs:

    Before I try to offer a reason, can I make a guess that you have Verizon FiOS? 🙂

    Edit: Never mind... I see you're not from the US. We have an ISP in part of the US that has an ICMP Traceroute issue (affects only Windows, not Linux/Mac since they use UDP instead of ICMP by default). I thought that might have been what you were experiencing.

  • Cannot get IPV6 to work on multiple vlans (DHCP6 on WAN with PD)

    0 Votes
    2 Posts
    358 Views

    I am not familiar with your ISP so can't be specific, but a few things to double check: you did set the prefix delegation under WAN/DHCP 6 CLIENT CONFIG, and tried with prefix hint set ON and OFF?

  • pfSense as IPv6 client

    0 Votes
    17 Posts
    1k Views
    JKnott

    @Hikari

    The /x indicates the prefix length. Your LAN gets a /64 prefix, which means 64 bits for the network address, leaving 64 for the device within the LAN. A /128 means the entire 128 bits is prefix leaving no bits for more than 1 device. I doubt it would have anything to do with the MAC, as it's assigned by DHCP. If it was MAC based, it would be obvious. Your LAN gateway demonstrates the link local address is used, not a public address.

  • Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?

    1 Votes
    6 Posts
    661 Views

    @JKnott said in Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?:

    It's amazing how CHEAP some ISPs are, considering the IPv6 address space is so vast. While my ISP initially provided a single /64, that was only temporary and they soon moved to /56. Then there's he.net, which will provide a /48 for free! Before my ISP offered IPv6, I used a tunnel and got a /56 again for free.

    BTW, the address space is so vast that every single person on earth could have over 4000 /48s and that's with only 1/8th of the entire address space assigned to anything.

    My ISPs don't even offer more expensive plans, not that I'd accept paying. A tech even told me that only government companies are forced to follow IPv6 standards. As it's a private ISP company, they can use proprietary protocols, and it's my problem if Internet doesn't work fully. Another one told me that I'm "welcome" to cancel the contract if I want to.

    Indeed, according to IPv6 standard, every ISP receives at least a /32 prefix. With it, these 2 ISPs have more /56 prefixes than IPv4 addresses.

    @nva said in Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?:

    My ISP only route single /64 subnet to resident connection. I'm planning to deploy ULA for each of my VLANs and then NPT to that public /64 prefix assigned by ISP. Do I need to worry about suffix conflict?

    Are there any drawbacks (e.g. latency...) in deploying ULA + NPt compared to just GUA via Track interface? The only problem I can think of is that I would need to manually adjust NPt entries every time my ISP routed prefix changes and will try to get it working.

    Were you able to get it to work? That's what I was considering doing on my OpenWRT a couple years ago but got tired after 2 long fights with both ISPs. Now I'm considering moving to pfSense because of some BusyBox limitations.

    Are you able to update your VLANs' prefixes when your ISP changes it?

    One ugly thing I consider doing is choosing a random /60 prefix from one of my ISPs' /32 and setting it as base for my VLANs. AFAIK, some OSs will use IPv4 if only ULA is provided for them, because it implies that no Internet is available on IPv6, even if the router manages ULA to GUA correctly.

    Using a global prefix that's not delegated to me prevents me from reaching any device that's on that prefix, but I don't access any residential IP other than mine anyway.

  • 0 Votes
    7 Posts
    1k Views
    Derelict

    @JKnott You can delegate prefixes. An address is assigned and the delegated prefix is routed to it.


    https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html#dhcpv6-prefix-delegation

  • FIOS users waiting for IPv6... script to let you know when it's ready

    2 Votes
    9 Posts
    3k Views
    MikeV7896

    Don't lose hope... it's been just less than a month since it started working for me, so they may have re-started testing.

  • IPV6 No internet access - Mobile tethering / VM

    0 Votes
    1 Posts
    297 Views
    No one has replied
  • NPt not working on 6RD tunnel delegated addresses?

    0 Votes
    16 Posts
    1k Views
    viktor_g

    Fixed in upstream, see https://redmine.pfsense.org/issues/10757

  • IPv6 SLAAC only

    0 Votes
    3 Posts
    492 Views
    JKnott

    @carloabelli

    Unlike IPv4, ICMP is essential with IPv6. I have a rule on my WAN that allows all ICMP on both 4 & 6.

  • "kernel: cannot forward..." errors in system log

    0 Votes
    5 Posts
    986 Views
    MikeV7896

    Well... in the packet capture, the MAC address of the Ethernet frame matches the MAC address of the default gateway from my ISP (which is not unusual when dealing with packets being routed to you). But the IPv6 address is definitely not the same, and it doesn't appear to be an EUI64 address, so I can't match it to a MAC address. I do realize that I masked part of the address that would have identified that fact.

    It's likely a misconfiguration on my ISP's part... they only just got IPv6 up and running about a week ago, and it may not even be completed yet (But I've figured out how to make it work with pfSense, not knowing whether their own routers even work with it).

    It's kind-of annoying that this is logged in the general system log though...it'd be nice if it were in the routing log... but I assume since it's the kernel generating these messages, that's why it's in the system log.

  • pfSense box cannot access anything over ipv6, LAN clients can

    0 Votes
    3 Posts
    536 Views

    That was exactly what I needed. Thank you so much!

  • 0 Votes
    12 Posts
    607 Views

    I have been working on a similar setup. Dual WAN IPv4+IPv6. I get native IPv4 from my ISP. For IPv6 I have been using Hurricane Electric for at least a decade. Recently, I stumbled upon a tunnel service that does both IPv4 and IPv6. This makes it possible to rather easily move services, yet keeping IPs the same, both IPv4 and IPv6.

    But that's more of a backstory. I have been researching quite the same problem you describe. Packets that are generated on the router (e.g. ICMP TTL Exceeded when doing a traceroute) should be sent back through the same interface they entered, but for IPv6, this doesn't work.

    It seems that in FreeBSD, the backing operating system for pfSense, this is simply not implemented for IPv6. There is code in review for this, but it may take some more time before that reaches FreeBSD itself, and consequently pfSense.

    Hope this helps.

  • Static IPv6rd but no joy with DHCPv6 RA

    0 Votes
    4 Posts
    426 Views
    chase

    With thanks to Netgate tech support, the solution was to turn off my interface's Block private networks and loopback addresses. Upon reflection, this does make sense and with it disabled, my DHCPv6 server with RA set to either managed or assisted is now responding to DHCPv6 client requests and issuing assignments.

    And yet, I will submit a feature request such that when the DHCPv6 Server is enabled, an alert should be posted saying "but you need to disable Block private networks and loopback addresses on the interface, otherwise the DHCPv6 server will never receive the incoming IPv6 client's request for a local RA server..."

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.