  • Packet Loss on IPV6 Gateway

    0 Votes
    6 Posts
    912 Views
    Derelict

    You can packet capture the pings going out. If there is no response there's nothing you can do about it - they have to fix it.

    If absolutely necessary (as in they still blame the firewall), put a managed switch (or some kind of network tap) between the WAN and the ISP and capture on a mirror port there. Then you're definitely looking at what's out on the wire, outside of the firewall. Set the monitored port to the one connected to the modem, not pfSense. If you see the echo requests and no replies there, there is certainly nothing more you can do. Press them hard for an escalation. If you can get to the right person/group you might be able to get it fixed.

  • IPv6 no routing from DMZ to internet

    0 Votes
    10 Posts
    1k Views
    Gertjan

    @tku said in IPv6 no routing from DMZ to internet:

    But, I'm using PfBlocker which I configured (in all my enthusiasm) to add (blocking) rules to all interfaces, for some reason the ipv6.google.com-IPv6 address is on the list. So some kind of logical that connecting to the IPv6 website didn't work.

    I'm using pfBlockerNG-devel - and some IPv6 lists.
    ipv6.google.com never was a problem for me.

    What is the IPv6 that Google uses - the one you use to connect to?
    Is this IPv6 (network) really present on a list?

    What is this list? IPv6_known_search_engines?

  • dhcp6c config not working?

    0 Votes
    7 Posts
    3k Views
    J

    Hi

    The reason this is happening is because you have id-assoc na but not id-assoc pd. This is because the config is not complete just from the WAN interface. You have to also set a LAN interface to track the WAN interface. This is where the rest of the configuration is set and it defines id-assoc pd with the values you set there.

  • Need some instructions for getting started with IPv6

    0 Votes
    51 Posts
    8k Views
    JKnott

    @johnpoz said in Need some instructions for getting started with IPv6:

    That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6...

    Here's an article, in today's Toronto Star, that seems to imply IPv6 will be needed on cell phones:

    Internet-based 911 calling on the horizon in Canada

    "Essentially, every connected phone will have an internet protocol address, which will be cross-referenced with key data sets mostly supplied by municipalities. The database will comprise every street address in an area and the entry location of buildings. Emergency service boundaries will also be accessible to ensure the right responders are dispatched.

    The result should allow the 911 system to pinpoint the location of callers to within centimetres."

    I haven't found much in the way of details, but giving phones unique addresses will probably require IPv6.

    I also don't understand how they'll be able to determine location within centimetres.

    There is this document, which has on page 68, page 3 of Appendix 2:

    "North American Network Operators Group (NANOG)

    A governing body that provides guidance and instructions for the design of an IP network. NANOG is typically involved in the best current operational practices for IPv6 planning."

    This system is apparently supposed to be implemented all over Canada and U.S. My Pixel 2 certainly gets IPv6 from my carrier, but not all phones or carriers support it yet.

  • 0 Votes
    50 Posts
    7k Views
    J

    It appears that if you add a cron job to run "/sbin/rtsol -a" once an hour it'll keep the IPv6 connection. I suspect someone read RFC 6275 and decided that "Router advertisements in such networks SHOULD be sent only when solicited" also applied to this network, despite it not technically being a mobile network. (Telus are also a mobile carrier, so it's possible this is where the confusion came from.)

  • IPv6 prefix Cloudflare DDNS

    0 Votes
    6 Posts
    695 Views
    JKnott

    @lifespeed

    One has nothing to do with the other. The do not release only affects whether the prefix will change. SLAAC has to do with sending the prefix out to the LAN, whether it changes or not.

  • IPv6 and VLAN sanity check

    0 Votes
    7 Posts
    881 Views
    JKnott

    @alnico

    Don't forget, you can configure OpenVPN to carry both IPv4 and IPv6.

  • TCP-ACK blocked when using IPV6 over GIF over IPSec

    0 Votes
    10 Posts
    932 Views
    JKnott

    @mix_room said in TCP-ACK blocked when using IPV6 over GIF over IPSec:

    Why are you even using that GIF tunnel? Why don't you run IPv6 directly over IPSec?

    Because the documentation states that you can not do this with IPsec.

    One other thing, IPSec was originally designed for IPv6 and back ported to IPv4. So, it's highly unlikely it would not support IPv6.

  • IPv6 setup with Fido Home Internet

    0 Votes
    9 Posts
    1k Views
    L

    No not yet as I doubt I'd get anyone on the phone who would even know what IPv6 is. Plus my online account is having problems so I can't post on their forums either at the moment.

  • Local Network can't ping VPN IPv6 remote

    0 Votes
    14 Posts
    1k Views
    maverickws

    Yeah for sure. Next time try to be useful bc nothing you say is a solution, nor with such a genius you have exposed how to attain the correct configuration without adding the routes to NAT. But you won't, cause all you do is noise. Take the bicycle and have a merry xmas, i'm done with you. ffs.

  • deprecated IPv6 address

    0 Votes
    16 Posts
    2k Views
    D

    Yep, the gateway address is the address of the AVM box (fe80: ...).

    Man, things could be so easy. Let's get rid of that old IPv4 crap and move on to the future. Can't understand why this causes so much trouble at the ISP's site.

    Thank you all for your help and thanks to @JeGr for describing the prefix delegation config. I will walk through this once more to see if I find some config that works for me. But yes, I will check out what other providers can offer. If I find one that is not too expensive and provides a static prefix, I'm gone.

    Have a nice weekend!

  • setup for server behind Comcast dynamic IPV6, VLANs, publicly reachable

    0 Votes
    4 Posts
    581 Views
    JKnott

    @lifespeed said in setup for server behind Comcast dynamic IPV6, VLANs, publicly reachable:

    Yes, I am well aware that Comcast's residential service with dynamic IP keeps the same IP address for months or even longer.

    There's a setting on the WAN page "Do not allow PD/Address release" that should be selected to prevent getting a different prefix. Have you selected it?

  • MSS Clamping - distinguish between IPv4 / IPv6

    0 Votes
    1 Posts
    447 Views
    No one has replied
  • radvd.conf - invalid all-zeros prefix

    0 Votes
    5 Posts
    2k Views
    JKnott

    @aljames said in radvd.conf - invalid all-zeros prefix:

    I’ll need to educate myself more on it.

    IPv6 Essentials is an excellent reference. In addition to the things mentioned above, there are also some things that go to improved performance, such as fixed length headers and more.

    Here is another excellent reason to move to IPv6.

    Despite clear warnings, Europe is out of IP addresses—again

    There haven't been enough IPv4 addresses for several years and the situation is getting worse.

  • IPv6 strangeness

    0 Votes
    24 Posts
    1k Views
    C

    Dear all,

    Thank you. I will keep plugging at this; will keep posted as need arises.

    Cheers!

  • Provider IP address can't be set as interface IP

    0 Votes
    4 Posts
    1k Views
    JKnott

    @DraNick

    The link local address normally comes from the MAC, but can be changed, for example my LAN gateway address. However, what you can try is changing the MAC address, so that it will provide the correct link local address. That can be done on the WAN interface page. I suspect what you're seeing is pfSense is not allowing you to set a 2nd link local address, as only one is allowed. I don't know if there's a way to change the WAN link local address directly, as happens on the LAN side.

    When a link local address is created from the MAC, fffe is inserted in the middle and the 7th bit is inverted.

    Also, the link local address only has to be unique on the local connection. You could use the exact same one on another interface. For example, I have fe80::1:1 on 2 interfaces as shown below.

    inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x2
    inet6 fe80::1:1%bge0 prefixlen 64 scopeid 0x1

    The difference is the interface ID.

    As I mentioned, link local addresses are often used for routing, as a router only has to know how to reach the next hop. In fact, with point to point links you don't even need any IP address. All you need is the interface that connects to the next router.

  • IPv6 only subnet. How to turn off logging blocked ipv4 link local?

    0 Votes
    8 Posts
    814 Views
    johnpoz

    Like I said, turn off default logging and only log what you want... So you can set it up to block and log your TCP stuff, but not the multicast.

  • 0 Votes
    8 Posts
    828 Views
    IsaacFL

    @chrcoluk I downloaded 2.5 and tested this today.

    Based on my results I created https://redmine.pfsense.org/issues/9893

    If you have any information you could add to the new bug it would be appreciated.

  • IPv6 disabled yet majority of firewall blocks are IPv6

    0 Votes
    7 Posts
    857 Views
    Derelict

    Or ignore the logs.

    Or make rules that suppress the logs.

    Whether or not you enable IPv6 really depends on whether or not you have IPv6.

  • Which IP adress should I assign to the opt(VLAN) interfaces?

    0 Votes
    10 Posts
    825 Views
    ?

    @JKnott I finally figured it out. "Track Interface" is the option that seems to be the right way to solve my problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.