No, Netgear and HP. All managed.

What I finally did was deleting the interface and then creating it new. This time there seems to be no problem. Thanks everybody. I have to read more log files to get a sense, when there is something not ok. Also I crafted some new IPv6 addresses in the DHCPv6 Server, like this one: ::192:168:2:37

To the ones that may have the same problem as me, I managed to go a little further. To allow incoming ICMPv6 ping messages I had to uncheck those two options on my interface: [image: 1583847471255-8d0c7aec-55ca-44c1-a620-957d549360ae-image.png] I'm still having a problem with my Cisco SG250-26 which does not let some IPv6 packets passing through...

eh i wonder if he.net do some kind of check on the hardware used and it need time to sync after a change, mac address or fingerprint or something

I think it's being blocked by the default deny rule. Make a rule on that VLAN3_HB interface for tcp port 22 and set it to accept. If you assign a new interface there aren't any rules applied to it so everything will be blocked by default. Also if the machine your connecting to is on another segment make sure a firewall rule that will let that traffic pass is applied. I assume ssh to pfsense is working because pfsense has anti lockout rules for local ssh managment.

Sounds like a similar issue to what happens when devices use NIC teaming or similar to impersonate one another's addresses in non-standard ways. I don't see a sysctl to affect that directly but you might try adjusting the value of the net.inet6.ip6.log_interval tunable. You can make an entry for it under System > Advanced on the tunables tab. It controls the number of seconds between log messages. So you could maybe try -1 or 0 to disable, or a much higher value so it happens less frequently (e.g. 120, 3600, 86400...)

Alright so that is working, but now the LAN VM's have no access to the WAN. I have been troubleshooting for a while now on what this could be but cannot find anything on it... I have no gateway for LAN nor routing setup.

As noted, so long as you have zero-loss connection, fragmentation is not an issue. For example, my HE.NET connection is a corporate one and out of the peak times (around 3 p.m. work days) it passes all tests for any MTU <= 1472 and MSS <= MTU - 20. Problems arise only under heavy load. By the way, the harder targets (to me) are those in Eastern Europe, Latin America, and Africa.

@JKnott said in IPv6 setup with public subnet: There are enough /48s to give every single person on earth over 4000 of them. This is with only 1/8 of the IPv6 address space assigned to GUAs. Over 3/4 of the address space isn't even allocated to anything. <devils advocate> This is true, but it is not reflected in the price ARIN charges for v6 space. For a small provider, the annual fee doubles when you go from a /40 (256 customer allocations) to a /36 (4096 customer sites), and doubles again when you go to a /32 (65,536 sites). Probably smaller shops are trying to cut costs on v6 deployment, as it offers little benefit to them if they have sufficient v4 space. </devils advocate>

@karsten_berlin said in IPv6 on Telekom Business Line: known by me, but the "internal routing" within the pfsense from LAN to WAN and vice-versa is a mystery in that case to me. We have a normal business DSL by DTAG, WAN is PPPoE, DHCP6, DHCPv6 Prefix of /56, LAN with Trackinterface WAN. All is static. It's like dynamic but always the same IPs. Maybe it helps, don't know if its different with other connection types. pfadmin

When you get your IPv6 through free tunnel from HE, you get to ;) [image: 1580305393165-ptrzone.jpg]

@johnpoz Thanks! This may prove useful!

@IsaacFL You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have it's own limits. Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts. There are also privacy addresses with SLAAC, which change daily That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle. On my own network, I have both GUA and ULA addresses, 8 of each.

@Overclock said in Non local gateway IPv6: I let you inform about OVH response. Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

@bin_batore Well maybe you're right but fortunately, I'm not facing such issues.