@JKnott said in IPv6 setup with public subnet: There are enough /48s to give every single person on earth over 4000 of them. This is with only 1/8 of the IPv6 address space assigned to GUAs. Over 3/4 of the address space isn't even allocated to anything. <devils advocate> This is true, but it is not reflected in the price ARIN charges for v6 space. For a small provider, the annual fee doubles when you go from a /40 (256 customer allocations) to a /36 (4096 customer sites), and doubles again when you go to a /32 (65,536 sites). Probably smaller shops are trying to cut costs on v6 deployment, as it offers little benefit to them if they have sufficient v4 space. </devils advocate>

@karsten_berlin said in IPv6 on Telekom Business Line: known by me, but the "internal routing" within the pfsense from LAN to WAN and vice-versa is a mystery in that case to me. We have a normal business DSL by DTAG, WAN is PPPoE, DHCP6, DHCPv6 Prefix of /56, LAN with Trackinterface WAN. All is static. It's like dynamic but always the same IPs. Maybe it helps, don't know if its different with other connection types. pfadmin

When you get your IPv6 through free tunnel from HE, you get to ;) [image: 1580305393165-ptrzone.jpg]

@johnpoz Thanks! This may prove useful!

@IsaacFL You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have it's own limits. Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts. There are also privacy addresses with SLAAC, which change daily That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle. On my own network, I have both GUA and ULA addresses, 8 of each.

@Overclock said in Non local gateway IPv6: I let you inform about OVH response. Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

@bin_batore Well maybe you're right but fortunately, I'm not facing such issues.

@fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions: Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)? For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? call me old-fashioned... I'd prefer them to be ::1 Link local addresses are often used for routing. All a router needs to know is how to get to the next hop. A link local address is fine for that. If you're also assigned a WAN address, it will likely not be used for routing. With SLAAC, there is one consistent address, based on the MAC, or a random number. You can spoof the MAC to give you what you want. You can also use manual configuration. If you're using DHCPv6 on the LAN, you can create specific mappings to what you want.

You can packet capture the pings going out. If there is no response there's nothing you can do about it - they have to fix it. If absolutely necessary (as in they still blame the firewall), put a managed switch (or some kind of network tap) between the WAN and the ISP and capture on a mirror port there. Then you're definitely looking at what's out on the wire, outside of the firewall. Set the monitored port to the one connected to the modem, not pfSense. If you see the echo requests and no replies there, there is certainly nothing more you can do. Press them hard for an escalation. If you can get to the right person/group you might be able to get it fixed.

@tku said in IPv6 no routing from DMZ to internet: But, I'm using PfBlocker which I configured (in all my enthusiasm) to add (blocking)rules to all interfaces, for some reason the ipv6.google.com-IPv6 address is on the list. So some kind of logical that connecting to the IPv6 website didn't work. I'm using pfBlockerNG-devel - and some IPv6 lists. ipv6.google.com never was problem for me. What is the IPv6 that google uses - the one you use to connect to ? Is this IPv6 (network) really present on a list ? What is this list ? IPv6_known_search_engines ?

Hi The reason this is happening is because you have id-assoc na but not id-assoc pd. This is because the config is not complete just from the WAN interface. You have to also set a LAN interface to track the WAN interface. This is where the rest of the configuration is set and it defines id-assoc pd with the values you set there.

@johnpoz said in Need some instructions for getting started with IPv6: That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6... Here's an article, in today's Toronto Star, that seems to imply IPv6 will be needed on cell phones: Internet-based 911 calling on the horizon in Canada "Essentially, every connected phone will have an internet protocol address, which will be cross-referenced with key data sets mostly supplied by municipalities. The database will comprise every street address in an area and the entry location of buildings. Emergency service boundaries will also be accessible to ensure the right responders are dispatched. The result should allow the 911 system to pinpoint the location of callers to within centimetres." I haven't found much in the way of details, but giving phones unique addresses will probably require IPv6. I also don't understand how they'll be able to determine location within centimetres. There is this document, which has on page 68, page 3 of Appendix 2: "North American Network Operators Group (NANOG) A governing body that provides guidance and instructions for the design of an IP network. NANOG is typically involved in the best current operational practices for IPv6 planning." This system is apparently supposed to be implemented all over Canada and U.S. My Pixel 2 certainly gets IPv6 from my carrier, but not all phones or carriers support it yet.

It appears that if you add a cron job to run "/sbin/rtsol -a" once an hour it'll keep the IPv6 connection. I suspect someone read RFC 6275 and decided that "Router advertisements in such networks SHOULD be sent only when solicited" also applied to this network, despite it not technically being a mobile network. (Telus are also a mobile carrier, so it's possible this is where the confusion came from.)

@lifespeed One has nothing to do with the other. The do not release only affects whether the prefix will change. SLAAC has to do with sending the prefix out to the LAN, whether it changes or not.