• Accepting upstream RAs

    10
    0 Votes
    10 Posts
    2k Views
    C

    @JKnott: you've got my requirement upside-down.

    I want the pfSense firewalls, on their WAN interface, to accept RAs from the upstream routers.

    This is the normal behaviour for RAs. In fact, pfSense supports it if the WAN interface is configured dynamically using DHCP6 or SLAAC. I want to know if it's possible when the WAN interface is configured with a static IPv6 address.

    Downstream, everything is fine:

        fw1      fw2
         |        |
        -+---+----+-
             |
           server

    I can configure pfSense to send RAs only (without offering SLAAC prefix or DHCP6)
    I can configure the server with a static IPv6 address
    I can configure the server to pick up its default route via RA (e.g. Linux: accept_ra=1)

    That all works fine. Now I need to do the same upstream, where the pfSense WAN is the "client" and the upstream routers send RAs.

    You are right that I could instead use VRRP or CARP. The reasons not to do this are partly philosophical (IPv6 already provides this facility, in the form of Router Advertisements), and partly practical: the Netgear M4300-24X24F I'm using has a bug where it drops more than 90% of IPv6 CARP packets, which results in devices switching into MASTER-MASTER mode. (Aside: it also doubles IPv4 CARP packets. Go figure). I do have a case open with Netgear for this.

    I know how networks work, so I'm trying to ask a specific question about pfSense from pfSense experts. The question is: if I configure pfSense WAN interface with a static IPv6 address, can it also be configured to accept Router Advertisements? "Yes" or "no" from someone who knows the answer, please.

  • diag_ndp.php gateway time-out

    2
    0 Votes
    2 Posts
    185 Views
    jimpJ

    To view it from the command line, use ndp -a, or ndp -na so it doesn't attempt to resolve names.

    If the page is timing out, the most likely explanation is that it is taking too long when trying to resolve hostnames.

  • DUID issues

    2
    0 Votes
    2 Posts
    527 Views
    A

    It's OK now. I left it alone for a few days, because I was too busy doing other things. And I just checked and I get the fixed prefix now.

  • IPv6 duid

    10
    0 Votes
    10 Posts
    1k Views
    DerelictD

    @admins said in IPv6 duid:

    0e:00:00:01:00:01:23:e2:27:2c:ac:1f:6b:69:dd:9e

    That looks like it matches what you originally posted.

    What really matters is what is being sent in the DHCP logs. That is what the ISP will see.

    Looks like you have an extraneous space in there. The way to set that is using the web interface as described above. Please don't take this as condescending but don't over-think this. It works fine.

    It is impossible to say what is wrong. We have no idea what specific instructions your ISP is insisting you perform. These questions are really better suited at them. Then give us EXACTLY what they are telling you to do. Then, if possible, make pfSense do that. Else it is just guessing.

  • DHCPv6 on multiple interfaces

    10
    0 Votes
    10 Posts
    2k Views
    JKnottJ

    @johnpoz said in DHCPv6 on multiple interfaces:

    Not possible!!! Your vlans are not isolated is your problem..

    As anyone with certain TP-Link gear knows. However, I believe he identified the issue as due to the NIC drivers in Windows 10.

  • IPv6 Errors in logs

    3
    0 Votes
    3 Posts
    1k Views
    M

    Thanks, I thought about that, but the address in question is clearly listed as my WAN gateway:

    IPv6 Address
    2604:5500:c078:8000:xxx:xxxx:xxxx:xxxx
    Subnet mask IPv6
    64
    Gateway IPv6
    fe80::768e:f8ff:fea6:6e01

    The only other device I can think of that could possibly run misc network services would be my Aruba AP whose IP doesn't match.

    I have no other router on my LAN.

  • 0 Votes
    3 Posts
    612 Views
    kiokomanK

    https://redmine.pfsense.org/issues/9577 maybe this applies to you also :)

  • Netflix and HE.net tunnel fixed using Unbound python module

    8
    0 Votes
    8 Posts
    8k Views
    GertjanG

    @Nan0tEch said in Netflix and HE.net tunnel fixed using Unbound python module:

    How does this work for the Netflix app by not getting the IPv6 addresses as I block all IPv6 in my network?

    The issue is / was: devices that run browsers to visit Netflix, or apps on phones or SmartTVs, could contact Netflix by IPv4 and - if you have it enabled - IPv6.
    Some ISPs don't know what IPv6 is, so ipv6.he.net can be used as an IPv6 ISP, in parallel with your classic ISP, doing IPv4 only.

    The issue is: like many VPNs, the gateway he.net is using (an IPv6) is considered as a "VPN endpoint" and listed as such by Netflix: they don't accept that I use ipv6.he.net to stream their content.

    So, blocking AAAA requests when some device on my LAN wants to resolve a Netflix server helps: my device steps back to IPv4 only, thus using my classic ISP, and Netflix doesn't complain now.

    Note: If you do not use IPv6 you don't need the unbound-python trick described here.

    @Nan0tEch said in Netflix and HE.net tunnel fixed using Unbound python module:

    What could the app be using by getting these IPv6 blocks and blocking the streaming service.

    What do you mean ?
    How it works ?
    See the script. It blocks AAAA requests if the URL is on a list, present in the script. You have to edit the script to implicate other URLs.

  • Dynamic DNS doesn't notice that IPv6 prefix has changed

    8
    1 Votes
    8 Posts
    1k Views
    IsaacFLI

    @JKnott that is exactly what I do for all of my other hosts. Manual entries in the DNS.

    The plan was to have the DDNS set to notify me by email if the prefix ever changes but I noticed I never got an email when it actually occurred.

    I am also using this in conjunction with uptime robot.

    I can adjust it to use the WAN instead for this but it seems this is a bug since it is possible for the WAN ip to stay the same but have the prefix change.

  • IPv6 issues behind router

    5
    0 Votes
    5 Posts
    671 Views
    A

    I know I would, but as I said (or tried to), as soon as I set my current router / modem to bridge mode, it involves (due to my ISP's restrictions), that I don't get IPv6 anymore at all. And currently I get a /64 only (see original post), which proves (additionally) that my ISP offers IPv6 only because they don't have enough IPv4 addresses.

    When I set my router / modem to bridge mode (acting as a modem only), I then get an individual IPv4 address (which I currently do not have, hence DSlite I think it's called) and my ISP seems to think "oh well, no IPv6 necessary anymore". Which is at least in my case in some way true, because currently I need IPv6 only to make stuff like my Plex server, my cloud etc. accessible on the internet - which obviously wouldn't be possible as long as my server is not reachable by IPv4. Some German website said this DSlite thingy is more or less a German thing only, so I'm not sure you're aware of this problem at all, but I hope this post clarifies my situation better.

  • Dual WAN IPv6 with Failover on SG-1100

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD

    All of the PD and tracked interface settings happen in the dhcp6c client itself. It does everything. All it needs to be is set up and run.

    Whenever you change an inside interface tracking setting you have to edit/save the WAN that is being tracked (or wait for a renewal) to get the changes applied because that re-runs the dhcp6c client on that interface.

  • IPv6 Address assignments for internal devices

    11
    0 Votes
    11 Posts
    2k Views
    DerelictD

    See Also: SLAAC

  • Duplicate IPv6 addresses

    21
    0 Votes
    21 Posts
    2k Views
    johnpozJ

    I do not know that switch... All I can tell you is that if you're getting 2 addresses from two different RAs then you're not isolated at Layer 2 - it's as simple as that. Be it your switch config, or you have something else bridging the 2 L2 networks.

    It makes no sense to me to run a vlan on top of the native interface if all you're going to do is run 1 network on it.. Pointless... Now if you're going to run more than 1 vlan on it, then there is something to be said for only tagging and no native.. But if all you have is the native interface, pfSense need not know anything about vlans for that network.

    But an "any" setting doesn't seem logical to me at all..

    From your later image it looks like you have every port as a member of 3 vlans - that is BORKED for freaking sure!!

    I can tell you for freaking sure that is wrong without knowing that switch os at all...

    The only ports that should be members of more than 1 vlan are ports connected to something that will separate the vlans based upon tag, etc.. Like a router interface that has more than 1 vlan on it, or another switch uplink, or a connection to an AP, etc.

  • No IPv6 DHCP6 Request on WAN

    2
    0 Votes
    2 Posts
    236 Views
    JKnottJ

    @admins said in No IPv6 DHCP6 Request on WAN:

    How could I check if dhcp6 is sending a request?

    Do a packet capture on ICMP6 on the WAN interface. However, it might be difficult to use the pfSense Packet Capture at that time, so you'd need a managed switch, with port mirroring, between the firewall and modem. You'd then use a computer running Wireshark to capture the packets. I assume your modem is in bridge mode, not gateway.

  • Reverse DNS has stopped working for IPv6

    3
    0 Votes
    3 Posts
    401 Views
    jimpJ

    Looks like the validation check had the wrong variable name for IP address validation. It only seems to have affected IPv6, though.

    https://redmine.pfsense.org/issues/9543

    The fix will show up there momentarily, and can be applied with the system patches package.

  • Dynamic IPv6 prefixes and delegation via RA

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • Comcast ipv6 / Netgear C7100V

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ

    @rdunkle said in Comcast ipv6 / Netgear C7100V:

    I did not clone any MAC address, just went with what it had.

    I am thinking my mention of cloning mac address might have muddled the conversation... This is an option for when you want to change devices and not power cycle a modem..

    I used to do this when I wanted to fire up a different router distro, most of the time on a vm.. So that my public IP wouldn't change.. And it allowed me to switch between distros faster without having to wait for the modem to power cycle as well.

    It for sure is an "option" if you do not have an easy method of power cycling the modem, or not enough time to wait for it, etc. etc.. Prob the only option you will have once you place a modem in bridge vs router mode would be to switch it back to router mode.. I hit the 192.168.100.1 address to view "status" of my cable modem for example.. Which doesn't even have a router mode.

    Glad you got it all sorted.

  • LAN to WAN IPv6 dropping packets intermittently

    2
    0 Votes
    2 Posts
    781 Views
    DerelictD

    How about LAN to the IPv6 address on the pfSense WAN interface?

    How about LAN to the very next IPv6 hop outside the WAN?

    Packet capture on WAN. If the echo requests are being sent but no reply is being received, there's nothing pfSense can do about it. Complain to the ISP.

    It is very possible they could have something different configured (perhaps unintentionally) for the interface address/prefix and the routed, delegated /60 prefix.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.