• IPv6 routing issues

    0 Votes
    12 Posts
    2k Views
    J
    @JKnott Hi, thanks for your response. I'm checking right now the issue with my ISP, seems there are some missing routes that are causing this behavior.
  • IPv6/Comcast Issues with Tracking WAN

    0 Votes
    7 Posts
    900 Views
    MikeV7896M
    It itself isn't... but the fact is that they're providing a gateway, and unless you put it in Bridge mode, it's acting as a router rather than a modem. So pfSense is getting a single WAN address and no prefix because it's being treated as a client on the gateway's network.
  • Firewall VM not reachable via IPv6 on Hetzner

    0 Votes
    2 Posts
    533 Views
    GertjanG
    @simonszu said in Firewall VM not reachable via IPv6 on Hetzner: Where is my error? Has my interface config a mistake somewhere?
    Yes. Here:
    @simonszu said in Firewall VM not reachable via IPv6 on Hetzner: Currently i have a static IPv6 on my WAN interface, it has the first IP from the /64 subnet Hetzner gave me. On the LAN end i took another IP from this subnet
    The first IP from the /64 could / should be used on the LAN NIC. For the WAN, you should use some other IPv6 ... as is shown here:
    @simonszu said in Firewall VM not reachable via IPv6 on Hetzner: https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/
    See the IPv6 page: the guy uses a DHCP6-client setup, certainly not a static WAN IPv6 setup.
  • IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN

    Locked
    0 Votes
    42 Posts
    9k Views
    DerelictD
    So much bad information in this thread. I'm locking it. Start another one with whatever the current problem is. Thanks.
  • Changing AdvLinkMTU when using NPt

    0 Votes
    36 Posts
    5k Views
    dragoangelD
    @Napsterbater MS is so bad, they work on broken IPv4 too:

    tbit from 130.217.250.115 to 52.113.64.150
    server-mss 1460, result: pmtud-fail
    app: http, url: https://meet.lync.com/
    [ 0.009] TX SYN 44 seq = 0:0 b7ef
    [ 0.136] RX SYN/ACK 44 seq = 0:1 2774
    [ 0.136] TX 40 seq = 1:1 b7f0
    [ 0.136] TX 369 seq = 1:1(329) b7f1 DF
    [ 0.268] RX 1500 seq = 1:330(1460) 277b DF
    [ 0.268] RX 1500 seq = 1461:330(1460) 277c DF
    [ 0.268] RX 1460 seq = 2921:330(1420) 277d DF
    [ 0.268] TX PTB 56 mtu = 1280
    [ 0.693] RX 1500 seq = 1:330(1460) 2780 DF
    [ 0.693] TX PTB 56 mtu = 1280
    [ 1.443] RX 1500 seq = 1:330(1460) 279e DF
    [ 1.443] TX PTB 56 mtu = 1280
    [ 2.927] RX 1500 seq = 1:330(1460) 27f7 DF
    [ 2.928] TX PTB 56 mtu = 1280
    [ 5.896] RX 1500 seq = 1:330(1460) 2834 DF

    tbit from 2001:df0:4:4000::1:115 to 2603:1047:0:2::e
    server-mss 1440, result: pmtud-fail
    app: http, url: https://meet.lync.com/
    [ 0.009] TX SYN 64 seq = 0:0
    [ 0.232] RX SYN/ACK 64 seq = 0:1
    [ 0.232] TX 60 seq = 1:1
    [ 0.232] TX 389 seq = 1:1(329)
    [ 0.459] RX 1500 seq = 1:330(1440)
    [ 0.459] RX 1500 seq = 1441:330(1440)
    [ 0.459] RX 1500 seq = 2881:330(1440)
    [ 0.459] RX 80 seq = 4321:330(20)
    [ 0.459] TX PTB 1280 mtu = 1280
    [ 0.470] TX 60 seq = 330:1
    [ 1.178] RX 1500 seq = 1:330(1440)
    [ 1.178] TX PTB 1280 mtu = 1280
    [ 2.489] RX 1500 seq = 1:330(1440)
    [ 2.490] TX PTB 1280 mtu = 1280
    [ 5.083] RX 1500 seq = 1:330(1440)
    [ 5.084] TX PTB 1280 mtu = 1280
    [ 10.302] RX 1500 seq = 1:330(1440)
  • OpenVPN with IPv6 only

    0 Votes
    2 Posts
    483 Views
    kiokomanK
    afaik still not possible, openvpn guys are working on it and maybe it will be available for version 2.5 (of openvpn not of pfsense)
  • IPv6 DNS Resolver with new Android phone failing

    0 Votes
    8 Posts
    2k Views
    DerelictD
    macOS, at least, seems to do the right thing:
    nameserver[0] : fe80::1:1%vlan0
    Not sure whether that was received from an RA or DHCP since I am running that segment in Assisted mode (both). You will also have to specifically pass link-local traffic (fe80::/10) to fe00::1:1 tcp/udp port 53 and add fe80::/10 to an unbound access list. Link-local is not considered to be LAN Net so none of it is added automatically when you pass from LAN Net.
  • DNS hostname for dynamic IPv6 address

    ipv6 dns dynamic lease
    0 Votes
    7 Posts
    2k Views
    JKnottJ
    @JeGr said in DNS hostname for dynamic IPv6 address: Newer Hosts tend to use EUI-64 if implemented so are not "predictable" by their MAC address anymore
    Actually, all IPv6 addresses are EUI-64. The host part can be either MAC based, random number or other. With IPv6, the EUI-48 MAC address is converted to EUI-64 by inserting FFFE in the middle and inverting bit 7.
  • IPv6rd and DHCP option 212

    0 Votes
    1 Posts
    602 Views
    No one has replied
  • DHCPv6 response cannot go through the pfsense

    0 Votes
    6 Posts
    944 Views
    junicastJ
    @bagusf said in DHCPv6 response cannot go through the pfsense: Is that true?
    I have not tried that operation mode but as your linked document says: "It is normally best to avoid such configurations as they can be problematic, ..." There's a reason why network traffic is divided into layer two and three.
    @bagusf said in DHCPv6 response cannot go through the pfsense: And i follow this guide...
    I still fail to understand why you would want to bridge but not to route. What advantages will you get from this?
    @bagusf said in DHCPv6 response cannot go through the pfsense: Hmm.. Lets just say, I have a PC with VMWare installed, connected to IPv6 Network. Inside the VMware I make several VM for different purposes. To improve the security, I want pfsense to act as bridge and firewall inside the VMWare.
    You won't get increased security with bridging mode. I would consider a Router + Filtered network more secure. But if you think I'm wrong, please try to convince me. In the end I think IPv6 has its strengths within routing since it's just large. Exploit that. This guide might give you more comfort idk but I doubt it will be security. Everything you filter in bridged mode you can also filter in routed mode, so.
  • Serve DHCPv6 while using SLAAC

    0 Votes
    1 Posts
    289 Views
    No one has replied
  • pfSense as tunnel broker

    0 Votes
    8 Posts
    1k Views
    JeGrJ
    @b3er said in pfSense as tunnel broker: found interesting behavior, if no LAN interface/subnet exists in router setup,
    Nothing interesting in that. Just read the documentation: If only a single interface exists, pfSense is not in firewalling/NAT mode (it even says so when installing it after adding the WAN). So without a second interface, you are not actually firewalling anything and adding the OPTx Interface from the GIF tunnel then adds the "second" interface and first LAN interface so automatically gets the default LAN setup and firewalling is engaged so WAN will be properly shielded.
  • WAN IPv6 and LAN IPv4 is Possible to configure in PFSense 2.44 ?

    0 Votes
    12 Posts
    3k Views
    johnpozJ
    @moorthyragav said in WAN IPv6 and LAN IPv4 is Possible to configure in PFSense 2.44 ?: yes, we are using 30 public IPs 1:1 nat for our clients with old ISP.
    So let me get this right - you have clients that currently have a public IPv4 address for their own use.. And now your plan is to move them only to ipv6.. Pretty sure many of them will just leave, if you do that. While ipv6 is the future and all.. If these clients are currently hosting services to their customers/clients via IPv4 and you take that away from them - they prob going to be pretty freaking pissed ;) The whole internet is not all ipv6 capable - and they could lose many of their customers/clients if they can no longer provide their services via IPv4... Did you ok it with all your clients the removal of IPv4?
  • Accepting upstream RAs

    ipv6 default route gateways radvd
    0 Votes
    10 Posts
    2k Views
    C
    @JKnott: you've got my requirement upside-down. I want the pfSense firewalls, on their WAN interface, to accept RAs from the upstream routers. This is the normal behaviour for RAs. In fact, pfSense supports it if the WAN interface is configured dynamically using DHCP6 or SLAAC. I want to know if it's possible when the WAN interface is configured with a static IPv6 address.

    Downstream, everything is fine:

    fw1     fw2
     |        |
    -+---+----+-
         |
       server

    I can configure pfSense to send RAs only (without offering SLAAC prefix or DHCP6)
    I can configure the server with a static IPv6 address
    I can configure the server to pick up its default route via RA (e.g. Linux: accept_ra=1)

    That all works fine. Now I need to do the same upstream, where the pfSense WAN is the "client" and the upstream routers send RAs.

    You are right that I could instead use VRRP or CARP. The reasons not to do this are partly philosophical (IPv6 already provides this facility, in the form of Router Advertisements), and partly practical: the Netgear M4300-24X24F I'm using has a bug where it drops more than 90% of IPv6 CARP packets, which results in devices switching into MASTER-MASTER mode. (Aside: it also doubles IPv4 CARP packets. Go figure). I do have a case open with Netgear for this.

    I know how networks work, so I'm trying to ask a specific question about pfSense from pfSense experts. The question is: if I configure pfSense WAN interface with a static IPv6 address, can it also be configured to accept Router Advertisements? "Yes" or "no" from someone who knows the answer, please.
  • diag_ndp.php gateway time-out

    0 Votes
    2 Posts
    191 Views
    jimpJ
    To view it from the command line, use ndp -a, or ndp -na so it doesn't attempt to resolve names. If the page is timing out, the most likely explanation is that it is taking too long when trying to resolve hostnames.
  • DUID issues

    0 Votes
    2 Posts
    551 Views
    A
    It's OK now. I left it alone for a few days, because I was too busy doing other things. And I just checked and I get the fixed prefix now.
  • IPv6 duid

    0 Votes
    10 Posts
    1k Views
    DerelictD
    @admins said in IPv6 duid: 0e:00:00:01:00:01:23:e2:27:2c:ac:1f:6b:69:dd:9e
    That looks like it matches what you originally posted. What really matters is what is being sent in the DHCP logs. That is what the ISP will see. Looks like you have an extraneous space in there. The way to set that is using the web interface as described above. Please don't take this as condescending but don't over-think this. It works fine. It is impossible to say what is wrong. We have no idea what specific instructions your ISP is insisting you perform. These questions are really better suited to them, then give us EXACTLY what they are telling you to do. Then, if possible, make pfSense do that. Else it is just guessing.
  • DHCPv6 on multiple interfaces

    0 Votes
    10 Posts
    2k Views
    JKnottJ
    @johnpoz said in DHCPv6 on multiple interfaces: Not possible!!! Your vlans are not isolated is your problem..
    As anyone with certain TP-Link gear knows. However, I believe he identified the issue as due to the NIC drivers in Windows 10.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.