• IPv6rd and DHCP option 212

    1
    0 Votes
    1 Posts
    635 Views
    No one has replied
  • DHCPv6 response cannot go through the pfsense

    6
    0 Votes
    6 Posts
    1k Views
    junicastJ
    @bagusf said in DHCPv6 response cannot go through the pfsense: Is that true? I have not tried that operation mode but as your linked document says: "It is normally best to avoid such configurations as they can be problematic, ..." There's a reason why network traffic is divided into layer two and three. @bagusf said in DHCPv6 response cannot go through the pfsense: And i follow this guide... I still fail to understand why you would want to bridge but not to route. What advantages will you get from this? @bagusf said in DHCPv6 response cannot go through the pfsense: Hmm.. Let's just say, I have a PC with VMWare installed, connected to IPv6 Network. Inside the VMware I make several VM for different purposes. To improve the security, I want pfsense to act as bridge and firewall inside the VMWare. You won't get increased security with bridging mode. I would consider a Router + Filtered network more secure. But if you think I'm wrong, please try to convince me. In the end I think IPv6 has its strengths within routing since it's just large. Exploit that. This guide might give you more comfort idk but I doubt it will be security. Everything you filter in bridged mode you can also filter in routed mode, so.
  • Serve DHCPv6 while using SLAAC

    1
    0 Votes
    1 Posts
    314 Views
    No one has replied
  • pfSense as tunnel broker

    8
    0 Votes
    8 Posts
    1k Views
    JeGrJ
    @b3er said in pfSense as tunnel broker: found interesting behavior, if no LAN interface/subnet exists in router setup, Nothing interesting in that. Just read the documentation: If only a single interface exists, pfSense is not in firewalling/NAT mode (it even says so when installing it after adding the WAN). So without a second interface, you are not actually firewalling anything and adding the OPTx Interface from the GIF tunnel then adds the "second" interface and first LAN interface so automatically gets the default LAN setup and firewalling is engaged so WAN will be properly shielded.
  • WAN IPv6 and LAN IPv4 is Possible to configure in PFSense 2.44 ?

    12
    1
    0 Votes
    12 Posts
    4k Views
    johnpozJ
    @moorthyragav said in WAN IPv6 and LAN IPv4 is Possible to configure in PFSense 2.44 ?: yes, we are using 30 public IPs 1:1 nat for our clients with old ISP. So let me get this right - you have clients that currently have a public IPv4 address for their own use.. And now your plan is to move them only to ipv6.. Pretty sure many of them will just leave, if you do that. While ipv6 is the future and all.. If these clients are currently hosting services to their customers/clients via IPv4 and you take that away from them - they prob going to be pretty freaking pissed ;) The whole internet is not all ipv6 capable - and they could lose many of their customers/clients if they can no longer provide their services via IPv4... Did you ok it with all your clients the removal of IPv4?
  • Accepting upstream RAs

    ipv6 default route gateways radvd
    10
    0 Votes
    10 Posts
    2k Views
    C
    @JKnott: you've got my requirement upside-down. I want the pfSense firewalls, on their WAN interface, to accept RAs from the upstream routers. This is the normal behaviour for RAs. In fact, pfSense supports it if the WAN interface is configured dynamically using DHCP6 or SLAAC. I want to know if it's possible when the WAN interface is configured with a static IPv6 address.

    Downstream, everything is fine:

        fw1      fw2
         |        |
        -+---+----+-
             |
           server

    - I can configure pfSense to send RAs only (without offering SLAAC prefix or DHCP6)
    - I can configure the server with a static IPv6 address
    - I can configure the server to pick up its default route via RA (e.g. Linux: accept_ra=1)

    That all works fine. Now I need to do the same upstream, where the pfSense WAN is the "client" and the upstream routers send RAs.

    You are right that I could instead use VRRP or CARP. The reasons not to do this are partly philosophical (IPv6 already provides this facility, in the form of Router Advertisements), and partly practical: the Netgear M4300-24X24F I'm using has a bug where it drops more than 90% of IPv6 CARP packets, which results in devices switching into MASTER-MASTER mode. (Aside: it also doubles IPv4 CARP packets. Go figure). I do have a case open with Netgear for this.

    I know how networks work, so I'm trying to ask a specific question about pfSense from pfSense experts. The question is: if I configure pfSense WAN interface with a static IPv6 address, can it also be configured to accept Router Advertisements? "Yes" or "no" from someone who knows the answer, please.
  • diag_ndp.php gateway time-out

    2
    0 Votes
    2 Posts
    209 Views
    jimpJ
    To view it from the command line, use ndp -a, or ndp -na so it doesn't attempt to resolve names. If the page is timing out, the most likely explanation is that it is taking too long when trying to resolve hostnames.
  • DUID issues

    2
    0 Votes
    2 Posts
    581 Views
    A
    It's OK now. I left it alone for a few days, because I was too busy doing other things. And I just checked and I get the fixed prefix now.
  • IPv6 duid

    10
    0 Votes
    10 Posts
    1k Views
    DerelictD
    @admins said in IPv6 duid: 0e:00:00:01:00:01:23:e2:27:2c:ac:1f:6b:69:dd:9e That looks like it matches what you originally posted. What really matters is what is being sent in the DHCP logs. That is what the ISP will see. Looks like you have an extraneous space in there. The way to set that is using the web interface as described above. Please don't take this as condescending but don't over-think this. It works fine. It is impossible to say what is wrong. We have no idea what specific instructions your ISP is insisting you perform. These questions are really better suited at them then give us EXACTLY what they are telling you to do. Then, if possible, make pfSense do that. Else it is just guessing.
  • DHCPv6 on multiple interfaces

    10
    0 Votes
    10 Posts
    2k Views
    JKnottJ
    @johnpoz said in DHCPv6 on multiple interfaces: Not possible!!! Your vlans are not isolated is your problem.. As anyone with certain TP-Link gear knows. However, I believe he identified the issue as due to the NIC drivers in Windows 10.
  • IPv6 Errors in logs

    3
    0 Votes
    3 Posts
    1k Views
    M
    Thanks, I thought about that, but the address in question is clearly listed as my WAN gateway: IPv6 Address 2604:5500:c078:8000:xxx:xxxx:xxxx:xxxx Subnet mask IPv6 64 Gateway IPv6 fe80::768e:f8ff:fea6:6e01 The only other device I can think of that could possibly run misc network services would be my Aruba AP whose IP doesn't match. I have no other router on my LAN.
  • 0 Votes
    3 Posts
    680 Views
    kiokomanK
    https://redmine.pfsense.org/issues/9577 maybe this applies to you also :)
  • Netflix and HE.net tunnel fixed using Unbound python module

    8
    0 Votes
    8 Posts
    8k Views
    GertjanG
    @Nan0tEch said in Netflix and HE.net tunnel fixed using Unbound python module: how does this works for the netflix app by not getting the IPv6 addresses as i block all IPv6 in my network? The issue is / was: devices that run browsers to visit Netflix, or apps on phones or SmartTV could contact Netflix by IPv4 and - if you have it enabled - IPv6. Some ISPs don't know what IPv6 is, so ipv6.he.net can be used as an IPv6-ISP, in parallel with your classic ISP, doing IPv4 only. The issue is: like many VPNs, the gateway he.net is using (an IPv6) is considered as a "VPN endpoint" and listed as such by Netflix: they don't accept that I use ipv6.he.net to stream their content. So, blocking AAAA requests when some device on my LAN wants to resolve a Netflix server helps: my device steps back to IPv4 only, thus using my classic ISP, Netflix doesn't complain now. Note: If you do not use IPv6 you don't need the unbound-python trick described here. @Nan0tEch said in Netflix and HE.net tunnel fixed using Unbound python module: What could the app be using by getting these IPv6 blocks and blocking the streaming service. What do you mean? How it works? See the script. It blocks AAAA requests if the URL is on a list, present in the script. You have to edit the script to implicate other URLs.
  • Dynamic DNS doesn't notice that IPv6 prefix has changed

    8
    1 Votes
    8 Posts
    1k Views
    IsaacFLI
    @JKnott that is exactly what I do for all of my other hosts. Manual entries in the DNS. The plan was to have the DDNS set to notify me by email if the prefix ever changes but I noticed I never got an email when it actually occurred. I am also using this in conjunction with uptime robot. I can adjust it to use the WAN instead for this but it seems this is a bug since it is possible for the WAN IP to stay the same but have the prefix change.
  • IPv6 issues behind router

    5
    5
    0 Votes
    5 Posts
    784 Views
    A
    I know I would, but as I said (or tried to), as soon as I set my current router / modem to bridge mode, it involves (due to my ISP's restrictions), that I don't get IPv6 anymore at all. And currently I get a /64 only (see original post), which proves (additionally) that my ISP offers IPv6 only because they don't have enough IPv4 addresses. When I set my router / modem to bridge mode (acting as a modem only), I then get an individual IPv4 address (which I currently do not have, hence DSlite I think it's called) and my ISP seems to think "oh well, no IPv6 necessary anymore". Which is at least in my case in some way true, because currently I need IPv6 only to make stuff like my Plex server, my cloud etc. accessible on the internet - which obviously wouldn't be possible as long as my server is not reachable by IPv4. Some German website said this DSlite thingy is more or less a German thing only, so I'm not sure you're aware of this problem at all, but I hope this post clarifies my situation better.
  • Dual WAN IPv6 with Failover on SG-1100

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD
    All of the PD and tracked interface settings happen in the dhcp6c client itself. It does everything. All it needs to be is set up and run. Whenever you change an inside interface tracking setting you have to edit/save the WAN that is being tracked (or wait for a renewal) to get the changes applied because that re-runs the dhcp6c client on that interface.
  • IPv6 Address assignments for internal devices

    11
    0 Votes
    11 Posts
    2k Views
    DerelictD
    See Also: SLAAC
  • Duplicate IPv6 addresses

    21
    0 Votes
    21 Posts
    2k Views
    johnpozJ
    I do not know that switch... All I can tell you is that if you're getting 2 addresses from two different RAs then you're not isolated at Layer 2 - it's simple as that. Be it your switch config, or you have something else bridging the 2 L2 networks. It makes no sense to me to run a vlan on top of the native interface if all you're going to do is run 1 network on it.. Pointless... Now if you're going to run more than 1 vlan on it, then there is something to be said to only tagging and no native.. But if all you have is native interface pfsense need not know anything about vlans for that network. But an "any" setting doesn't seem logical to me at all.. From your later image looks like you have every port as a member of 3 vlans - that is BORKED for freaking sure!! [image: 1559244472130-wrong.png] I can tell you for freaking sure that is wrong without knowing that switch os at all... The only ports that should be members of more than 1 vlan are ports connected to something that will sep the vlans based upon tag, etc.. Like a router interface that has more than 1 vlan on it, or another switch uplink, or connection to an AP, etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.