Im having now the same Problem.
Im from Germany and i don’t get an IPv6 at the Lan Interface. The Wan gets an IPv6 and the router (of my ISP) tells me it is registered with the ipv4 (Home Network) and ipv6. All on the Wan.
At lan interface i can access the webpage.
I made the wan dhcp6 at the ipv6 configuration type,
Checked only the 2 ticks send ip prefix hint and debug. For the prefix Delegation size I used 64 (cause the router gets an 64 Delegation size).

At the lan Interface I made it track interface for the ipv6 configuration type. And choosed at the bottom Wan for the track ipv6 interface and entered 0 for the prefix id.

At dhcpv6 server & ra I disabled the dhcpv6 server and tried all router modes at router advertisements.

I hope someone could help me. It’s really important.

@ssjoco85 said in IPv6 subneting and DHCP PD how to:

Always when my WAN reconnect. I have PPPoE on WAN. Most of the ISPs use dynamic IPv6 prefixes on consumer lines.

I'm on a consumer service and my prefixes are solid, ever since the "Do not allow PD/Address release" option was added to pfSense. DHCPv6-PD uses something called "Device Unique IDentifier" (DUID) to lock the prefix to the customer.

@jimp
Thanks for your comment, may be there are some misstakes in wording at my site, it's not my mothers speech :-)
My last stand was, that you don't see the nessessarity, nice to see we are some steps forward :-)
At me it looks not that complicated, prefix as variable to call everywhere and thats it . Ok I have no idea how coding works so I can only hope someone do it ;-)

My point is it is not assigned to him via DHCP. And there is zero reason to use DHCP to assign it to pfSense.

Just route it.

@Derelict I stated previously it was a PEBKAC error (as in the problem lies between the Keyboard and Chair). Again thanks everyone for your help and time on this.

I have multiple clients and many of them run multiple VPN's.

Putting a mention in the document to remind troglodytes like myself to disable VPN's when testing might deserve a mention?

@mark-b

Have you ended up figuring this one out? I’m having similar issues.

They are not responding.

One other thing you may want to try. Put your modem into gateway mode and see if it works properly. If it does, then the problem is with pfSense. If it doesn't it's with your ISP. My experience shows the tech support will not work on a problem if a customer firewall/router is used. So, use the gateway mode to determine where the problem is.

Thanks @Derelict I think I have it working now. I had a couple of problems with the way I was trying to do it.

I ended up having edge-pf delegate /60 subnets so that internal-pf could use /64 subnets on its lans. The biggest catch, that had me scratching my head for ages, is the dhcpd service seems to need to be restarted; or a reboot. I'm not exactly sure which situation requires which but just saving a new configuration or restarting an interface isn't enough.

After I have all this working I'll post my config to help the next novice like me.

Thanks for the help @Derelict and @JKnott. I now have my WAN and LAN interfaces looking like they are working as they should. I can also successfully ping and traceroute to the public ipv6 address I found.

For others who may have similar problems I found this post useful to understand a little more about how track interface works.

My next hurdle is to get prefix delegation working from the pfsense that connects to the internet to the pfsense that does internal routing and services. I'm having some trouble with that but I'll create a new post for it since it's outside of this topic.

Well, I got it working last night... oddly enough the problem was actually due to the bug I mentioned in my original post - https://redmine.pfsense.org/issues/5999. Because IP aliases break tracking I had removed my IPv6 interface from CARP. That meant that my secondary was picking up some percentage of the IPv6 traffic on the LAN. It still had routes to my old ISP over the v6 tunnel, so it was sending some of the traffic out that way.

The solution for the moment was to turn the secondary off, I'm going to do some more config tweaking tonight and see if I can get to a state (probably with no IPv6 on the secondary) where I can leave it on-line so I have at least some level of failover.

@bbusa said in Native IPv6 from Telekom using GPON and PPPoe [solved]:

They had misinformation on the phone, and that created the confusion.

Misinformation from an ISP? WOW, that's a first!!! Yeah, right. 😉

IPv6 from my ISP worked well from the start, three years ago, until I ran into a problem around New Years. With my own testing, I had determined the problem was at the ISPs office and later was even able to identify the failing system. It took me 3 months to get the problem resolve and I often found myself having to teach the support people how IPv6 worked. Hopefully, the support will improve, as ISPs get more experience with IPv6.

Having multiple GUAs on a host puts a lot of the burden on that host for choosing the desired source address for a particular connection.

The pfSense routing role could be handled right now using existing policy routing rules based on the source IPv6 address. This source, out this WAN, that source, out the other WAN.

But the decision moved to the host as to which source address is used for a particular connection.

@mikael-ljung-mikeonline-se
I think best practice is to use GUA for everything. If you have a broken ISP that changes the prefix then ULA is a way to work around that.

@PabloAbonia said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:

Address #2 is the preferred address which is not assigned from pfSense via DHCPv6, and is generated by Windows 10. It is derived from the prefix, and the fe80 address in address found under #4

This is entirely normal. With IPv6, you have a 64 bit prefix and 64 bit suffix. With the consistent address (MAC or random) it will have exactly the same suffix as the link local. You will see this even more, if you also use Unique Local Addresses. Then you will see the same suffix for link local, Unique Local Addresses and Global Unique addresses. With the privacy addresses, you will also have GUA and ULA with matching suffixes. Entirely normal.

Yeah, I had the PrefixID set but was calling it a NetID. Sorry for the confusion. Got IPv6 working by changing the LAN DHCPv6 Server + RA setting called "Delegation Prefix Size" to a 64 on the DHCPv6 Server + RA settings for the LAN interface and unchecking "Use DHCPv6 Server Settings" in the DNS Configuration at the bottom. Still not sure why that fixed it. But got a 10/10 with no warnings at https://test-ipv6.com.

Settings from here were helpful getting it to the point I had it before:
https://forum.netgate.com/post/619372

Now time to make sure I have policies set properly...Routable IPs in an internal network are a new level of fun. The VPN issue in particular.
https://docs.netgate.com/pfsense/en/latest/vpn/ipv6-and-vpns.html

Cheers.

We're not talking about point-to-point links, bro.

I don't have time to make every forum response cover every possible caveat.

@derelict said in IPv6 default route disappears:

Vote with your deutchemarks, people.

They are called Euros for years, ya' know? 😸

Problem is, that those small little pearls are mostly local ISPs in specific regions or cities. Even if I'd wanted to go all out and "shut up and take my money", it won't get me far. In most non-crowded places you're happy if you can get DSL with PPPoE or Cable from the same few companies. There are only some like e.g. DG / Deutsche Glasfaser / "german fiber" that will get you FTTH or FTTB.
So more often then not, voting with ones wallet isn't possible as no other/better service is available. 🤷