• 0 Votes
    6 Posts
    1k Views
    johnpoz

    It says unless you're running forwarder/resolver.. Prob could be worded a bit more precisely - or actually check to see if listening on actual interface if you have strict set.

    Normally people that run resolver/forwarder want their dhcp clients to talk to pfsense. This is what like 99% of use cases (number just pulled out of my ass <grin>)

    If you have a lot of interfaces pick the way you want to go about it that is least amount of work ;)

    I will try and duplicate so can put in request to have wording updated, or option changed so that if strict and not bound to interface don't hand out pfsense IP.

  • 0 Votes
    9 Posts
    945 Views
    B

    @derelict Thanks for your reply. This ISP has made some possibly questionable implementation decisions in their network.

    First, the DHCP before RA feature was tested on this network. Their edge routers will not respond to an RS until after the DHCP solicit/advertise and DHCP request/reply sequence is complete. After that, the edge router will respond to an RS with an RA. I just fired up Wireshark and captured some packets. The router lifetime in the is 4500 seconds (75 minutes), the reachable time is 0 and the retrans timer is 100 ms. These values are also used in the unsolicited RA messages, which leads to another interesting implementation decision.

    Second, the time between the unsolicited RA messages ranges from approximately 15 minutes to approximately 30 minutes. I determined this by capturing RA messages over several hours. This is longer than usual, but according to RFC 2461, MaxRtrAdvInterval is 1800 seconds, so they are operating within the allowable limit.

    I also looked at the DHCP reply. T1 and T2 in the IA for PD are 300 and 480. The preferred lifetime and valid lifetime in the IA Prefix are 600 and 900, respectively.

    The above are from my router which is working properly.

    Apparently on some fiber networks, the unsolicited RA messages are not being sent at all. This is a known problem that they are working with the router vendor on. I'm trying to help someone else figure out why pfsense is behaving as I described above. Based on these timers, I would think it should work for 75 minutes (or whatever the prefix lifetime is) until the prefix expires, then it should stop working. However, it seems to fail once after initially getting a prefix, then if the interface is restarted, it keeps working. I don't understand why it would keep working if prefix expiration is causing it to stop working after the interface is started. Maybe something else is going on. I don't have packets captured from this network, but I'll try to get some.

  • 0 Votes
    21 Posts
    4k Views
    K

    I know this is old but even on 2.4.4-p2 ipv6 only works for about 1 to 2 days and then all Facebook videos stop loading until I turn ipv6 off. I guess I will just have to give up on ipv6 with my ISP.

  • Splitting a static /48 from Mediacom into subnets

    0 Votes
    15 Posts
    2k Views
    JKnott

    @alankeny said in Splitting a static /48 from Mediacom into subnets:

    With their static IPv6 allocation, the WAN side is basically a bridged network that can have 1,208,925,819,614,629,174,706,176 IPv6 hosts on it, and that's the only configuration option available.

    That's nonsense. A /48 is not usable in that manner. It's supposed to be split up into /64s, which are what is used on a LAN. For example, I have a /56. One /64 is used for my main LAN, a 2nd for a test interface and a 3rd for my VPN. My ISP uses DHCPv6-PD to provide my prefix and WAN interface address. As Derelict mentions, take a look at what's on the wire. You might want to see if you can talk to 2nd level support. Maybe they might have a clue about how IPv6 works.

  • IPv6 not working on LAN

    0 Votes
    4 Posts
    1k Views
    johnpoz

    @heartofrainbow said in IPv6 not working on LAN:

    The WAN and LAN IPv6 addresses have the same prefix

    Doesn't work that way..

    Your so-called passthru mode would be a bridge.. Why don't you call your ISP and ask what they support or what is your ISP so we can look it up.

    What are you wanting to do with IPv6 exactly? If you don't even know how your ISP does it, why does it even matter... If you want IPv6 - just get a free tunnel from HE.. Then you can have a /48 and clickity clickity done... Doesn't matter what your ISP supports or doesn't support.

  • IPV6 on more than one NIC

    0 Votes
    25 Posts
    3k Views
    sneffy80

    @nthly

    Glad to help.

  • DHCPv6 problem with Netgear router

    0 Votes
    19 Posts
    2k Views
    johnpoz

    @mikekoke said in DHCPv6 problem with Netgear router:

    Richiesta scaduta.

    Request timed out - what are your rules.. If you don't allow icmp then no you wouldn't be able to ping..

    Do a traceroute - does it actually send it to pfsense IPv6

    So what network/prefix did you put on your lan side network?

    You sure you're actually even surfing via IPv6?

    What does say https://test-ipv6.com/ show you when you go there from a client

  • PPPoE daemon selects wrong interface

    0 Votes
    1 Posts
    307 Views
    No one has replied
  • IPv6 over PPPoE, wrong default gateway

    Locked
    0 Votes
    9 Posts
    5k Views
    Derelict

    Likely something completely different. Start another thread.

    Locking this one.

  • 0 Votes
    9 Posts
    3k Views
    johnpoz

    That is not your whole ipconfig /all output..

    A Windows box will have teredo, 6to4 and isatap interfaces listed... Unless you took the time to clean them up... They will attempt to get IPv6 and tunnel out of your IPv4 network..

    If you want to play with IPv6 - your ISP doesn't have to support it.. Just get an HE tunnel.. they are FREE and will give you a /48 to play with.. And they have certification program to walk through and help you learn the stuff you need to learn to correctly setup IPv6.. My last ISP supported IPv6 - well kind of.. It was way more trouble than it was worth... So I ran HE tunnel.. And my new ISP doesn't have any IPv6 support.. Still have my same /48 because I was using tunnel.. But then again I only run it on the devices I want to run it on, for my own amusement and testing.. There is not actual "need" for it.. If that is something you want to do to learn about IPv6 then yeah let's go - lots of learning to do.. Happy to help... But when someone doesn't know the difference between an A record and AAAA... maybe they quite ready to ride the IPv6 train correctly.

    Here is the thing - IPv6 for sure is the FUTURE... But no matter how much some people want it... IPv4 is not going away any time soon.. For the home user, sorry there is no actual reason they need to run IPv6.. And to be honest until such time that they can commit to learning how to correctly configure it.. It's easier to turn it off.. Some people don't like that approach... But sorry thing tunneling out of your IPv4 network just to use a protocol that is not actually needed. Name an internet resource that you NEED, that you can not get to unless you have IPv6 and then we can talk about IPv6 being a "required" thing...

    And in the corp world - yeah the cost of transition on the lan side when they have all the IPv4 space they need with rfc1918.. Sure they can put their public facing stuff on both IPv4 and IPv6 that is for outside access.. But on the internal corp network - it costs money to do this transition... Until there is a financial reason - corp is going to drag their feet screaming into the IPv6 world..

    So there is PLENTY of time to get up to speed on IPv6.. Nothing saying you need to take on that challenge right now.

  • DHCP / DHCP6 Disconnection issue

    0 Votes
    2 Posts
    542 Views
    M

    On my Comcast Interface page, I've enabled the option: "Do not wait for a RA". This seems to accomplish what I want to do.

    Are there any ill effects I should be aware of?

  • Kernel cannot forward src

    0 Votes
    3 Posts
    1k Views
    dragoangel

    OK, thank you, sorry for the duplicated theme.
    About :3:: - it is really not an existing IP at all, but it is real if this part is removed. I am sure, because I have ntopng installed and have configured monitoring for long-term storage. For me this is a strange situation.
    P.S. These clients are Win10.

  • 0 Votes
    2 Posts
    2k Views
    jimp

    So what does the config on pfSense look like vs your external server config? There must be some difference in the formatting or naming of the option to explain what is happening.

    Look in /var/dhcpd/etc/dhcpdv6.conf

  • Clients don't receive DHCPv6 IP

    0 Votes
    9 Posts
    1k Views
    J

    @roally That's more than I see in my file. I am currently setting up a box with an older version of pfSense. 2.3.4 worked for all the time and I'll see soon whether there is a difference. If it would work, I'd know what is supposed to be in radvd.conf...

  • Local created oversized IPv6 UDP packets get dropped by pfsense

    0 Votes
    13 Posts
    2k Views
    L

    It looks like FreeBSD is able to create IPv6 fragments (45 fragments created), but I have no idea where they are going to in case of the WAN interface.

    netstat -s -p ip6
    ip6:
    402474348 total packets received
    0 with size smaller than minimum
    0 with data size < data length
    0 with bad options
    0 with incorrect version number
    0 fragments received
    0 fragments dropped (dup or out of space)
    0 fragments dropped after timeout
    0 fragments that exceeded limit
    0 packets reassembled ok
    614833 packets for this host
    401766863 packets forwarded
    2 packets not forwardable
    45 redirects sent
    746064 packets sent from this host
    0 packets sent with fabricated ip header
    0 output packets dropped due to no bufs, etc.
    0 output packets discarded due to no route
    0 output datagrams fragmented
    45 fragments created
    0 datagrams that can't be fragmented
    0 packets that violated scope rules
    0 multicast packets which we don't join

  • TunnelBroker - Should "Enable IPv6 over IPv4 tunneling" be enabled?

    0 Votes
    3 Posts
    1k Views
    P

    @jimp said in TunnelBroker - Should "Enable IPv6 over IPv4 tunneling" be enabled?:

    No, that is not needed. It's for passing IPv6 encapsulated traffic from your WAN through to some other device behind the firewall, so that the other device can handle IPv6 routing.

    https://www.netgate.com/docs/pfsense/book/config/advanced-networking.html#ipv6-over-ipv4-tunneling

    Thanks

  • Empty radvd.conf

    0 Votes
    2 Posts
    903 Views
    No one has replied
  • Three Entries in NDP for Some Devices? [ANSWERED]

    0 Votes
    4 Posts
    785 Views
    sigi

    @beremonavabi said in Three Entries in NDP for Some Devices? [ANSWERED]:

    Unfortunately, I don't even have a name for what I'm seeing so I can't look it up.

    https://en.wikipedia.org/wiki/IPv6#SLAAC_privacy_extensions

  • Can ping IPv6 from LAN but not from firewall itself

    0 Votes
    24 Posts
    4k Views
    D

    I got an e-mail from Hyperoptic today saying that apparently IPv6 is disabled pending a firmware update they are currently working on... not sure if I was just being fobbed off but that was enough discouragement to make me leave playing for a few days. I will try again then. I wonder if this is a firewall issue really but I tried a bunch of frankly scary things there too and nothing helped.

  • NPT rules are not created and no error warning appears.

    0 Votes
    3 Posts
    731 Views
    F

    @jimp Thanks, this time I have edited the file /etc/inc/filter.inc as it appears here: https://redmine.pfsense.org/projects/pfsense/repository/revisions/e9446f537051c7b536d0b3fbb5ebd00c3766001a/diff?utf8=%E2%9C%93&type=sbs

    /* Do not form an invalid NPt rule.
     * See https://redmine.pfsense.org/issues/8575 */
    if (!(is_subnetv6($srcaddr) || is_ipaddrv6($srcaddr)) ||
        !(is_subnetv6($dstaddr) || is_ipaddrv6($dstaddr))) {
        continue;
    }

    The System Patches package, it seems, is not ready yet, but with that edit by hand it works great for now, and in version 2.4.5 it will be fixed.

    Putting a prefix other than 128 does not work in the environment I use, the rule is created, but it does not work as expected.

    Thank you

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.