@jimp said in TunnelBroker - Should "Enable IPv6 over IPv4 tunneling" be enabled?: No, that is not needed. It's for passing IPv6 encapsulated traffic from your WAN through to some other device behind the firewall, so that the other device can handle IPv6 routing. https://www.netgate.com/docs/pfsense/book/config/advanced-networking.html#ipv6-over-ipv4-tunneling Thanks

@beremonavabi said in Three Entries in NDP for Some Devices? [ANSWERED]: Unfortunately, I don't even have a name for what I'm seeing so I can't look it up. https://en.wikipedia.org/wiki/IPv6#SLAAC_privacy_extensions

I got an e-mail from Hyperoptic today saying that apparently IPv6 is disabled pending a firmware update they are currently working on... not sure if was just being fobbed off but that was enough discouragement to make me leave playing for a few days. I will try again then. I wonder if this is a firewall issue really but I tried a bunch of frankly scary things there too and nothing helped.

@jimp Thanks, this time I have edited the file /etc/inc/filter.inc as it appears here: https://redmine.pfsense.org/projects/pfsense/repository/revisions/e9446f537051c7b536d0b3fbb5ebd00c3766001a/diff?utf8=%E2%9C%93&type=sbs /* Do not form an invalid NPt rule. * See https://redmine.pfsense.org/issues/8575 */ if (!(is_subnetv6($srcaddr) || is_ipaddrv6($srcaddr)) || !(is_subnetv6($dstaddr) || is_ipaddrv6($dstaddr))) { continue; } the system patches package it seems that it is not ready yet, but with that edition by hand it works great for now and in version 2.4.5 it will be fixed. Putting a prefix other than 128 does not work in the environment I use, the rule is created, but it does not work as expected. Thank you

It seems as if radvd is not working properly. Either there is no routing info, or unbound marches to a different drummer. I think the next step is to find out what the ISP actually sends and evaluate that with Wireshark. It could be problem a problem with the subnets and prefix sizes.

@ftln46 said in What is my ISP using for IPV6?: What I was having a hard time figuring out is why does my WAN interface get no global IPV6 address ? From a technical standpoint, it's not needed. A global IPv6 address on the WAN interface wouldn't be used for anything beyond testing (ping, etc.) or management. On IPv6, routing is normally done with the link local addresses. As for your ISP, you'll have to ask them if they provided an IPv6 address for the WAN interface. .

@mircolino I wish I could give a better answer but I did what I previously described and my problem hasn't come back since. I think there was some sort of setting persisting that shouldn't have and what I did was clear it out...

@roally Are you certain your ISP delegates a /48?

Doesn't say much? ND entry? how do I delete? [image: 1542848043356-screen-shot-2018-11-22-at-1.53.07-pm-resized.png]

@bepo I know that it is not a payment service @bepo, thanks for remembering it. I also know that there are comments that allow progress and others that do not. Thank you for your comment.

Is anyone running Hyper-v w/ v6 dhcp working from ISP on this latest pfsense??

Overall, IPv6 works the same as IPv4, but there are some differences. One great benefit is getting rid of NAT. If you want a consistent address, you just have to turn off privacy addresses. The way you do that depends on your operating system.

I may have solved this on my own. My floating rules were set to all interfaces in the list, but it seem that selecting no interface in the list makes it apply to every interface. I'm still testing this, but I don't see the (let out anything from firewall host itself) anymore.

So today I did a new install of pfsense 2.4.4 and played back my config. There is an ULA in virtuel IP's at LAN1 and so as discribed LAN1 gets an IPv6 from WAN via Tracking and it is shown as second in ifconfig. But RADVD is'nt working correct anymore on this Interface. It not advertises the prefix. So this is a BUG, right? pfadmin

@pmisch said in Clients don't receive IPv6 address on LAN with track interface: Do you have any other filtering mechanisms in place like intrusion prevention or have you activated "block bogon" on your LAN interface? I suspect the outgoing packets do not leave the firewall even though the packet filter itself isn't blocking. Must be something else. There's also a possibility of an interim device like a switch that might block packets. Quite unlikely but not impossible. Triggered by your comment on an interim device like a switch blocking packets I checked my switches, since I had been messing with multicast and broadcast filtering and settings on those switches (2 Netgear ProSAFE Plus Switches). My provider has an IPTV service (using multicast for TV channels) and it's a bit unstable, which is why I've been tinkering with those settings. After turning off some filtering (I think turning off 'Block Unknown Multicast Address' did the trick) the router advertisements arrived at the clients and they receive an IPv6 address! So that was the problem. Thank you very much for your comments and help!

I'm seeing the exact same behavior on my VM running 2.4.4-RELEASE (amd64). What gives? Nov 2 08:45:52 pfsense dhcp6c[60377]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory Nov 2 08:45:52 pfsense dhcp6c[60377]: failed initialize control message authentication Nov 2 08:45:52 pfsense dhcp6c[60377]: skip opening control port Nov 2 08:45:52 pfsense dhcp6c[60377]: /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined Nov 2 08:45:52 pfsense dhcp6c[60377]: failed to parse configuration file

after upgrading pfSense to 2.4.4 IPv6 assignment is back working again, without doing anything. maybe there was a bug I missed? Thanks anyway everyone for helping

My prefix is "dynamic"... yes, in theory as long as the DUID doesn't change, my prefix doesn't change either (I successfully held the same /60 prefix from my ISP for over a year, before changing the DUID for troubleshooting purposes). Same with the IPv4 address and my MAC address. But that doesn't mean that my ISP couldn't at some point initiate some changes to their network that would cause my prefix to change, just as my IPv4 address has changed in the past when they've done major network maintenance, though obviously the MAC wouldn't have changed. So I am still of the notion that this is something needed. A dynamic prefix, no matter how stable it might be, is still dynamic and could potentially change at any time for a variety of reasons.