Spoke too soon... It worked for a bit then stopped after I rebooted pfsense.

The ISP is Spectrum/TimeWarner. I'll call them tomorrow, but you don't get to talk to engineers, just call center people. Most of them can't even spell IPv6, much less tell you anything about it. Another odd thing, I rebooted pfSense and then checked the DHCP logs to see if I could confirm the /56 that was being handed out. I didn't see anything in the log at all for dhcp6 (yes, there was stuff in there before...) : # clog /var/log/dhcpd.log | grep dhcp6 # <------ ¯\_(ツ)_/¯ radvdump shows that the /64s being offered there have valid lifetimes of infinity : prefix 2604:2000:ffc0:4::/64 { AdvValidLifetime infinity; # (0xffffffff) AdvPreferredLifetime infinity; # (0xffffffff) AdvOnLink on; AdvAutonomous off; AdvRouterAddr off; }; # End of prefix definition So maybe pfSense is caching this and just re-using it without triggering dhcp6c at all? I know it's not in config.xml so maybe on the filesystem somewhere? I have to look at the code to see if this is what's actually happening. I'll try to do some more packet captures as well.

@gertjan said in IPv6 Network details from ISP: Ah, yeah ! Can we have FTP back ?? Please ? ^^ How about VoIP or some games, where you need to use an STUN server to tell the devices what the real world address is for something hidden behind NAT. There's also IPSec authentication headers, which are broken by NAT. What if you want to run two servers, running the same protocal, behind NAT? Then you need to do remap some port numbers.

Ok so I rebooted after installing pfblockerng and now I can’t get my ipv6 address back again ‍️

@msf2000 : for what it's worth : my settings and yours (see your image) are the same. I have an only-win7 network (9 PC's) and a 2008R2 : never had anything to do so IPv6 work on LAN. for all my PC's and devices IPv6 DHCP settings : [image: 1536123333376-f68b6cd7-82ff-4587-b6d9-172b032f36b4-image-resized.png] Btw : For most devices I set DHCPv6 Static Mappings : [image: 1536123668651-6c7021f1-317d-45da-b193-1ec739d55342-image-resized.png] Btw : Using Win7 for a company. I ruled out Windows 8.x for a company, and, my opinion, Windows 10 isn't still ready yet, I guess I'll be using it in a year or so ... A "route print" on a Win7 PC : C:\Users\Réception-Gauche>route print =========================================================================== Liste d'Interfaces 10...b8 ac 6f 47 2c 77 ......Broadcom NetLink (TM) Gigabit Ethernet 1...........................Software Loopback Interface 1 =========================================================================== IPv4 Table de routage =========================================================================== Itinéraires actifs : Destination réseau Masque réseau Adr. passerelle Adr. interface Métrique 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.6 200 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.1.0 255.255.255.0 On-link 192.168.1.6 356 192.168.1.6 255.255.255.255 On-link 192.168.1.6 356 192.168.1.255 255.255.255.255 On-link 192.168.1.6 356 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.6 356 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.6 356 =========================================================================== Itinéraires persistants : Aucun IPv6 Table de routage =========================================================================== Itinéraires actifs : If Metric Network Destination Gateway 10 266 ::/0 fe80::212:3fff:feb3:5875 1 306 ::1/128 On-link 10 18 2001:470:1f13:5c0::/64 On-link 10 266 2001:470:1f13:5c0:2::c6/128 On-link 10 266 fe80::/64 On-link 10 266 fe80::75cd:7073:d0a4:bc7c/128 On-link 1 306 ff00::/8 On-link 10 266 ff00::/8 On-link =========================================================================== Itinéraires persistants : Aucun C:\Users\Réception-Gauche>

@isaacfl said in Cannot route IPv6 - Frustrated: LOCAL_SUBNETS_v6 HILARIOUS! That was is! The rule change fixed it. I used LAN NET because it was set up that way for the IPv4 rule. Thanks for walking through this mess with me. I Learned a lot.

@johnpoz The maximum working MSS is 1440 in my LAN interface setup in pfSense. 1280 also works. (the tracepath result gave me the same result as for you) As I said, I used 1220 because I found that post https://forum.netgate.com/topic/73573/massive-http-ipv6-connectivity-issues/8 where the solution was to set the MSS to 1220. I’m setting IPv6 in my « home » LAN, to learn more about IPv6 but also to have a fully functional IPv6 connection. I hope that’s the only problem I’ll find about my IPv6 setup. Again, thanks for all the resource you shared.

@derelict I will ask for the humax model. I have a friend using this model without problems.

The procedure to request features is in the documentation. No need to discuss a public topic privately.

I know this is an edge case (v6 on WAN only), but still seems like a bug to me.

I cannot imagine that a bridge like that is necessary. That is really ugly. They should route the /56 to an address on the WAN interface. That address can be obtained in multiple different ways. It can even be link-local. It is really up to them to tell you, in general terms, how to provision your router interface. For anyone else it would just be a guessing game. This is an example of instructions for a static /48 from a popular IPv6 transit + colo provider: IPv6 2001:xx:x:xx::/64 ::1 is ISP ::2 is Customer They route 2001:xxx:xxx::/48 to 2001:xx:x:xx::2 It's as simple as that. Interface network + routed subnet. In that case you would set pfSense WAN to Static 2001:xx:x:xx::2/64 with a gateway of 2001:xx:x:xx::1 and use 2001:xxx:xxx::/48 on the inside however you want.

to the interfaces.inc file: The specific parts of the script just checks for link local and an interface ipv6, but since IPv6 knows more than one type of an interface IP (GUA and ULA handled by a single function and stops if an matching IP is found) This could be the reason for the behavior i ve seen for my problem and at the end for ur's too. For me an ifconfig in a console, i ll get all IPv6 IP's of an specific interface...if i do same in the gui i ll just only get two IP's So u get for example in GUI an LL+GUA or an LL+ULA, but NOT ULA+GUA+LL Since most configs generate from the pfsense scripts, the underlying "real" IP's are ignored in this case. At the end u have missing routes, cause the routes are build from only the half of informations needed But my programming skills are not so deep to evaluate my thinking, im an hardware guy. :/

@slampman said in ipv6 client routing issue: It looks like it is doing RA's but I dont know enough about v6 to tell if they are correct? That looks like Packet Capture. I much prefer Wireshark, as it provides much more info. However, you can download the capture and open the file with Wireshark. There is a router advertisement there: 21:57:02.548979 IP6 fe80::250:56ff:fe9c:8801 > ff02::1: ICMP6, router advertisement, length 152 But since I can't see it in Wireshark, I can't tell you much about it, other than the router link local address and it's an unsolicited multicast, rather than a response to a request. If I could view it in Wireshark, I'd be able to determine the prefix used for the network and some other things.

I have exactly the same problem. My setup is slightly different. My WAN is set to DHCP and DHCP6. My assigned prefix doesn't normally change that often, but from time to time it does. (For example after a power outage that take a while to solve; or after network maintenance by our ISP) Anyhow, I too have track interface on my LAN (and VLAN) interfaces, and had added Virtual IPs to those interfaces as well. Those Virtual IPs were ULA addresses, where the intention was that I could always reach the firewall by its virtual IP. In my case I do not have to wait for a ppoe reconnect or a DHCP renewal on the WAN interface, it is enough that I reboot my pfSense to reproduce it. When that happens the GUA address on the LAN or VLAN interface is replaced by the Virtual IP and the RA stops 'distributing' the GUA adresses to the clients. I too have no solution for that, so I have removed the Virtual IPs to get the GUA anouncements working again.

Jul 30 21:41:11 dhcp6c 14743 Sending Solicit Jul 30 21:41:11 dhcp6c 14743 set client ID (len 14) Jul 30 21:41:11 dhcp6c 14743 set elapsed time (len 2) Jul 30 21:41:11 dhcp6c 14743 set option request (len 4) Jul 30 21:41:11 dhcp6c 14743 set IA_PD Jul 30 21:41:11 dhcp6c 14743 send solicit to ff02::1:2%vtnet1 Jul 30 21:41:11 dhcp6c 14743 reset a timer on vtnet1, state=SOLICIT, timeo=10, retrans=111000 Jul 30 21:41:11 dhcp6c 14743 receive advertise from fe80::12e8:78ff:fe4e:db51%vtnet1 on vtnet1 Jul 30 21:41:11 dhcp6c 14743 get DHCP option IA_PD, len 41 Jul 30 21:41:11 dhcp6c 14743 IA_PD: ID=0, T1=43200, T2=69120 Jul 30 21:41:11 dhcp6c 14743 get DHCP option IA_PD prefix, len 25 Jul 30 21:41:11 dhcp6c 14743 IA_PD prefix: 2a01:c50e:9101:fa00::/56 pltime=86400 vltime=140733193474432 Jul 30 21:41:11 dhcp6c 14743 get DHCP option server ID, len 23 Jul 30 21:41:11 dhcp6c 14743 DUID: 00:02:00:00:05:58:4f:53:50:20:49:6e:74:65:72:6e:65:74:20:50:72:6f:64 Jul 30 21:41:11 dhcp6c 14743 get DHCP option client ID, len 14 Jul 30 21:41:11 dhcp6c 14743 DUID: 00:01:00:01:22:f1:89:88:52:54:00:a7:d6:70 Jul 30 21:41:11 dhcp6c 14743 get DHCP option authentication, len 27 Jul 30 21:41:11 dhcp6c 14743 proto: unknown(0), alg: unknown(0), RDM: mono counter, RD: 0000 0000 0000 0000 Jul 30 21:41:11 dhcp6c 14743 unsupported authentication protocol: 100 Jul 30 21:41:11 dhcp6c 14743 failed to parse options

@derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled: Even better would be a static assignment from the ISP. That is common for larger businesses, but small business and home users generally don't get it. For them, the ISP generally wants something that's just plug 'n go. Assigning static addresses requires configuration on their part. Also, when I first started using pfSense, my prefix could change for something as minor as disconnecting/reconnecting the Ethernet cable.

Right. If you use SLAAC the host should establish a "permanent" address based on the MAC address but randomly generate temporary addresses. In general the "permanent" address can be used for connections to the host, while the random address is used for connections from the host. This is all controlled by settings on the host itself, not the routers or firewalls.