• ipv6: can ping GUA address in different VLAN, but not ULA.

    27
    0 Votes
    27 Posts
    4k Views
    U

    to the interfaces.inc file:
    The specific parts of the script just check for link-local and an interface IPv6, but since IPv6 knows more than one type of interface IP (GUA and ULA are handled by a single function, which stops if a matching IP is found)

    This could be the reason for the behavior I've seen for my problem and, in the end, for yours too.

    For me, with an ifconfig in a console, I get all IPv6 IPs of a specific interface... if I do the same in the GUI I only get two IPs.
    So you get, for example, in the GUI an LL+GUA or an LL+ULA, but NOT ULA+GUA+LL.

    Since most configs are generated from the pfSense scripts, the underlying "real" IPs are ignored in this case.

    In the end you have missing routes, because the routes are built from only half of the information needed.

    But my programming skills are not deep enough to evaluate my thinking; I'm a hardware guy. :/

  • Unable to Delete Unused Local Link ipv6 Gateway

    1
    0 Votes
    1 Posts
    354 Views
    No one has replied
  • ipv6 client routing issue

    12
    0 Votes
    12 Posts
    1k Views
    JKnottJ

    @slampman said in ipv6 client routing issue:

    It looks like it is doing RA's but I don't know enough about v6 to tell if they are correct?

    That looks like Packet Capture. I much prefer Wireshark, as it provides much more info. However, you can download the capture and open the file with Wireshark.

    There is a router advertisement there:
    21:57:02.548979 IP6 fe80::250:56ff:fe9c:8801 > ff02::1: ICMP6, router advertisement, length 152

    But since I can't see it in Wireshark, I can't tell you much about it, other than the router link local address and it's an unsolicited multicast, rather than a response to a request. If I could view it in Wireshark, I'd be able to determine the prefix used for the network and some other things.

  • BUG in IPv6: Adding ULA Virtual IP breaks RA at LAN interface

    4
    0 Votes
    4 Posts
    845 Views
    T

    I have exactly the same problem.

    My setup is slightly different.
    My WAN is set to DHCP and DHCP6. My assigned prefix doesn't normally change that often, but from time to time it does. (For example after a power outage that takes a while to solve; or after network maintenance by our ISP)

    Anyhow, I too have track interface on my LAN (and VLAN) interfaces, and had added Virtual IPs to those interfaces as well. Those Virtual IPs were ULA addresses, where the intention was that I could always reach the firewall by its virtual IP.

    In my case I do not have to wait for a PPPoE reconnect or a DHCP renewal on the WAN interface; it is enough that I reboot my pfSense to reproduce it.

    When that happens the GUA address on the LAN or VLAN interface is replaced by the Virtual IP and the RA stops 'distributing' the GUA addresses to the clients.

    I too have no solution for that, so I have removed the Virtual IPs to get the GUA announcements working again.

  • dhcp6c: Unsupported authentication protocol: 100

    2
    0 Votes
    2 Posts
    362 Views
    J
    Jul 30 21:41:11 dhcp6c 14743 Sending Solicit
    Jul 30 21:41:11 dhcp6c 14743 set client ID (len 14)
    Jul 30 21:41:11 dhcp6c 14743 set elapsed time (len 2)
    Jul 30 21:41:11 dhcp6c 14743 set option request (len 4)
    Jul 30 21:41:11 dhcp6c 14743 set IA_PD
    Jul 30 21:41:11 dhcp6c 14743 send solicit to ff02::1:2%vtnet1
    Jul 30 21:41:11 dhcp6c 14743 reset a timer on vtnet1, state=SOLICIT, timeo=10, retrans=111000
    Jul 30 21:41:11 dhcp6c 14743 receive advertise from fe80::12e8:78ff:fe4e:db51%vtnet1 on vtnet1
    Jul 30 21:41:11 dhcp6c 14743 get DHCP option IA_PD, len 41
    Jul 30 21:41:11 dhcp6c 14743 IA_PD: ID=0, T1=43200, T2=69120
    Jul 30 21:41:11 dhcp6c 14743 get DHCP option IA_PD prefix, len 25
    Jul 30 21:41:11 dhcp6c 14743 IA_PD prefix: 2a01:c50e:9101:fa00::/56 pltime=86400 vltime=140733193474432
    Jul 30 21:41:11 dhcp6c 14743 get DHCP option server ID, len 23
    Jul 30 21:41:11 dhcp6c 14743 DUID: 00:02:00:00:05:58:4f:53:50:20:49:6e:74:65:72:6e:65:74:20:50:72:6f:64
    Jul 30 21:41:11 dhcp6c 14743 get DHCP option client ID, len 14
    Jul 30 21:41:11 dhcp6c 14743 DUID: 00:01:00:01:22:f1:89:88:52:54:00:a7:d6:70
    Jul 30 21:41:11 dhcp6c 14743 get DHCP option authentication, len 27
    Jul 30 21:41:11 dhcp6c 14743 proto: unknown(0), alg: unknown(0), RDM: mono counter, RD: 0000 0000 0000 0000
    Jul 30 21:41:11 dhcp6c 14743 unsupported authentication protocol: 100
    Jul 30 21:41:11 dhcp6c 14743 failed to parse options
  • 0 Votes
    17 Posts
    2k Views
    JKnottJ

    @derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled:

    Even better would be a static assignment from the ISP.

    That is common for larger businesses, but small business and home users generally don't get it. For them, the ISP generally wants something that's just plug 'n go. Assigning static addresses requires configuration on their part. Also, when I first started using pfSense, my prefix could change for something as minor as disconnecting/reconnecting the Ethernet cable.

  • How do I create a Static IPv6 address

    12
    0 Votes
    12 Posts
    3k Views
    DerelictD

    Right.

    If you use SLAAC the host should establish a "permanent" address based on the MAC address but randomly generate temporary addresses.

    In general the "permanent" address can be used for connections to the host, while the random address is used for connections from the host.

    This is all controlled by settings on the host itself, not the routers or firewalls.

  • 2 Votes
    1 Posts
    879 Views
    No one has replied
  • Do I have IPv6 Setup right?

    2
    0 Votes
    2 Posts
    534 Views
    NogBadTheBadN

    Did the ISP mention an ND & PD prefix? I received the following from my ISP:

    ND Prefix: 2a02:xxxx:xxxx:xx::/64
    PD Prefix: 2a02:xxxx:xxxx::/48

    The ND prefix is for the WAN interface and the PD prefix for the LAN, I split my PD into /64 chunks.

  • Static IPv6 configuration with gateway from router advertisement

    1
    0 Votes
    1 Posts
    365 Views
    No one has replied
  • cellular ipv6 in USA, preferably AT&T?

    29
    0 Votes
    29 Posts
    4k Views
    G

    I can confirm that it's possible to get IPV6 on the LB1120 in bridge mode with AT&T working in PFsense, but it's a VERY non-optimal configuration.
    It appears that I get a single /64 via SLAAC (as mentioned above). The default route for internet isn't fe80::1. It appears to be randomly generated and locally advertised. Here's where things get weird - although I can see the router adverts, the router won't actually pass the packets if I boot it connected to PFsense.
    Here's what did work:

    Hook the LB1120 (unpowered) up to a computer running windows. Turn on the LB1120 and let it boot. Query the ethernet port in windows with 'ipconfig'. Record the IP address received by windows, the GW address assigned, and the ethernet address of the windows machine's ethernet port. Unplug the LB1120 from the win10 computer (don't power it off). Configure PFsense to spoof the win10 computer's HW address, set static IPV6 using the assigned address (though you can actually change it slightly, too). I'm also assigning it as a /126 (/128 might be possible), and set a static gw recorded above.
    The mac spoof is necessary to get both a DHCPv4 IP and working IPV6. Yes, this is incredibly hackish. Ideally, I'd like to figure out what magic is happening with windows that isn't happening with PFsense, so I can set this thing to autoconfig.

    So far, I see only 2 differences in the packet captures:

    1. Windows uses an AT&T-advertised nameserver on a private local address: fc00:a:a::300

    I tried hard-coding that nameserver in the config, but it did not help.
    2. Windows sends a bunch of broadcasts on ff02::16. This is multicast listener discovery. I'm not sure how to make PFsense send these, and only a few search hits for mld with pfsense. Any ideas?

    Now, I'm having some trouble getting ipv6 packets to pass the wireless WAN link when the router is set to prefer the wired IPV6. But that's a multi-WAN issue, so I'll probably start a new thread on that.

  • IPv6 Router Advertisements - Router Mode - Stateless DHCP

    3
    0 Votes
    3 Posts
    961 Views
    N

    @isaacfl said in IPv6 Router Advertisements - Router Mode - Stateless DHCP:

    From my own testing today. "Stateless DHCP" seems to be the same as assisted but with the "Management" flag not set. My PC's seemed to not mind, but my Apple products work better with "Assisted".

    Which is exactly what the dropdown says?

  • IPv6 - No Address on WAN?

    2
    0 Votes
    2 Posts
    744 Views
    G

    @xero9 I'm in a similar boat. In most cases, I've just applied the changes through the webGUI. Sometimes, I'll release and renew the DHCP through the webGUI. On occasion, I've disabled and re-enabled the interface in the GUI to ensure that I've forced a reset (though this is probably overkill). I haven't had to reboot the machine.
    Are you able to consistently get an address on your WAN? Something starting with 2600:, probably? It will always have an address starting with fe80:

  • IPv6 default route is lost

    10
    0 Votes
    10 Posts
    2k Views
    A

    Great defect report you have made: https://redmine.pfsense.org/issues/8611 👍

  • Strange entries in the LAN f/w blocked log

    27
    0 Votes
    27 Posts
    4k Views
    IsaacFLI

    @isaacfl actually, I just went and checked and my "cheat sheet" for multicast is obsolete

    See https://en.m.wikipedia.org/wiki/Multicast_address

    For updated multicast (go down to IPv6)

  • ICMP filtered

    9
    0 Votes
    9 Posts
    3k Views
    IsaacFLI

    @jycai Here is my WAN rule for ICMP

  • 6to4: monitoring gateway address needs to be entered manually

    3
    0 Votes
    3 Posts
    648 Views
    lohphatL

    @theserverguy Only after I enter the ::1 address specifically in the monitoring field. Just enabling the 6to4 config isn't enough for the gateway monitoring.

    If I leave it blank IPv6 still works but the monitor says it's down. So it seems to be cosmetic but affects the uptime stats.

    So I suspect the 6to4 code is simply missing a step when it creates the dynamic gateway for monitoring.

  • sub-delegation of WAN PD for DHCPv6 server

    15
    0 Votes
    15 Posts
    2k Views
    jimpJ

    @jknott said in sub-delegation of WAN PD for DHCPv6 server:

    @jimp said in sub-delegation of WAN PD for DHCPv6 server:

    “Prefix” doesn’t mean /64, it means “IPv6 subnet”

    "PD" means prefix delegation, part of the process that creates addresses for devices. The prefix, with PD, is 64 bits and the other 64 bits are determined by some other means such as SLAAC or DHCPv6.

    PD does mean prefix delegation, but I think you might be confusing a couple terms. Normal DHCPv6 doesn't involve PD. If a client just wants an address it requests one from the interface which is inside the /64 subnet. If that client also happens to be a router, then it kicks in PD to request a delegation. This is an additional block of addresses that get routed to the client.

    PD is not locked to /64. You can delegate whatever size blocks you want depending on what you have available. PD is frequently larger than /64, that's how an ISP will assign multiple /64's to a single customer, by delegating them a /60, /56, or whatever they choose.

    The firewall will take individual /64 networks out of that block and assign them locally. When you set an interface in pfSense to "Track Interface" for IPv6, you can then set an IPv6 Prefix ID which controls how it chooses a network to put on the interface.

    If your ISP uses PD to delegate you a /60, then you can choose from 16 different IDs for /64 networks inside that block (id 0 through f), so you can delegate ID 0 to your LAN, 1 to a guest network, 2 to a DMZ, and so on.

    In OP's scenario, they want to take some of that, say IDs 8-F, and use that to delegate to some other router. For example, ID 0 would be on LAN, a client gets an address in the 0 network, and then the firewall would route prefix ID 8 to that address.

  • Using IPv6 tunneling to sidestep gaming NAT issues

    1
    0 Votes
    1 Posts
    523 Views
    No one has replied
  • IPv6 flow label support

    2
    0 Votes
    2 Posts
    983 Views
    JKnottJ

    It's also been in Linux for a while.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.