• Static IPv6 on WAN+LAN with /63 ISP - LAN to WAN not working

    6
    0 Votes
    6 Posts
    262 Views
    JKnott

    @snipleeagle8

    As I mentioned, it normally happens with SLAAC in the router advertisements. I have never used DHCPv6 on the LAN side, but I expect it would be the same. Are you using SLAAC or DHCPv6?

    Can you do a packet capture, filtering on ICMPv6, and post the capture file here?

  • How to revoke per SLAAC distributed prefixes

    2
    0 Votes
    2 Posts
    244 Views
    JKnott

    @Jung-Fernmelder

    What you can do is use Unique Local Addresses, in addition to global addresses. You then use the local DNS to point to the ULA address, rather than GUA.

  • 0 Votes
    2 Posts
    224 Views
    JKnott

    @tuanson84uk

    Are those clients Android devices? They don't work with DHCPv6. Any reason you need it? I've been running IPv6 on my home network for over 14 years and have never needed it.

  • Force RA to send different IPv6 gateway.

    8
    0 Votes
    8 Posts
    362 Views
    JKnott

    @DataIdeas-Josh said in Force RA to send different IPv6 gateway.:

    Is there a way to force the RA to send a different IPv6 rather than the pfsense's routers IP?

    It's supposed to use its own address. I'm not quite sure what you're trying to do, but you can have multiple gateways on a LAN and give them a priority, up to 3 of them. You can set priority on the Router Advertisement page.

  • php crash report ipv6 pfblocker

    6
    0 Votes
    6 Posts
    294 Views
    M

    Hi,

    I was seeing the same error, mostly with this IP list: https://api.gcore.com/cdn/public-ip-list

    Since ASN are currently not resolved and for reliability, I'm loading the lists from an internal repo anyway and tried my best to remove or reformat "problematic" IPs - without success.

    Then I had a closer look at /usr/local/share/pear/Net/IPv6.php and compared it to the public source. It seems that, at least in my case with pfBlocker 3.2.0_8 on CE 2.7.2, the file is missing an old fix for this problem:
    https://github.com/pear/Net_IPv6/commit/70080426d3ac9da4908f9277824694e5eda68985

    After changing line 684 from $fill = str_repeat(':0:', 6-$c2-$c1); to $fill = str_repeat(':0:', max(1, 6-$c2-$c1));, the error is gone.

  • WAN with /64 Delegation

    33
    0 Votes
    33 Posts
    2k Views
    Bob.DigB

    @JKnott said in WAN with /64 Delegation:

    BTW, I've had the same prefix for around 5.5 years.

    I have the same prefix since my parents met. 😉

  • IPv6 tunnel broker websites showing in German

    5
    0 Votes
    5 Posts
    243 Views
  • 0 Votes
    1 Posts
    100 Views
    No one has replied
  • 0 Votes
    15 Posts
    641 Views
    D

    I am not sure why everything is working, but it's working. Perhaps my configuration will be of assistance in the future.

  • Services / Router Advertisement - DHCPv6 server - strange behavior

    8
    0 Votes
    8 Posts
    470 Views
    E

    @JKnott said in Services / Router Advertisement - DHCPv6 server - strange behavior:

    Thanks to some genius at Google, Android does not support DHCPv6

    Same genius at Google for its Chrome OS ;-)
    It also does not fully support RFC 3315

    See: https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems

  • 0 Votes
    16 Posts
    763 Views
    johnpoz

    @NickyDoes yeah a /56 is a lot of /64s for testing and playing with ;)

    Best practice is /64 for any segment you want to break out.. Even if it only has a couple of devices on it.. It seems insane when you first start playing with IPv6 to be honest.. Since a /64 is so freaking huge when it comes to how many IPs..

  • Tinkering with dhcpv6 to get IPv6 working on LitFibre (UK)

    7
    0 Votes
    7 Posts
    555 Views
    F022YF

    Following the info on the link provided worked, so I'm all good to go. Thanks again.

  • 0 Votes
    4 Posts
    1k Views
    JKnott

    @ChrisJenk

    Well, you'll have to see what the flags are when whatever fails.

  • Stuck midway through IPv6 implementation

    12
    0 Votes
    12 Posts
    509 Views
    N

    @the-other

    Success! This issue was a layer 2 issue: I hadn't configured one VLAN switch port's VLAN ID, a simple oversight. Return traffic wasn't reaching the pfSense interface.

    Whittling away the unknowns.

  • Very Basic IPv6 security question.

    79
    0 Votes
    79 Posts
    12k Views
    JonathanLeeJ

    @guardian said in Very Basic IPv6 security question.:

    Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.

    I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.)

    IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network.

    Am I correct, or do I need to take measures to protect my network?

    My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN.

    P.S.: Any suggestions as to helpful learning resources would be much appreciated.

    You can access the web gui over IPv6. So make sure you secure that, FYI.

    Example: every interface can access the firewall gui unless you block it...

    Test it and see..

  • Proxing pure IPv4 Quick Question

    10
    0 Votes
    10 Posts
    409 Views
    JonathanLeeJ

    @johnpoz I have no idea, it only does it with iMac in safari browser with IPv6 enabled. That port 149 is not a standard port used often also. It makes no sense why it would be showing up so much.. thanks for verifying this with me.

  • 0 Votes
    6 Posts
    1k Views
    H

    Hi,
    Since you are using IP passthrough for IP4, why not do the same with IP6? I do not have static IP and do it this way. I guessed at the settings having looked all over for configuration settings with AT&T. Comcast was much easier. I am definitely not an expert with this.

    WAN has DHCP for both IP4 and IP6
    I have the following DHCP6 Client configuration boxes checked
    Send IPv6 prefix hint
    Do not wait for a RA.

    I get a /128 IP for the WAN.

    On the lan side.
    I know of 2 settings that work for a LAN network with no VLANS
    IPV6 Configuration Track Interface or Type Static IPV6 (Will probably break if IP6 changes on WAN)

    With track interface:
    You select the IPV6 Interface (WAN)
    You should get an IP6 for the LAN and mine was a /64
    At this point I get IP6 addresses for all the devices on the LAN interface.
    Problem with this setting is that I have VLANs set up and those VLANs don't get an IP6 address.

    This works but probably isn't correct.
    You can also change the LAN to static. I did this using the prefix address and selected an IP6 address with a /64 address. I used an IP6 calculator to guess at a correct IP6 address to choose.
    Routing and everything works for the LAN.
    The IPv6 upstream gateway is None.
    I was able to setup DHCP6 on the LAN with a range.
    Devices on the LAN can reach the internet via IP6
    I have not been successful figuring out how to get IP6 on the VLANs yet.

    Hope this helps.

  • I find this Router Advertisement descriptive text confusing

    2
    0 Votes
    2 Posts
    250 Views
    JKnott

    @NickyDoes

    If enabled, it uses RDNSS to provide the IPv6 server address. If not enabled, then you have to rely on DHCPv6 to provide it. If you don't have DHCPv6, then you have to rely on DHCPv4 DNS to provide an IPv4 DNS server address. However, whichever DNS server you use, you will get back the exact same info.

  • 0 Votes
    16 Posts
    745 Views
    GertjanG

    @br8bruno said in So close on IPv6 yet so far away - Can't get to internet over IPv6 despite everything seeming to be in place.:

    Not really sure, but I will ask the ISP

    They will ask you to execute a traceroute to, for example, 8.8.8.8
    The second, third, maybe fourth IP listed is theirs - one of their equipment. Pick any of these, as long as they answer to ping.
    Further on, you will find the main 'highway Internet core routers'.

  • Homelab IPv6 - dynamic DNS and subnetting basics

    4
    0 Votes
    4 Posts
    1k Views
    keyserK

    @NickyDoes IPv6 gets quite tricky when it comes to pfSense. Like with IPv4 there is no support for automatic client DNS name registration in IPv6, so either you have to register all clients/servers manually (SLAAC clients and Static IP clients) or in some products the DHCPv6 server can register its clients in DNS - but not on pfSense though (so manually it is….).

    Also - IPv6 on most/all clients uses something called privacy extensions, so if you use SLAAC you cannot create per-client outbound firewall rules. You have to allow or deny everything equally for the entire subnet.
    With privacy extensions clients will pick a new random IPv6 address every day for outbound connections.

    You could experiment with the new MAC address based firewall rules though…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.