@Antibiotic said in HE tunnel broker:

This is not a native ipv6, its going over ipv4 as understood and increase only latency. Why you using ipv6 tunnel, for what?

The traffic is really IPv6.
The fact that it goes over pppoe or PPP or radio waves (Wifi or 4G) or VHF (to ISS) or whatever or whatver kind of VPN : it is IPv6.
he.net exists because there are ISPs out there that do only IPv4 and if you need IPv6, he.net is a very good plan B.

edit : you can se the tunnel as a VPN connection between two points, your pfSense and their POP. This tunnel can only use IPv4, so that is used to encapsulate IPv6.

@Gertjan said in Configure IPv6:

The thing is : they have to invest. Their equipment is probably a collection of 'works fine for IPv4' but can not deal with allocating IPv6 stuff

That's likely a software issue, not hardware.

@Globaltrader312 I have now also removed the firewall rules under NAT

@michelv I don't recall ever seeing that in my logs, but then again I block a lot of multicast at the switch level, but if I had to guess it would be this

https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

TCP options should only ever be in SYN packets.. That clearly isn't a SYN. when sent to broadcast ff02::fb

I would sniff and look at those that are blocked.. If you don't want those logged you could set a non log rule with ip options checked.

options.jpg

@mike123 Sorry but I don't buy this.. How was windows 11 getting IPv6 if you did not provide it through pfsense? And windows 11 isn't going to share its internet connection without you enabling that feature.

Did you enable the mobile hotspot feature? I would like to see these connections you were seeing on thee other servers to IPv6 addresses.

Sure if you enabled IPv6 on this machine, or it got internet via IPv6 and you enabled mobile hotspot then yeah it could hand out IPv6 address to other clients.

None of which would have anything to do with pfsense.

network to get IPV6 via DHCP relay.

No not how it would work there would not be a dhcpv6 relay involved.

This device that your saying is browsing the internet via IPv6.. Can we see a traceroute from this device to some IPv6 address out on the internet..

If your windows 11 box is sharing its internet connection, I would disable that. And I would prob also just disable IPv6 on it if you don't want it using it either.

Its pretty simple to just not provide IPv6 to devices behind pfsense if you don't want to.

OK this issue can be close, its fixed with the upgrade today to 24.03.

@syn4ck https://redmine.pfsense.org/

@JKnott
@Gertjan
I used to have cable (Xfinity), but got rid of it as it was a potential surge path (nothing is properly grounded here), I am able to get AT&T fiber, but their insistence on you using their gateway put me off. Maybe if I find a way to use my own fiber modem (if that is the proper term) fiber would be the way to go.
As for now, it seems like I am out of luck, though : )
Thank you, appreciate the input!

@jhg said in pfSense static ipv6 address on LAN tracking delegated prefix?:

Is there a way to give the firewall's LAN interface a static IPv6 address within the delegated prefix?

I know of one 'official' way : you have to do this if you are really get an /64 (probably way bigger) to assign to your LAN(s).
Normally, ISP don't do this, you need to have the dhcp6c on WAN asking for at least one 'prefix', and have that assigned to your LAN using Tracking mode.

Create a free account here : https://tunnelbroker.net

bfa252a7-0d69-4be4-ac0b-64c115ece417-image.png

From here on, it's easy :
Assign statically the xxx:5c0:2 to you WAN IPv6.

Because they give you a /48, don't even bother with the announced /64 = xxx:5c0::/64
Assign statically the first 2001:471:c8xx:0::/64 (from the /48 pool) to your first LAN.
Assign statically the first 2001:471:c8xx:1::/64 (from the /48 pool) to your second LAN.
Etc, continue like that 65533 times for 65535 LAN's ^^

I've been using this 'setup' for nearly a decade, and it was just perfect.
Well, close to perfect, as a IPv6 over Ipv4 tunnel is used to the closest he;net access point, Paris for me (216.66.84.42). My IPv4 WAN speed was about 25 Mbits/sec back then, and I'm not sure they will follow my current speed, > 1 Gbits right now.
But again : it worked flawlessly.

@Derelict the URL is not working

@Imesh_
Hello did you manage to get the ipv6 on the lan?

@KluthR said in Show dhcp6c status for ISP prefix:

If this was the right way to test it.

I suspect it might take another reboot. However, the way I found out about the problem was just disconnecting & reconnecting the Ethernet cable to the cable modem was enough to cause the prefix to change.

Issue resolved. The MTU needed to be 1500 not 1492. Thanks for the help, guys.

BTW the Redmine mentioned PR (https://redmine.pfsense.org/issues/6626) is also available at github at https://github.com/pfsense/pfsense/commit/7c4b3d3c8d2d15b1e59d1d262cc295a848434355

So, the :: feature expands the $rule['interface']'s prefix to the host portion. Useless in my case.

Okay, lets make my target v6 a complete one: it works!
Assuming the Do not allow PD/Address release is being ignored and I get a new prefix, then all my rules are dead.

Correct me if Iam wrong, but pfSense misses a dropdown for that :: case, allowing me to select the target interface for auto-prefix-determination at https://github.com/pfsense/pfsense/blob/9fd4cb962ad28b0e03c8c755a80b20ad7c867d9e/src/etc/inc/filter.inc#L3247

Our data center set up a /125 IIRC for our IPv6 WAN and routes our LAN subnet to a specific IP. (We have a HA setup so two IPs plus the shared IP)

Like this but IPv6: https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html#ip-assignments

@MikeV7896 Just want to say thank you,followed your settings and it works.

@SteveITS
If I leave it blank, my devices don't get IPs. I followed the @JKnott procedure and now it's running well.

I was able to locate the device using:

netsh int ipv6 show neighbors

This gave me the MAC address for the link local ipv6 addresses.

@Gertjan So if it's disabled by default then why does it work if I don't change that setting and it shows a green tick in the services.

All clients pass the IPv6 tests and if I ping google.co.uk it uses the google IPv6 address.