@derelict I will ask for the humax model. I have a friend using this model without problems.

The procedure to request features is in the documentation. No need to discuss a public topic privately.

I know this is an edge case (v6 on WAN only), but still seems like a bug to me.

I cannot imagine that a bridge like that is necessary. That is really ugly. They should route the /56 to an address on the WAN interface. That address can be obtained in multiple different ways. It can even be link-local. It is really up to them to tell you, in general terms, how to provision your router interface. For anyone else it would just be a guessing game. This is an example of instructions for a static /48 from a popular IPv6 transit + colo provider: IPv6 2001:xx:x:xx::/64 ::1 is ISP ::2 is Customer They route 2001:xxx:xxx::/48 to 2001:xx:x:xx::2 It's as simple as that. Interface network + routed subnet. In that case you would set pfSense WAN to Static 2001:xx:x:xx::2/64 with a gateway of 2001:xx:x:xx::1 and use 2001:xxx:xxx::/48 on the inside however you want.

to the interfaces.inc file: The specific parts of the script just checks for link local and an interface ipv6, but since IPv6 knows more than one type of an interface IP (GUA and ULA handled by a single function and stops if an matching IP is found) This could be the reason for the behavior i ve seen for my problem and at the end for ur's too. For me an ifconfig in a console, i ll get all IPv6 IP's of an specific interface...if i do same in the gui i ll just only get two IP's So u get for example in GUI an LL+GUA or an LL+ULA, but NOT ULA+GUA+LL Since most configs generate from the pfsense scripts, the underlying "real" IP's are ignored in this case. At the end u have missing routes, cause the routes are build from only the half of informations needed But my programming skills are not so deep to evaluate my thinking, im an hardware guy. :/

@slampman said in ipv6 client routing issue: It looks like it is doing RA's but I dont know enough about v6 to tell if they are correct? That looks like Packet Capture. I much prefer Wireshark, as it provides much more info. However, you can download the capture and open the file with Wireshark. There is a router advertisement there: 21:57:02.548979 IP6 fe80::250:56ff:fe9c:8801 > ff02::1: ICMP6, router advertisement, length 152 But since I can't see it in Wireshark, I can't tell you much about it, other than the router link local address and it's an unsolicited multicast, rather than a response to a request. If I could view it in Wireshark, I'd be able to determine the prefix used for the network and some other things.

I have exactly the same problem. My setup is slightly different. My WAN is set to DHCP and DHCP6. My assigned prefix doesn't normally change that often, but from time to time it does. (For example after a power outage that take a while to solve; or after network maintenance by our ISP) Anyhow, I too have track interface on my LAN (and VLAN) interfaces, and had added Virtual IPs to those interfaces as well. Those Virtual IPs were ULA addresses, where the intention was that I could always reach the firewall by its virtual IP. In my case I do not have to wait for a ppoe reconnect or a DHCP renewal on the WAN interface, it is enough that I reboot my pfSense to reproduce it. When that happens the GUA address on the LAN or VLAN interface is replaced by the Virtual IP and the RA stops 'distributing' the GUA adresses to the clients. I too have no solution for that, so I have removed the Virtual IPs to get the GUA anouncements working again.

Jul 30 21:41:11 dhcp6c 14743 Sending Solicit Jul 30 21:41:11 dhcp6c 14743 set client ID (len 14) Jul 30 21:41:11 dhcp6c 14743 set elapsed time (len 2) Jul 30 21:41:11 dhcp6c 14743 set option request (len 4) Jul 30 21:41:11 dhcp6c 14743 set IA_PD Jul 30 21:41:11 dhcp6c 14743 send solicit to ff02::1:2%vtnet1 Jul 30 21:41:11 dhcp6c 14743 reset a timer on vtnet1, state=SOLICIT, timeo=10, retrans=111000 Jul 30 21:41:11 dhcp6c 14743 receive advertise from fe80::12e8:78ff:fe4e:db51%vtnet1 on vtnet1 Jul 30 21:41:11 dhcp6c 14743 get DHCP option IA_PD, len 41 Jul 30 21:41:11 dhcp6c 14743 IA_PD: ID=0, T1=43200, T2=69120 Jul 30 21:41:11 dhcp6c 14743 get DHCP option IA_PD prefix, len 25 Jul 30 21:41:11 dhcp6c 14743 IA_PD prefix: 2a01:c50e:9101:fa00::/56 pltime=86400 vltime=140733193474432 Jul 30 21:41:11 dhcp6c 14743 get DHCP option server ID, len 23 Jul 30 21:41:11 dhcp6c 14743 DUID: 00:02:00:00:05:58:4f:53:50:20:49:6e:74:65:72:6e:65:74:20:50:72:6f:64 Jul 30 21:41:11 dhcp6c 14743 get DHCP option client ID, len 14 Jul 30 21:41:11 dhcp6c 14743 DUID: 00:01:00:01:22:f1:89:88:52:54:00:a7:d6:70 Jul 30 21:41:11 dhcp6c 14743 get DHCP option authentication, len 27 Jul 30 21:41:11 dhcp6c 14743 proto: unknown(0), alg: unknown(0), RDM: mono counter, RD: 0000 0000 0000 0000 Jul 30 21:41:11 dhcp6c 14743 unsupported authentication protocol: 100 Jul 30 21:41:11 dhcp6c 14743 failed to parse options

@derelict said in Prefix Delegation to subrouter requires hard-coding subnets when Track Interface enabled: Even better would be a static assignment from the ISP. That is common for larger businesses, but small business and home users generally don't get it. For them, the ISP generally wants something that's just plug 'n go. Assigning static addresses requires configuration on their part. Also, when I first started using pfSense, my prefix could change for something as minor as disconnecting/reconnecting the Ethernet cable.

Right. If you use SLAAC the host should establish a "permanent" address based on the MAC address but randomly generate temporary addresses. In general the "permanent" address can be used for connections to the host, while the random address is used for connections from the host. This is all controlled by settings on the host itself, not the routers or firewalls.

Did the ISP mention a ND & PD prefix, I recieved the following from my ISP:- ND Prefix: 2a02:xxxx:xxxx:xx::/64 PD Prefix: 2a02:xxxx:xxxx::/48 The ND prefix is for the WAN interface and the PD prefix for the LAN, I split my PD into /64 chunks. [image: 1532608863839-untitled-resized.jpeg] [image: 1532608539896-untitled-2-resized.png] [image: 1532608897675-untitled-3-resized.png] [image: 1532608769255-untitled-4-resized.jpeg]

I can confirm that it's possible to get IPV6 on the LB1120 in bridge mode with AT&T working in PFsense, but it's a VERY non-optimal configuration. It appears that I get a single /64 via SLAAC (as mentioned above). The default route for internet isn't fe80::1 It appears to be randomly generated and locally advertised. Here's where things get weird - although I can see the router adverts, the router won't actually pass the packets if I boot it connected to PFsense. Here's what did work: Hook the LB1120 (unpowered) up to a computer running windows. Turn on the LB1120 and let it boot Query the ethernet port in windows with 'ipconfig'. Record the IP address received by windows, the GW address assigned, and the ethernet address of the windows machine's ethernet port. Unplug the LB1120 from the win10 computer (don't power it off). Configure PFsense to spoof the win10 computer's HW address, set static IPV6 using the assigned address (though you can actually change it slightly, too). I'm also assigning it as a /126 (/128 might be possible), and set a static gw recorded above. The mac spoof is necessary to get both a DHCPv4 IP and working IPV6. Yes, this is incredibly hackish. Ideally, I'd like to figure out what magic is happening with windows that isn't happening with PFsense, so I can set this thing to autoconfig. So far, I see only 2 differences in the packet captures: Windows uses an AT&T-advertised nameserver on a private local address: fc00:a:a::300 I tried hard-coding that nameserver in the config, but it did not help. 2. Windows sends a bunch of broadcasts on ff02::16. This is multicast listener discovery. I'm not sure how to make PFsense send these, and only a few search hits for mld with pfsense. Any ideas? Now, I'm having some trouble getting ipv6 packets to pass the wireless WAN link when the router is set to prefer the wired IPV6. But that's a multi-WAN issue, so I'll probably start a new thread on that.

[image: 1531078228218-capture.png] @isaacfl said in IPv6 Router Advertisements - Router Mode - Stateless DHCP: From my own testing today. "Stateless DHCP" seems to be the same as assisted but with the "Management" flag not set. My PC's seemed to not mind, but my Apple products work better with "Assisted". Which is exactly what the dropdown says?

@xero9 I'm in a similar boat. In most cases, I've just applied the changes through the webGUI. Sometimes, I'll release and renew the DHCP through the webGUI. On occasion, I've taken disabled and re-enabled the interface in the GUI to ensure that I've forced a reset (though this is probably overkill). I haven't had to reboot the machine. Are you able to consistently get an address on your WAN? Something starting with 2600:, probably? It will always have an address starting with fe80:

Great defect report you have made: https://redmine.pfsense.org/issues/8611

@isaacfl actually, I just went and checked and my "cheat sheet" for multicast is obsolete See https://en.m.wikipedia.org/wiki/Multicast_address For updated multicast (go down to IPv6 )