• IPv6 Alias Stacked with CARP Interface.

    4
    0 Votes
    4 Posts
    950 Views
    T

    Hi Derelict,

    Thanks a lot for your reply,

    As I mentioned, we announce this subnet and I have full control over the routes. I also have a static route to route the whole /32 prefix to the WAN CARP VIP. The idea is that I don't want to use DHCP6; when a customer needs an IPv6 subnet, what I do is just add the first IP of that subnet as an IP Alias stacked with the V1050 CARP VIP, and that IP will also be the gateway for the customer who will use this subnet.

    After digging more, it seems it's not a routing or setup problem; it's actually a firewall rules issue. It seems that pfSense doesn't add the IPv6 IP Aliases to the auto-created Aliases. I'm not sure if anyone has had this issue, but if no one has opened a bug report about it then I will do it.

    Here is what happens: I have IN and OUT rules configured
    on WAN:
    Protocol: IPv4+6
    Source: any
    Destination: V1050 net    --> this is supposed to include any IP that is assigned to the V1050 interface, including IP Aliases, and it's an Auto Alias created by pfSense.

    On V1050 I have firewall rules to allow all traffic.

    So basically, whatever IPv6 IP Alias you add to the V1050 interface, you should reach it, but this doesn't work because the V1050 net Alias doesn't include that new IP Alias. I added a new firewall rule on WAN to allow traffic to that new IP Alias and I was able to reach it.

    Best Regards

  • [Solved] Comcast Residential ipv6 doesnt work

    3
    0 Votes
    3 Posts
    879 Views
    MikeV7896M

    In your WAN settings, you want to request a different prefix size. With residential service, you can request as low as /60, which will give you 16 /64's to use on various networks.

    You will want to delete your DUID after changing the setting (you'll need to shell to the router and rm /var/db/dhcp6c_duid) then release/renew the WAN connection so it creates a new DUID and requests a new lease and prefix from Comcast's DHCPv6 server. Then you should be able to set up multiple networks using Track Interface and select a different prefix ID for each network.

  • PfSense as HE Tunnel Router

    3
    0 Votes
    3 Posts
    912 Views
    T

    Hi pmisch,

    thanks a lot for your reply!

    Only ping is (was) working, nothing else. I did not dig into routing issues because ping was working. If ICMP packages are routed correctly, I assume correct routing tables.
    I was already looking into the tcpdump on the firewall, I'm not an expert in reading this traffic but I did not see any problems here.

    Over the Xmas days I had some time to review my whole network, and I found a really embarrassing fault. I had an additional network interface active on my server that I had never used, and it used the same IPv4 address as pfSense. After disabling this interface pfSense is now working as expected. Still testing everything, but this post already goes over the pfSense VM.

    Nevertheless thank you again for replying!

    Btw: What sounds German? My English or my problem? ;-) But yes, you nailed it…

  • What is the one true way of using or configuring a single /64 IPv6 prefix?

    21
    0 Votes
    21 Posts
    9k Views
    JKnottJ

    Shouldn't it be possible to use SLAAC for a link-local WAN connection with the ISP router

    If you take a peek with Wireshark or packet capture, you'll find routers normally use the link local address.  It doesn't need a public address to be able to route traffic.

  • Australian FTTP NBN

    8
    0 Votes
    8 Posts
    2k Views
    T

    I'm in the same boat (on FTTP NBN) using pfSense and unable to get IPv6 working.

    Just for the purposes of testing I spun up a Sophos UTM instance and got an IPv6 lease immediately (could ping6 from WAN but PD did not work due to the current version only supporting /64 PD).
    Next I tested a Ubiquiti EdgeRouter Lite and can get full IPv6 working (correct settings are /56 PD with prefix-only, WAN interface keeps a link-local address and each internal/LAN interface gets a PD and all clients get an IPv6 lease inside the prefix).

    pfSense is my preferred platform, however I am unable to get any IPv6 traffic flowing at all.

    Running a tcpdump I can see neighbour solicitations from my provider (Telstra).

    Would appreciate some assistance if anyone has any further insights.

  • IPv6 prefix delegation to OVPN interfaces

    6
    0 Votes
    6 Posts
    1k Views
    DerelictD

    Depends on the delegation.

    For :00e4: and :00ff: to be in the same delegation it would have to be a /56.

    :00ef: and :00e4: are in the same /60.

  • How to release/renew DHCP6 IPv6 (to move from /64 -> /60)?

    11
    0 Votes
    11 Posts
    8k Views
    S

    @razzfazz:

    You can do it from the command line by deleting the DUID file and killing & restarting dhcp6c manually.

    Thanks for that tidbit…I renamed the file and (since it said service dhcp6c wasn't running?) I restarted the router, and it did acquire an IPv6 block for the LAN as desired.

  • Windows 10 and RDNSS

    4
    0 Votes
    4 Posts
    2k Views
    Com DACC

    Thank you scott83. I've tested and that setting was already enabled on my computer. I ran the enable command again and rebooted and still no DNS via RA. I'm wondering if I've set something somewhere else in pfSense that is stopping it from sending the DNS via RA?

  • Odd IPv6 Issue

    11
    0 Votes
    11 Posts
    2k Views
    J

    Thanks for the replies.  The issue ended up being a bug with IGMP snooping on my Ubiquiti Edgeswitch.  Disabling IGMP snooping on the specific VLAN with unmanaged RAs set allowed the RAs to be broadcasted to the clients.

  • 2.4.2 update broke DHCPv6 lease list and/or reservations?

    4
    0 Votes
    4 Posts
    831 Views
    MikeV7896M

    There's a known issue with the DHCPv6 lease list not working right… Bug 7413

    It's been kicked down the road a couple of versions now, since at least 2.4.0… hopefully it gets fixed soon.

  • WAN and LAN IPv6

    36
    0 Votes
    36 Posts
    7k Views
    P

    @marjohn56:

    :) Yes, well - Kaspersky… Hmm

    Not allowed near any of my machines.

    Apart from the fact they may or may not be in league with the Kremlin, I have always found it slows my machines down.

    I use Webroot, never have an issue.

    Well either way, thanks for your help man - wouldn't have been able to do it without you.  I think the issue is pretty much sorted now.

  • IPv6-test.com

    13
    0 Votes
    13 Posts
    4k Views
    GertjanG

    @bimmerdriver:

    Just to provide an update on this. I did try reporting it to OVH. Their support organization support@ovh.ca did not reply to my emails so I phoned them. Hard as it is to believe, they told me to try reporting it to their abuse website. They said there might be better response. I did get a response, but as is plain to see, they still have not fixed the problem. I guess the lesson here is if you are looking for a company to host your website, don't use OVH. Their network is broken and their service sucks.
    ..

    Their (OVH) transit router replied to the ping, some routers before, and some afterwards (not OVH) didn't.

    Not very related, but :
    I don't know if OVH is a good host for a web site - I can't tell. I have some 10 web sites with them and several dedicated servers - never used comparable services elsewhere for the last 10 years. So, I can't compare  ;) Never contacted their commercial or technical support (ok, maybe once or twice in 10 years).  Of course, my sites are up with a pretty 99,999 % uptime for the mentioned time span.
    Btw : replying to ICMP (ping) is important when IPv6 comes into play, for IPv4 it was less important.
    It's said that OVH isn't following all 'official' guidelines concerning IPv6 implementation - this is probably true when we talk about them as an ISP, but on my dedicated servers, IPv6 (a classic /64 each) has worked great for the last several years. Same thing for the basic site hosting services.

    It is true that OVH is investing like no other company in networking, except for Google probably. See http://weathermap.ovh.net/#europe for Europe, USA and the rest.
    When they have an issue like two weeks ago : 2 independent high tension lines went down (in theory, in France, not possible  ;D) AND a main backup diesel power supply didn't start, all their boarding routers went down (my servers stayed up btw) and most of their data centers became unreachable. It created a huge hole on the Internet map ….
    BIG == vulnerable.

    edit : OVH is one of the companies that offered a "host a WordPress or commercial site yourself" for a couple of € a year. So, even my grandmother thought it was time to build her own site ... She also wasn't aware that some knowledge was needed to actually 'run' a site and 'send that mail'  (and OVH wasn't and isn't selling knowledge ...).

    edit2 : as johnpoz :
    ( I don't know why my navigators prefer IPv4 now, before switching to IPv6. Normally, they do it the other way around (I use he.net for IPv6). Whatever ...)


  • Split up IPv6 /36 using VLAN

    17
    0 Votes
    17 Posts
    2k Views
    DerelictD

    (I don't think OP (who vanished) got a /36)

  • ACME with standalone HTTP on IPv6 for HAPROXY

    2
    0 Votes
    2 Posts
    747 Views
    junicastJ

    I managed to get port 80 free so way to go for requesting my cert.
    Well, no, nc just listens on port 80 tcp4 instead of also tcp6? That's just mean. :-
    I wasn't able to figure out exactly why that is.
    It's in /usr/local/pkg/acme/acme.sh while the _startserver() function seems to be the part where the http server is being invoked.
    I set ncaddr manually to my desired IPv6 address. Now it's listening and my cert is being issued.
    First try with acme testserver it still showed timeout. Gotta report a bug I guess.

    Edit:
    Here's the bug report.
    https://redmine.pfsense.org/issues/8126

  • Pfsense not responding to ISP's Neighbor Solicitation

    2
    0 Votes
    2 Posts
    616 Views
    junicastJ

    What does your provider say how to configure your WAN port?
    What are your actual settings of the WAN interface?

  • Changing from /64 to /48

    4
    0 Votes
    4 Posts
    946 Views
    johnpozJ

    "Presumably, i need to set up routing on each interface to the gateway for the tunnel?"

    No.. Why would you think that?  You're just attaching a network to pfSense, just like an IPv4 network..  pfSense will be the gateway to the clients on that network.

    Pfsense knows what its default gateway is for wan, and it knows what it is for ipv6 via your tunnel you setup - you would not setup a gateway on an interface unless it was a wan connection.

  • RA second router/subnet

    2
    0 Votes
    2 Posts
    661 Views
    jimpJ

    Normally the other router would announce itself. If it's possible to use it from that subnet it must already be there.

  • IPv6 hosting website

    22
    0 Votes
    22 Posts
    3k Views
    B

    @bigtfromaz:

    It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

    Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.

  • Configure ipv6

    10
    0 Votes
    10 Posts
    1k Views
    J

    Phew… After a long battle with the DC...

    I obtained a second /64 routed and carried over the existing WAN address. I assigned it to the LAN and to devices. All is good!

    Thanks!!

  • Hurricane Electric - 6in4 MTU on HENETv6 Interface

    3
    0 Votes
    3 Posts
    1k Views
    N

    @thehammer86:

    Just looking for clarification on the optimal MTU for the HE 6in4 tunnel interface in pfSense.  I have a DSL connection so I would think that I would need to drop the MTU at the HE side config from 1480 to 1472.  Would I also set the HENETv6 interface in pfSense to 1472 as well?

    If your IPv4 MTU is 1492, then your 6in4 is 1472. You can set it on the interface in pfSense and then also set it on https://tunnelbroker.net/ under the advanced tab of the affected tunnel.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.