• Weird issue using Comcast IPv6 track and OpenWRT/LEDE Access points

    1
    0 Votes
    1 Posts
    664 Views
    No one has replied
  • Is IPV6 NAT broken in 2.3 and 2.4?

    10
    0 Votes
    10 Posts
    2k Views
    luckman212L

    @doktornotor:

    Seeing that code snippet, I'd hazard to say if that config box vanished from the GUI, no one would notice in the next 50 years.

    Yeah quite a few cobwebs have been spun over the last 13 years. A fun thing I like to do is run the following command in the /src directory

    find . \( -name "*.inc" -o -name "*.php" \) | xargs grep -En "(XXX|TODO|FIXME)"

    Some real gems in there…  :P

  • Router Advertisements on interfaces it is not configured

    30
    0 Votes
    30 Posts
    5k Views
    P

    @pox:

    Thank you both. I don't like that the Ubiquiti doesn't have a web interface, and that I have to download management software.

    I bought a D-Link DAP-2610.

    Just for the record: with the D-Link AP everything works as expected.
    Never again TP-Link.

  • Can FQDN resolve to the active IPV6 address?

    33
    0 Votes
    33 Posts
    4k Views
    P

    Thanks. I have my network setup to use the native IPV6 address from my ISP. The WAN interface IPV6 is set to DHCP6 and the LAN interface IPV6 is set to Track Interface (WAN). I got that from an article on how to configure pfSense to use Comcast native IPV6. Everything seems to work the same as when I had the Comcast modem doing the routing. Only problem is the iOS devices. If I understand correctly, your method has pfSense doing the IPV6 assignment and you defined static IPV6 addresses for all the devices. Right?

    If I were to go down that road, what would I use for an IPV6 prefix? Something I make up? Something based on the Comcast native IPV6 prefix?

  • IPv6 firewall, multiple subnets

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD

    You would do it exactly like you do with IPv4, but using IPv6.

    In IPv6 you generally will have a routed prefix. You would use that instead of RFC1918.

    Example:

    You are routed this prefix:

    2001:db8:4b56::/48

    You assign:

    VLAN100: 2001:db8:4b56:64::/64
    VLAN101: 2001:db8:4b56:65::/64
    VLAN102: 2001:db8:4b56:66::/64
    VLAN103: 2001:db8:4b56:67::/64

    On VLAN 100-103 you would:
    Pass anything to any local assets they need, like DNS servers
    Reject anything to This Firewall
    Reject anything to 2001:db8:4b56::/48 (and possibly more if you are using any ULA addresses locally, etc.)
    Pass anything to any

    It can be beneficial to use an alias for the block destination. You could add 2001:db8:4b56::/48, fc00::/7, etc to it.

    Yes, there is added responsibility to identify local addresses that need protection without the perceived convenience of just blocking RFC1918. But this responsibility is no different than having routed, public subnets in IPv4.

    If you are careful in your planning, such as setting all VLANs to use the same DNS server addresses, you might even be able to get away with defining an interface group and using one set of rules for them all.

  • DUID-LL vs DUID-LLT

    15
    0 Votes
    15 Posts
    7k Views
    ?

    I'm somewhat surprised that the pfsense routers supplied by netgate don't use the enterprise format.

    Because dhcp6c does not support it.

  • IPv6 issue with ISP router

    3
    0 Votes
    3 Posts
    799 Views
    M

    @pmisch:

    @masterzen:


    (this is something I find strange, I thought there would have been an interconnection network outside of our /48)

    On the WAN side of the PFSense router, I have set up 2001:XXXX:YYYY::2/48.
    I added an IPv6 gateway to 2001:XXXX:YYYY::1.

    From the pfsense shell I can ping:

    the CPE LAN (2001:XXXX:YYYY::1)
    the CPE WAN (2001:XXXX:ZZZZ::371/126)

    but I can't ping the other side of their point-to-point net (nor access any IPv6 site).

    From an exterior IPv6 host, I can ping everything except our pfsense WAN (note: when capturing the traffic on the WAN I don't see anything coming in).

    They assured me that from their CPE they can ping anywhere including our pfsense WAN.
    Our WAN firewall allows ICMPv6 (echo rep, echo req, router adv, router sol, neighbor sol, neighbor adv).

    We double-checked our config and their CPE config of the LAN side.

    I'm out of clues about what I have done wrong in the config; my gut feeling is that there is something wrong in their CPE configuration, but it's hard to tell from outside.

    Any idea of what can be wrong and how we can further troubleshoot?

    Thanks!
    Masterzen.

    First 2001:XXXX:ZZZZ::371/126 is outside of 2001:XXXX:YYYY::/48. I don't understand your confusion.

    My confusion is that they put our attributed /48 on the CPE LAN.
    I thought that for proper interconnection you had to do either a point-to-point network (i.e. a dedicated /126 or /64 outside of the /48) or use a /64 from the attributed /48.

    The 2001:XXXX:ZZZZ::370/126 address is their interconnection between their upstream routers and their CPE, not our pfsense and their CPE.

    @pmisch:

    Secondly: from your description the error seems to lie outside of your realm. I'm quite sure that your provider's setup is faulty.

    Yes, I'm quite positive it's not our setup, but they seem to think otherwise…
    I have asked them to capture packets at different points on the CPE to see where packets are dropped but they don't seem to want to do it :(

  • PFSense machine not allowing external ipv6

    2
    0 Votes
    2 Posts
    577 Views
    junicastJ

    That's weird. What kind of connection is it you have to your upstream? Since you're doing BGP it doesn't seem to be a PPPoE / dialup connection, right?
    I suspect the link might not be ok.

  • 0 Votes
    10 Posts
    1k Views
    junicastJ

    @SidMan06052001:

    Nope it is not able to delegate. It is a very crappy router with almost no options to configure.

    I had the exact same issue. Sold my Fritzbox which wasn't able to act as a bridge and bought a decent VDSL Modem (Draytek Vigor 130). Working like a charm now.

  • No IPv6 addresses on internal interfaces after reboot

    5
    0 Votes
    5 Posts
    2k Views
    P

    can only deliver my script which is a little bit changed.

    #!/bin/sh
    #
    # rc.check_lanipv6
    #
    # performs an: ifconfig re1 | grep 'inet6 2003:'
    # and reloads interface lan if no valid IPv6 Address is currently bound on re1

    /usr/bin/logger -t re1 "Probing for valid IPv6 Adress on LAN interface (re1)"
    while ! ifconfig re1 | grep 'inet6 2003:' >/dev/null
    do
            /usr/bin/logger -t re1 "No valid IPv6 Prefix found ... trying to reload WAN interface to fix that"
            /usr/local/sbin/pfSctl -c 'interface reload wan' >/dev/null
            sleep 15
            /usr/bin/logger -t re1 "Probing (again) for valid IPv6 Adress on LAN interface (re1)"
    done
    /usr/bin/logger -t re1 "Valid IPv6 Adress found ..."
    exit 0

  • IPv6 firewall rule dynamic IP

    31
    0 Votes
    31 Posts
    16k Views
    P

    @SoulChild:

    Basically, suppose you have a torrent-downloader running and it's also listening on IPv6

    Using IPv6 prefix delegation, I'm getting a public IPV6 address on my pc. Fine :) Outgoing connectivity works great

    How do I enable 1 port to be opened toward my ipv6 address inside my network? I can just add a rule in the firewall, that works… until the provider gives me another ipv6 address

    Is there a way to dynamically track this?

    This is an old thread, but for my own sake I write here how I did it:

    The torrent server uses privacy addresses, so they change regularly.
    I made a cron job on the torrent server that does

    ip addr show dev eth0|grep inet6 |grep global|awk '{print $2}'|awk 'BEGIN { FS = "/" }; {print $1}' >/var/www/html/WNMpyVH7t9V08MCvF91zSBuGNvsJaawW1JTq6tQl6Z0A7ohwHsGv9Z05vYTOqQ5Oyp.txt

    This saves all IPv6 addresses currently in use by the torrent server.
    Then on pfSense I created a URL alias, fetching that file from the torrent server periodically.
    Then I created a firewall rule to allow access to that alias on the torrent ports.

    Done.

  • 0 Votes
    19 Posts
    2k Views
    stephenw10S

    Hmm, I have a similar WAN setup here (in the UK) and do not see an issue. Though my box has more than 256MB of RAM. I don't see what looks like a RAM issue there though.

    Can we get any more detail on who your ISP is and what exact settings you're using on WAN?

    I have seen similar things happen with Unbound failing to start before it is restarted and ending up with a bad or missing PID.

    Steve

  • Need help with OpenVPN IPV6

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPv6 6RD breaks on reboot, works after release/renew

    3
    0 Votes
    3 Posts
    798 Views
    O

    Also want to mention I use Altibox IPv6 DNS as the monitoring IP for the gateway rather than the gateway IP itself which is blocking PING.

  • NPt?

    19
    0 Votes
    19 Posts
    3k Views
    JKnottJ

    On the networks you want to access the internet, you assign global addresses and can also assign ULA. On the network you don't want to reach the Internet, ULA only. Assuming you have more than a /64 IPv6 prefix, you select a different prefix ID for each interface. For example, I have a /56. That means I can pick anything between 0 & FF for a network. Routing between interfaces means your computer should be able to reach the cameras etc.

  • IPv6 packet loss on host machine

    14
    0 Votes
    14 Posts
    2k Views
    P

    I've checked disabling completely IPv6 on the br1 and br2 interfaces and still the same problem, so I'm not sure what else to do.

  • IPv6 not allowed, but how to stop flooding firewall log?

    5
    0 Votes
    5 Posts
    1k Views
    M

    If you disable dhcp6 server and disable dhcp6 on wan/LAN interfaces it stops the flood. In pfsense 2.4

  • Ping and packet loss when ipv6 allow box is checked.

    2
    0 Votes
    2 Posts
    599 Views
    P

    One ping that is a little higher than the others should not interest you. No problem.
    pfadmin

  • Sharing a single /64

    14
    0 Votes
    14 Posts
    2k Views
    DerelictD

    Can pfSense assign the full /48, up to FFFF?  On my system, the prefix IDs only go up to FF.  But I only have a /56 prefix.

    If you get a /48 PD you can set the track interface prefix ID from 0 to ffff. What is displayed and accepted as input there is dynamic and is dependent on the size of the PD. (A /60 shows 0 - f)

    pfSense running with thousands of defined interfaces is another matter.

  • Selective RA advertising?

    15
    0 Votes
    15 Posts
    2k Views
    M

    Thanks everyone for your answers!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.