That's weird. What kind of connection is it you have to your upstream? Since your doing BGP it doesn't seem to be a PPPoE / dialup connection, right? I suspect the link might not be ok.

@SidMan06052001: Nope it is not able to delegate. It is a very crappy router with almost no options to configure. I had the exact same issue. Sold my Fritzbox which wasn't able to act as a bridge and bought a decent VDSL Modem (Draytek Vigor 130). Working like a charm now.

can only deliver my script which is a little bit changed. #!/bin/sh # # rc.check_lanipv6 # # performs an: ifconfig re1 | grep 'inet6 2003:' # and reloads interface lan if no valid IPv6 Adress is currently bound on re1 /usr/bin/logger -t re1 "Probing for valid IPv6 Adress on LAN interface (re1)" while ! ifconfig re1 | grep 'inet6 2003:' >/dev/null do         /usr/bin/logger -t re1 "No valid IPv6 Prefix found ... trying to reload WAN interface to fix that"         /usr/local/sbin/pfSctl -c 'interface reload wan' >/dev/null         sleep 15         /usr/bin/logger -t re1 "Probing (again) for valid IPv6 Adress on LAN interface (re1)" done /usr/bin/logger -t re1 "Valid IPv6 Adress found ..." exit 0

@SoulChild: Basically, suppose you have a torrent-downloader running and it's also listening on IPv6 Using IPv6 prefix delegation, I'm getting a public IPV6 address on my pc. Fine :) Outgoing connectivity works great How do I enable 1 port to be opened toward my ipv6 address inside my network? I can just add a rule in the firewall, that works… untill the provider gives me another ipv6 address Is there a way to dynamically track this? This is an old thread, but for my own sake I write here how I did it: The torrent server uses privacy addresses, so they change regularly. I made a cron job on the torrent server that does ip addr show dev eth0|grep inet6 |grep global|awk '{print $2}'|awk 'BEGIN { FS = "/" }; {print $1}' >/var/www/html/WNMpyVH7t9V08MCvF91zSBuGNvsJaawW1JTq6tQl6Z0A7ohwHsGv9Z05vYTOqQ5Oyp.txt This saves all IPv6 addresses currently in use by the torrent server. Then on pFsense I created an URL alias, fetching that file from the torrent server periodically. Then I created a firewall rule to allow access to that alias on the torrent ports. Done.

Hmm, I have a similar WAN setup here (in the UK) and do not see an issue. Though my box has more than 256MB of RAM. I don't see what looks like a RAM issue there though. Can we get any more detail on who your ISP is and what the exact settings your using on WAN are? I have seen similar things happen with Unbound failing to start before it is restarted and ending up with a bad or missing PID. Steve

Also want to mention I use Altibox IPv6 DNS as the monitoring IP for the gateway rather than the gateway IP itself which is blocking PING.

On the networks you want to access the internet, you assign global addresses and can also assign ULA.  On the network you don't want to reach the Internet, ULA only.  Assuming you have more than a /64 IPv6 prefix, you select a different prefix ID for each interface.  For example, I have a /56.  That means I can pick anything between  0 & FF for a network.  Routing between interfaces means your computer should be able to reach the cameras etc..

I've checked disabling completely IPv6 on the br1 and br2 interfaces and still teh same problem, so I'm not sure what else to do.

If you disable dhcp6 server and disable dhcp6 on wan/LAN interfaces it stops the flood. In pfsense 2.4

One ping that is a little higher than the others should not interest you. No problem. pfadmin

Can pfSense assign the full /48, up to FFFF?  On my system, the prefix IDs only go up to FF.  But I only have a /56 prefix. If you get a /48 PD you can set the track interface prefix ID from 0 to ffff. What is displayed and accepted as input there is dynamic and is dependent on the size of the PD. (A /60 shows 0 - f) pfSense running with thousands of defined interfaces is another matter.

Thanks everyone for your answers!

Yeah you are right. Here is similiar situation. https://forum.pfsense.org/index.php?topic=80472.0 I am out of luck. Thanks everybody for their time.

If you grabbed a /48 right?  But the /64 you get from them is not going to do you any good for internal use between multiple segments..  You would not subnet the /64 you can get from HE..  If you need more than 1 local segment you need to get the /48 and that you can break up in to your /64s you need.

I do the following on all windows hosts on my network: netsh interface ipv6 isatap set state disabled netsh interface ipv6 6to4 set state disabled netsh interface teredo set state disabled

That's for a host, not a network. I would like to give one host 65536 addresses via dhcp (or any other centrally managed way would be ok too). Or am I missing something obvious here? Yes.  While IPv6 supports multiple IPs on an interface (mine currently has 17) I suspect 65K is a bit much.  If you're running virtual machines for those servers, they will get there own individual addresses, if configured to bridge.

For people having MTU issues or questions, I was looking into this a while ago, trying to troubleshoot some connectivity problems. I found some useful info. There is "MTU Path Maximum network path size scan utility", which can be downloaded here: https://www.iea-software.com/products/mtupath/. It supports both ipv4 and ipv6. It uses both icmp and udp. You can sort of do this manually using ping, but this runs more quickly. There are some more powerful but less flexible utilities available from wand.net.nz. There are two utilities and you can download them at https://wand.net.nz/pmtud/. They are based on open-source software. The outgoing test could probably be built-into pfsense. It would make a good addition to the diagnostics. The incoming test requires an external host to run the query on.

OK I got my system working with IPv6 disabled. I turned off the DNS Forwarder and DNS Resolver. Now the LAN clients are working. But without the Forwarder or Resolver, I can't individually assign DNS to LAN clients. For example, the kids LAN clients need to be operating on one DNS policy (forcing Google safe search) and the parents using another DNS policy (such as allowing youtube and netflix). So now my problem is DNS configuration, not belonging in this thread anymore. In summary, 2.4.0-RC (amd64) seemed to fix my IPv6 problem. Disabling the DCHPv6, RA, and LAN IPv6 worked once I updated to 2.4.0-RC (amd64).

@omnidan: Alright, let me try again by describing the highlevel problem :) For various devices on my network (AppleTV, ipad, notebook etc.) I want to unblock georestictions of video streaming by routing the traffic of netflix, youtube etc. through an IPv6-HE-tunnel. The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the appletv or ipad. All devices get their ipv6 configuration and route ipv6 traffic properly to the tunnel gateway. Some apps however still prefer ipv4 (25ms advantage of ipv6 or not). That's why I want to force ipv6 for certain domains like youtube.com, netflix.com etc. Netflix over IPv6 using he.net ? That's would be a huge no-go. Netflix WILL block you. Running IPv6 via he.net (tunnel broker) is ok, but all netflix.com traffic should be forced to chose IPv4. @reinderien : Very nice. Gona try your solution.