Yeah you are right.

Here is similiar situation.
https://forum.pfsense.org/index.php?topic=80472.0

I am out of luck. Thanks everybody for their time.

If you grabbed a /48 right?  But the /64 you get from them is not going to do you any good for internal use between multiple segments..  You would not subnet the /64 you can get from HE..  If you need more than 1 local segment you need to get the /48 and that you can break up in to your /64s you need.

I do the following on all windows hosts on my network:

netsh interface ipv6 isatap set state disabled netsh interface ipv6 6to4 set state disabled netsh interface teredo set state disabled

That's for a host, not a network. I would like to give one host 65536 addresses via dhcp (or any other centrally managed way would be ok too).
Or am I missing something obvious here?

Yes.  While IPv6 supports multiple IPs on an interface (mine currently has 17) I suspect 65K is a bit much.  If you're running virtual machines for those servers, they will get there own individual addresses, if configured to bridge.

For people having MTU issues or questions, I was looking into this a while ago, trying to troubleshoot some connectivity problems. I found some useful info.

There is "MTU Path Maximum network path size scan utility", which can be downloaded here: https://www.iea-software.com/products/mtupath/. It supports both ipv4 and ipv6. It uses both icmp and udp. You can sort of do this manually using ping, but this runs more quickly.

There are some more powerful but less flexible utilities available from wand.net.nz. There are two utilities and you can download them at https://wand.net.nz/pmtud/. They are based on open-source software. The outgoing test could probably be built-into pfsense. It would make a good addition to the diagnostics. The incoming test requires an external host to run the query on.

OK I got my system working with IPv6 disabled.

I turned off the DNS Forwarder and DNS Resolver. Now the LAN clients are working. But without the Forwarder or Resolver, I can't individually assign DNS to LAN clients. For example, the kids LAN clients need to be operating on one DNS policy (forcing Google safe search) and the parents using another DNS policy (such as allowing youtube and netflix). So now my problem is DNS configuration, not belonging in this thread anymore.

In summary, 2.4.0-RC (amd64) seemed to fix my IPv6 problem. Disabling the DCHPv6, RA, and LAN IPv6 worked once I updated to 2.4.0-RC (amd64).

@omnidan:

Alright, let me try again by describing the highlevel problem :)

For various devices on my network (AppleTV, ipad, notebook etc.) I want to unblock georestictions of video streaming by routing the traffic of netflix, youtube etc. through an IPv6-HE-tunnel.

The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the appletv or ipad. All devices get their ipv6 configuration and route ipv6 traffic properly to the tunnel gateway. Some apps however still prefer ipv4 (25ms advantage of ipv6 or not). That's why I want to force ipv6 for certain domains like youtube.com, netflix.com etc.

Netflix over IPv6 using he.net ?
That's would be a huge no-go. Netflix WILL block you.

Running IPv6 via he.net (tunnel broker) is ok, but all netflix.com traffic should be forced to chose IPv4.

@reinderien : Very nice. Gona try your solution.

I don't want to disable RAs.  They're used to assign the prefix.  Also, ULAs are routeable, just not over the Internet.

Here's how it looks on a Linux system:

vlan3    Link encap:Ethernet  HWaddr 74:D4:35:5A:F5:FB 
          inet addr:172.16.3.10  Bcast:172.16.3.255  Mask:255.255.255.0
          inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global
          inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link
          inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
          RX packets:1478 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1204 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:307424 (300.2 Kb)  TX bytes:247592 (241.7 Kb)

How do you change the MSS on an interface? Did you mean MTU?

I'd suggest trying again with all ICMP for IPv6 allowed to/from LAN & WAN in the firewall.

If you have a Linux machine, try the tracepath6 command to a hostname that's giving you trouble. Usually it will tell you where the MTU on the link changes. Ideally run the command from the otherside to you as well for even more information on the PMTU.

And maybe increase the MTU of wan_stf to 1480 (but only if you're not using PPPoE). FreeBSD also seems to have MTUs per route.
For example, these commands can help you see what routes there are along with the diagnostics->routes page:
netstat -r -n
route -6 get default

BTW the 1232 I think comes from the (1280B MTU - 20B IPv4 6rd header - 28B tcp header)?

i have same problem… I have to set dhcp6 on wan to none... then apply then wait 5 mins then set again.. works like a champ... my isp is comcast

@riceri:

@JKnott:

Do you now have multiple /64s available?

Yes, they route the whole /48 to my router and i can split it to multiple /64 and my router takes care of that routing.

Good, that's the way it's supposed to work.  Now all you have to do is figure out what to do with the other 65,535 /64s.  ;)

BTW, I only get a /56 from my ISP.  :(

Thanks! That did it. Once I changed the routing setting for the LAN interface, the radvd service is gone from the list of services in the web interface now.

Thanks for the help!

Personally? I hope it never gets "solved". It's a ridiculous design choice that OVH and their ilk need to be forced to fix properly.

As to whether pfSense ever gains an NDP proxy, who knows. Maybe eventually. I am not fond of how the one that just showed up in ports is implemented, though.

You'll need to provide a lot more detail about the specifics of how you set everything up, including DHCPv6 and RA tab settings for each interface/VLAN

I have a similar setup (HE.net /64 and routed /48) and I use subnets from the /48 on VLANs and they work perfectly.

Something about your interface/DHCP/RA setup or even your switch/L2 must be not quite right.

I was also going to suggest ULA.  I have that set up here, just to play with.  One nice thing is the prefix never changes.  You start with "fd" and then add a 40 bit random number to create a /48 prefix.  You could rely on pfSense to advertise the prefix, as I have done, or just create whatever address you want.  For example, fd::n, where n is any hex number between 1 and ffff.

BTW, I now have "static" IPv6 addresses since pfSense was updated to keep the same prefix.

@vc6SfV8:

I finally gave up and contacted Time Warner.  They had disabled IPv6 for everyone and were enabling it at the customer's request only going forward.  It sounds like it was causing too many headaches for them.  They enabled it again for me and it works now…. It would have been nice to know that before spending 10 hours troubleshooting.

Good for you, calling them! Sends a good message.

For what it's worth, I opened a redmine ticket for it: https://redmine.pfsense.org/issues/7734

@marjohn56,

OK, there are a lot of changes around dhcp6c in version 2.4b

I think you where referring to your https://github.com/pfsense/pfsense/pull/3515; and this got merged in 2.4b?

It's not a dhcp6c problem per say, you are correct that the Bridge interface does not exist when dhcp6c fires up, so it's a start up issue.

Until a full fix is found can I suggest a shell command is run at startup with a delay and then start dhcp6c from there. Not ideal I know, but it will get around the problem you have.

I 100% agree with you and applied your observations but my problem still remains, at this point I have given up and just disabled IPv6