• [SOLVED] ipv6 no routing between lan & wan

    4
    0 Votes
    4 Posts
    6k Views
    T

    Was just about to post the same problem. I have a Vigor 130 + pfSense here, with the Vigor doing the VLAN 7 tagging OOTB.

  • Dhcp6c dies silently

    1
    0 Votes
    1 Posts
    863 Views
    No one has replied
  • Local Network Protection for IPv6

    37
    0 Votes
    37 Posts
    5k Views
    johnpozJ

    "This is epic trolling, even for you."

    Even for me?  Wow.. You do understand you started this whole thing. JKnott post a RFC for some info and you I assume in your complete understanding of ipv6 and how vpn services work disagree with that RFC??  Did you even read it?  I guess that is a no from your comments.

    You understand it's a Request for Comment, the authors' addresses are listed - if you disagree with them, why don't you contact them directly and point out to them how Nat is still needed for vpns ;)

    "It works FFS. Get over it."

    Which has ZERO to do with the info that was posted - who is trolling?

  • External Ping doesn't work

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ

    "Basically, I have received a /64 static block from my "isp" 2a01:x:y:z"

    If all they gave you was /64, then they do not want you putting anything behind a router, i.e. pfsense.  The only way to use a firewall in such a case would be bridged so your devices behind the firewall are on that /64.

    hetzner is online host, so this is in the cloud somewhere?  Or a DC and you're trying to run your own router/firewall - pfsense?  If you want to use IPv6 behind pfsense then they should route more networks to you, or should use delegation to allow your router to request a prefix, /60, /56, /48 etc.. That would then be routed to you.

    I have quite a few vps that have ipv6 address space, and yeah you get a /64.  But these vps are meant to be directly connected to the hosting network, and not behind some firewall/router.  So you're trying to run pfsense on some virtual esxi box or something and put your other vms you create behind pfsense in the cloud?

  • 6rd Gateway always shows offline.

    3
    0 Votes
    3 Posts
    1k Views
    T

    That worked for me thanks for the help :)

  • IPv6 Tunnel and Netflix - Windows DNS - How Do I solve this?

    6
    0 Votes
    6 Posts
    2k Views
    awebsterA

    Just wanted to say that I implemented Gertjan's suggestion, and it works great!

    Btw : I know, this isn't the 'best' solution (I'm locking out many IPv6 that might not be owned by netflix but had not any troubles yet).

    Actually, those prefixes appear to be sub-allocated to Netflix from AWS (but they aren't maintaining rwhois), and appear to only belong to Netflix, so I don't think it will impact much else at the present time.

  • Not getting IPv6 from ISP (Telus)

    20
    0 Votes
    20 Posts
    7k Views
    B

    @753951:

    I had exact same setting (I don't remember ever changing it). LAN off, WAN on. But turning it off for a moment on WAN made IPv6 working again. It's back to default value (on now) on WAN and everything still works even after reboot.

    I made other changes (LAN tracks WAN) and it's all working now. The only thing I can't get to work is VM interface in pfSense (Hyper-V virtual switch). It's set up to track WAN interface, exactly same as LAN, but that entire segment (one Debian, one Windows 10, one Windows 8.1 and one Windows Server 2016, which is domain controller, DHCP server and DNS server) can't get public IPv6. Can you have more than one interface in pfSense set to track another one for DHCPv6?

    That's really strange.

    For a typical dual-stack configuration with one WAN and one LAN it's a pretty simple setup.

    You should have the following WAN settings:

    IPV4: dhcp
    IPV6: dhcp6
    request prefix only
    /56 prefix
    do not wait for ra
    do not allow pd release

    You should have the following LAN settings:

    ipv4: static
    ipv6: track interface
    upstream gateway: none
    track ipv6 interface: WAN

    Except for do not allow pd release, it will not work without the settings. I recommend do not allow pd release. It works quite well at preventing the prefix from changing. However, Telus engineering told me that as long as the DUID does not change, the prefix should not change. I have found that if I clear do not allow release, it will release the lease and there will be a new prefix. If I do that a few times, occasionally the same prefix will be allocated again.

    If you plan to use pfsense for dhcpv6, I also recommend assisted RA.

    Not sure what you're trying to accomplish with the VM interface. Please elaborate. I have my hyper-v configured so the hyper-v management interface is on the LAN. I also have an extra NIC that's only connected to the hyper-v (not to any guests) and is connected to an unbridged LAN port on the modem. I use this only to log into the modem. I bumped up the routing metric so if any address other than the modem lan is accessed, it will go through the LAN interface on pfsense.

  • IPv6 DHCP to my Windows DHCP Server and DNS - how do I simplify this?

    6
    0 Votes
    6 Posts
    3k Views
    DerelictD

    You don't have to do anything with DHCPv6 Relay unless the DHCPv6 server is on another subnet.

  • PfSense 2.3.4 - IPv6 gateway edit error

    1
    0 Votes
    1 Posts
    666 Views
    No one has replied
  • IPv6 sanity check

    24
    0 Votes
    24 Posts
    4k Views
    JKnottJ

    In a static IPv6 WAN configuration, if the provider is expecting /56 and you set /64 on the WAN interface (others have said setting /56 on the WAN interface is ridiculous; they are correct), the ISP assumes that 2001:xxxx:xxxx:6901:: is on the same L2 subnet, but it isn't because the subnet sizes don't match.

    Think of the /56 as 256 /64s.  PfSense can select a /64 for each LAN or VLAN interface.

  • Pfsense reboot using he.net IPv6 tunnel

    4
    0 Votes
    4 Posts
    1k Views
    N

    @fastisp:

    The physical interface is a Realtek PCIe GBE network Controller (onboard ethernet controller).

    That might be the cause of your problems.

    Otherwise, I have no idea. :(

  • SLACC Bleedthrough on VLANs

    24
    0 Votes
    24 Posts
    4k Views
    johnpozJ

    ^ that clearly is not needed derelict, I already posted the RA coming out of pfsense with the vlan tag on it..  See my tcpdump.

    "Try with it set to unmanaged on the vlans and managed on the native interface with DHCPv6 enabled."

    Has ZERO to do with anything!!

    And as a side note - how do you know I don't have that currently setup that way ;)

    Simple enough for you to show that pfsense is not putting tags on traffic.. simple tcpdump is all that is needed you will either see the tags or you won't..

    Per what Derelict stated about the conf and the interfaces in it.. You can see clearly that assigned to the vlan interface or not.


  • 6rd via DHCPv4 option 212

    1
    0 Votes
    1 Posts
    773 Views
    No one has replied
  • Multiple instances of dhcp6c causing no ipv6 address

    3
    0 Votes
    3 Posts
    917 Views
    J

    Unfortunately yes this is a production system. I have enabled Reject Leases From: 192.168.100.1 as my modem (surfboard) apparently does that when it loses connection. I haven't seen it happen in a couple days, but we're still in the 4 day window.

  • Migrating to IPv6

    28
    0 Votes
    28 Posts
    5k Views
    C

    HOLY JEBUS!

    After whacking my head against this and doubting my networking skills… I got it running. Turns out: A rogue IPMI from (older) testing times was also using the same IP used for the transfer net. This resulted in some kind of weirdness.

    Deactivated ipv6 on said ipmi, everything is working.

    Thanks all you rock!
    I can rest easy tonight.

    \o/
    -Chris.

  • Just want IPv6 on LAN for now - is this correct?

    20
    0 Votes
    20 Posts
    4k Views
    johnpozJ

    As to visiting the site only twice - I find myself using their looking glass interface now and then https://lg.he.net/ very handy… And if you're leveraging their FREE dns you will need to go there, or if you want to edit any of your IPv6 PTR records.

    So prob a bit more than twice for some of us ;)

    BTW they also make a handy app for your iphone/android
    http://networktools.he.net/

  • IPv4 NAT port forwarding and IPv6 port forwarding

    6
    0 Votes
    6 Posts
    4k Views
    johnpozJ

    While I agree, and sure hope he is not forwarding traffic to something that is not meant to be publicly consumed.  He is forwarding to port 80 - so assumed it was some public sort of website.

    If this is a private use app you're running - then by all means the correct solution would be to vpn into pfsense and then access whatever it is you want.

  • IPv6 'single host' rule selects a /32

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD

    Thanks for pointing it out:

    https://redmine.pfsense.org/issues/7625

  • IPv6 Setup with two chained pfSense Firewalls

    8
    0 Votes
    8 Posts
    2k Views
    JKnottJ

    /64 Neighbour Discovery (ND) Prefix. This is used to automatically address the WAN interface of your Router, or if you are directly connected without a router, the WAN interface of that device.

    Actually, it's router advertisements that do that.  The router advertisements tell the device the network address and the router link local address.  If necessary, a device can do a router solicitation to trigger an advertisement.  Neighbour discovery is used to find the MAC address for a host's IPv6 address.

  • Prevent IPv6 Address Detection?

    12
    0 Votes
    12 Posts
    2k Views
    johnpozJ

    @JKnott - it was just the first site I found with a quick google to just show that browser can leak your local address.  It might not even do IPv6, etc.

    Without some details it's unclear to what might have been reported to this guy's buddy.  But if he has ipv6 off on pfsense, I find it pretty much impossible for it to be a global IPv6 address from his isp, etc.  So it could be something like a browser leak, or could be say a teredo address..

    There are better sites for detecting ipv6 leaks, etc.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.