@m0k2001 Don't bother Elno. He's busy being co-President.

@Gertjan said in Setting up IPv6 on my Netgate: The fe80 are like RFC1918 Actually, unique local addresses are like RFC1918. You can pick whatever addresses you want within the ULA block and, like RFC1918 addresses, they are routeable, just not on the public Internet.

@jwt Definetly looking forward to it and be glad to test it out in first snapshots/betas that will have it. We can easily hook up an v6 only network in the lab (there should already be one) and give it a spin :)

@johnpoz How on earth did you come to these conclusions about my knowledge level?? Of course I know how to setup a CA in pfSense. I have a CA running just fine since years. Three hosts in my network use it's server certificates. I know how to run multiple services as virtual hosts on one machine. I'm actually doing this on multiple machines (BSD and Linux) in my network. Of course I do use RFC 1918 addresses (who doesn't) and I'm totally aware of how I can assign private addresses. I just as well know how to configure a browsers to not use Doh. But I won't reconfigure other users' browsers. You are correct in this assumption: I have no specific need for IPv6. Because I have as many public IP addresses as I need and I'm not forced to access any public services which are not available in IPv4. (I can't speak for my users of course.) This may however be the wrong mind set to look at IPv6 in general. This way IPv6 will probably never take the place it should have. I WAS wrong about names mandatory for http protocol, thank's for correcting this.

@smaxwell2 I would suggest you start a new post as this is now off topic and not your post to begin with.

For anyone finding this in 2024, I had to enable "Multicast Enhancement" for the Unifi Wifi network AND I had to disable Hotspot 2.0. Only then did the Router Advertisements flow down to wifi clients. I was sitting in wireshark on a MacOS 14.6 laptop client and suddenly there was a flurry of traffic. Pro-tip: You may have to wait for the RA interval for the Unifi change to make a difference. Default is 200 seconds, you can change this in the RA Server settings. I set mine to 10 seconds then clicked the button to restart the RA server. This worked! [image: 1730900736051-screenshot-2024-11-06-084436.png] [image: 1730900948556-screenshot-2024-11-06-084835.png]

@JKnott That's true... I don't know what else to use. Never had this issue before. But if the IP from my LAN works, then I use that!

@patient0 You were on the right track. After an additional nudge from Netgate support (going above and beyond), I changed PD from 62 to 56 and it's working now.

Moderators: please delete this post I will follow-up in my original post

It seems this is is what I'm looking for essentially but pfSense doesn't have anything yet at least sadly: https://forum.netgate.com/topic/185114/does-pfsense-have-an-equivalent-feature-to-opnsense-s-ipv6-dynamic-hosts-or-negative-masks-in-iptables Edit: I found what I needed in opnsense and wish pfSense would bring it over too. Allow tracking of interfaces for the NPT6 table and it works just fine. Set the inside to track the WAN and then in the NPT settings track the LAN prefix and it will nat if the WAN subnet offered changes.

@Gertjan Okay thank you. That means by incident I have the same TLS error in LibreSSL on Mac OS and in OpenSSL on the Fire TV Stick (Android) which only affects IPv6 connections. Seems to be the only explanation.

@Gertjan This does it! Thank you all, you are may today's champions!

I ultimately suspected as much myself, which is also why I haven't taken any further action yet. It's now a question of when I feel like sitting on the phone with AT&T support for however long it takes to convince them to send me a new gateway and then taking the time to configure one from scratch to my liking. It seems like the final outcome is, like @ronv42 said, that the NVG589 is just far too obsolete at this point, and the solution is to replace it.

@smaxwell2 said in IPv6 NDP Incomplete: So pretty sure my issue lies within my Windows configuration, though I stand to be corrected. Your 'Windows' devices are like mine : you never changed anything in the 'Network' setup of your devices. They came with DHCPv4 and DHCPv6 client activated. There is/was never a need to change anything. @smaxwell2 said in IPv6 NDP Incomplete: My ISP provides me IPv6 on the WAN and delegated me a /56 I have my LAN configured within pfSense to "Track Interface" (WAN Like me. I assigned prefix ID '0' ion the LAN interface : [image: 1728377088687-2754f99d-c6dc-4ac1-9a8d-69be1d3187d6-image.png] And .... I've set up the DHCPv6 server - like the DHCPv4, for my LAN : [image: 1728377167446-2207d61e-7010-4f74-b7f2-54116f2f5571-image.png] and since I did this (years ago), all my LAN device that are IPv6 capable receive a IPv6 Lease in the ::2 to ::86 range. Because I'm old and stupid, I also gave most of all my device a DHCPv6 Static DUID Lease. This means that all my device always get the same IPv6 GUA. C:\Users\Gauche>nslookup diskstation2 Serveur : pfSense.bhf.tld Address: 2a01:cb19:907:xxxx:yyyy:77ff:fe29:392c Nom : diskstation2.brit-hotel-fumel.net Addresses: 2a01:cb19:907:xxxx::c2 192.168.1.33 I actually never (had to) looked at the NDP table page I can see on the DHCP Logs page that IPv4 and IPv6 are getting renewed : [image: 1728377300422-a167e7a1-58a5-47ea-85d7-c3179191b4d5-image.png] Btw : I use ISC, not Kea.

@JKnott said in BTnet IPv6 Configuration: How does your ISP provide IPv6? Most use DHCPv6-PD, which provides your LAN prefix. The provide a /56. This gives 256 /64 subnets. The first /64 is setup on the router with router announcements. So for a single vlan with no firewall, you can just connect to the router. Then the whole /56 (minus the first /64) is routed to the ::5 address of the first /64. So if you need a firewall, fancier routing or have multiple vlans, then you just need to put a router on the ::5 at add other /64 to interfaces as you like. DHCPv6 PD is the modern way to do this - you do a DHCP request for a whole /64 subnet to use. This is cool, but not supported by my ISP (a BT or BTNet leased line). The static route way is totally find for my needs.

@smk Here are a couple of other points: A WAN interface doesn't actually need a public address. With IPv6, routing is often done with the link local address. That /128 prefix length means there's no actual subnet there. That address is nothing more than a label for your router.

@johnpoz Somewhat thought that I already made some publicity for he.net here .. but it was somewhere else.

@bmeeks @bmeeks said in IPv6 Multi-LAN Problem: My ISP moved me behind CGNAT That, NAT, shouldn't break the tunnel to the HE pop, but he.net has a condition : your 'WAN IPv4' as seen by them must answer to ICMP (ping). And yous doesn't .... so it's game over for you. For me, he.net isn't possible anymore for another reason : my new "state of the art newest ISP router" that has an ONT integrated for the fiber access can't handle the '6in4' protocol (41), so pfSense can't connect to the he.net pop server 6in4 isn't ICMP (1), isn't TCP (6), isn't UDP (17), neither GRE (4) but something else. So, I contacted them. This took me weeks to get in contact with someone who could actually understand my question. They : We've dropped protocol 41 support on our newest models because ... here it comes .... We, Orange, in France (10+ million subscribers) are now proposing IPv4 and IPv6. Me : Yeah, right, but your IPv6 for my usage is broken !? They : You have a static IPv4 and your IPv6 works, I can see that from here. Me : Yeah, sure, but as the (my) subscription implies : I'm using the Pro subscription as I'm a company, I would like to actually use the /56 as advertised. Your router, needed to connect to the Orange fiber, only has one (1) LAN, and I have a company with several LAN's - not just one. They : Wow, what ? Multiple LANs ? But that's not supported. Me : I have that covered : I chained on to a pfSense router, and it wants prefixes - your (my) prefixes. They [10+ minutes on hold, waiting while listing Cherry FM] : Right, there is a issue that only one prefix gets announced by our router. Me : Then why announcing /56 as only one /64 works ? Then they told me to do what others already do : "ditch our ISP router, use an FTP RJ45 to Fiber plug", as my 4100 supports such a connection, create some serious DHCP 4 and 6 options and behold, now I can tap into the full IPv6 /56 advertised. Champagne ! Of course, I'll loose all the ISP "TV" facilities and/or phone support (one phone line, but who cares, we have 6 lines on a PABX), I don't need these. So, I - and many, many other, are waiting for the router update that delivers us the needed IPv6 support. edit : let it be known : In France, ISP Orange : less people then you have fingers on your hand know that there is more then "UDP" and "TCP" ....

I could tell my routing tables were screwed up, but I didn't really know why. After a while, I stumbled on the System/Routing/Gateways settings and noticed the "Default gateway IPv6" was set to "none." After setting it to WAN_DHCP6, it started working. I'm not sure how that got screwed up, given that my clients were working before.