I should add, it's not obvious what the purpose of a WAN address on a residential gateway is. Possibly for the ISP to perform firmware updates. In the case of my gateway, it does not respond to ping.

DHCPv6 in pfSense seems a little flakey but I suspect what is happening is that DHCPv6 won't enable until it sees ipv6 on the WAN and Track Interface all fall into place. I use pfSense for DHCPv6 on my smaller networks. On my larger networks I've graduated to using dnsmasq directly. Once you get used to what all a fully configurable dnsmasq can do, the DHCP servers inside any router brand look like cheap toys. Even routers that use dnsmasq are no good. They don't expose but a tiny fraction of what dnsmasq can really do.

@pmisch:

I suggest to set radvd to Unmanaged instead of Managed in order for your clients to get stateless IP addresses. This should work.
As far as I can tell DHCPv6 is no really ready for usage mainly because the different client implementations on the different OSes don't work really well.

Thanks, I've done exactly that and created some overrides for the DNS Resolver just for the machines I have to access remotely so I can access them by names.

@kpa:

The first address you get from SLAAC is fixed by the MAC address (within the given /64 prefix, I will use 2001:db8:: below) and you can use that to make a static host override on the DNS resolver/forwarder. For example if the MAC address is "00-11-22-33-44-55" then the EUI-64 (the 64-bit host id) would be ::211:22FF:FE33:4455.

http://silmor.de/ipaddrcalc.html#ip6

With the EUI-64 known you can create the override as an AAAA record "myhost.mydomain.tld"  -> "2001:db8::211:22ff:fe33:4455".

Thank you very much!!!, that was exactly what I needed. Now I have turned off DHCP6 and leave SLAAC for every client. I've created the overrides like you mention only for the ones I need to access.

Thank you!

Okay, let's start again from right at the very top.

I have a local network, and a HE Tunnel, and I want to connect the two together. I would like to allocate a multi-ip range to each machine in the local net (Prefix Delegation, if that's the right term) for virtual machines and service hosting, but that is not particularly necessary at this point (I can just bridge the networks and have them allocate as if they were full machines on the LAN, rather than VMs on a host).

I have available 2 ranges. An allocated /64 at 2001:470:1f17:<blah>::/64 and an allocated /48 at 2001:470:<yadda>::/48

The HE tunnel is up and working fine on interface HeNet, with an address of 2001:470:1f17:<blah>::2 /64, talking to the gateway at 2001:470:1f17:<blah>::1

My clients are a mixture of Windows 10, Windows 8.1, Linux and Android devices, and I would like them to autoconfigure their settings as much as is possible.</blah></blah></yadda></blah>

@pablot:

@kpa:

@pablot:

@JKnott:

And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).

ok, thanks for your help, I'm learning a lot!!!! :)

Just one more… I cannot make my clients to ping a host on internet, the names resolve ok to the IPv6 addresses, but somehow I guess I do not have a gateway configured properly or something is "closed" at the pfSense box that blocks traffic.

I had this issue when I first setup a 6rd tunnel. The fix for me was to disable gateway monitoring on the ipv6 gateway. It wasn't responding to pings so pfSense would treat it as being down.

If you want IPv6 until your ISP brings it online just get a HE tunnel, easy enough to setup - you can get a FREE /48 from them and there you go IPv6 no need for your isp to support it..

Hmm. I have an HE.NET tunnel and happily get DHCPv6 + /56 PD from Cox.

I have been watching it for a while. They are honoring the DUID and not changing my prefix despite new modems and WAN MACs. My IPv4 address with them as changed at least three times since I started getting delegated this prefix.

@doktornotor:

Have you tried the "Request only an IPv6 prefix" checkbox on WAN?

Yes. There is my config :

@hda:

You need more (say /60, /56 or /48) from your ISP, to be able to create more /64 LAN's.

The first ISP in Belgium (Proximus) provide only one /64 per client :-(

I think this problem would be solved already if pfSense would not be restricted to CIDR. If a full subnet mask would be used, the top 64 bit could just be left 0 and the lower 64 bits (or at least the EUI-48 part could be 1 so that the IP+subnet mask would ignore the IPv6 prefix and only match the host-specific part. That's how firewall rules for dynamic IPv6 subnets can be easily implemented in ip6tables on Linux.

I have idea however if the CIDR restriction is a pf issue and whether a full subnet mask can be easily implemented.

Stefan

@kpa:

You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of the both worlds.

It's the way I think I'm gonna go, the only thing is that I can't set per-host rules and, more importantly, if the Traffic Graph section ever gets updated to support IPv6, I'll have no clue who is hogging my bandwidth, which is something I often rely upon (only 20 down/2 up).

@hda:

If your /56 prefix does not change, then just don't do Track Interface.
Assign Static LAN's prefix + subnet, suiting your LAN-host IP number.
Use RA Managed (DHCP) or Router Only (Static)

Unfortunately, it's dynamic.  It still seems buggy that pfSense would abandon its static routes after a network bounce though…

FYI regarding the Windows 10 Anniversary DHCPv6 renewal issue… according to the very last post in  this MS Technet discussion, the fix will be in the March 2017 monthly update.

The are the values of my test system (CentOS 7):

[root@test01 ~]# sysctl -n net.core.wmem_max
212992
[root@test01 ~]# sysctl -n net.core.rmem_max
212992
[root@test01 ~]# sysctl -n net.ipv4.tcp_rmem
4096    87380  6291456
[root@test01 ~]# sysctl -n net.ipv4.tcp_wmem
4096    16384  4194304

I checked them on a few other of my CentOS systems and they all give the same results back. I did not make any kernel modifications via sysctl.
The bandwidth issue is also visible when I do a curl -vv http://www.google.com from the PfSense Box

Thanks for the reply!

I will do that in the future, but i was exactly curious on how to do this.
I'm running pfsense 3.2.1 so I'm ipv6 ready.

Yes @marjohn pointed out the error of my ways

Simply setting the IPv6 Prefix ID to 1 rather than 0 means I can split my /56 across another LAN

Hi,

indeed it turned out to be client I was testing it, which was using dhcpcd. It works on other machines here, including Windows 10, GNU/Linux (both with Connman, NetworkManager). Since I was getting DHCPv6 in assisted mode I never suspected the client. Sorry for bothering everyone, but this turns out not to be an issue with pfsense after all.

Kind regards,
Bartosz