Hurm. definitely related to RA.

ip -6 neigh (from a linux system) doesn't show any routers prior to pinging the router ip.

after pinging the interface's ipv6 address on the router everything works and ip -6 neigh shows the router as reachable

Are you using the same prefix ID as on your LAN interface?

If so that would be an issue.

I have a 6rd configuration as well and can get a separate ipv6 subnet allocation on my other internal interface, but I can't get it to pass any ipv6 traffic.

@timmiet:

here is my full setup.
comcast modem/router (DNS and DHCP on)-> pfsense 2.2.4 (DNS and DHCP off) -> Server 2012r2 (DNS and DHCP on)
server has a static IPV4 but IP6 is Obtain automatically.
from pfsense I can ping tcpip6 from server I can not.

comcast router IP 192.168.107.1
PFSense IP 192.168.7.1
Windows Server 192.168.7.10

I'm very very very very TCPIPV6 stupid please help.
:)

To start, I would test with a computer connected directly to the Comcast modem. If that doesn't work, you will never be able to get a Comcast to Pfsense to (same) computer to work…

@doktornotor:

Uhm… instead of trying random prefixes, you should find out HOW does your ISP deliver IPv6.

Yes, the first place one should look.  I was not able to find that info.  Info I did find was generic and had no date.  It apparently referred to the rollout from several years ago.  Other posts showed different values so I tried some.

One suggestion I read was to plug a win machine into the modem.  I don't have a win machine.  I've been thinking of trying that on my wife's macbook but only as a final option to confirm if an IPv6 addr is obtained.

I'll keep searching for more info.
thanks

@doktornotor:

Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088.

@jtl:

As I test I used```
nc -6 -l 8088

I created another rule for port 8088 and that works. Here's a bit of a cluttered screenshot showing it. Left window is remote server, and right is netcat.

https://i.imgur.com/xGUavMh.png

Need to read up more on IPv6 sometime.

@pixeltofu:

Cool thanks! Got it working by disabling the DHCPv6 server and changing the Router advertisements to unmanaged!
The Androids also work now!

Why should I change the internal IP's to /24? What's the advantage of it? It's just my internal network?

You'll almost never need the full /16 for one network segment and even if you try to do that you'll run into serious performance problems with that many clients on the same broadcast domain. A /24 is the best compromise in a single broadcast domain for number available addresses, performance and manageability.

You have to qualify which interface you mean with a link-local address, as an example this is  from the FreeBSD ping6 manual page:

The following will probe hostnames for all nodes on the network link     attached to wi0 interface.  The address ff02::1 is named the link-local     all-node multicast address, and the packet would reach every node on the     network link.           ping6 -w ff02::1%wi0

Interesting…

O.K. well I've finished off most of the changes to dhcp6c now and that's all sorted apart from removing rubbish from the log like ctrl crud on startup, but that can wait. I'll see if I can find out why dpinger is not closing.

From my point of view, telekom don´t use DS-List ?!? ( see IP 79.XX in the dokument ).

What directions?  These https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

"but i found it weird that i couldnt unless going through my lan ip. "

So you were hitting your public IPv4 1.2.3.4 address from a box on your network, lets call it 192.168.1.100..  That would be NAT reflection.  And unless you set it up in pfsense then no its not going to work.  Unlike many consumer routers that have it on by default.

Here is the thing testing nat reflection is not a valid test that your port forward is going to work, be it with consumer router or pfsense.

@JKnott:

So why the difference with sending a renew on some occasions and not on others, when in both cases I just pulled the cable?

If you want, I can send you a PM to provide links to the captures, on Google Drive.  Then you'll be able to compare the 2 situations.

I'm not talking about renew I'm talking about release, two different things.

Under Services > DHCPv6 Server/RA, you can change the DHCPv6 range to be different - like ::2000 to ::3000 - then at the bottom of the page is where you can set up a static DHCPv6 entry for the host you want.

However, you'll need to know the DUID of the host, so it might be easier to have it pick up a lease first, then add a static DHCPv6 entry from the Status > DHCPv6 Leases page by clicking the white and blue + button on the right side of the table.

Solved. This turned out to be an ISP side routing issue. Like in https://forum.pfsense.org/index.php?topic=104583.0 , I was trying to advertise the /48 to the ISP gateway through SA, which is apparently not how it's supposed to work.

Testing with netcat6, I listened at a remote server for UDP packets and sent one from the LAN. It went through. So in fact LAN->Internet was working, but replies (Internet->LAN) never came through.

This was resolved by the ISP setting up a separate link network {linkprefix}::/64, and then routing {prefix}::/48 <-> {linkprefix}::1/64 (ISP GW) <-> {linkprefix}::2/64 (Pfsense) <-> LAN. (No route daemon running on pfsense, only static configs at ISP side.)

Unfortunately, I never found out why/how Internet<->Pfsense traffic worked before (regardless of Pfsense box's address), if there were no routes set up at ISP's before. Maybe their gateway added my Pfsense box as a single host to their routing tables through IPv6 Neighbor discovery or something.

Another good source of info is "IPv6 Essentials".
http://shop.oreilly.com/product/0636920023432.do

@Derelict:

FWIW mail.yahoo.com hangs for me too on HE tunnel but not on centurylink native. Haven't has time to look at it further and, after all, who needs ANOTHER reason not to use yahoo mail?

Haha, I hear you. I have several yahoo mail users complaining about this. Unfortunately, this is one of those examples of "old habits die hard."

@apple4ever:

@bimmerdriver:

It's definitely worth looking at a tunnel. If there's a server close to your location the throughput may be quite close to the throughput of your link. However, recently, I've been unable to access mail.yahoo.com through the tunnel, although I have no way to determine whether the problem is caused by the tunnel, yahoo's network or possibly even pfsense. Aside from that issue, the tunnel has been rock solid since I started using it, which was several years ago.

I decided you are right, so I set one up. Love getting a /48, and having a static IP. Makes things so much easier. Hopefully I won't run into issues like you did (luckily I don't use yahoo mail).

Have you done anything with delegated prefix? I'm trying to add the range, but its giving me an error that doesn't make sense:

I'm trying to delegate a /52 using the range of 2001:470:1234:1000:: to 2001:470:1234:1fff:ffff:ffff:ffff:ffff but it give me an error:

"Prefix Delegation To address is not a valid IPv6 Netmask for 2001:470:1234:1000::/52"

Except all the subnet calculators tell me it should be valid.

Help?

Don't forget to set up the dynamic dns if you don't have a static ipv4 address.

Sorry, haven't delegated a prefix. I'm only using a /64. Not sure why it's not happy with that.