• What ipv6 address should I put on the pfsense lan

    5
    0 Votes
    5 Posts
    1k Views
    JKnottJ
    That /48 is 65536 /64s.  You normally configure the router to use one of those for each LAN or VLAN.  This is done in pfSense on the LAN tab in IPv6 Prefix ID.  Normally, it's 0, for a single LAN, but you'd choose another for other LANs/VLANs.  One deficiency I've noticed with pfSense is that it only accepts values between 0 & ff, which will only cover a /56 block for 256 networks.  So, most of that /48 will be wasted, unless you use a different router that properly supports a /48.  Of course, I don't think most users will have more than 256 LANs/VLANs.  ;)
  • IPv6 DHCP server on multiple VLANs

    3
    0 Votes
    3 Posts
    2k Views
    G
    Prefix IDs are assigned and all internal VLAN interfaces have an address with their assigned prefixes.
  • Disable accepting RA advertisements on an interface

    6
    0 Votes
    6 Posts
    1k Views
    D
    Thanks for all replies! I contacted my service provider and they suggested a workaround that actually worked  :) The /64 network that they provide apparently has some issues and they suggested to ditch it and just get /128 address from the dynamic pool. After that reconfiguration I do not receive RA from them any longer and the rest of configuration worked like a champ. Thanks again for your input.
  • "Hide" IPv6 from certain devices?

    6
    0 Votes
    6 Posts
    3k Views
    forbiddenlakeF
    So I'll want to use this for a few days to confirm, but .. It appears that manually setting the DNS servers in the RDNSS settings fixes this.
    Entering Google's DNS -> works
    Entering one Google and the pfSense's IPv6 LAN address -> works
    Leaving it blank -> broke
    Entering only pfSense's IPv6 LAN address -> broke
    Troubleshooting suggestions welcome ..
  • IPv6 PPPoE - LAN bridge0 - pfsense can ping6 - LAN clients cannot [SOLVED]

    11
    0 Votes
    11 Posts
    2k Views
    F
    @workingman: Quick question for you though.  Have you modified the interfaces.inc like https://forum.pfsense.org/index.php?topic=64175.0 or did it just work? I did with no modifications. Just enabled all from the gui.
  • IPv6 not disabled in mpd.conf w/ IPv6 GUI option set to 'disabled'

    2
    0 Votes
    2 Posts
    1k Views
    bill_mcgonigleB
    Well, this solves my problem.  Not sure it's exactly right for IPv6 use cases. --- /etc/inc/interfaces.inc-dist        2017-03-09 02:08:06.689241000 -0500 +++ /etc/inc/interfaces.inc    2017-03-09 02:30:10.816229000 -0500 @@ -1776,10 +1776,17 @@ default: {$ppp['type']}client:         create bundle static {$interface} -      set bundle enable ipv6cp         set iface name {$pppif} EOD; + +        if (!empty($ifcfg['ipaddrv6'])) { +              $mpdconf .= <<<eod<br>+        set bundle enable ipv6cp + +EOD; + +        }         $setdefaultgw = false;         $founddefaultgw = false;         if (is_array($config['gateways']['gateway_item'])) {</eod<br>
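    Review bot: The guard `if (!empty($ifcfg['ipaddrv6']))` around `set bundle enable ipv6cp` treats any non-empty `ipaddrv6` value as a reason to negotiate IPv6CP, and nothing in the hunk shows which values that field holds when IPv6 is switched off in the GUI. Test for the specific settings that are meant to enable IPv6 on the PPP link instead of relying on emptiness, and add a short comment above the `if` explaining why IPv6CP is now conditional. The line also moves from before `set iface name {$pppif}` to after it, so confirm the generated mpd.conf is still accepted in that order.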
  • Cox IPv6 working for a time

    20
    0 Votes
    20 Posts
    6k Views
    M
    Ahh ok I hope some of devs have access to pd setup somewhere… Otherwise I can make it available to collect necessary things...
  • Allowing access to internal servers with IPv6 DHCPv6 tracking

    11
    0 Votes
    11 Posts
    2k Views
    junicastJ
    @pfbolt: Without DHCPv6, which I assume would mean using SLAAC instead, how would pfSense know about the hostname? You are right. My first suggestion was not quite right. So your prefix might change. Then I'd suggest to give DHCPv6 a try with dynamic updates to your or someone else's DNS server. I got such a setup running for v4 but it took me some time, especially when it comes to the ACL who may write what into DNS… I don't know if and how it works with v6 but it should work.
  • Blocking access to internal nets

    17
    0 Votes
    17 Posts
    2k Views
    DerelictD
    Works fine. I never thought about it. I am native now and not really in a position to test it. What I get won't matter to you. It's what you get that will matter. Try it and see. It's free.
  • Dhcpv6 ipv6 ip via tethered Jetpack MiFi 7730L using if_urndis.ko

    3
    0 Votes
    3 Posts
    1k Views
    S
    Below is the ipv6 tcpdump for Linux where things fly right off and work perfect. Note… it doesn't seem like it's using dhcpv6. dhcpv6 carries on similar to pfsense... but avahi jumps in and joins the multicast groups and seems to go for it. In the end for dhcpv6 it seems to time out in the end after avahi completes ipv6 setup
    sudo tcpdump -i wlp4s0 -s 512 -vv ip6 or proto ipv6
  • PFSense Not Working with DHCPV6 or Stateless on tracking interface

    48
    0 Votes
    48 Posts
    17k Views
    B
    @phil1234: Hi there. I am new to this, but I think I have the same error, so instead of opening a new thread, I post into this discussion, hope this fits and is ok. pfsense 2.3.3 on a Fritzbox 6490. I also complain that the tracked interface has a different IPV6 subnet than the interface that is tracking, but share the idea that it must be me, otherwise more people would complain :) So I have my router (Fritzbox) that receives an IPV6 xxxx:xxxx:a59f:8700::/56. Behind it, I have pfsense with WAN, LAN and DMZ. WAN 1000baseT <full-duplex> 192.168.178.22 xxxx:xxxx:a59f:8700:20c:29ff:fe84:d9cf; LAN 1000baseT <full-duplex>; DMZ 1000baseT <full-duplex> 10.254.0.1 xxxx:xxxx:a59f:87ff:20c:29ff:fe08:cca. As you can see, the DMZ has 87FF, not 8700 like the WAN. That is bad as I think that makes it impossible for the devices in that DMZ to receive a 8700 address, which is needed for port forwarding. Fritzbox will not forward 87FF… if I change the prefix ID in the option tracked interface, it gives me more options, but I cannot get it to become 00. My WAN setting is set to DHCP6/64 with that hint-checkbox. My DMZ setting is set to track interface WAN prefix ID: 0. PS: Oh and I tried DHCP relay to the WAN-Gateway (FE80::.. Fritzbox) which didn't work either. And cannot use static as I've been told it will change often. A picture of your connectivity would be helpful. If you're connecting a pfsense to another router, the port should either be bridged through to the ISP edge router or the router pfsense is connected to must be able to delegate a prefix. Please provide screen captures of your LAN, WAN and dhcpv6 settings.
  • IPv6 no firewall log entries

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    yeah from those default rules then all unsolicited inbound would be blocked.. With such a huge space.. it's almost impossible to just do scans of the space.. Unlike ipv4 where you can scan for open ssh servers.. In 1 /64 you're talking 18,446,744,073,709,551,616 IPs you would need to scan ;) All of ipv4 space - all of it is total possible only 4,294,967,296 in comparison ;)
  • IPV6 setup problem

    5
    0 Votes
    5 Posts
    999 Views
    S
    Ok Doc. Your first patient is: Subnet: 128 bits Give it some 64 bit medicine and let's see if that unstops the DHCP server. In non medical terms, you forgot to set the subnet mask on your LAN address. pfSense chose 128 for you. You need 64. I like DHCPv6 only, no SLAAC. Firewalls just aren't ready yet for all the problems SLAAC is going to cause.
  • PfSense loses config on IPv6 interface after some time.

    3
    0 Votes
    3 Posts
    893 Views
    M
    OK, my bad.  Must have missed that.  Sorry for the confusion. //Dan Lundqvist
  • IPV6 through pppoe (xs4all)

    22
    0 Votes
    22 Posts
    6k Views
    H
    @haarweg: and what if I do want a public v6 address on my WAN interface? Can you give me a hint to make that happen? Because I want to do HTTP and OpenVPN to my pfSense box (with XS4ALL fiber). You have public IPv6 on any of your LAN's or box's as public. Because IPv6 is public exposure with just a (un)block away on the WAN-firewall IP:portnumber.
  • 0 Votes
    4 Posts
    1k Views
    B
    I should add, it's not obvious what the purpose of a WAN address on a residential gateway is. Possibly for the ISP to perform firmware updates. In the case of my gateway, it does not respond to ping.
  • Force DHCPv6 instead of SLAAC

    9
    0 Votes
    9 Posts
    3k Views
    S
    DHCPv6 in pfSense seems a little flakey but I suspect what is happening is that DHCPv6 won't enable until it sees ipv6 on the WAN and Track Interface all fall into place. I use pfSense for DHCPv6 on my smaller networks. On my larger networks I've graduated to using dnsmasq directly. Once you get used to what all a fully configurable dnsmasq can do, the DHCP servers inside any router brand look like cheap toys. Even routers that use dnsmasq are no good. They don't expose but a tiny fraction of what dnsmasq can really do.
  • DHCP problems

    3
    0 Votes
    3 Posts
    917 Views
    P
    @pmisch: I suggest to set radvd to Unmanaged instead of Managed in order for your clients to get stateless IP addresses. This should work. As far as I can tell DHCPv6 is not really ready for usage mainly because the different client implementations on the different OSes don't work really well. Thanks, I've done exactly that and created some overrides for the DNS Resolver just for the machines I have to access remotely so I can access them by names.
  • DHCPv6, SLAAC, and RDNSS no local domain hostnames in unbound on pfSense

    14
    0 Votes
    14 Posts
    9k Views
    P
    @kpa: The first address you get from SLAAC is fixed by the MAC address (within the given /64 prefix, I will use 2001:db8:: below) and you can use that to make a static host override on the DNS resolver/forwarder. For example if the MAC address is "00-11-22-33-44-55" then the EUI-64 (the 64-bit host id) would be ::211:22FF:FE33:4455. http://silmor.de/ipaddrcalc.html#ip6 With the EUI-64 known you can create the override as an AAAA record "myhost.mydomain.tld"  -> "2001:db8::211:22ff:fe33:4455". Thank you very much!!!, that was exactly what I needed. Now I have turned off DHCP6 and leave SLAAC for every client. I've created the overrides like you mention only for the ones I need to access. Thank you!
  • 0 Votes
    9 Posts
    2k Views
    A
    Okay, let's start again from right at the very top. I have a local network, and a HE Tunnel, and I want to connect the two together. I would like to allocate a multi-ip range to each machine in the local net (Prefix Delegation, if that's the right term) for virtual machines and service hosting, but that is not particularly necessary at this point (I can just bridge the networks and have them allocate as if they were full machines on the LAN, rather than VMs on a host). I have available 2 ranges. An allocated /64 at 2001:470:1f17:<blah>::/64 and an allocated /48 at 2001:470:<yadda>::/48 The HE tunnel is up and working fine on interface HeNet, with an address of 2001:470:1f17:<blah>::2 /64, talking to the gateway at 2001:470:1f17:<blah>::1 My clients are a mixture of Windows 10, Windows 8.1, Linux and Android devices, and I would like them to autoconfigure their settings as much as is possible.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.