It's a bug in netgear IGMP Snooping

https://community.netgear.com/t5/Smart-Plus-Click-Switches/GS724Tv4-Enabling-IGMP-Snooping-on-a-VLAN-Breaks-IPv6-on-that/td-p/995071

@johnpoz:

Dude I have been PUSHING for many years..  The problem is I work for a tier 1 telecom subsidiary, the service branch..  And if the customers don't ask, then they don't do ;)

Believe me if was working at my old enterprise sort of job, would of been on ipv6 years ago there.. Where I had some input to overall direction for the enterprise.  Current position is more a fire fighter to why something is not working that I rarely had any say on the design of..  Or on some projects just the banana bender - make this happen.  Shit I have been complaining for years as well if your not going to use IPv6 then you shouldn't leave it unconfigured on the images your deploying..  Which finally got some traction when I showed them the % of traffic that is noise when 400 machines on just 1 segment with the default windows setup produces related to ipv6 when you leave it default out of the box.  Not multiply that by all the other segments with 1000's of more machines and producing a bunch of noise your switches have to handle for no reason at all..

As of late I no longer in the DC side of things other than when problem to fix, and more wan, etc. So even less input to what they do in the data centers.. I can see their point though - until such time they have a customer that needs/wants ipv6 there is little need to fire it up in a data center that is all rfc1918 space other than the edge.. And when you have a /16 of public space to work with and using a very very small % of that ipv6 doesn't really scream required..

I have been playing with ipv6 for many many years.. Got my free sage tshirt back jan of 2011 from HE ;)  I have been pushing for it, have had ipv6 on my network for years!!

We've had ipv6 since around 2012. It's amazing how much traffic will be carried over ipv6 if you have it available. I don't watch it closely now that I'm using pfsense, but when I was using sophos utm it emailed me a report every month. Some months it was 80-90%. And that was using a hurricane electric tunnel, which I will continue to use until pfsense 2.4 is released (hopefully with the RA fix). At that point, I'll switch to native dual stack. The latency and bandwidth of ipv4 and ipv6 are the same, if not better for ipv6.

@stan-qaz:

Do you have pfSense set to ignore the modem's default internal address? I use this for my SB-6183 on Cox Cable.
…
To make the DHCP client reject leases from an undesirable DHCP server, place the IP address of the DHCP server here. This is useful for rejecting leases from cable modems that offer private IP addresses when they lose upstream sync.

Just a note that if you do this, you won't be able to check your modem's status page if it loses sync with your ISP for whatever reason. So if your modem is rebooting and you want to check the signal levels, event log, or something else, you won't be able to since pfSense is ignoring the modem's DHCP server.

This is fixed for me now, it was a configuration error on my side. The reason for the reloading of settings was that in Telekom's new BNG network the DHCPv6 would not hand out an IPv6 address for the WAN interface, only DNS server addresses and the delegated /56 prefix comes in via DHCPv6. Because of the empty addresses part of the DHCPv6 reply, dhcp6c would retry the request after a timeout of 0 seconds. In the new BNG network the address for the WAN interface comes in via Router Advertisement.

This is now fixed for me by checking "Request only an IPv6 prefix".

IIRC in the "old" Telekom network, the WAN interface would also get an address via DHCPv6.

confused - why are you trying to use the /48 as your transit.. You are using downstream routing at your pfsense router.. So your carp would be your transit network, which looks with that 48 to overlap all your downstream networks.

@doktornotor:

Huh? That thing does not even test IPv6. There's nothing wrong with 1480 in the first place.

Yeah I hear ya, all I know is if I change my lan settings to 1480 pfsense starts working but I am unable to get to speedtest.net.  If I turn v6 off all of it works, so its something to do with the 6rd, most stuff works when the mtu is blank but I noticed a couple sites like pfsense forum and netgate not working.  Not sure how to figure what the real issue is and what needs to be corrected but something is still not 100%.

The other issue I appear to have is if I change my MTU settings on my lan the lan card on pfsense goes sideways, I have to reboot my box to bring it back on line, not sure whats causing that either, ughh.

"I'm an ipv6 novice"

Doesn't sounds like you should be running a email server on ipv6 then ;)

"but experimenting with IPv6 to be prepared for the eventual change."

And I commend that fully.. I dabble with ipv6 myself to keep my hands in it for when might actually use it at work..  Which is truly lagging, I will most likely be retired before ipv6 is fully mainstream to be honest..  I would suggest go take certs tests from HE, you can get a free tshirt when you pass sage level.

I by no means am a dhcpv6 expert, but what dok mentions is going to be where you get started.. The DUID is going to be per machine, and this is normally how a dhcpv6 would give you your IP.. Its not going to give you multiple because you have multiple interfaces in the same network.. Now this could be tied with the IAID I assume to allow you to have each interface get an IP in the same prefix.

You would have to read the rfc's to be sure.. And then again would depend on if pfsense supports that, and if your isp support that..

I don't really see when this would be useful though.  Such a setup shouldn't really exist.. Why would you put 2 interfaces from the same machine into the same network?  Especially on a ROUTER!! You might do it on some host I guess serving up websites or something on different IPs.. But on a router - no.

Simple solutions to your problem.. Use different isps ;)  So each interface would get its own IP in its own prefix..  Use HE for ipv6, you could for sure setup tunnels on each interface.

Even if pfsense supports having each interface get an ipv6 in the prefix, doesn't mean your ISP does.. You could contact them - good luck with that ;)

I guess the WAN 'tracks' something for a list of LAN's - this list will be setup explicitly when the WAN is set - this list will be populated when all the LAN's exists AND when WAN is saved.
Something like that ^^

I can understand why ISPs might not want to statically assign non-business customer prefixes, as the customers may come and go.  However, through the use of the DUID, the assigned address should not change, at least not for the lifetime of the DUID.

Hurm. definitely related to RA.

ip -6 neigh (from a linux system) doesn't show any routers prior to pinging the router ip.

after pinging the interface's ipv6 address on the router everything works and ip -6 neigh shows the router as reachable

Are you using the same prefix ID as on your LAN interface?

If so that would be an issue.

I have a 6rd configuration as well and can get a separate ipv6 subnet allocation on my other internal interface, but I can't get it to pass any ipv6 traffic.

@timmiet:

here is my full setup.
comcast modem/router (DNS and DHCP on)-> pfsense 2.2.4 (DNS and DHCP off) -> Server 2012r2 (DNS and DHCP on)
server has a static IPV4 but IP6 is Obtain automatically.
from pfsense I can ping tcpip6 from server I can not.

comcast router IP 192.168.107.1
PFSense IP 192.168.7.1
Windows Server 192.168.7.10

I'm very very very very TCPIPV6 stupid please help.
:)

To start, I would test with a computer connected directly to the Comcast modem. If that doesn't work, you will never be able to get a Comcast to Pfsense to (same) computer to work…

@doktornotor:

Uhm… instead of trying random prefixes, you should find out HOW does your ISP deliver IPv6.

Yes, the first place one should look.  I was not able to find that info.  Info I did find was generic and had no date.  It apparently referred to the rollout from several years ago.  Other posts showed different values so I tried some.

One suggestion I read was to plug a win machine into the modem.  I don't have a win machine.  I've been thinking of trying that on my wife's macbook but only as a final option to confirm if an IPv6 addr is obtained.

I'll keep searching for more info.
thanks

@doktornotor:

Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088.

@jtl:

As I test I used```
nc -6 -l 8088

I created another rule for port 8088 and that works. Here's a bit of a cluttered screenshot showing it. Left window is remote server, and right is netcat.

https://i.imgur.com/xGUavMh.png

Need to read up more on IPv6 sometime.

@pixeltofu:

Cool thanks! Got it working by disabling the DHCPv6 server and changing the Router advertisements to unmanaged!
The Androids also work now!

Why should I change the internal IP's to /24? What's the advantage of it? It's just my internal network?

You'll almost never need the full /16 for one network segment and even if you try to do that you'll run into serious performance problems with that many clients on the same broadcast domain. A /24 is the best compromise in a single broadcast domain for number available addresses, performance and manageability.

You have to qualify which interface you mean with a link-local address, as an example this is  from the FreeBSD ping6 manual page:

The following will probe hostnames for all nodes on the network link     attached to wi0 interface.  The address ff02::1 is named the link-local     all-node multicast address, and the packet would reach every node on the     network link.           ping6 -w ff02::1%wi0

Interesting…

O.K. well I've finished off most of the changes to dhcp6c now and that's all sorted apart from removing rubbish from the log like ctrl crud on startup, but that can wait. I'll see if I can find out why dpinger is not closing.