Running both IPv4 and IPv6 over the same IPv4 only GRE tunnel actually seems to work over the same tunnel now! The IPv6 link-local addresses that are set on the IPv4 GRE tunnel works fine to use as p2p link for IPv6 traffic. I needed to set the remote IPv6 link-local address as IPv6 default gateway, then everything started working.

Remote end (Cisco router) is using static IPv6 routing with the Tunnel interface as route, thus using all available IPv6 addresses to route the traffic to pfsense, including the pfsense link-local address on the GRE interface.

Success!

//Staffan

I've started using RA in Stateless DHCP mode and have enabled DHCPv6 to hand out DNS addresses. This seems to work fine for Windows 8.1 machines on my network but Windows 10 doesn't get the IPv6 DNS server addresses. Is this a problem with Win10 or pfsense?

Yes the tunnel was up. Thats what I couldn't understand. Its been working for days without issue. Anyway, I worked through the pfsense IPv6 tunnel guide and I found the problem! Under the gateway settings this option was UNTICKED:

This will select the above gateway as the default gateway.

So I ticked it and its all working now!

I have a public static IPv4 address so it wouldn't be this. I'm just not sure WHY this box was unticked and it stopped working. Very odd.

@razzfazz:

System -> Advanced -> Networking -> uncheck "Allow IPv6"?

This fixed the issue. I didn't wait long enough  :-X

Thanks to everyone that helped.
I purchased an Arris modem TM822G, and I'm happy to say it works!

virgiliomi. How about more, Router advertisements and DHCPv6.

@Inq:

If you only have a /64 delegated by your ISP 0 is the only valid option for prefix id.

That would be great to add to the text on the web page just as it stands and it would explain the 0-0 option being shown.

No issues, my setup works fine.

…ct

Both DHCPv6 and RA are enabled on all 3 LANs almost identical setups (I have the domain name set different on two of the LANs).  My windows laptop can use IPv6 on my guest wireless but if I connect my phone or iPad it does not work.  Move the devices back to my LAN and they work just fine.

Assuming you have an IPv6 address on the LAN interface, and you have the RA on the LAN interface turned on, it should collect the prefix from the interface config.

A working config looks like this:

# Automatically Generated, do not edit # Generated for DHCPv6 Server lan interface em1 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference low; AdvManagedFlag on; AdvOtherConfigFlag on; prefix 2001:470:xxxx::/64 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; AdvValidLifetime 7200; AdvPreferredLifetime 3600; }; route ::/0 { RemoveRoute on; }; RDNSS 2001:470:xxxx::1 { }; DNSSL example.local { }; };

@zarje:

Pardon my ignorance but what do you mean by: pfSense uses fe80::1:1 for link local addresses if Track Interface is in use

If you receive a prefix from your ISP via DHCP then any inside interfaces (LAN, OPT1, etc.) that want to use a /64 from that prefix need to be configured for IPv6 as "Track Interface", then selecting the WAN interface as the interface being tracked, and the prefix ID to be used. With this setup, the pfSense interface will use a SLAAC address with the prefix, as well as configure itself as fe80::1:1 for link-local.

But if your interface has IPv6 configured static, then the fe80::1:1 link-local address isn't configured by pfSense.

Unmanaged can assign DNS servers, as radvd supports RDNSS and pfSense configures radvd's RDNSS functionality. Unfortunately many common clients do not support RDNSS, including all versions of Windows 'out of the box'.

I did read about RDNSS but most of my network comprises of Windows clients so this isn't useful for me. Pity!

As things stand, pfSense 2.3 requires you to configure an IPv6 range if you enable the DHCPv6 server. I believe the underlying server is capable of running in a DNS server only mode by omitting any range6 statement, but I haven't tested this.

I need to test this still. I'd like to avoide DHCPv6 handing out IP addresses as I think having two (private and public) global addresses is enough.

Another thing you can do is set option 7 in DHCPv6 to 255, this will reduce the priority of the DHCP assigned IPv6 address, yes clients will still end up with 4x IPv6 addresses but they will prefer to use the SLAAC temporary address over the DHCPv6 assignment.

If you end up with 4 IPv6 addresses (3 of which are global) then I assume the public address is permanent (if the MAC address doesn't change)? I Know the privacy address can change daily (or whenever).

With so many addresses in a /64 assignment - 3x per host plus a link local still isn't many!

I'm just loving the power and flexibility of my IPv6 range!! Although I have two ranges from HE, I currently use the /48 which I have subnetted using a /64. I even have my reverse DNS (PTR) setup with HE and it all works great so far. I plan on setting up a new IPv4/IPv6 network from scratch in 6 months so I can't wait. Of course, pfsense has been amazing in all this too. My old Draytek had no chance of establishing an IPv6 tunnel with HE. I even had one of our comms guys at work setup and configure a loan Cisco router for me and the tunnel still dodn't work. When I received my pfsense box I had it up and running in about 30min  :)

@Com:

Well that is strange. I've tried everything I can think of and the DNS server doesn't get assigned until I give a range greater than 0. When the range is greater than 0 it gets the dns server perfectly fine and ends up with two ipv6 addresses (one slaac and one dhcpv6). Not the end of the world as I've got one or two of them to go around in my /64 :)

The on interesting thing is that they are both listed as Preferred. I would think that only one of the IPv6 addresses should be preferred.

Thank you,

I blame Microsoft, Windows clients (I don't often use mine) don't collect the DNS servers from the RA packets.
So in the windows world if you want to provide DNS over IPv6 then DHCP is for you, the other suggestion I have is to set option 7 to 255 on the DHCPv6 server to make the client prefer to use its SLAAC address rather than the DHCPv6 assignment.

Great, thanks for the help. I will have to play around with it.

Further discussion in https://forum.pfsense.org/index.php?topic=110109.0

Easy to do - we always expect /48 and /64 assignments :)

Judging by your description initially, it seemed like you had a PD-assigned subnet, and were sending traffic out your WAN, but it was just disappearing somewhere upstream. Probably was something on the modem that flaked out from the sounds of it, or maybe Comcast missed adding a PD route for your delegated subnet and power cycling the modem fixed that upon your next DHCPv6 request. Glad that worked. Might want to try rebooting only pfsense to make sure it comes up clean after a reboot.

Upgraded to 2.3 and I can confirm that radvd doesn't start when it is marked as disabled in the GUI.  :D

Upgrading to pfSense v2.3 broke my IPv6-connectivity. :-)  Need to take a look at it when I get home tonight.

EDIT: Sorry. A new reboot was needed. Everything working again. Not sure why it never came up the first time.

@cmb:

Guessing maybe you were just trying ICMP? There was a bug in the GUI's firewall log display for ICMPv6 in versions pre-2.3, where it'd be in the log but not displayed in the GUI.

No, I was running a web-based IPv6 SMTP test, and also trying to access IMAP via my phone (also IPv6). Both attempts always timed out, but when I moved my rules over to the tunnel ruleset they started working… never saw any block messages.