@JKnott said in IPv6 subnet lan vs wan: Another issue might be how he's connected. Correct. And also it is an issue what device manage the connection between pfsense and ISP. A device in modem mode or one in router mode. A device in router mode must also support the prefix delegation to devices in its subnet. Not all do provide that. For example the Draytek Vigor 167 provide router mode and modem mode. But the router mode does not support prefix delegation to devices in the subnet. So for prefix delegation the Vigor 167 needs to be in modem mode then the pfsense will manage the prefix delegation, or it wont work.

@JKnott I cannot answer your question "why?"... :) But I can report that here in Germany ISPs I know do that as well. Maybe not every 24 hours, but often enough that using those prefixes breaks everything after a change. So: don't know why they still do it (I guess it's just another dumb implementation of v6 as seen so often), but they do it anyways.... That's why I use those global prefixes that change thanx to my German ISP as well as my "own"(not changing) unique locals....for rules and such. It's depressing but that how some big players really make it tedious to use v6 in my opinion...

@snipleeagle8 As I mentioned, it normally happens with SLAAC in the router advertisements. I have never used DHCPv6 on the LAN side, but I expect it would be the same. Are you using SLAAC or DHCPv6? Can you do a packet capture, filtering on ICMPv6, and post the capture file here?

@Jung-Fernmelder What you can do is use Unique Local Addresses, in addition to global addresses. You then use the local DNS to point to the ULA address, rather than GUA.

@tuanson84uk Are those clients Android devices? They don't work with DHCPv6. Any reason you need it? I've been running IPv6 on my home network for over 14 years and have never needed it.

@DataIdeas-Josh said in Force RA to send different IPv6 gateway.: Is there a way to force the RA to send a different IPv6 rather than the pfsense's routers IP? It's supposed to use it's own address. I'm not quite sure what you're trying to do, but you can have multiple gateways on a LAN and give them a priority, up to 3 of them. You can set priority on the Router Advertisement page.

Hi, I was seeing the same error, mostly with this IP list: https://api.gcore.com/cdn/public-ip-list Since ASN are currently not resolved and for reliability, I'm loading the lists from an internal repo anyway and tried my best to remove or reformat "problematic" IPs - without success. Then I had a closer look at /usr/local/share/pear/Net/IPv6.php and compared it to the public source. It seems that, at least in my case with pfBlocker 3.2.0_8 on CE 2.7.2, the file is missing an old fix for this problem: https://github.com/pear/Net_IPv6/commit/70080426d3ac9da4908f9277824694e5eda68985 After changing line 684 from $fill = str_repeat(':0:', 6-$c2-$c1); to $fill = str_repeat(':0:', max(1, 6-$c2-$c1));, the error is gone.

@JKnott said in WAN with /64 Delegation: BTW, I've had the same prefix for around 5.5 years. I have the same prefix since my parents met.

@Bob-Dig said in IPv6 tunnel broker websites showing in German: french guy Who ? There are some here.

I am not sure why everything is working, but it's working. Perhaps my configuration will be of assistance in the future.

@JKnott said in Services / Router Advertisement - DHCPv6 server - strange behavior: Thanks to some genius at Google, Android does not support DHCPv6 Same genius at Google for its Chrome OS ;-) Does also not fully support RFC 3315 See: https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems

@NickyDoes yeah a /56 is lot of /64s for testing and playing with ;) Best practice is /64 for any segment you want to break out.. Even if it only has a couple of devices on it.. It seems insane when you first start playing with Ipv6 to be honest.. Since a /64 is so freaking huge when it comes to how many IPs..

Following the info on the link provided worked so i'm all good to go. Thanks again

@ChrisJenk Well, I you'll have to see what the flags are when whatever fails.

@the-other Success! This issue was a layer 2 issue: I hadn't configured one VLAN switch port's VLAN ID, a simple oversight. Return traffic wasn't reaching the pfSense interface. Whittling away the unknowns.

@guardian said in Very Basic IPv6 security question.: Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN. I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.) IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network. Am I correct, or do I need to take measures to protect my network? My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN. P.S.: Any suggestions as to helpful learning resources would be much appreciated. You can access the web gui over IPv6. So make sure you sure that fyi Example every interface can access the firewall gui unless you block it... [image: 1722224655273-screenshot-2024-07-28-at-20.40.46.png] Test it and see..

@johnpoz I have no idea, it only does it with iMac in safari browser with IPv6 enabled. That port 149 is not a standard port used often also. It makes no sense why it would be showing up so much.. thanks for verifying this with me.

Hi, Since you are using IP passthrough for IP4 why not do the same with IP6. I do not have static IP and do it this way. I guested at the settings having looked all over for configuration settings with AT&T. Comcast was much easier. I am definitely not an expert with this. WAN has DHCP for both IP4 and IP6 I have the following DHCP6 Client configuration boxes checked Send IPv6 prefix hint Do not wait for a RA. I get a /128 IP for the WAN. On the lan side. I know of 2 settings that work for a LAN network with no VLANS IPV6 Configuration Track Interface or Type Static IPV6 (Will probably break if IP6 changes on WAN) With tack interface: You select the IPV6 Interface (WAN) You should get an IP6 for the LAN and mine was a /64 At this point I get IP6 addresses for all the devices on the LAN interface. Problem with this setting is that I have VLANs setup and those VLANs don't get a IP6 address. This works but probably isn't correct. You can also change the LAN to static. I did this using the prefix address and selected an IP6 address with a /64 address. I used an IP6 calculator to guess at a correct IP6 address to choose. Routing and everything works for the LAN. The IPv6 upstream gateway is None. I was able to setup DHCP6 on the LAN with a range. Devices on the LAN can reach the internet via IP6 I have not been successful figuring out how to get IP6 on the VLANs yet. Hope this helps.

@NickyDoes If enabled, it uses RDNSS to provide the IPv6 server address. If not enabled, then you have to rely on DHCPv6 to provide is. If you don't have DHCPv6, then you have to rely on DHCPv4 DNS to provide an IPv4 DNS server address. However, whichever DNS server you use, you will get back the exact same info.