True, IPv6 can be daunting at first, but the reality is that the most basic networking principles from IPv4 still hold; the Layer 2 part hasn't changed, you can't have the same subnet on two interfaces on the same box (except fe80::/10), you have to have routes to get your traffic from point A to point B. Oversimplified, but that's the gist of it.
It works. I get functional IPV6 on my router, however pfsense doesn't seem to want to let me advertise this to clients on my lan.
Also, there seems to be no choices/combination of options to do PD on a normal WAN interface. in the 2.2.5 changelog, it said IA-PD changes were made for PPPoE users.
You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
[The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]
Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
Look in System: (routing) Gateways for your correct route.
For Static on hosts use RA + Router Only
For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
For SLAAC from hosts use RA + Unmanaged
Everything works now. Ports are reacheable though IPv6.
Final routes can be found from the attachments.
You may do an traceroute6 to mail.sami-mantysaari.com to check. :)
Technically, there is no limitation to the number of interfaces that a system can have with the same link-local IP. https://tools.ietf.org/html/rfc4007#section-5
This is because the interface's name must appear in it's use in order to select it.
ie: ping6 fe80::dead:c0de won't work because it won't know what interface to use. You must use ping6 fe80::dead:c0d%em0.
That being said, FreeBSD 10.2 is perfectly happy with 3 interfaces configured as fe80::1, besides lo0 is also fe80::1.
I've developed a fix, which is in recent 2.2.5-DEVELOPMENT snapshots. If this solves the problem, please comment on the bug to reference this thread and say your problem is fixed.
Sounds like there is another device on your LAN segment that is wanting to be a router.
Indeed. radvd is telling SharkBit that another device is advertising a DNSSL local domain and O bit that are different to those being advertised by pfSense.
If pfSense is the gateway, the announcements from the other device (whatever has the link local address of fe80::feb5:8fc9) should be disabled.
If you suffer from this, System -> Advanced > Firewall/NAT and Disable reply-to rules (tick the box).
Not sure what multi WAN ipv6 users can do to fix it.
I'm less convinced that the problem is on the comcast configuratoin part if anymore.
I noticed from the firewall logs that most of my ipv6 traffic is simply being blocked when this occurs, and if i attempt to reload the filter rules a handful of times, it eventually starts working.
I did run into a problem with there appeared to be some race condition where my ipv6 rules wren't being applied so maybe it's related to that.
I'm getting centurylink fiber pulled next tuesday, and they use 6rd, so I'm not going to bother digging into the current problem and see what happens when the centurylink connection is up.
After some experimentation, I've determined that the DHCP leases file in /var/dhcpd/var/db has to be manually edited or deleted if you decide to make the prefix delegation mask shorter at any point, for instance if you go from a /64 prefix delegation size to a /60.
This is because the leases file contains previously allocated leases, and despite the fact that the client is asking for shorter mask (/60 for instance), continues to hand out the same subnet (/64) as it had previously.
Thanks,
–Andrew
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
