Same problem here, LAN won't get any ipv6 address. Radvd gives same error over and over again. P.s. WAN works just fine. PFsene can ping and traceroute over ipv6.

Jan 2 12:17:29 radvd[14977]: IPv6 forwarding seems to be disabled, but continuing anyway. Jan 2 12:17:29 radvd[14977]: IPv6 forwarding setting is: 0, should be 1

With the /60, you could set up a second network (i.e. for guests to your home) and allocate a /64 for that network… I'd say you could use a third /64 for any servers, if you wanted to keep them separate from your LAN, but I know Comcast  looks down upon running servers (unless you happen to have their 2Gb fiber service). You could also delegate a block to a downstream router... so if you happened to be in a situation where you have a roommate, you could delegate a /64 or /63 to them to keep their stuff separate from yours.

Hi cmb,

I configured only a few things – all other options are in default.

Configured:

WAN (hn0): Static IPv4, Static IPv6 (in unique local fd00::/8 range) + gateway to another IPv4 / IPv6 router

LAN (hn1): Same, without GW

NAT: Disabled

FW: Pass all IPv4/6 on WAN and LAN (I’m building testing environment so security isn’t my concern right now and I’m going to add rules later)

DHCPv4/6 and Router Advertisement: Disabled

DNS Resolver: Disabled

basically – it’s just a router…

Windows Servers that are in several subnets and should communicate each other get IPv6 addresses from pfSense. That’s problem since Windows Servers (their interfaces are in default so RA is enabled) have configured static IPv4 and 6 (fd00::/8).

When radvd is up then Windows Server gets another IPv6 and I can see lease in "Status: DHCPv6 leases" section. Windows Server then tries to communicate with another in different subnet using IPv6 from DHCPv6 and that’s not possible since another router doesn’t have correct static route (IP from DHCPv6 has different subnet).

@Alex:

@David_W:

Choose DHCP6 and configure it for Prefix Delegation only. You will get an IPv6 address for your WAN interface via SLAAC if your ISP supports SLAAC.

If you are using PPPoE for your WAN, you might find the patch I posted yesterday in the IPv6 forum to be helpful.

Did you need to use that patch for your Zen connection or is it only a problem with certain ISPs implementations?

That patch addresses two issues in pfSense.

Firstly, the interface ID is usually random on the first connection after boot. When SLAAC is in use, as in Zen's IPv6 implementation, this leads to a random lower 64 bits of the WAN IPv6 address. The patch is imperfect, as it does not result in the same interface identifier following a disconnect and reconnect, though I will address that in time and update the patch.

Secondly, it prevents dhcp6c from being started twice on the same connection, which results in significant brokenness when it occurs. This issue seems to affect a relatively small number of people using 2.2.5 and 2.2.6, but it needed addressing. I haven't personally experienced this issue, but it's something of a show stopper for those affected by it.

@chamont:

neiltiffin, Do you have Comcast business or residential? I can't seem to find a straight answer (yet) on < /64 for residential customers (which I am).
Monty

Residential and it is hit and miss.  Checked it today an no IPv6.  Uptime 47 days.  Rebooted and IPv6 is back.

A workaround is to use SLAAC as IPv6 Configuration Type on the LAN. Works well.

Even tho i seem to be talking to myself, i give it a go (again).

Had a 7 day "streak" without any incidents, but the previous night i had a WAN disconnect according to the logs. This in turn lead to me loosing ipv6 a few hours later. Now, i wonder, could it be that whenever i loose WAN connectivity something "hangs" in that RA wont broadcast/refresh my prefix until i either reboot or restart wan? (By saving wan settings and applying without actually changing anything).

It could be just a coincidence that i had 7 days uptime on WAN now vs. before changing nic's, as it usually happen at night (2 pm ish), which COULD indicate some ISP maintenance or something like that. Anyway, the thing is that it does seem as when WAN link goes down, something weird will happen with my prefix.

I just upgraded to 2.2.6 today, but havent really had the chance to study the patchnotes yet, so not sure if this is something that is specifically addressed there tho.

C

HowTo (In Dutch) for the scenario (pfSense, XS4ALL and IPv6) can be found http://blog.firewallonline.nl/how-to-en-tutorials/xs4all-pfsense-opnsense-ipv6/.
Using it myself and working ok. Beware that there is a nasty bug: https://redmine.pfsense.org/issues/2762 preventing normal IPv6 usage with pfSense (slow loading sites).
That is why I use 2.3 alpha.

The only difference with my scenario is I skipped out de FB and working with VLANs on WAN side.

To reduce potential problems: use MTU=1492 and MSS=1472 on WAN Interface

For that issue in particular, apinger has been replaced with dpinger in 2.3, and that's something we're in the middle of working on right now. So not something we'll pursue with apinger since it's gone in development versions. We'll make sure that scenario works in 2.3.

why would you need to add that to pfsense routes?  If you want your vpn client to use the ipv6 tunnel to get to other ipv6 networks other than the ones you list then yeah you prob want to push that route to your vpn client

In the advanced box
push "route-ipv6 2000::/3"

@kobold:

Does this mean that after setting up the WAN interface / (re)boot, I always have to disconnect and connect the PPPoE twice?

Yes. And control the process with (kill -9 PID).

First time you will get rid of the "privateextension"-address (good), but there seems no proper/reliable cleanup of old PID dhcp6c. (bad). Therefore second time will assure you one valid PID on the proper fe80::, so to keep the hourly & mandatory 2-hourly lease renewal with ISP on fe80:"MAC".

FYI: something strange in Status-Interfaces(PPPoE) are the value's for Link-Local & Address. I would expect Address to be based on pfSenseBox-WAN-MAC and Link-Local on the pfSenseBox-LAN-MAC. Now it is both on pfSenseBox-LAN-MAC (!?). In 2.2.4 Address was based on pfSenseBox-WAN-MAC. Typical design question…

Oh, and work with forced MTU 1492 (WAN & LAN's).

<sarc>About need or grief or learning… Track interface. Once your refrigerator is aware with its MAC, it will talk to kaymart about the eggscontainer because you allowed RA assisted or unmanaged, SLAAC ;). And don't you love it, the 2-way audiovisual SmartTV. Nah, IPv6 will ease national security applications.</sarc>

ISP-native or cloudy GE-tunnel does it matter ?

I use IPv6 pfSense for explicit outbound allowance, so create static LAN's and use DHCP6-server an RA managed or just create static server(hosts) for LAN's...

Not that i have the all-knowledge of stuff tho, but this HAS been covered a lot of times before :)

Anyway.
1. You can ofc. have both ipv4 and ipv6 addresses on your gear. That way you will "always" be able to connect to the ipv4 address if that is a concern :)
2. If you do not want to use ipv6 at all, just disable ipv6 on the lan/wan interfaces + you can remove the check in the box under System -> Advanced -> networking : Allow ipv6 (That way, ipv6 is disabled throughout pfsense)
3. There are different ways of setting up ipv6 for your internal devices. Several posts here on the forum about timewarner and ipv6. The easiest "out-of-the-box" setup should be to set WAN interface to "dhcp6", and LAN interface to "track interface" on the ipv6 box. You may have to fiddle around with the prefix size (dont remember for timewarner). If that works, your internal lan clients will get their ipv6 addresses from your isp via pfsense prefix delegation (PD). This wont make for static ipv6 addresses, or you having a direct influence on who gets what address.

If you want to have static ipv6 addresses on your LAN, and use different network prefixes++ this can be achieved with running a internal dhcpv6 server and assigning addresses in a sense like you have with ipv4 although this is a much more advanced setup :)

If you want to setup the latter, im sure this has been covered in many posts on the forum aswell :) Hopefully you got a couple of answers even tho im by far any expert in the field. Please correct me if im totally off tho :)

C

I just want to say thanks to everyone who tried to help me on IRC and Reddit. I ended up solving this issue. The fix was to call up TWC and they changed my cable modem to put pfsene into bridge mode. Before I called them I had psfense in a "Pass Through" mode on the Ubee cable modem. I thought that was all I needed to do. With that setup I actually had a network on the cable modem and on pfsense. I also had an addition wifi hotspot coming from the cable modem.

Once TWC put the modem into bridge mode, I could no longer access the cable modem interface. Wifi stopped as well. However, my pfsense start getting IPv6 addresses for my clients on LAN!

Just in case anyone is wondering, the pfsense configuration is pretty much the same as in http://theosquest.com/2014/08/28/ipv6-with-comcast-and-pfsense/. I did also add a Firewall Rule to blcok all IPv6 traffic coming into LAN from outside of LAN.

I also changed the DHCPv6 Prefix Delegation size to 64. 63 didn't seem to work, but I might try again with 56 or some other number lower than 64 to get another IPv6 range for GWN

@empbilly,
Forget what you've been doing with IPv4 subnets.  The general consensus in the IPv6 world is that the "subnet" is no larger and no smaller than /64.
That leaves you with 64 bits of usable host addresses in a single subnet. 
To put that into perspective 64 bits = The entire world's Internet MULTIPLIED BY The entire world's Internet, and there would still be loads of addresses left over squeezed into a single IPv6 subnet.
Technically when using only SLAAC its less, but still >40 bits.
The only place where you'd see a netmask larger than /64 would be in the case of RA prefix delegation on a router where it is expected that other routers on the same subnet would take  the prefixes, again a /64, to use on one of their other interfaces.

Android devices support SLAAC tho.

Setting pfsense dhcp6 server to "Assisted" should make ipv6 come alive on the android clients.

C

Yes, but the point is why do I ever need this rule in first place, in order to get the ipv6 connectivity to work :-/

Thank you so much, it's working now :-)