So this is where your doing it?  See pic

On your CLIENT do an ipconfig /all.. what does it show for dns for the openvpn connection?

So for example I connect to one of my vps running openvpn..  Now can you do a query via vpn, do a traceroute do you go down the tunnel to get to the dns you provided?

vpndns.png
vpndns.png_thumb
dnsonvpnclient.png
dnsonvpnclient.png_thumb
dnsqueryandtrace.png
dnsqueryandtrace.png_thumb

Ok, little follow-up.

It looks like it's not possible (at all) to actually specify which address is advertised in a RA. I assume the host directly uses the source address of the RA

To speed up failover, one can hack the pfSense code which generates the actual radvd config and set MinRtrAdvInterval 3, MaxRtrAdvInterval 5 and, for the ::/0 route add AdvRouteLifetime 5. This reduces failover time to around 10 seconds - but I'm not sure if it is generally a good idea to mess with these values.

The fastest option (in terms of failover) seems to be actually not to use SLAAC in the first place, but to manually configure IPv6 on each host - to be able to specify the desired CARP IP as default gateway…

Does this make sense?

PS: Oh, just found this read: https://www.isc.org/blogs/routing-configuration-over-dhcpv6-2/

Yes, I already worked around the multiple P2 issue with a config edit and both come up successfully.

Tomorrow I'm going to try setting the network on the ASA side of the IPv6 P2 to ::/0 instead of the LAN address…

Doesn't revert anywhere here, as already noted. And no need to be clicking Save either.

Indeed it is. It comes enabled by default these days I thought. I never had to turn it on.

You can't use overlapping prefixes on the WAN and LAN side of your pfSense box ([PREFIX]:a300::/64 is a subset of [PREFIX]:a300::/56).

I am running ipv6 on 2.2.4 without any issues.  But I use a tunnel from Hurricane Electric, FREE, STABLE, FAST - WORKS!! Easy to setup and you get a /48 from them.  If you ask me most of the isp are not quite ready for ipv6..

This way doesn't matter!

And you can even setup PTR for your ipv6 addresses..  Does your isp let you do that ;)

OK, you need a MoDem transparent (pass-tru/bridged to PPPoE) -OR- a MoDem-Router that can act as a DHCP6-Server (like the Fritz!Box 7360).

@ancker:

I take full advantage of the 'register static DHCP entries in DNS' feature for IPv4.
I would like to do something similar for IPv6.
…
Is there a way to do this? I'd like for my internal hosts to start talking via IPv6 where possible.

Hopefully the ability to use DHCPv6 server with interfaces that are tracking another for IPv6 will be coming in version 2.3… that's likely still a ways off though. There will be lots of big changes in that version.

This won't help for EUI-64 addresses, but if you opt to run IPv6 in a "Managed" way (no SLAAC), then anything that supports DHCPv6 will go that route, while anything else won't use IPv6 (i.e. Android). This is an option that would (hopefully) also be available for interfaces that are tracking IPv6.

ref: post by cmb

@pra:

Perhaps you need to use a NDP proxy (same as arp proxy but for IPv6)
But i don t find it

It does not and should not exist. You don't need nor want to proxy NDP. WAN and LAN(s) must have distinct subnets with proper routing. The ISP must supply you with a /64 or larger routed to your WAN address.

@hda:

A prefix /60 gives you a collection of 2^4-1 subnets for your site. Each LAN, WAN node has its own unique subnet value, and such address has mask /64 …

Thanks for confirming that.  That's what i had guessed was occurring. 
But how would something like this work of the ISP does'nt provide you a /56.  For example, if their router only requested a /60, how would one allocate IPv6 addresses to WAN/LAN?

Also, why is this occurring when I try to request a /64:
And the LAN interface is tracking the WAn interface and it gets:
  inet6 xxx prefixlen 60

Where is the LAN interface getting this /60?

Thanks.

The firewall should hand out its own address for DNS in that case. There isn't a way to control it otherwise at the moment.

You realize that it allows anyone to completely bypass your firewall by simply sending fragmented IPv6 packets, right?

IIRC from last time I touched this damned thing - there are tabs to separately disable the IPv6 stuff only. Might be distro, NM version and init specific though. Probably better asked elsewhere.

Hello,

@Nick2253:

Can you set NPt destination prefix to track the WAN IP?

@jimp:

1. No, not yet (though it's a feature we'd like to see eventually)

Such a feature would be very nice. I need it for IPv6 load balancing (2xDSL with dynamic IPv6). Please add this!

Yeah, I'm definitely butted out of your "I have invented a /48 to use that noone routed to me and it doesn't work" "issue"…

Yes /48 on the WAN was definitely wrong.

I had again contact with my ISP. They gave me now a transfernet /126 for my WAN. They routed the /48 to my WAN IP.
But still not working, I believe or better sure this is not a pfsense or my config error. I don't have confidence in my provider now.

I'm able to ping from LAN side, even from a host (computer) to they're router - my gateway.

Asked them now to send there "show running-config ipv6", which they won't give me….

caputre:
no NDP request found. No response seen to ICMPv6 request in frame 38.
That's all about I see.

Keep you posted.