Native IPv6 which does not use a prefix provided by my ISP.

One thing you should double check is that you have followed the part in the directions labeled "Pitfalls" about making sure that System > Advanced, Networking tab has "Allow IPv6" checked. That's the only way I know of that will stop the v6 auto gateway from showing up.

I plan on making some updates to the wiki doc after the hangout. I ran through the whole process a couple times this week and had no problems. The gateways showed up automatically as expected and everything worked. There were a few minor differences to the wiki doc but nothing earth shattering.

Ok, figured out what was wrong on my configuration!
The Captive Portal is not working with ipv6 and prevent the RA daemon to work properly.

Thread can be closed

Thanks

@Satras:

….
I'm currently talking (again) to my ISP and try to convince him.. but I guess he won't listen.

Normally, an ISP is considered as a BIG company (several millions of clients) so implementing IPv6 "for you" would be pure fiction.

I'm using a big (biggest) French ISP "Orange" (+16 000 000 clients, mostly ADSL and some fiber links). They still think about "IPv6", because they have to switch the entire country to mixture of IPv6 and IPv4 in one go. Nice aspect: this is France so, first, they 'talk' about it (for the last 5 years already)  ;)

I'm using https://tunnelbroker.net/ services for years now. This means that all my PC's and other devices  have an native IPv4 and IPv6 access.
Works great !!

Looks like policy based routing is the answer

to bring up a tunnel with HE you have to allow ping to your public IP on your wan..  I have set this up so many times, it really is like 20 seconds tops to get a tunnel going.

Btw I noticed you have a ipv4 icmp rule on your lan - but your notes say ipv6?  And its kind pointless since you have a any any rule from your lan that would allow icmp anyway.

"Enabling the adapter, even with no clients connecting, leads to very long DNS lookup times, or faiilure to resolve, and much slower page loads for browsers behind the firewall."

Huh??  What is having a hard time to resolve?  You do understand even if you query via IPv4 for a fqdn if there is AAAA record you most likely get that returned as well since many dns clients default to query both..

If you get back a AAAA (ipv6 address for a fqdn) and your client prefers and has ipv6 it will try to use that..  But what does this have to do with pfsense having a link local address?  I use ipv6 on some interfaces in pfsense and none on other interfaces that I am not using IPv6 in that network.. Yes those interfaces still get link local as shown above..

Your posting of this

inet6 2001:5<foo>9:4125:5501 prefixlen 128
and
inet6 2601:248:<foo>:44c6 prefixlen 64

This is NOT a none setting on the interface.. Where are you saying this is coming from??  If you have an interface set to NONE for ipv6 it sure and the hell is not going to get a global ipv6 address on it.. 2000::/3

So you bring up openvpn..  I route ipv6 over one of my vpn servers connections, and then on another one I do not - so as you can see from attached one has a global ipv6 address, the other does not but both of them have link local addresses on them for ipv6..

If you are not ready to use ipv6, then make sure all your interfaces in pfsense have none set for ipv6 this is all that should have to be done..

openvpnipv6.png
openvpnipv6.png_thumb</foo></foo>

Block DNS over IPv6. Follow the wiki for the rest. End of story. Not going to explain for the zillionth time that System - General is NOT for clients.

This is working for me: https://moerbst.wordpress.com/2016/07/31/ipv6mit-pfsense-an-dsl-der-telekom/ It's in german language but with screenshots for every step, so it should be no problem :-)

That is not the default setting.. So clearly at some point you said, I only want tcp/udp outbound – so that would break ping/traceroute, etc..

How have you configured your WAN and your LAN?
At least in my area, Comcast will hand out a /64 prefix or a /60.
If you want the simplest config,

your WAN interface should be set up to use DHCP6

leave "DHCPv6 Prefix Delegation size" at 64

check the "Send IPv6 prefix hint" checkbox

then for IPv6 on your LAN interface set it up to "track interface" pointing to the WAN interface with the "IPv6 Prefix ID" set to 0 (you can't change it if you requested a /64 on the WAN).

That should be enough to get legitimate IPv6 addresses on your LAN.

Tim

When they don't support it, they should at least stop breaking it.

Frankly, time to find a new ISP. This thing just works (pretty much everywhere when you drop the MTU to 1280) unless some lame ISP screws that intentionally or just by some clueless misconfiguration of their equipment.

@richardd:

What I'm missing in pfSense DHCP6 is the option to use the MAC address for identification

No such thing exists for DHCP6.

YOu had to reboot your ISP equipment Im almost sure about that. If you use PPPoE sometimes when pppoe session is not disconnected properly it simply doesnt work until you reboot things :)

Glad you made it working.

So your double natting to this pfsense box 192.168.1.1 which is in front of your pfsense box that also nats.  Does that pfsense have a public on its wan?

You mention your at school - is this the schools network?  Or do you have your own private internet connection.  Many schools lock down their networks, where they don't even want you running nat that would allow you to put non registered devices on their network.  It would be quite possible that they are blocking protocol 41 which is required for a HE tunnel.

From the HE faq

*Two important notes:

Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
    If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.

What is IP Protocol 41?
    IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.

Even if they do allow it.. Not sure it would work through a double nat?  Do you have access to this pfsense in front of yours - is it allowing protocol 41?  Is it sending it to your 2nd pfsense wan IP?  See attached.

protocol41.png
protocol41.png_thumb

It appears this may still be a bug in 2.2.2  My PPPoE sessions being renewed seem to completely break DHCP6 prefix delegation with my ISP.  The WAN link comes up and can be used to communicate but routing for the delegated subnet is completely broken.

I was able to confirm that killing the processes and re-saving the wan config as suggested on the documentation page here https://doc.pfsense.org/index.php/DHCPv6_Client_XID_Mismatch resolved the issue.

@doktornotor:

Can people here retest this with latest 2.2.3 snapshots? Seems working for me.

Ditto, seems fine for me as well, but more widespread testing would be appreciated.

Thank You Johnpoz & Gertjan. … :D learningg  ....  :-*

@doktornotor:

…
Also note that the IPv6 display for PPPoE has never worked properly -- neither in the GUI dashboard, nor in the console menu.

+1, that is, the WAN IPv6 prefix + MACderivative parallel to the WAN IPv4 entry.
Luckily I know my steady /48 on beforehand, so I can issue the different subnets for the SLAAC, Static or DHCPv6 LAN's ;)