OK, you need a MoDem transparent (pass-tru/bridged to PPPoE) -OR- a MoDem-Router that can act as a DHCP6-Server (like the Fritz!Box 7360).

@ancker:

I take full advantage of the 'register static DHCP entries in DNS' feature for IPv4.
I would like to do something similar for IPv6.
…
Is there a way to do this? I'd like for my internal hosts to start talking via IPv6 where possible.

Hopefully the ability to use DHCPv6 server with interfaces that are tracking another for IPv6 will be coming in version 2.3… that's likely still a ways off though. There will be lots of big changes in that version.

This won't help for EUI-64 addresses, but if you opt to run IPv6 in a "Managed" way (no SLAAC), then anything that supports DHCPv6 will go that route, while anything else won't use IPv6 (i.e. Android). This is an option that would (hopefully) also be available for interfaces that are tracking IPv6.

ref: post by cmb

@pra:

Perhaps you need to use a NDP proxy (same as arp proxy but for IPv6)
But i don t find it

It does not and should not exist. You don't need nor want to proxy NDP. WAN and LAN(s) must have distinct subnets with proper routing. The ISP must supply you with a /64 or larger routed to your WAN address.

@hda:

A prefix /60 gives you a collection of 2^4-1 subnets for your site. Each LAN, WAN node has its own unique subnet value, and such address has mask /64 …

Thanks for confirming that.  That's what i had guessed was occurring. 
But how would something like this work of the ISP does'nt provide you a /56.  For example, if their router only requested a /60, how would one allocate IPv6 addresses to WAN/LAN?

Also, why is this occurring when I try to request a /64:
And the LAN interface is tracking the WAn interface and it gets:
  inet6 xxx prefixlen 60

Where is the LAN interface getting this /60?

Thanks.

The firewall should hand out its own address for DNS in that case. There isn't a way to control it otherwise at the moment.

You realize that it allows anyone to completely bypass your firewall by simply sending fragmented IPv6 packets, right?

IIRC from last time I touched this damned thing - there are tabs to separately disable the IPv6 stuff only. Might be distro, NM version and init specific though. Probably better asked elsewhere.

Hello,

@Nick2253:

Can you set NPt destination prefix to track the WAN IP?

@jimp:

1. No, not yet (though it's a feature we'd like to see eventually)

Such a feature would be very nice. I need it for IPv6 load balancing (2xDSL with dynamic IPv6). Please add this!

Yeah, I'm definitely butted out of your "I have invented a /48 to use that noone routed to me and it doesn't work" "issue"…

Yes /48 on the WAN was definitely wrong.

I had again contact with my ISP. They gave me now a transfernet /126 for my WAN. They routed the /48 to my WAN IP.
But still not working, I believe or better sure this is not a pfsense or my config error. I don't have confidence in my provider now.

I'm able to ping from LAN side, even from a host (computer) to they're router - my gateway.

Asked them now to send there "show running-config ipv6", which they won't give me….

caputre:
no NDP request found. No response seen to ICMPv6 request in frame 38.
That's all about I see.

Keep you posted.

Native IPv6 which does not use a prefix provided by my ISP.

One thing you should double check is that you have followed the part in the directions labeled "Pitfalls" about making sure that System > Advanced, Networking tab has "Allow IPv6" checked. That's the only way I know of that will stop the v6 auto gateway from showing up.

I plan on making some updates to the wiki doc after the hangout. I ran through the whole process a couple times this week and had no problems. The gateways showed up automatically as expected and everything worked. There were a few minor differences to the wiki doc but nothing earth shattering.

Ok, figured out what was wrong on my configuration!
The Captive Portal is not working with ipv6 and prevent the RA daemon to work properly.

Thread can be closed

Thanks

@Satras:

….
I'm currently talking (again) to my ISP and try to convince him.. but I guess he won't listen.

Normally, an ISP is considered as a BIG company (several millions of clients) so implementing IPv6 "for you" would be pure fiction.

I'm using a big (biggest) French ISP "Orange" (+16 000 000 clients, mostly ADSL and some fiber links). They still think about "IPv6", because they have to switch the entire country to mixture of IPv6 and IPv4 in one go. Nice aspect: this is France so, first, they 'talk' about it (for the last 5 years already)  ;)

I'm using https://tunnelbroker.net/ services for years now. This means that all my PC's and other devices  have an native IPv4 and IPv6 access.
Works great !!

Looks like policy based routing is the answer

to bring up a tunnel with HE you have to allow ping to your public IP on your wan..  I have set this up so many times, it really is like 20 seconds tops to get a tunnel going.

Btw I noticed you have a ipv4 icmp rule on your lan - but your notes say ipv6?  And its kind pointless since you have a any any rule from your lan that would allow icmp anyway.

"Enabling the adapter, even with no clients connecting, leads to very long DNS lookup times, or faiilure to resolve, and much slower page loads for browsers behind the firewall."

Huh??  What is having a hard time to resolve?  You do understand even if you query via IPv4 for a fqdn if there is AAAA record you most likely get that returned as well since many dns clients default to query both..

If you get back a AAAA (ipv6 address for a fqdn) and your client prefers and has ipv6 it will try to use that..  But what does this have to do with pfsense having a link local address?  I use ipv6 on some interfaces in pfsense and none on other interfaces that I am not using IPv6 in that network.. Yes those interfaces still get link local as shown above..

Your posting of this

inet6 2001:5<foo>9:4125:5501 prefixlen 128
and
inet6 2601:248:<foo>:44c6 prefixlen 64

This is NOT a none setting on the interface.. Where are you saying this is coming from??  If you have an interface set to NONE for ipv6 it sure and the hell is not going to get a global ipv6 address on it.. 2000::/3

So you bring up openvpn..  I route ipv6 over one of my vpn servers connections, and then on another one I do not - so as you can see from attached one has a global ipv6 address, the other does not but both of them have link local addresses on them for ipv6..

If you are not ready to use ipv6, then make sure all your interfaces in pfsense have none set for ipv6 this is all that should have to be done..

openvpnipv6.png
openvpnipv6.png_thumb</foo></foo>

Block DNS over IPv6. Follow the wiki for the rest. End of story. Not going to explain for the zillionth time that System - General is NOT for clients.

This is working for me: https://moerbst.wordpress.com/2016/07/31/ipv6mit-pfsense-an-dsl-der-telekom/ It's in german language but with screenshots for every step, so it should be no problem :-)