@antillie:

I imagine most ISPs wont do this unless you are a large account that spends lots of money.

Depends on how you define "lots." Generally in the US if you have fiber connectivity, they're willing to do it, even if it's just a single connection you're buying with them. Looking at ~$1000 USD/month at the low end for that type of connection, though that can vary widely depending on location.

If you are sending a tagged voice VLAN to a phone along with an untagged VLAN intended to be used by the host chained off the phone and the host chained off the phone is seeing both the tagged traffic and the untagged traffic, the phone is either broken or configured incorrectly.

In my case, this problem was caused by a wireless access point in the network running OpenWRT trying to hand out IPv6 addresses when it had no business doing so. Hope this helps someone.

If everything is configured right, you'll always end up with /64 prefixes on your LAN interfaces; the /60 is the total address space delegated to you, and pfSense will split it up into up to 16 /64 prefixes, one for each interfaces configured to track the WAN.

The ICMP types you are referring to were removed from ICMPv6 for exactly the reasons you mentioned. There really isn't anything worth blocking aside from ping on a layer 3 device. There are ICMP types you might want to block on a switch, such as router advertisements, but that's layer 2 stuff.

And for the love of god don't rate limit ICMPv6 on your edge device. I knew a guy that rate limited ICMPv6 to 20 packets per minute on the linux router in his lab. He was then very confused when I brought down the entire lab by pinging his router from a windows machine with the -t option over IPv6.

Don't approach ICMPv6 with an ICMPv4 mentality. They are totally different protocols with totally different jobs that need to be handled in totally different ways.

Hi,

my ISP will provice native ipv6 in  couple of months, so, there is no need to get any kind if -IM-proper tunnel.
Tunnelbrokers are all (!) slower than the nativ ISP. In another router I used gogonet, HE and SIxxs - the are all slower than my 6to4 solution - and
the not reachable-issue didnot occur once for me…..

The point is not the tunnel, there is another bug which makes this happen - or don't you think so, then, please, explain it to me.

Cheers

4920441

Not sure if this has much if anything to do with 2.2.1, but as this is a development environment for me I was able to upgrade to version 2.2.2-DEVELOPMENT.  My issues are fixed (right now).

I will report back if they break again.

@JasonTracy:

That said, I'm interested to hear more about how you're doing this!

What ?  :D  I will outline the principle for non-tracking setups.

Comcast, I am not with them. But they supply a /60, I understood from elsewhere.
Try [Interfaces: WAN] (Advanced(Send Options=ia-pd 0)) and (prefix delegation: checked)
If you get the /60 on the WAN, then you can know your prefixnumber as the first 64 bits.

Let's assume you get a prefixnumber like 2015:911:abcd:ff80(::1) on your WAN.
The last placeholder (0) in :ff80: is actually the supplied space, your 4-bits equals 15 LAN's possibly.
Now in webgui pfSense you can make a LAN-1 static as 2015:911:abcd:ff81::1/64 or a LAN-2 static as 2015:911:abcd:ff82::1/64. (The space available is :ff81: tru :ff8f: ).

A (PC) serverhost on LAN-1 (:ff81:) could get a number issued by you, (not by DHCPv6), say 2015:911:abcd:ff81::1001.
Or you could config a DHCPv6-Server/RA with a pool like [2015:911:abcd:ff81::1051 upto 2015:911:abcd:ff81::1100].

You make your WAN firewall rules on a wellknown server fixed IPv6 address.

So when ISP pulls/changes your 2015:911:abcd:ff8::/60, then your IPv6 LAN's and public server are securely off-line.

Ditto for Comcast.

EDIT: Sorry, it's actually just a /60 for Comcast.

@antillie:

If Comcast wants to change your IPv6 prefix there is nothing you can do to stop them. It wouldn't surprise me if they change your prefix now and then just to make it hard for you to run a server. Maybe they can sell you a business class account with a static prefix assignment?

Yeah I'm hoping it's not nefarious. :)

Issue is getting the speed/bandwidth on the business accounts. A 100MB line on Business isn't cheap…

Or, if this enhancement gets applied to PFSense then it may resolve my issue.

https://redmine.pfsense.org/issues/3029

Yes, your edge firewall is a master holding the /48. Request by slave DHCP(PD).

Stop the /52-ing internal. Peel off /64-ers from your comcast /48. Stick to /64 routing.

the guy from my ISP

@pii77:

…
Anyone with best practices on how to solve this?...

Why does an/your ISP issue a prefix /48 and not keep it the same number for you, despite you get it with DHCP6c(PD) (and they reserve the right to change/pull it ofcourse). ?

Why not just assume that your /48 is a permanent number (quasi-static) ? Because then next assign your LAN a subnet static or with DHCP6-server…

@snowyrain:

I don't know why…

As a pfSense manager yourself, that is not a very satisfying position.  :P

No, not 6to4. That 6to4 wannabe magic anycast thing is officially dead.

Yeah, this is a pfSense forum. Configuring firewalls requires you understand at least basic concepts of networking. You are totally stuck with IPv4 mentality, which just does not apply to IPv6. Everyone has a public IPv6, every box can be reached directly unless you block the traffic by firewall. There is no NAT to hide behind.

So, well… here's a couple of suggestions:

1/ Install the Filer package and use that to upload whatever custom scripts you have (Diagnostics - Filer)
2/ Install the Cron package and use that to maintain your custom cronjobs (Services = Cron).

This way, the mods will actually survive upgrades.

Attenuating the default. For me will do:
[System: Gateways: Edit gateway] WAN_DHCP6; Probe Interval=8; Down=32;

Dude, you do NOT 1:1 NAT IPv6 like this. WTF. There's NPt for IPv6.

P.S. Filed a bug: https://redmine.pfsense.org/issues/4536

(Note @OP: Fixing that bug will prevent you from configuring similar BS. Meanwhile, kindly remove that nonsense yourself.)