6RD + Charter is confirmed working in 2.2.1-Release!

Thanks to Ermal, Chris & Will for following through with this

Feel free to read about the process: https://redmine.pfsense.org/issues/2882

@virgiliomi:

There's a bug regarding IPv6 not returning after modem reset… I added some comments back in February about it, even with the "Use IPv4 connectivity as parent interface" option enabled.

https://redmine.pfsense.org/issues/3290

Thanks for the pointer, I'm now watching this issue.  It sounds like your experience is the same as mine.

@jvangent100:

Well mine Always comes up after reboot, but it disconnects frequently.
…
Will watch relevant logs and hope to find out why I am getting frequent disconnects (sometimes twice a day). Could periodically killing and starting DCHPc6 help ?

Some past experience.

Assure a MAC-derived fe80 linklocal on the WAN, do not rely on one compounded from privacy-extensions.

If the other side pulls the line (too long for apinger), then IPv4 will recover but IPv6 may not. But then a (re)fresh PPPoE disconnect/connect will solve. [Status: Interfaces]

If a disconnect is (IPv4 & IPv6), then test relaxation (factor 4 to 8 (Probe Interval, Down)) for apinger [System: Gateways: Edit gateway].

Periodically restarting, like frequent config changes, can introduce instance problems for dhcp6c like new PID is established and old is not flushed.

The thinking is: If you have IPv6 disabled, you'd want to be notified that people are attempting to use IPv6 when you told the firewall you do not want IPv6 to be used. It's a security measure.

If you want to ignore IPv6, enable it and add some floating rules to block w/o logging.

@hda:

OK, sounds plausible. Would you be willing to show us the final settings of the DTv130 for this case ?

I've added a few screenshots, they're a bit messy, i didn't clean up the config yet.

snapshot6.png
snapshot6.png_thumb
snapshot7.png
snapshot7.png_thumb
snapshot8.png
snapshot8.png_thumb
snapshot9.png
snapshot9.png_thumb
snapshot10.png
snapshot10.png_thumb

If you can use link-local, you should. It won't change like some can. Imagine you have a local IPv6 network where the prefix changes periodically (DHCP6-PD, etc).

There is no benefit to using the actual interface IP over the link-local at a network level except in cases when it may be easier for a person to remember.

It's just an odd concept for those familiar with IPv4 to grasp.

All clients will always have a link-local address, even if they don't yet have an actual routable IPv6 address, so it's always more reliable to talk to a link-local address if you can.

@koos147:

…
is it correct that the router advertisement is on the LAN tab?
...

Ofcourse. The LAN has its own unique public IPv6 and can have a switch with, for instance 8, computing devices on it.
Then this LAN could have its own RA settings like allow Static and (SLAAC or not). Then another LAN could only have RA for DHCP6-server.

Simply disable ipv6 on the lan interface of your router should get rid of these. Do not disable ipv6 on your clients, it's not like this is some scary thing, modern operating systems prefer ipv6 and for good reason.

Where do you adjust that?

@johnpoz:

HE tunnel is stable, my /64s from my /48 never change ;)  I have no plans on going back to isp ipv6 any time soon.

+1. Examples of IPv6 "implementation" on some local ISPs:

A huge xDSL provider: when you ask for IPv6, you get CGN IPv4 instead of your current shiny public IPv4 that has not changed for years, plus one (!!!) /64. No /60, /56 or anything like that possible. The /64s are dynamic and changing all the time. Awesome.  ::) Major cable provider:  testing only, using dual-stack lite, IPs changing all the time, a general yuck…  ;D Small local WISP: Huh, what's IPv6? Oh, so you want a public /29 instead? But we are running short of IPv4s...  ::) ::) ::) (They actually have the - deprecated - 6to4 available without even knowing.)

IPv6 needs ICMP to function properly.

Here's one: http://blogs.cisco.com/security/icmp-and-security-in-ipv6

You get an /48 space supply. Of this /48 you can chop something like say /56 up into subnets of /64 (these are 255 LAN's or NIC's)

Reliable communication goes with /64.

So you can do a Static like 2A02:babe:face:1::1/64 for LAN-1
And you can do a Static like 2A02:babe:face:2::1/64 for LAN-2

Suppose you connect a switch to LAN-1.
Then you can attach a PC on that switch (to LAN-1) give it a Static, say 2A02:babe:face:1::beef

And you need RA to set on Router Only if you do Static, else no routing…

@Banane:

I now switched the FritzBox to a Draytek Vigor 130 VDSL modem and set it to PPPoE-Passtrough.
Where do I have to set up the VLAN, at the Vigor 130 or at the pFsense firewall ?
At the moment i disabled the VLAN tagging at the VDSL modem and set it up for the WAN interface in pFsense.
I can connect via PPPoE and receive a Ipv4-address. Does this mean the VLAN is configured right ?
How do I have to set up IPv6 (DHCPv6/SLAAC).

Good move !

VLAN is at pfSense, Draytek-130 is absolutely pass-tru to ISP-node.

Why do you need VLAN(), because of separate ISP tagging of the Internet, Phone and TV ?

If you get an IPv6 that basically doesn't change, then go Static (+SLAAC if you wish) or DHCP6-server for your LAN.
Else you have to stick to Track-Interface for the LAN. This will do out-of-the-box. Issue /64 addressing i.e. 2a02:2028:xyzt:klmn:…../64

Prior and besides LAN-config, you need to know the connection protocol to ISP for WAN, probably with dhcp6(c)(PD).
Find out by experimentation or ask them the ISP.

That ifconfig output does not look good. Having a prefixlen of 56 on a LAN will break every SLAAC device out there because RADVD will advertise a /56. RADVD can become confused, as in your case, because there is a mismatch between what comcast is offering and what DHCPv6 Prefix Delegation size has been set to. You must set DHCPv6 Prefix Delegation size to 56 to match what comcast provides. This in turn will cause RADVD to offer a /64 to LAN.

If you check /etc/var/radvd.conf and the prefix line is anything other than /64 at the end, LAN connectivity will not work for IPv6. I already went through this a while back: https://forum.pfsense.org/index.php?topic=83524.0

The link provided by kejianshi even mentions the possible need for setting it to 56.

Is 32,000 a big number? (I ran out of fingers - Let me take my shoes off)

/48 works really well - I think I have about 5 right now.  I will give them back if people start running out.

I agree with derelict.

Hmmm just a guess, is it possible that no RA is being send because client already exists in NDP table?

Ever get anywhere with your issue?

@digitalsushi:

we have a comcast router we are leasing because we have a static v4 /28 routed to us with a comcast rip client configuration we are not allowed to run on our own hardware.  This router's configuration is locked in place - if we used our own router, we could do the /60 PD req no problem. I should have mentioned this earlier but I didnt want to take my own thread off topic.

This was a critical piece of info.

Comcast doesn't support more than /64 on their own gateway devices. They don't yet support "sub-delegation", where you would be able to have a /60 or /56 on their gateway (which is required to be used for static IP addressing) and then sub-delegate prefixes to other routers (like pfSense).

That's why you can't get more than a /64, because you're using Comcast's gateway.

If the static IPv4 addresses weren't necessary, then you would be fine to use pfSense as your only router (have theirs put into Bridge mode, or buy a modem-only device) and request a /60 or /56 for IPv6.