@br8bruno said in So close on IPv6 yet so far away - Can't get to internet over IPv6 despite everything seeming to be in place.: Not really sure, but I will as the ISP They will ask you to execute a traceroute to, for example, 8.8.8.8 The second, third, maybe fourth IP listed is theirs - on of their equipment. Pick any of these, as long as they answer to ping. Further on, you'll will find the main 'highway Internet core routers'.

@NickyDoes IPv6 gets quite tricky when it comes to pfSense. Like with IPv4 there is no support for automatic client DNS nameregistration in IPv6, so either you have to register all clients/servers manually (SLAAC clients and Static IP clients) or in some products the DHCPv6 server can register its clients in DNS - but not on pfSense though (so manually it is….). Also - IPv6 on most/all clients use something called privacy extensions, so if you use SLAAC you cannot create pr. Client outbound firewall rules. You have to allow og deny everything equally for the intire subnet. With privacy extensions clients will pick a new random IPv6 address every day for oubound connections. You could experiment with the new MAC address based firewall rules though…

@rsaanon, looking for an update. Did you ever get IPv6 working smoothly with Google Fiber? Do you still have Google Fiber? What is your PD size now? @jimp said in pfSense host gets IPv6 from ISP (Google Fiber) but not LAN clients: I just showed you what a working setup looks like and what a working server sends. Your server is not sending that, thus your server is not working properly. Getting a working WAN address is not the same as getting a working and viable prefix delegation from upstream. One can work while the other is broken.

Looks like I was lacking "rapid commit" under advanced IP options. I tried to post instructions here but it keeps getting flagged as Spam. Check out https://www.reddit.com/r/PFSENSE/comments/1duuc6o/ipv6_troubles_unstable_pppoe_ipv6_address_via/ for the full post.

@JonathanLee said in IPv6 HE tunnel broker and Netflix quick fix idea: This fixed my issues 100% anyone else parse AAAA and A dns records like this? That issue is very old. Hit the search button - its just above : [image: 1721814205482-979fea0f-8b0a-4338-afa4-9be21a3aeefa-image.png] The issue has even a pfBlockerng solution made for it : [image: 1721814277228-99d7ab85-cb14-44e3-958e-e48648d7256f-image.png] Check the check box. Add all the host names that should not be resolved to AAAA. Done.

@JonathanLee Yes, I've been aware of that for coming up on 30 years.

@JonathanLee said in HE tunnel broker questions: I went the old way of wan only The old way ? If your uplink is rather big, like a Gigagbit or way more, it's the dangerous way. Incoming, Internet originated traffic, is normally dropped without any further actions taken. If you decide to have that traffic analyzed by, for example, snort, then you expose yourself to a much greater DOS risk : the more traffic comes in, the harder snort is going to "snort" on it. Now, all it takes it : I, with my bots, send you a loads of 'suspect' traffic and your firewall comes to a crawling halt. Remember : you can not stop the the traffic coming into your WAN, only your ISP can. If you want to spend a zillion CPU cycles on every bad packet, and lots of these are coming in, your firewall will get overloaded.

@JonathanLee don't use bang rules.. If you don't want lan net to talk to opt net, then put in a block rule for opt net above your allow. Yes the network/subnet aliases would be the ipv4 or ipv6 networks on said interfaces.

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets": I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following: Use the packet capture that's in pfSense. You may have to install it. Then post the capture file here. It's a lot easier to examine the capture with Wireshark that what packet capture displays. Here's what a router advertisement looks like in Wireshark: [image: 1721322715178-ae550191-613d-491b-bc38-83746130322c-image.png] And when expanded, selecting IPv6 info: [image: 1721322792298-1f6587bd-bae2-4ff2-8f09-66e18495c283-image.png]

@Shack Why not just go with IPv6 and get rid of all the crap that's become necessary to keep IPv4 going? Stuff like NAT break things and CGNAT even more things. Because of NAT we need STUN for VoIP and some games. So, it's hack upon hack just to get around the IPv4 address shortage. On top of this, IPv6 cleans up some of the things in IPv4. For example, ARP predates IPv4 and was used because it was available. With IPv6, the functionality of it has been rolled into ICMPv6 with some other features added. Other things improve security and more. According to Vint Cerf, the guy who created it, IPv4 was intended only as a proof of concept and he expected the final protocol would have a much larger address space. With my ISP, I have a single IPv4 address which requires NAT to support multiple devices. With IPv6, I get a /56 prefix, which provides 256 /64s, each of which contains 18.4 billion, billion addresses. NAT also breaks the end to end transparency, which the network gods had intended.

@JacktheSmack said in If internet goes down, IPV6 won't work until reboot: The release cadence has slowed down significantly from when I started using pfSense in 2014 or 2015. Slow down doesn't mean going away.. The product has come a long way since then, lots more to it.. Plus there is + and TNSR, their release schedule has always been when it ready really. If you want faster releases, move to plus.. ;)

@patrickdickey52761 yeah understanding where the split is for prefixes can be tricky.. Glad you got it sorted.. Now what you going to do with IPv6 to be honest? I have yet to find an actual need for it.. There is not 1 single resource on the internet I would want to get to that requires IPv6 ;) Its just a play thing to be honest, I mostly just leave it off. I can turn it on with a click if need to test something.. Yeah sure if you were behind a cgnat or something and you wanted others to be able to get to some resources on your network.. But it is the future and never hurts to learn new things - If you are actually interested in ipv6, I would check out the free cert you can get from HE.. You can get a pretty nice tshirt once you get to sage level. I still have mine from 2011 when I did it.. You would of thought IPv6 would of actually gotten somewhere by now - sadly nope.. Other than great use for the billions of phones on the planet. My isp doesn't even provide it..

@luckman212 Hi, I am using pFsense plus 24.03, I am still having same issue where WAN interface only got a local IPv6 and not a IPv6 assigned by FIOS, is a problem when I configured CoDel Limiters for Bufferbloat, limiters work fine for IPv4 but not for IPv6 since it doesn't have a IPv6 and can identify traffic going through the WAN. I tried your patch and I was unable to make work. Are you aware if pFsense plus 24.03 already fixed this issue, and let me know what is the configuration we have to use to make WAN to obtain and IPv6 or how to make the onfiguring CoDel Limiters for Bufferbloat to work with IPv6 traffic. Thanks.

@SteveITS It's a home account with an owned Netgear Nighthawk CM2000. There were times where it would work AS IS, didn't need to specify the WAN for a /64 and no RA check. But most of the times, I'd have to specify /64 and Don't wait RA checked or else I'd get no IPv6 on LAN. Weird...

I have Fidium fiber they said it’s still on IPv4 so I stated using HE tunnel broker service.

Forgive me if I'm misunderstanding what you're wanting to do, but on pfSense you can set up a Prefix Delegation Pool in the DHCPv6 Server settings for the interface to which the UDM is connected. Assuming the UDM supports PD it should request a prefix from pfSense which will then take care of the routing. Also, as you might already be aware, an easy way to disable NAT for IPv4 is to switch to Hybrid Outbound NAT and add a "NO NAT" rule for IPv4 for the interface the ISP device is connected to.

after a bunch of screwing around, I have it working. I wrote up what I found here: https://forum.netgate.com/topic/188676/ipv6-dhcp-client-with-att-fiber-without-gateway-working In particular: In the instructions at [https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html], section Add Modem-WAN Bridge Rule, the instructions say to set Protocol Any. If you do this, the DHCP6 requests from the modem will be forwarded through PFSENSE to the ONT and cause XID mismatch errors. This should instead be set for Protocol IEEE 802.1X. and a lot of rebooting or it will not work.