@hda:

Why is it reporting, where to look and adjust ?

Found a factor for the sendmsg:

When created a IPv6-static LAN with a switch plugged-in,
and set Services: Router advertisements: (Router Only),
but no hosts active/connected.

Solution: change to Services: Router advertisements: (Disabled).

Retry with 2.2 release, still have to run it manually?

I don't have much expectations from dhcpv6/radvd
I don't think they are important for me. I can even disable them and configure each VM with static IPv6.

All I want to do is to implement the following:
"routable doesn't mean reachable"

Just need the pfsense box to be a ipv6 firewall/gateway for VMs on LAN

Thanks!!

@balubeto:

@hda:

@balubeto:

… Enable IPv4 NAT encapsulation of IPv6 packets ...

WHY do you need IPv6 ?
IPv6 is meant as a public addressing system that you manage with inbound/outbound allowances.

Because I have some programs that also use the IPv6 protocol.

Can you mention an example, a typical program that wants to go public while there is no public IPv6, but that will refuse to take the IPv4 instead ?

What brand-type of MoDem-Router/Switch do you have ?
Is your Internet Service Provider able to offer you IPv6 ?

Here's the feature request for it…

https://redmine.pfsense.org/issues/3029

Since this morning the LAN interface had no public IPv6 address, and now I returning on pfSense and the LAN interface has received its IPv6 address ..
Why must wait several hours before the interface obtains its IPv6 address?

Now :

But if I reboot pfSense now I know I should not have IPv6 address on my LAN interface for some hours…

@Maarten90:

… some say that setting a MTU of 1492 fixes this...

Salvation of (jumbo) MTU issues for IPv6 are actually beyond control of the end-user; RFC4638 must come into effect first at all locations. The other problem is that many global server-admins block IPv6 ICMP signals. So the test is useless or excluded.

The best you can do, I think, is maybe set the value to 1492 at the first host which is your FB. [see FB>Internet>Account Info>IPv6>Addtional Settings>] So then the FB announces the right thing to pfSense (and you let that box to the default 1500)

(Sofar I experience no webpage problems, my ISP FB-config ships max MTU 1492 as a temp. solution)

N.B. some config changes require a reboot in download sequence of the 2 cascading boxes, and then a DHCP6(PD) ISP refresh-cycle (upto 1 or 2 hrs). So look & wait until your pfSense-LAN IPv6 number is back and up…

Hi Leeph,
I've exactly the same issue as you! Suddenly, my IPv6 connectivity dropped and I also detected that outgoing packets are sent to the ovpns1 interface!?
Could you please give more details about your fix?

<update>Here is the route which affects my traffic:

ff02::%ovpns1/0 fe80::200:24ff:fed0:6950%ovpns1 U 0 78423 1500 ovpns1</update>

Tx!
@xme

Ended up opting out and getting a Cisco EPC3825 that can do both pure bridge and "IP Address Pass-through " feature. In other word no double NAT issues and Fritz!Box half locked config from operator.

@gadams999:

Do you have a Comcast provided router or your own? My SMC router is only giving /64 PD's. I think customer routers/modems are getting /56's according to Comcast, but still collecting info.

Any device being used as a MODEM (either leased or owned) can have whatever router is connected request whatever prefix size is available based on your class of service (residential /60 or business /56).

Any device being used as a GATEWAY - a modem and router combined into one unit - will only likely request a /64. If a GATEWAY device is put into BRIDGE MODE (some allow you to do this in the web-based GUI, some require calling Comcast), this essentially makes it function similar to a MODEM, and your own router can request whatever prefix size is available based on your class of service.

Comcast has been moving away from renting regular modems, and mostly rents gateway devices now. This has allowed them to raise their rental fees ("We're renting you more than just a modem now, we're renting you a modem AND router!") as well as have some management control over the router portion.

Hi!

I experienced the same problems. I was able to fix this with the attached patch. I'm not sure but probably we should file a bug report.

The problem is that tcp resets get filtered as the 'pass out' rule for  the firewall itself is limited to TCP SYN pakets. However I still receive no ICMPv6 unreachables if i'm trying to reject IPv6 udp traffic.

Here the patch:

diff --git a/filter.inc b/filter.inc index c49403a..a4e3c45 100644 --- a/filter.inc +++ b/filter.inc @@ -2854,8 +2854,8 @@ EOD;         $ipfrules .= << <eod<br># let out anything from the firewall host itself and decrypted IPsec traffic -pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself" -pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself" +pass out inet all flags any keep state allow-opts label "let out anything IPv4 from firewall host itself" +pass out inet6 all flags any keep state allow-opts label "let out anything IPv6 from firewall host itself" EOD;</eod<br>

Cheers

If you're getting a WAN IPv6 address and a LAN prefix via DHCP…

The IPv6 setting for your WAN interface should be set to DHCP.

On the LAN interface, you should set your IPv6 setting to Track Interface, then in the IPv6 section select WAN as the interface to be tracked. If you're getting a /64 prefix from your provider then the field below should be 0.

It appears to be working now.  All I did was go into the LAN interface in the interfaces section of pfSense, (changed nothing) clicked save, and then did the same on my WAN.

As I said, consistently inconsistent .

@kejianshi:

You will like it.  Too bad its not replaced IPV4 significantly yet.

Looking forward to it …. might be ready to retire when it finally become mainstream.

Was afraid of this answer. Yes, it´s a good thing - for me the admin. Not sure, my users will appreciate as much as I do.

Thanks
    Martin

I persuaded my colocation service provider to allocate a range of IPv4's to me so my panic is over.
I even considered buying a /24 range of IPs, but that would cost around £2100 which didn't strike me as fun.

I'll test IPv6 slowly - seems to me we're a long way from actually using IPv6 in Europe. Probably decades.