So i was playing with MikroTik RotuerOS and it picks up and distributes ip6 address right away, only config needed is enabling ip6.

What is different about how RouterOS is requesting the address vs. pfsense?

Having your ipv6 subnet and IPs become dynamic doesn't make it useless - Just much less useful as a server.

Which is probably the intent.

Dump the native IPV6 if it becomes annoying and grab a hurricane electric /48 that never changes.

Can you just put them on different LANs or VLANs? Comcast will give you up to 16 /64 prefixes, so you could just put the "open" hosts in one (basically, a DMZ) and the locked down ones in another.

Some more info.

I enabled DHCP6 on my WAN side, then went to check the interface status. Turns out the IPv6 of fe80::213:5fff:fe05:bde2 is actually my Gateway IPv6.

Should I allow this traffic to go through from my Gateway IPv6?

Thanks!

I finally get my IPv6 connexion working with pfSense 2.1.4-RELEASE (i386) . Here are the steps I followed :

checked "Allow IPv6" in "System: Advanced: Networking" enabled "Static IPv6" on the WAN interface and set IPV6_ADDR with /128 prefix let "IPv6 Upstream Gateway" to "none" run "route change -inet6 default IPV6_ADDR" (without %pppoe) enabled "Static IPv6" on LAN interface and set IP with /64 prefix checked "Enable DHCPv6 server on LANX interface" in "Services: DHCPv6 server" let "Router Advertisement" to "Disabled" added some IPv6 rules for LANX traffic

Right.. seemingly working when i did the following:

Put a notch on "Only request a IPv6 prefix, do not request a IPv6 address " on my WAN dhcp6 setting.

Also followed the other advice around and put LAN on "Track interface", added a WAN firewall rule to allow inbound source UDP 547, destination UDP 546

Internal clients get ipv6 address, and get 10/10 on the test-ipv6.com page.

Well.. guess every ISP is different perhaps?

C

@avink:

This very much resembles the thing I have.
I always have to start the DHCPv6 by hand. In my opinion it is because the PPPoE isn't stable when the DHCPv6 is starting.

I actually got the dhcp6c command from your bugreport on redmine, thanks for that  ;)
Running dhcp6c in a tmux by hand now, seems stable so far.

If i set the WAN interface to DHCP6 and delegation size to 48 (according to my ISP), and LAN interface to "Track Interface:WAN", my WAN gets a address like this:

IPv6 Link Local fe80::202:1eff:fef2:8981%xl0  IPv6 address 2001:4610:a:b::xxx  Subnet mask IPv6 128 Gateway IPv6 fe80::2a0:a50f:fc7a:8b00

And my LAN gets:

IPv6 Link Local fe80::1:1%bge0  IPv6 address 2001:4641:7766:0:21a:a0ff:xxxx:xxxx  Subnet mask IPv6 64

And internal clients also gets a IPV6 address..

However, im unable to ping anything related to IPV6.

ping6 ipv6.google.com PING6(56=40+8+8 bytes) 2001:4641:7766::34cf:6c49:85df:9bb8 --> 2a00:1450:400f:803::1001 ^C --- ipv6.l.google.com ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss

Ive added a WAN firewall rule to allow IPV6 UDP Source Port:547 Destination Port: 546. I also added WAN rule to allow IPV6 ICMP.

What am i doing wrong? :)

C

I am really looking forward to have a dynamic NPt that tracks my DHCP PD assignment

@razzfazz:

Pass-through as in VT-d?

Yes, Intel VT-d aka DirectPath I/O in VMware ESXi. The parent interface's name is "igb0". In contrast, the other two WAN interfaces were called "vmx3f1"/"vmx3f2" on pfSense 2.1 and are now called "vmx1"/"vmx2" on 2.2. By the way, I've switched from 2.1.3 to 2.2 since my last message in this thread.

@razzfazz:

The point is, the WAN interface that's the parent for your tunnel cannot be behind a NAT (including the NAT that many desktop virtualization solutions use for their virtualized interfaces by default) unless you set up the correct forwarding (proto 41 – note, not port 41! – needs to be forwarded to your tunnel endpoint).

There's no NATing going on anymore (for the tunnel's parent interface at least). After your post I've set the upstream DSL modem to operate in transparent bridge mode and let pfSense do all the PPPoE magic. pfSense displays the exact same IPv4 address on that interface that various "What's my IP address?"-websites show me (like this one). Now that I figured I needed to use the "Update Key" instead of my password, pfSense's DynDNS client seems to work just fine, too. HE is constantly aware of any IP address changes. The tunnel is still not up however. :-X

Edit: It's working!
Well, after deleting my old tunnel and creating a new one and updating all the settings in pfSense accordingly I was finally able to ping servers via IPv6, but unfortunately most of the requests simply timed out. I stumbled across this video on youtube suggesting to set the MTU to the lowest possible value. So after setting the MTU to 1280 in pfSense and the HE control panel I got rid of that odd timeout problem.

Still, I noticed some minor flaws:
1.) Gateway monitoring is stuck on "pending", no matter what I set the monitor IP to. (I just disabled monitoring for now.)
2.) A second/bogus GW popped up that I simply can't remove. It doesn't show up in exported settings, but as soon as I import the settings it's there again.
3.) The box on the right side of the tunnel interface on the first page of pfSense is blank where it should show the IPv6 address I assume. This behavior doesn't change whether or not I set "IPv6 Configuration Type" to none or static, providing the IPv6 address myself. Fixed as per 2.2-ALPHA (amd64) built on Fri May 23 08:08:31 CDT 2014!

However, thank you for your time razzfazz!

Am I alone with this ?

I played with the Pool and the Router advisement but no luck so far… any help ? Please

I set the MSS to 1000, and then it started working.
No idea why it has to be so low, and it could probably be a bit higher, but I haven't been bothered to check.

@priller:

1e100.net is Google.

Correct. See: https://support.google.com/faqs/answer/174717?hl=en

Yeah, for android devices is a must, they only use SLAAC.

Hey, thanks for the replies. I'll look into setting it up as a transparent firewall.

Thank you podilarius,

I've turned off the default logging in the logger settings and do not see anymore ipv6 anything logging - which is what I would prefer.