so since i probably can not make ipv6 for the client network work with my current setup i want to get ridd of the ISPs router (speedport w724v) completely and let pfsense handle everything solely (as it was before we switched to voip). what i need is some sort of DECT base station that does VOIP or can "forward" VOIP to a asterisk (i'm not exactly sure how this would look like, voip is new to me) are there all-in-one boxes that can do this and don't require to be the main router to the internet?  (so i just have to open the ports for it in the firewall/NAT) i could also set up an VM with asterisk, but i somehow need the hardware to connect the phones via DECT and if the hardware has to be plugged in the server it has to work when on pci-passthrough on vmware esxi

i understand you. its just for educational purposes and its easy since it dont require software on the clients.

Just to keep you updated… It works, today morning IPv6 was up and running, but there is one thing strange: The "Dynamic DNS" panel shows the wrong (old) IP in red. But I just saw, that there were some fixes for the upcoming 2.2, so I am relaxed.

@mjtrainor: Interesting that em0 would have a IPv4 problem, since that's been problem free. Is miniupnpd strictly UPnP? If so, it's possible that's not working, it's not something we use very often. Yes, that's for UPnP (and NAT-PMP) only, so probably doesn't matter for you. Could just be a timing-related issue. And suggestions on what to look at for this? I'd fire up packet captures on your pfSense box's WAN and LAN interface and then try to ping an external address from a LAN client. I'm assuming you do have a firewall rule that allows IPv6 traffic from "LAN network" (as opposed to something hard-coded)?

How do you enable both DHCP-PD and the DHCP6 server? Any interfaces configures as "track interface" (i.e., use delegated prefix) don't even show up in the DHCP6 server configuration for me at all…

@hda: My understanding of IPv6. Don't route other or larger (i.e. /48) than a /64. And static IP's are a /128. Nope. Being static has nothing to do with how large a subnet is. IPv6 must be assigned in /64s per interface. So a /64 for LAN, a /64 for DMZ, a /64 for WIFI. You can assign smaller subnets than that, but it's not recommended (auto configuration breaks, since it expects to be able to fit the mac address in the IP address). And with the large number of /64s in a /48 you'll run out of rack space before you can allocate all the /64s, trust me  ;)

ah, found out the issue. we have a /56 (256 IPv6 /64 blocks so I have changed IP6v subnet on lan of pfsense from 2A00:xxxx:xxxx:5:21D:AAFF:FEB9:F000 to 2A00:xxxx:xxxx:4:21D:AAFF:FEB9:F000 I can now ping 2A00:xxxx:xxxx:4:21D:AAFF:FEB9:F000 from the internet

Problem solved. Turns out it was a setting on my NIC. I needed to change "Large Send Offload v2 (IPv6)" to disabled. This is found in Device Manager > Network Adapters > <right click="" your="" adapter="">Properties > Advanced Hope this helps someone! Todd</right>

Hi jyppy65 I also have two ipv6 link local address on my pppoe0 interface but I can't report any problems with that. Do you have any problem with that ? regards supermega

Pretty much what it says: When that option is enabled, the DHCP request sent out by pfSense will include info on what size prefix we would like to have delegated to us (which the DHCP server may or may not honor – hence, "hint"); without that option, the DHCP request will just ask for a prefix without specifying the desired length, so the DHCP server will generally just delegate a prefix with some default size, and that obviously may not match what you selected as "prefix delegation size" in pfSense.

You can add it as an IP Alias VIP. It will exist along with the auto-generated version. That can also be disabled with a sysctl, but it's not recommended to do so since it could have unintended consequences.

I know this is an old thread – but I had a similar problem.  I am using DHCPv6;  Windows 7 would obtain an address from DHCPv6 and the default route from the router.  The default route would be there (as seen via "route print") for 30 minutes.  Then it would disappear. I found that the default Windows Firewall allows ICMPv6 ONLY from fe80::/64.  Normally, this is fine, however, in our infinite wisdom, we set the router's link-local address to be fe80:42::1  (which isnt part of the fe80::/64 subnet).  If we let it pick its own link-local, (the default) it would have been OK. Thus, the initial default gateway appeared because Windows requested it via Router Solicitation.  But it was unable to hear the periodic Router Advertisement messages after that in order to keep that default route alive.  It timed out after 30 minutes and disappeared. We've since changed our router's link-local address to be fe80::42:1 (which IS part of fe80::/64).

Well - If you have a default ipv6 gateway, all the IPV6 traffic on the lan will try to go there. So, I think if you put a pass-all firewall rule on the lan for anything originating from a 2002 ip and then at the bottom in the advanced section of that rule change the gateway from default top the correct gateway, your traffic will go out over the correct gateway. I have not tried this with IPV6 but seems it should work.

So i was playing with MikroTik RotuerOS and it picks up and distributes ip6 address right away, only config needed is enabling ip6. What is different about how RouterOS is requesting the address vs. pfsense?

Having your ipv6 subnet and IPs become dynamic doesn't make it useless - Just much less useful as a server. Which is probably the intent. Dump the native IPV6 if it becomes annoying and grab a hurricane electric /48 that never changes.

Can you just put them on different LANs or VLANs? Comcast will give you up to 16 /64 prefixes, so you could just put the "open" hosts in one (basically, a DMZ) and the locked down ones in another.

Some more info. I enabled DHCP6 on my WAN side, then went to check the interface status. Turns out the IPv6 of fe80::213:5fff:fe05:bde2 is actually my Gateway IPv6. Should I allow this traffic to go through from my Gateway IPv6? Thanks!

I finally get my IPv6 connexion working with pfSense 2.1.4-RELEASE (i386) . Here are the steps I followed : checked "Allow IPv6" in "System: Advanced: Networking" enabled "Static IPv6" on the WAN interface and set IPV6_ADDR with /128 prefix let "IPv6 Upstream Gateway" to "none" run "route change -inet6 default IPV6_ADDR" (without %pppoe) enabled "Static IPv6" on LAN interface and set IP with /64 prefix checked "Enable DHCPv6 server on LANX interface" in "Services: DHCPv6 server" let "Router Advertisement" to "Disabled" added some IPv6 rules for LANX traffic

Right.. seemingly working when i did the following: Put a notch on "Only request a IPv6 prefix, do not request a IPv6 address " on my WAN dhcp6 setting. Also followed the other advice around and put LAN on "Track interface", added a WAN firewall rule to allow inbound source UDP 547, destination UDP 546 Internal clients get ipv6 address, and get 10/10 on the test-ipv6.com page. Well.. guess every ISP is different perhaps? C