• FTP to IPv6 sites is not working

    4
    0 Votes
    4 Posts
    6k Views
    johnpozJ

    "I think default ftp access is passive mode."

    Well that would depend on the client now wouldn't it - If I ftp from command line in windows defaults to active.  If I type ftp on my ubuntu server its active. Unless I use -P

    -p    Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents
              connections from the outside world back to the client machine. Requires that the ftp server support the
              PASV command. This is the default if invoked as pftp.

    Why do you think ftp helper should be doing anything in pfsense on ipv6?  There is no nat in ip6 - so why would the helper be needed.

    How are you sure you're hitting the ipv6 address?  That site resolves ipv4 as well

    ftp.arnes.si.          7200    IN      A      193.2.1.88

    What I can tell you is I can connect just fine to that server via IPv6 be it passive or active. Snipped a bit out for brevity

    ---
    05:49:25 Status: Connecting to [2001:1470:8000::88]:21…
    05:49:25 Status: Connection established, waiting for welcome message...
    05:49:25 Response: 220-
    05:49:25 Response: 220-  Hello!
    05:49:25 Response: 220-
    05:49:25 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with

    05:49:26 Response: 230 Login successful.

    05:49:26 Status: Connected
    05:49:26 Status: Retrieving directory listing...
    05:49:26 Command: PWD
    05:49:27 Response: 257 "/"
    05:49:27 Command: TYPE I
    05:49:27 Response: 200 Switching to Binary mode.
    05:49:27 Command: EPSV
    05:49:27 Response: 229 Entering Extended Passive Mode (|||24597|)
    05:49:27 Command: LIST
    05:49:27 Response: 150 Here comes the directory listing.
    05:49:27 Response: 226 Directory send OK.
    05:49:27 Status: Directory listing successful
    ---

    active with the right firewall rule to allow the traffic.

    05:53:22 Status: Connecting to [2001:1470:8000::88]:21…
    05:53:22 Status: Connection established, waiting for welcome message...
    05:53:23 Response: 220-
    05:53:23 Response: 220-  Hello!
    05:53:23 Response: 220-
    05:53:23 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with
    05:53:23 Response: 220-  your E-mail address as the password to access the archive.

    05:53:23 Response: 220
    05:53:23 Command: USER anonymous
    05:53:23 Response: 331 Please specify the password.
    05:53:23 Command: PASS **************
    05:53:23 Response: 230 Login successful.

    05:53:24 Status: Connected
    05:53:24 Status: Retrieving directory listing...
    05:53:24 Command: PWD
    05:53:24 Response: 257 "/"
    05:53:24 Command: TYPE I
    05:53:24 Response: 200 Switching to Binary mode.
    05:53:24 Command: EPRT |2|2001:xx:xx:xx::666|2309|
    05:53:24 Response: 200 EPRT command successful. Consider using EPSV.
    05:53:24 Command: LIST
    05:53:24 Response: 150 Here comes the directory listing.
    05:53:25 Response: 226 Directory send OK.
    05:53:25 Status: Directory listing successful
    05:53:29 Status: Retrieving directory listing…
    05:53:29 Command: CWD arnes
    05:53:29 Response: 250 Directory successfully changed.
    05:53:29 Command: PWD
    05:53:29 Response: 257 "/arnes"
    05:53:29 Command: EPRT |2|2001:xx:xx:xx::666|2310|
    05:53:29 Response: 200 EPRT command successful. Consider using EPSV.
    05:53:29 Command: LIST
    05:53:30 Response: 150 Here comes the directory listing.
    05:53:30 Response: 226 Directory send OK.
    05:53:30 Status: Directory listing successful
    ---

    If I don't allow the unsolicited traffic that would be coming from the ftp server in an active mode connection it would fail..  So added this rule real quick to open my ipv6 client up.

    Now what I noticed is that the source port for the active connection to my ports that I sent in the EPRT (port command for ipv6 ftp) is not 20, not normally in ipv4 ftp in active source is 20..  But seems with this ftp server when I tell it hey come connect to me in an active connection his source port is random?  But if you allow the traffic for your ipv6 it works fine.

    You need to know if you're doing active or passive, allow the rules if active.  And double check your own ipv6 connection.  I use he to tunnel since not real happy with comcast native as of yet and pfsense - and tracking seems to change ipv6 range you get all the time..  Guess could prob filter out one of their dhcp servers.. But anyway clearly you can see that site works fine with ipv6.  And pfsense allows it just fine - there would be no helper in IPv6 to change anything.  Look at your firewall log and see what is not working.


  • Alias for dynamic IPv6 subnet?

    3
    0 Votes
    3 Posts
    1k Views
    X

    Hi razzfazz,
    Indeed, I messed up another rule!  :-X
    Tx!

  • IPSec tunnel ending at IPv6

    5
    0 Votes
    5 Posts
    2k Views
    R

    Note that he said '"Allow IPv6" unchecked' – he specifically does not want IPv6.

  • (V)LAN(s) with IPv6 + DHCPv6/RA + DynDNS on Route53, is it possible?

    1
    0 Votes
    1 Posts
    948 Views
    No one has replied
  • PfSense LAN with /48 prefix and home routers

    2
    0 Votes
    2 Posts
    2k Views
    A

    To answer some of my own questions.

    Till now I have not been able to use DHCP-PD on the LAN side of pfSense. Well the client routers (CPEs) get the info but I do not know if the DHCP-PD service of pfSense actually works in creating some dynamic routes, but right now I have kind of given up on trying.
    If any of you know how to utilize DHCP-PD correctly as well as "Services - Router Advertisements - RA Subnet(s)" (from Services - DHCPv6/RA - Router Advertisements) then I will be thrilled to hear about it! :-)

    But in my pursuit in getting the D-LINK DIR-860L to work I have this to report:
    A) I have changed the LAN from a /48 to a /64 network.
    B) I have created an alias for a /56 network (a subnet of the /48 network).
    C) I have created a firewall rule, so that the /56 network can gain access from the LAN of pfSense and out in the world
    as well as a firewall rule on the WAN so traffic can get into that network.
    D) Then I have made a route from the LAN of the pfSense router and onto the /56 network. I have used "System - Routing - Routes".
    E) And then I statically configure the d-link router (meaning no use of pfSense's DHCPv6/DHCP-PD).

    You can see me write about it here in some posts:
    http://forums.dlink.com/index.php?topic=57422.msg225586#msg225586

    So the d-link router works. I have however one outstanding issue:
    That is the d-link router can only gain access to the world (=Internet) and not the LAN of pfSense, which is kind of annoying, because it is then unable to access local services like other servers or computers through IPv6.

    Does anyone of you have some suggestions about how to fix that without using more routers, NICs or VLANs?
    And do you have an idea if the culprit is pfSense, the d-link router or me? ;-)

  • Dynamic /64 / PPPoE / SLAAC?

    3
    0 Votes
    3 Posts
    1k Views
    X

    Hi Zeon,
    Thank you for your reply!
    However, to enable SLAAC on LAN side, pfSense tells me that the LAN interface must have static IP addresses.
    My ISP provides me dynamic addresses (also configured via SLAAC on the WAN side). I'm confused!?

    /x

  • IPv6 Basics Blog

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Using Traffic Limiters for IPv6 while Bridged

    2
    0 Votes
    2 Posts
    1k Views
    J

    On my box it doesn't work at all for IPV6, and I had to resort to traffic shaping queues which are much less practical in my application.

  • Ipv6 address via dhcp however not able to ping

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    2 Posts
    2k Views
    T

    It is working now! My mistake…

    It was my ip6tables on Ubuntu box that was blocking IPv6 connections... I was playing with it last week and forgot about some rules there...

    Sorry about the buzz...

    IPv6 is working smoothly now through PFSense 2.1! Time to disable IPv4 and kiss NAT a goodbye...    ;)

    Long life for this awesome project!! Now IPv6 will fly!    :P

    Tks!
    Thiago

  • IPv6 and PPPoE

    5
    0 Votes
    5 Posts
    3k Views
    E

    I compared the PPP and IPv6 exchanges between the connection with pfSense and the connection with Debian.

    The PPP client is sending a PPP IPV6CP Configuration Request with 5043:b158:000:0000 in both cases and the PPP server 0000:0000:0000:0001.
    Then the server is sending a "Router advertisement from" fe80::1 to ff02::1

    For Debian :
    PPP client is sending a "Router Solicitation" from fe80:5043:b158:0:0 to ff02::2
    PPP server is sending a "Router advertisement" from fe80::1 to fe80:5043:b158:0:0

    For pfSense
    PPP client is sending a "Neighbor Solicitation" from fe80:200:24ff:fecf:28f4 to fe80::1
    PPP client is sending a "Router Solicitation" from fe80:200:24ff:fecf:28f4 to ff02::2
    I don't see any new "Router advertisement" from the PPP server.

    The issue seems to come from the fact that there are 2 IPv6 link-local addresses on the pfSense pppoe interface:
    pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu2
            inet6 fe80::200:24ff:fecf:28f4%pppoe0 prefixlen 64 scopeid 0xd
            inet6 fe80::5043:b158:0:0%pppoe0 prefixlen 64 scopeid 0xd

    I don't know how to fix it.

  • Ipv6 for residential Comcast customers?

    3
    0 Votes
    3 Posts
    1k Views
    B

    "Your CMTS is not supported at this time."

    Oh well…

  • Some problems with IPv6

    3
    0 Votes
    3 Posts
    2k Views
    M

    You're right… sure I've made a mistake the first time I tried...

    But there are still some update problems. When my box reboots, for example, dynamic IP updates fail. So the tunnel doesn't work without my intervention.
    DNS updates fail too.

    Another message that appears and needs to be acknowledged is: There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads {0}

  • PSA Block bogon networks breaks WAN DHCP6

    2
    0 Votes
    2 Posts
    1k Views
    R

    @clinta:

    After struggling with this thinking I was having the DHCP6 won't renew issue others are seeing, I discovered that the firewall was actually blocking the DHCPv6 responses from my ISP (Comcast). Checked the firewall logs and it was the block bogon networks rule. Disabled that option on the wan interface and immediately got my DHCPv6 address and my internal track interface started working.

    Just wanted to save anyone else the trouble of discovering this.

    Thanks for letting me in on that tip. I will have to try this tonight when I get home. I was also having other issues with my Comcast device and that is now fixed. So hopefully I can get this working as I would love to start playing with some firewall rules.

  • IPv6 issues, not getting IPv6 on client, but can ping ip6 websites

    3
    0 Votes
    3 Posts
    6k Views
    L

    More Updates:

    I'm also seeing this error occasionally now as well. It's under my System Logs > General.

    "php: /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid em0 gif0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.5-P1 Copyright 2004-2013 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Wrote 0 leases to leases file. Bound to *:547 Unsupported device type 240 for "gif0" If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please read the section on the README about submitting bug reports and requests for help. Please do not under any circumstances send requests for help directly to the authors of this software - please send them"

    No idea what this error message is trying to tell me, or if it's even causing a problem.

    I took a few screenshots. The only thing I keep reading is that if you can ping an ipv6 address from your pfsense machine everyone keeps saying you don't have a ipv6 allow rule set under firewall rules.

    I have set an ipv6 allow all rule under my WLAN ruleset. My WLAN network is what i'm trying to configure for IPv6.

    IPv6 ping from pfsense box - success:

    My WLAN network, showing IPv6 allow all rule:

    My WAN ruleset, I put an IPv6 allow all rule, though it shouldn't be needed as I'm using a HE tunnel, WAN shouldn't see any IPv6, only IPv4, maybe?

    Checked Diagnostics > pfInfo, this em0 interface is my WLAN network. It shows v6 out working, but v6 in isn't having any data/traffic. I think this is the problem here, problem is I don't know what would control that v6 in flow, as I said I already have an ipv6 allow all rule set on my WLAN firewall ruleset.

    Any ideas based off these images?

    ETA: You may now notice different IPv6 address structure in this post than previous post. I found a post, sorry closed link & don't know where it is anymore, but someone was having trouble with a HE tunnel & he had to delete his tunnel & remade it & his issue was magically fixed. My original tunnel was made Sept 2011, so I deleted it & made another w/o success.

    Update: Tried setting up IPv6 on a server I have on a wired interface to rule out equipment problems. My WLAN uses a powerline network adapter which then runs to the wireless router. I think the powerline network adapter isn't playing nice with IPv6. I believe it's blocking IPv6 communication. I'm going to try running my router w/o that to fix that particular problem. However now on the server I can see the link local talking to my router, but it's still not getting an IPv6. Here is a packet capture of what I see.

    Yes, checked my powerline network adapter. It doesn't support IPv6. So that's why WLAN was having issues. However I can see my server talking to the pfSense router about LL addresses. So i'm not sure why the server isn't getting ipv6.

    For reference the "d0a8" address is the LL of the server. Also now the pfinfo chart shows ip6 in on the server interface. So that's fixed. Any possibilities why i'm still not getting IPv6?

    09:59:02.395087 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::2: ICMP6, router solicitation, length 16
    09:59:02.395296 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    09:59:02.414326 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    09:59:03.413791 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    09:59:05.413737 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    09:59:09.030341 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    09:59:09.413743 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    09:59:14.740678 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    09:59:17.419506 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    09:59:23.399642 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    09:59:33.423158 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    09:59:35.516024 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    09:59:45.561251 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    10:00:05.152375 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    10:00:05.422338 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
    10:00:20.486835 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    10:00:36.010342 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    10:00:48.593356 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
    10:01:00.057210 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120

  • Internet Protocol

    2
    0 Votes
    2 Posts
    1k Views
    P

    That is a huge topic.  It would probably be best to do a little background reading, then come back if you have specific questions related to pfSense.

    To get you started:

    IPv6 Comparison with IPv4: http://en.wikipedia.org/wiki/IPv6#Comparison_with_IPv4
    IPv4 and IPv6: A Comparison: http://www.myitforum.com/articles/1/view.asp?id=6720
    Side-by-Side Difference: http://www.techsutram.com/2009/03/differences-ipv4-vs-ipv6.html

  • Native IPv6 doesn't work.

    8
    0 Votes
    8 Posts
    4k Views
    W

    @Ofloo:

    Listen, I can understand if you didn't "know", but these issues are there from August, we are November, I'm not saying there's any way they should donate their time or whatever, just don't label it stable which was done in September! Even when there were still issues, regarding ipv6.

    You certainly come across as very wound-up by this!  I'm nothing to do with the project. I'm just a fellow user, who is also vaguely disappointed by the quality of the IPv6 support in 2.1-release.  I don't have the time to join the project and fix things, either.

    Stop ranting, because it will achieve nothing, other than possibly to demotivate the one or two people who might be persuadable to actually fix this stuff.

    If you can't live with pfSense for what it is and always will be (very cheap, not very stable) then you should find something better.

  • Automatic Prefix translation

    9
    0 Votes
    9 Posts
    3k Views
    R

    Our rent contract forces us to use this provider and our provider forces the router. Basically we are fucked. I don't want to move just because of this. So I have to live with it.

  • Lost IPV6 - Solution in sight???

    3
    0 Votes
    3 Posts
    2k Views
    J

    Sure, I'd thought of the m0n0wall alternative. It looked like a good alternative, until I discovered it does not support the more advanced schedule features that I require.

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.