• IPv6 cheat?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Check out the advanced options on limiters, you can set artificial latency (and loss) there, though that would affect the whole connection and not just the initial packets.
  • IPv6 and Firewall

    5
    0 Votes
    5 Posts
    2k Views
    chpalmerC
    @cmb: Checking "Allow IPv6" only removes the block all inet6 rules. Understood! Your allowing v6 would be on the tunnel, assuming WAN is your Internet connection with v4 only that has the 6to4 tunnel. In that case, your WAN only sees v4 traffic, and your tunnel rules would allow or deny v6 traffic inbound on the tunnel. But my tunnel is part of the WAN page as you can see above. So there are no "tunnel rules" to be had. In fact I must build the rules on the WAN tab for them to be effective. There aren't any rules permitting IPv6 other than what's user-configured. I can guarantee that I've made no rules to allow any IPv6 traffic of any kind from the WAN or any Tunnel side as I've been working on this. In fact I reproduced it on my lab machine tonight. The rules page I posted the shot of above is how I have things set up now. But without any of the v6 rules it readily passes the traffic. I tried this also using DHCP6 on another machine and did not have the same findings.
  • PfSense behind AT&T U-verse NVG589, 6RD, and MTU

    2
    0 Votes
    2 Posts
    5k Views
    P
    @ghsmith: POSTSCRIPT: I am having a minor problem. In the above configuration, if I modify any aspect of the LAN interface in the web configurator, I lose all IPv6 connectivity until I reboot. I think this is because the router advertisement daemon (radvd) dies when I "apply changes". Ya, that is a problem, without a solution that I know of. Making a change, or dropping the link on the LAN interface will do it too. FWIW, I'm on 2.1.1-PRERELEASE (Mar 7) and the problem is there. I restarted the switch pfSense is connected to just today and the LAN lost its IPv6 prefix. Only thing I could do to get it back was reboot pfs. REPORTED HERE: https://forum.pfsense.org/index.php/topic,73492.0.html
  • BUG: DHCPv6 "Deny unknown clients" does not seem to work!

    4
    0 Votes
    4 Posts
    2k Views
    D
    There is no such feature with IPv6. Read: NOT implemented in the DHCP server. Also read RFC 6939. BTW, here's a nice quick summary slideshow on DHCPv6 state/implementation/pitfalls.
  • IPv6 gateway monitoring?

    1
    0 Votes
    1 Posts
    883 Views
    No one has replied
  • DHCP6 Enabled on WAN but no address

    12
    0 Votes
    12 Posts
    3k Views
    A
    Atlantisman: I know this might not be much, but I might have some info you can use.
    Well, first of all, try to take whatever IPv6 (global unicast) address e.g. your computer might have within your google router's IPv6 network. Then visit e.g.: http://ipduh.com/ipv6/whois/ or https://www.ultratools.com/tools/ipv6InfoResult And then copy/paste your IPv6 address and see what subnet prefix (length) you get returned (as well as your ISP's /32 route). Now what is interesting is if the subnet prefix is e.g. /48, /56, /60 or something else. Because even though the google router might give your LAN a /64 prefix it is probably to let SLAAC work. Your actually provided network might be larger e.g. a /56 subnet prefix.
    What you then could do is to set up your pfsense box manually without any fancy configuration but where you just configure your WAN address to be the wan address of your google router (even though you are not going to use the google router of course). Your google router's WAN might have a /64 subnet. But the actual provided network to you might be larger e.g. /48 or /56.
    If you are not provided with the WAN address e.g. by a google manual or a web interface then simply try to: traceroute6 google.com
    The first print out is likely the address of your own router/the google router (your LAN subnet). Then right after this subnet the WAN address of your WAN gateway (not your google router, but the gateway your google router uses) is printed. It might have an address that ends with ::1. Then you are likely to use the same subnet address, but instead it should probably end with ::2 - anyway it does not matter a lot if the WAN subnet is /64 - but it could be /127 - in that case I am not sure how well pfsense works. (pfsense 2.1 does not seem to support /127 addresses when configuring static routes on the LAN site - but that is a whole other story.)
    Thereafter try to set up your LAN. Now if you want to use SLAAC in your LAN you have to use /64 prefix which means you limit your network e.g. if the entire network provided is e.g. /48 or /56. But anyway - you can try to see if it works taking the lower /64 part of the larger network. If it works you can try to take the next /64 prefix and see if that also works and let you have traffic route out and into your network. Remember to set https://your_router/services_router_advertisements.php?if=lan (Services DHCPv6 Server/RA - Router Advertisements) to either Managed or assisted (depending on what you want).
    Else you might want to use wireshark again on the WAN interface but this time searching for http://wiki.wireshark.org/ICMPv6 ICMPv6 packets regarding http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol#Technical_details . If some of it works then fine else try to see if your google router has a web interface (located as the default route address - perhaps some:address::1 ) with some configuration info. E.g. if the google router uses PPP. Actually here is a site that has a PPP example with ICMPv6 with a screen shot from something that looks like wireshark: https://sites.google.com/site/amitsciscozone/home/ppp/ipv6-ipv4-over-ppp
    Hope you can use at least some of it :-) Cheers Anders
  • IPv6 working with ASUS RT-N66U not pfSense?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PfSense Release 2.1 Broken IPv6 PPPoE/SLAAC

    6
    0 Votes
    6 Posts
    5k Views
    C
    @bruor: …. This almost seems like a routing issue. If anyone can help suggest ways to narrow this down or find any changes that may have caused this glitch I'd be grateful. I'm willing to reboot my firewall a few times in the name of making this a better product! pfSense-Full-Update-2.1.1-PRERELEASE-amd64-20140221-1118.tgz fixes this for me - outbound connections now get sent to the default IPv6 gateway via the PPPoE interface, not via re0_vlan10 (which is my "physical" interface that PPP packets arrive on.) Hasn't fixed the IPv6 connections coming in from the internet, like email delivery or web browsing into my server yet.
  • Ipv6 comcast

    35
    0 Votes
    35 Posts
    13k Views
    E
    Give a try with a snapshot from late tomorrow since behaviour should be improved.
  • Link local continuous ping? (Solved)

    2
    0 Votes
    2 Posts
    1k Views
    R
    Never mind. Apparently apinger was restarting after being stopped. Just disabled it for each of the gateways and all is good now.
  • IPv6 configured properly but can't configure hosts in the LAN

    6
    0 Votes
    6 Posts
    5k Views
    A
    Happy to hear it worked out in the end :)
  • IPv6 6RD tunnel with Telia Sweden. Not working?

    2
    0 Votes
    2 Posts
    2k Views
    S
    Hi Pertan, I'm not sure you will be able to get 6RD working with 2.1. I'm using 6RD with a 2.1 build from way back in January 2013 & it works great, but sometime after that there were some changes made that broke 6RD and I was never able to get it working again. Here's the ticket I have open on this problem: https://redmine.pfsense.org/issues/2882 There are some allusions to a mis-configuration but I was never able to divine out what that mis-configuration might be. Currently the problem, whatever it might be, is scheduled to be in pfsense 2.2 but I'm afraid that proper ipv6 will be in general use before that ships. -Will
  • FTP to IPv6 sites is not working

    4
    0 Votes
    4 Posts
    6k Views
    johnpozJ
    "I think default ftp access is passive mode."
    Well that would depend on the client now wouldn't it - If I ftp from command line in windows defaults to active. If I type ftp on my ubuntu server it's active. Unless I use -P
    -p    Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires that the ftp server support the PASV command. This is the default if invoked as pftp.
    Why do you think ftp helper should be doing anything in pfsense on ipv6? There is no nat in ip6 - so why would the helper be needed. How are you sure you're hitting the ipv6 address? That site resolves ipv4 as well
    ftp.arnes.si.          7200    IN      A      193.2.1.88
    What I can tell you is I can connect just fine to that server via IPv6 be it passive or active. Snipped a bit out for brevity
    ---
    05:49:25 Status: Connecting to [2001:1470:8000::88]:21…
    05:49:25 Status: Connection established, waiting for welcome message...
    05:49:25 Response: 220-
    05:49:25 Response: 220-  Hello!
    05:49:25 Response: 220-
    05:49:25 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with
    05:49:26 Response: 230 Login successful.
    05:49:26 Status: Connected
    05:49:26 Status: Retrieving directory listing...
    05:49:26 Command: PWD
    05:49:27 Response: 257 "/"
    05:49:27 Command: TYPE I
    05:49:27 Response: 200 Switching to Binary mode.
    05:49:27 Command: EPSV
    05:49:27 Response: 229 Entering Extended Passive Mode (|||24597|)
    05:49:27 Command: LIST
    05:49:27 Response: 150 Here comes the directory listing.
    05:49:27 Response: 226 Directory send OK.
    05:49:27 Status: Directory listing successful
    ---
    active with the right firewall rule to allow the traffic.
    05:53:22 Status: Connecting to [2001:1470:8000::88]:21…
    05:53:22 Status: Connection established, waiting for welcome message...
    05:53:23 Response: 220-
    05:53:23 Response: 220-  Hello!
    05:53:23 Response: 220-
    05:53:23 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with
    05:53:23 Response: 220-  your E-mail address as the password to access the archive.
    05:53:23 Response: 220
    05:53:23 Command: USER anonymous
    05:53:23 Response: 331 Please specify the password.
    05:53:23 Command: PASS **************
    05:53:23 Response: 230 Login successful.
    05:53:24 Status: Connected
    05:53:24 Status: Retrieving directory listing...
    05:53:24 Command: PWD
    05:53:24 Response: 257 "/"
    05:53:24 Command: TYPE I
    05:53:24 Response: 200 Switching to Binary mode.
    05:53:24 Command: EPRT |2|2001:xx:xx:xx::666|2309|
    05:53:24 Response: 200 EPRT command successful. Consider using EPSV.
    05:53:24 Command: LIST
    05:53:24 Response: 150 Here comes the directory listing.
    05:53:25 Response: 226 Directory send OK.
    05:53:25 Status: Directory listing successful
    05:53:29 Status: Retrieving directory listing…
    05:53:29 Command: CWD arnes
    05:53:29 Response: 250 Directory successfully changed.
    05:53:29 Command: PWD
    05:53:29 Response: 257 "/arnes"
    05:53:29 Command: EPRT |2|2001:xx:xx:xx::666|2310|
    05:53:29 Response: 200 EPRT command successful. Consider using EPSV.
    05:53:29 Command: LIST
    05:53:30 Response: 150 Here comes the directory listing.
    05:53:30 Response: 226 Directory send OK.
    05:53:30 Status: Directory listing successful
    ---
    If I don't allow the unsolicited traffic that would be coming from the ftp server in an active mode connection it would fail.. So added this rule real quick to open my ipv6 client up. Now what I noticed is that the source port for the active connection to my ports that I sent in the EPRT (port command for ipv6 ftp) is not 20, not normally in ipv4 ftp in active source is 20.. But seems with this ftp server when I tell it hey come connect to me in an active connection his source port is random? But if you allow the traffic for your ipv6 it works fine.
    You need to know if you're doing active or passive, allow the rules if active. And double check your own ipv6 connection. I use he to tunnel since not real happy with comcast native as of yet and pfsense - and tracking seems to change ipv6 range you get all the time.. Guess could prob filter out one of their dhcp servers.. But anyway clearly you can see that site works fine with ipv6. And pfsense allows it just fine - there would be no helper in IPv6 to change anything. Look at your firewall log and see what is not working.
    [image: ipv6rules.png] [image: logsofrules.png]
  • Alias for dynamic IPv6 subnet?

    3
    0 Votes
    3 Posts
    1k Views
    X
    Hi razzfazz, Indeed, I messed up another rule!  :-X Tx!
  • IPSec tunnel ending at IPv6

    5
    0 Votes
    5 Posts
    2k Views
    R
    Note that he said '"Allow IPv6" unchecked' – he specifically does not want IPv6.
  • (V)LAN(s) with IPv6 + DHCPv6/RA + DynDNS on Route53, is it possible?

    1
    0 Votes
    1 Posts
    999 Views
    No one has replied
  • PfSense LAN with /48 prefix and home routers

    2
    0 Votes
    2 Posts
    2k Views
    A
    To answer some of my own questions. Till now I have not been able to use DHCP-PD on the LAN side of pfSense. Well the client routers (CPEs) get the info but I do not know if the DHCP-PD service of pfSense actually works in creating some dynamic routes, but right now I have kind of given up on trying. If any of you know how to utilize DHCP-PD correctly as well as "Services - Router Advertisements - RA Subnet(s)" (from Services - DHCPv6/RA - Router Advertisements) then I will be thrilled to hear about it! :-)
    But in my pursuit in getting the D-LINK DIR-860L to work I have this to report:
    A) I have changed the LAN from a /48 to a /64 network.
    B) I have created an alias for a /56 network (a subnet of the /48 network).
    C) I have created a firewall rule, so that the /56 network can gain access from the LAN of pfSense and out in the world as well as a firewall rule on the WAN so traffic can get into that network.
    D) Then I have made a route from the LAN of the pfSense router and onto the /56 network. I have used "System - Routing - Routes".
    E) And then I statically configure the d-link router (meaning no use of pfSense's DHCPv6/DHCP-PD).
    You can see me write about it here in some posts: http://forums.dlink.com/index.php?topic=57422.msg225586#msg225586
    So the d-link router works. I have however one outstanding issue: That is the d-link router can only gain access to the world (=Internet) and not the LAN of pfSense, which is kind of annoying, because it is then unable to access local services like other servers or computers through IPv6. Does anyone of you have some suggestions about how to fix that without using more routers, NICs or VLANs? And do you have an idea if the culprit is pfSense, the d-link router or me? ;-)
  • Dynamic /64 / PPPoE / SLAAC?

    3
    0 Votes
    3 Posts
    2k Views
    X
    Hi Zeon, Thank you for your reply! However, to enable SLAAC on LAN side, pfSense tells me that the LAN interface must have static IP addresses. My ISP provides me dynamic addresses (also configured via SLAAC on the WAN side). I'm confused!? /x
  • IPv6 Basics Blog

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Using Traffic Limiters for IPv6 while Bridged

    2
    0 Votes
    2 Posts
    1k Views
    J
    On my box it doesn't work at all for IPV6, and I had to resort to traffic shaping queues which are much less practical in my application.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.