Nevertheless, the proper way to set this up should be to set the "DHCPv6 prefix delegation size" on your WAN interface to whatever your provider actually gives you (apparently /48 in your case) and then set your LAN interface to "track interface" with "IPv6 prefix ID" set to a one of the possible sub-prefixes (0-ffff for a /48). Does that not work for you?

It may have… not sure since it happened overnight. Can't see any logs that would indicate link failure and the link is point to point Ethernet.

Yes, you'd either need either a second physical interface or a switch that supports VLANs (or at least passes VLAN tags through unmodified).

Unless you actually want to allow all incoming IPv6 traffic from the WAN through to the LAN side (probably not a good idea), you'll have to create pass rules for the services that you want to expose. Because your LAN prefix is dynamically assigned by Comcast (and changes e.g. on every reconnect), you can't (easily) create a pass rule that only applies to your server and not to all the other machines on your LAN as well. An easy way around this problem is to put all your public machines on a separate interface (and prefix) and add a rule that allows the desired traffic to e.g. "OPT1 subnet" (which will just match whatever prefix is assigned to that interface at any given time).

The 192.168.100.x addresses handed out by DOCSIS modems prior to registration are very short leases, and a proper address provided by your ISP's DHCP server should have been assigned within 30 seconds of the modem completing registration. At this point pfSense should have updated the default route.

If your modem is DOCSIS 3.0 it likely didn't need a firmware update at all. The reconfiguration for IPV6 happens at the CMTS end of the connection with your modem only needing a reset. For a modem to be certified for DOCSIS 3.0 it must support dual stack out of the box.

It's not avail as a visual option but it is enabled in the mpd config. I know it works cause I requested the option to be enabled over a year ago.

Here is my log file from 2.1 Release with ipv6cp enabled.

Sep 24 14:45:32 ppp: [wan] 894c:be78:d0b8:0407 -> 0090:1a00:0243:0fe0
Sep 24 14:45:32 ppp: [wan] IPV6CP: LayerUp
Sep 24 14:45:32 ppp: [wan] IPV6CP: state change Ack-Sent –> Opened
Sep 24 14:45:32 ppp: [wan] IPV6CP: rec'd Configure Ack #1 (Ack-Sent)
Sep 24 14:45:32 ppp: [wan] IPV6CP: state change Req-Sent –> Ack-Sent
Sep 24 14:45:32 ppp: [wan] IPV6CP: SendConfigAck #161
Sep 24 14:45:32 ppp: [wan] IPV6CP: rec'd Configure Request #161 (Req-Sent)

@razzfazz:

That said, it would be very nice if the miniupnpd version included in pfSense supported WANIPv6Firewall / pinholes / PCP.

Last time we tried to enable IPv6 for miniupnpd, it broke in various ways. Maybe a newer version would help there, but at the time we tried it, it was the most current version available. It has been a while though, we may revisit that for 2.2.

Since the anti-locking rules are applied to the LAN interface.

You should unblock the webUI to be reachble from your WAN interface after that change.

I'm having the same issue where the WAN IPv6 address does not show up anywhere in the GUI or the SSH menu and also the "WAN address" alias can not be used for firewall rules.

At the same time, doing an ifconfig on the WAN interface shows there is a public IPv6 address bound to it.

This has been the same for the last month of the 2.1-RC builds and is also the same in 2.1-RELEASE. Supposedly the fix will arrive in 2.1.1-RELEASE.

ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500         options=80000 <linkstate>inet6 fe80::20d:b9ff:fe2c:f47c%ovpns1 prefixlen 64 scopeid 0xb         inet 10.0.88.1 --> 10.0.88.1 netmask 0xffffff00         inet6 2001:470:xxx:xxx::1 prefixlen 64         nd6 options=3 <performnud,accept_rtadv>Opened by PID 21993</performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast>

Maybe the browsers on the client machines are preferring DHCP with IPV4 DHCP servers.

You're right - link local addresses end with the interface name they're connected via/to.  The % is the delimiter char.
Because fe80:: is a /64 there is no way for a host to know which interface its out unless that info is stored with the IP…. think arp tables for each interface in v4-speak.

So you can do things like this to source your ping from em0_vlan200
ping6 fe80::xxxx:xxxx:xxxx:xxxx%em0_vlan200

Or just this to let the host pick the best ipv6 address to source from.
ping6 fe80::xxxx:xxxx:xxxx:xxxx

I'm having a similar issue on the current 2.1 RELEASE.  I set my lan interface as static IPv6, fe80::1/64 and when I bring up the DHCPv6/RA page it is completely blank.  Am I configuring this wrong?  I'm use DHCPv6 on my Comcast interface and it gets an IP just fine.  Just not sure how to get IP's out to my clients with radvd going.

EDIT:  I got this going.  I switched to using track interface on the LAN and  DHCP6 with /64 prefix delegation request  on the Comcast WAN and everything came up.

SPF is not the same as a PTR, and how would that solve your problem when you just stated that gmail doesn't accept email from servers that don't have PTR.

"FYI - google won't accept email via smtp over IPv6 if you don't have a reverse DNS v6 record for your mailserver's v6 address."

You stated that spf is not sufficient - now your saying it is?

"Having a valid SPF record with IPv6 included isn't sufficient."
"I managed to work around it by updating my SPF record to specifically include a v6 address."

If your isp supplies you with a /64 then they should provide the the ability to update your own ptr.  Hurricane electric allows for this with the /48 or /64s they give you for free.

Who is your isp?

Hi I have been doing lots of tests and the problem is solved.

1. if you are in different subnets then activate System > Advanced > Networking: Allow IPv6. After that enable proper Firewall rules to allow traffic.

2. If you are in the same subnet pFsense does not interfere with AirPlay. In my case the problem was my WiFi Router that didn’t hade enable the IPv6 traffic for internal network.

Sergio Handal.

Ok i guess ill give more info to see troubleshoot the problem. My setup is re0 is my local lan ethernet and re1 is my connection to my adsl modem.
I use PPPoE  on my wan(re1) interface. From what i managed to check so far is that instead of checking pppoe0 interface for my ipv6 address it checks re1.
Maybe i understood wrong when i was selecting re1 as my wan interface? Should i have checked pppoe0? But its not created till i logging thru pppoe so it cant be.
Maybe my set up is not supported for ipv6? And my re1 should have access to ipv6? i.e. I turn my modem back again to a router, it gets an ipv6 address and re1 gets an ipv6 address and everything works?

I access firewalls frequently over IPv6 by hostname (Firefox won't connect to an SSL-enabled IPv6 host by IP address… it's been that way for years and they need to fix that already) and have had no issues.

Do you have the same issue accessing by IPv6 on the LAN? Or just WAN?

I can access a VM here by IP in Chrome over IPv6 and it was OK.

If it was a general POSTing issue, you wouldn't be able to login.

Are you sure you didn't login with an account that you gave the "deny config write" permission to?

Well, managed or assisted, depending on what you need. (E.g., the Bitten Fruit™ machines still use radvd for the privacy IPv6 addresses even with DHCPv6, IIRC.)

Okay thank you.