@athurdent:

I think you would need an extra /64 (or bigger) IPv6 subnet routed to your WAN IPv6 IP by your provider. You should use the /64 only as transport net between your VM and the provider router. You can use that extra /64 net on the LAN side for DHCP then.

He is indeed correct. You need a subnet routed to an address in your linking subnet. Typically here in New Zealand we are given a /64 or /112 linking subnet between our router and the ISP. The ISP then tells us what /48 or /56 subnet they will route us and to which IP address in the linking range. We then set the PFsense WAN to that address and it works great.

@athurdent:

As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
http://forum.pfsense.org/index.php/topic,65123.0.html

Right, but that is another access I use.  German Telekom does not equip every access with dual stack, the older ones are only IPv6 by 6to4.

Cheers,

4920441

Goes nowhere. From my POV, blocking ICMP is a pretty useless and as far as IPv6 goes, also completely broken idea. So, we'll agree to disagree.

I talked to CMB a few weeks ago and he probably will consider NAT66…
There really are use cases for NAT66. As i told earlier especiallay if you have to use ISP hardware that cannot be changed, doesn't get reconfigured, too small delegated prefix etc...

Thanks for the bridging Firewall info, that could be of help. Didn't think of that :-)

Allthough NAT is bad in general it wouldn't be too hard to implement it in pfSense; PF supports NAT66 and it would only require small change to the GUI.

There has been even code for the pfSense GUI

https://github.com/pfsense/pfsense/pull/427   <- even discussed on the forum here…

We are in talks with QSC. They will setup correct Prefix Delegation, so that we hopefully have autoconfiguration pwith pfsense.

+1 on that, need a tunnel iface for that with WAN as parent, not ethernet. The howto should get you started pretty quickly.

IPV6LAN
Use the HE client IPv6 address as the interface IPv6 address

IPV6DMZ
You’re going to type your HE client IPv6 address into the IPv6 address box.

And if not what kind of IPv6 adrdress I should use :) instead of the one in the manual?

Kind regards
Simon

I don't use snort for anything; not worth the myriad of false positives.

No, you don't need any second range from another tunnel broker. Please, read the howto more carefully, it works perfectly fine.

Use 2.1RC snapshots.

P.S. You need at least /64 to get usable IPv6 on a router (one network); /56 or better for multiple subnets. /128 is definitely useless (very much doubt it's the case anyway).

that's it: I deleted dhcpd6.leases  and dhcpd6.leases~ in /var/dhcpd/var/db

solved

That said, there are still some issues being sorted out with DHCP-PD; see this thread in the 2.1 snapshot section.

According to this article: http://www.zw3b.fr/linux/reseaux/ipv6-derriere-une-freebox-routeur-linux

My ISP (Free), send a /64 prefix, which does not allow to have sub-networks.

So one of the solution is to create a bridge between LAN and WAN.
with:

ebtables -t broute -A BROUTING -p ! ipv6 -j DROP
brctl addbr br0
ifconfig br0 up
brctl addif br0 eth0
brctl addif br0 eth1

I have created a bridge in >Interfaces > Bridge
BRIDGE0 : WAN, LAN

But what else now?