I try a ping to the gateway and a remote IPv6 address (from pfSense) every time I make a change to see if it's up, and haven't been able to ping it yet.
Nevertheless, the proper way to set this up should be to set the "DHCPv6 prefix delegation size" on your WAN interface to whatever your provider actually gives you (apparently /48 in your case) and then set your LAN interface to "track interface" with "IPv6 prefix ID" set to one of the possible sub-prefixes (0-ffff for a /48). Does that not work for you?
Yes, you'd need either a second physical interface or a switch that supports VLANs (or at least passes VLAN tags through unmodified).
Unless you actually want to allow all incoming IPv6 traffic from the WAN through to the LAN side (probably not a good idea), you'll have to create pass rules for the services that you want to expose. Because your LAN prefix is dynamically assigned by Comcast (and changes e.g. on every reconnect), you can't (easily) create a pass rule that only applies to your server and not to all the other machines on your LAN as well. An easy way around this problem is to put all your public machines on a separate interface (and prefix) and add a rule that allows the desired traffic to e.g. "OPT1 subnet" (which will just match whatever prefix is assigned to that interface at any given time).
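Added example (not part of the original thread and not pfSense code): a Python model of how a tracked interface's /64 follows from the delegated prefix plus the "IPv6 prefix ID", and why a pass rule aimed at the interface subnet keeps matching only the public segment after the prefix changes while a rule pinned to the old server address stops matching. The function names, the 2001:db8 documentation prefixes, the prefix IDs (0 for LAN, 1 for OPT1) and the host part ::10 are assumptions constructed for illustration.

```python
import ipaddress

def tracked_subnet(delegated, prefix_id):
    """Model of 'track interface': the /64 selected by prefix_id inside the delegation."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation longer than /64 cannot be split into /64s")
    id_bits = 64 - net.prefixlen              # 16 bits for a /48, so IDs 0-ffff
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID must fit in {id_bits} bits")
    # The prefix ID sits directly above the 64-bit interface identifier.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def rule_allows(dst, target):
    """Destination match of a pass rule: an interface subnet or one fixed address."""
    addr = ipaddress.IPv6Address(str(dst))
    if isinstance(target, ipaddress.IPv6Network):
        return addr in target
    return addr == target

def after_renumber(old_pd, new_pd, lan_id=0, opt1_id=1, host=0x10):
    """Compare both rule styles once the provider hands out a new delegation."""
    pinned = tracked_subnet(old_pd, opt1_id)[host]   # rule written for the old address
    lan = tracked_subnet(new_pd, lan_id)
    opt1 = tracked_subnet(new_pd, opt1_id)
    server, lan_host = opt1[host], lan[host]
    return {
        "opt1_subnet": str(opt1),
        "subnet_rule_server": rule_allows(server, opt1),      # server stays reachable
        "subnet_rule_lan_host": rule_allows(lan_host, opt1),  # LAN host stays closed
        "pinned_rule_server": rule_allows(server, pinned),    # stale address, no match
    }

if __name__ == "__main__":
    # Constructed delegations from the documentation range, before and after a reconnect.
    for key, value in after_renumber("2001:db8:aaaa::/48", "2001:db8:bbbb::/48").items():
        print(f"{key}: {value}")
```
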
The 192.168.100.x addresses handed out by DOCSIS modems prior to registration are very short leases, and a proper address provided by your ISP's DHCP server should have been assigned within 30 seconds of the modem completing registration. At this point pfSense should have updated the default route.
If your modem is DOCSIS 3.0 it likely didn't need a firmware update at all. The reconfiguration for IPv6 happens at the CMTS end of the connection with your modem only needing a reset. For a modem to be certified for DOCSIS 3.0 it must support dual stack out of the box.
That said, it would be very nice if the miniupnpd version included in pfSense supported WANIPv6Firewall / pinholes / PCP.
Last time we tried to enable IPv6 for miniupnpd, it broke in various ways. Maybe a newer version would help there, but at the time we tried it, it was the most current version available. It has been a while though, we may revisit that for 2.2.
I'm having the same issue where the WAN IPv6 address does not show up anywhere in the GUI or the SSH menu and also the "WAN address" alias cannot be used for firewall rules.
At the same time, doing an ifconfig on the WAN interface shows there is a public IPv6 address bound to it.
This has been the same for the last month of the 2.1-RC builds and is also the same in 2.1-RELEASE. Supposedly the fix will arrive in 2.1.1-RELEASE.
You're right - link local addresses end with the interface name they're connected via/to. The % is the delimiter char.
Because fe80:: is a /64 there is no way for a host to know which interface it's out unless that info is stored with the IP… think arp tables for each interface in v4-speak.
So you can do things like this to source your ping from em0_vlan200
ping6 fe80::xxxx:xxxx:xxxx:xxxx%em0_vlan200
Or just this to let the host pick the best ipv6 address to source from.
ping6 fe80::xxxx:xxxx:xxxx:xxxx
I'm having a similar issue on the current 2.1 RELEASE. I set my LAN interface as static IPv6, fe80::1/64 and when I bring up the DHCPv6/RA page it is completely blank. Am I configuring this wrong? I'm using DHCPv6 on my Comcast interface and it gets an IP just fine. Just not sure how to get IPs out to my clients with radvd going.
EDIT: I got this going. I switched to using track interface on the LAN and DHCP6 with /64 prefix delegation request on the Comcast WAN and everything came up.