I'm sorry but enabling privacy extensions on a router does not make any sense. You will want to enable these on your clients.

NAT64 allows an IPv6 only client to reach an IPv4 server [1]. There exists an implementation for OpenBSD [2] but probably not yet for FreeBSD. If I remember correctly the targeted version was once FreeBSD 9, but Ermal might know better as he is/was involved [3,4].

[1] http://www.slideshare.net/IOSHints/nat64-and-dns64-in-30-minutes
[2] http://ecdysis.viagenie.ca/
[3] http://lists.freebsd.org/pipermail/freebsd-pf/2011-February/006011.html
[4] http://lists.freebsd.org/pipermail/freebsd-pf/2012-January/006411.html

After talking with my ISP, wondering why it is that the tunnel to them doesnt work

They informed me I did have IPV6 enabled in the control panel when I log in to check my account ::)

Just need to swap some details over once i get home, makes me wonder why it is I went through the hassle of the one for SixXS, lol

Regardless of NAT or no NAT, you can still firewall it so that only connections to the ports you allow through to each system will pass through the router.

@johnpoz:

^ so your quoting

http://www.ipv6now.com.au/primers/benefits.php

Why??  Your other post is gibberish as well.  Thinking your going to start spamming some sort of nonsense as soon as you can post links?

Better to use the option to notify moderators so we know about them.

I tried to ping even the firewall and there's no response.
yes rules are in place to allow all v6 to all and nothing

I double checked again today the v6 tunnels functionality…
ran a ping to google from my pf box...

PING google.com (173.194.33.35) from 68.150.1xx.xxx: 56 data bytes
64 bytes from 173.194.33.35: icmp_seq=0 ttl=56 time=74.204 ms
64 bytes from 173.194.33.35: icmp_seq=1 ttl=56 time=75.006 ms
64 bytes from 173.194.33.35: icmp_seq=2 ttl=56 time=73.949 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 73.949/74.386/75.006/0.450 ms
PING6(56=40+8+8 bytes) 2001:470:x:xxx::x --> 2607:f8b0:400a:801::1007
16 bytes from 2607:f8b0:400a:801::1007, icmp_seq=0 hlim=59 time=57.728 ms
16 bytes from 2607:f8b0:400a:801::1007, icmp_seq=1 hlim=59 time=59.010 ms
16 bytes from 2607:f8b0:400a:801::1007, icmp_seq=2 hlim=59 time=58.224 ms

--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 57.728/58.321/59.010/0.528 ms

This already happen.

I find a pfsense Bugtrack. Maybe this is the Problem

http://redmine.pfsense.org/issues/2483

I'm trying to set a IP alias for the WAN Interface.

Is there a workaround ? Like over the CLI ??

I found this Link  but I can't find the rc.conf file in pfsense.

http://lists.freebsd.org/pipermail/freebsd-questions/2009-February/192845.html

The IPv4 and IPv6 that i get over DHCP from the ISP are working. The IPv6 that I get from the DHCP is in the same Range (/64).

Update

I upgraded to the newest Version of pfsense (BETA 0 ) now the Virtual IP Addresses for v6 are working

Closed

lol alwas something simple.

thank-you
rody

I finally got all my stuff configured tonight, and had this issue at first but I have been able to make rules that allow my systems to be accessible from the internet.  I followed thishttp://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker ipv6 guide to setup my connection with HE and then added a rule like you see below, before putting in the rule I was unable to ping my ipv6 address or connect to anything on my ipv6 address (going outbound was fine).  Basically it is a rule for the opt interface i created for the ipv6 that is an allow everything ipv6 with a desitination of my server ipv6 address.

Here is a paste of HE portscan and ping test for my ipv6 ip after i put this rule in.

Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-24 21:07 PDT
Interesting ports on 2001:470:x:xx::ff78:
Not shown: 999 closed ports
PORT  STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

ipv6ruleed.png
ipv6ruleed.png_thumb

i think they are suggesting using prefix delegation with dhcp 6.

Set the wan to dhcp6 and set the prefix size to 56.

On the lan page you can select track interface for ipv6 and fill in a number. 0 is fine too.

That should be it although you might need a reboot. I think the current version goes about it better.

There might be a race condition here where it has not yet set the LAN address to ::1.

I'm still considering switching out the wide dhcp6 client since others have reported it going away without any logs. It's been on the roadmap for a while, looks it needs to happen.

The intention is to always configure <prefix>::1 on the router for the sake of simplicity.</prefix>

Hey thanks, see, important info!  ;D

Just did a gitsync, and checked the doc - yup that should work, thanks!

I tried to enable track interface on a couple of my LAN-interfaces.
What happens, is that both interfaces get the same link local address, fe80::1:1 (loopback ip?)
Even when i disable IPv6 on both these interfaces, fe80::1:1 is still the active link local address.

I have two physical interfaces, one for WAN and one where all my LAN interfaces are VLAN-tagged. All LAN and OPT-interfaces are renamed.

The log also outputs this when i track the WAN-interface:

Jul 7 12:38:57 php: /interfaces.php: Accept router advertisements on interface re0_vlan112
Jul 7 12:38:57 check_reload_status: Reloading filter
Jul 7 12:39:00 dhcp6c[4326]: dhcp6_ctl_authinit: failed to decode base64 string
Jul 7 12:39:00 dhcp6c[4326]: dhcp6_ctl_authinit: failed to decode base64 string
Jul 7 12:39:00 dhcp6c[4326]: client6_init: failed initialize control message authentication
Jul 7 12:39:00 dhcp6c[4326]: client6_init: failed initialize control message authentication
Jul 7 12:39:00 dhcp6c[4326]: client6_init: skip opening control port
Jul 7 12:39:00 dhcp6c[4326]: client6_init: skip opening control port

Hey John,

When are you guys planning on rolling IPv6 out to Business Class customers? I've been dying to implement IPv6 at work haha. We have a SMCD3G-CCR modem, which doesn't appear to be certified for IPv6 yet on your mydeviceinfo site.

Thanks,
Derek

Now that I know what to look for, I might be able to catch whatever caused the problem next time it happens. I'll post here again if I can get this info.

I did notice a problem with connectivity today. Inbound connections were not being routed to hosts behind pfsense. The packets would arrive but pfsense would drop them. Outbound connections worked so it was like being under NAT. After I rebooted pfsense, all inbound connections worked and the /128 address of pfsense shows up in traceroutes. The /128 definitely seems needed for normal operation at least with my config with Comcast.

Which I do but it does become a bit of a pain to click through roughly 50 rules when you have those nice check boxes right beside each one that could be tied to a disable/enable button.

@databeestje:

Do you even see a ipv6 autoconfigured address on the wan?

Nope, my problem is not that i cant communicate via ipv6, but that i dont get one at all on the wan interface.

Could be that whatever segment i am on from my ISP, ipv6 is just not enabled at all.

Well.. some day :)

C

The combined protocol rules are pretty new, so if it doesn't work let us know.

Finally, the problem was resolved by deleting the HE tunnel and creating a new tunnel as suggested by databeestje (thanks).