lol alwas something simple. thank-you rody

I finally got all my stuff configured tonight, and had this issue at first but I have been able to make rules that allow my systems to be accessible from the internet.  I followed thishttp://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker ipv6 guide to setup my connection with HE and then added a rule like you see below, before putting in the rule I was unable to ping my ipv6 address or connect to anything on my ipv6 address (going outbound was fine).  Basically it is a rule for the opt interface i created for the ipv6 that is an allow everything ipv6 with a desitination of my server ipv6 address. Here is a paste of HE portscan and ping test for my ipv6 ip after i put this rule in. Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-24 21:07 PDT Interesting ports on 2001:470:x:xx::ff78: Not shown: 999 closed ports PORT  STATE SERVICE 22/tcp open  ssh Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds [image: ipv6ruleed.png] [image: ipv6ruleed.png_thumb]

i think they are suggesting using prefix delegation with dhcp 6. Set the wan to dhcp6 and set the prefix size to 56. On the lan page you can select track interface for ipv6 and fill in a number. 0 is fine too. That should be it although you might need a reboot. I think the current version goes about it better.

There might be a race condition here where it has not yet set the LAN address to ::1. I'm still considering switching out the wide dhcp6 client since others have reported it going away without any logs. It's been on the roadmap for a while, looks it needs to happen. The intention is to always configure <prefix>::1 on the router for the sake of simplicity.</prefix>

Hey thanks, see, important info!  ;D

Just did a gitsync, and checked the doc - yup that should work, thanks!

I tried to enable track interface on a couple of my LAN-interfaces. What happens, is that both interfaces get the same link local address, fe80::1:1 (loopback ip?) Even when i disable IPv6 on both these interfaces, fe80::1:1 is still the active link local address. I have two physical interfaces, one for WAN and one where all my LAN interfaces are VLAN-tagged. All LAN and OPT-interfaces are renamed. The log also outputs this when i track the WAN-interface: Jul 7 12:38:57 php: /interfaces.php: Accept router advertisements on interface re0_vlan112 Jul 7 12:38:57 check_reload_status: Reloading filter Jul 7 12:39:00 dhcp6c[4326]: dhcp6_ctl_authinit: failed to decode base64 string Jul 7 12:39:00 dhcp6c[4326]: dhcp6_ctl_authinit: failed to decode base64 string Jul 7 12:39:00 dhcp6c[4326]: client6_init: failed initialize control message authentication Jul 7 12:39:00 dhcp6c[4326]: client6_init: failed initialize control message authentication Jul 7 12:39:00 dhcp6c[4326]: client6_init: skip opening control port Jul 7 12:39:00 dhcp6c[4326]: client6_init: skip opening control port

Hey John, When are you guys planning on rolling IPv6 out to Business Class customers? I've been dying to implement IPv6 at work haha. We have a SMCD3G-CCR modem, which doesn't appear to be certified for IPv6 yet on your mydeviceinfo site. Thanks, Derek

Now that I know what to look for, I might be able to catch whatever caused the problem next time it happens. I'll post here again if I can get this info. I did notice a problem with connectivity today. Inbound connections were not being routed to hosts behind pfsense. The packets would arrive but pfsense would drop them. Outbound connections worked so it was like being under NAT. After I rebooted pfsense, all inbound connections worked and the /128 address of pfsense shows up in traceroutes. The /128 definitely seems needed for normal operation at least with my config with Comcast.

Which I do but it does become a bit of a pain to click through roughly 50 rules when you have those nice check boxes right beside each one that could be tied to a disable/enable button.

@databeestje: Do you even see a ipv6 autoconfigured address on the wan? Nope, my problem is not that i cant communicate via ipv6, but that i dont get one at all on the wan interface. Could be that whatever segment i am on from my ISP, ipv6 is just not enabled at all. Well.. some day :) C

The combined protocol rules are pretty new, so if it doesn't work let us know.

Finally, the problem was resolved by deleting the HE tunnel and creating a new tunnel as suggested by databeestje (thanks).

Never touched that part. Add a redmine ticket for it. i hope i can get to it next week. Might be small. Don't know.

@jimp: Netflix turned on IPv6 for streaming, so I bet he.net and friends are really feeling a bit of a bandwidth spike. :-) I've been expecting the day that happens is the day they stop offering free IPv6 tunnels (as tons of people outside the US will start using it to have US IPs), so we'll see. They do appear to put a 1 Mb limit on the tunnels at least at times, sometimes I can get 10+ Mbps, sometimes it flatlines right at 1 Mb, so that's not all that useful for Netflix given the highest quality SD stream seems to be around 3-4 Mbps continuous.

I did a whitelist for pfBlocker, will test when it changes IP (is working fine atm). Also, Snort isn't showing any IPv6 attack, only IPv4.  So it needs to gets updated.

Got my fiber installed today, finally. 6RD worked like a charm, so obviously my problems were related to PPP for some reason. I'm happy, but if you'd like to continue to pursue this and need any more data from me, just let me know. Thanks.

@cmb: NAT is the most common solution there. Or if you have a requirement for public IPs directly on servers, a separate private subnet on a VLAN. Best to isolate hosts that are publicly reachable and those that aren't anyway. Thanks fort he advice - added in a separate NIC onto PFsense and made a separate network for servers requiring public IPs. Works fine. Only thing is I needed to set a manual oubound NAT rule for the private IPv4 interface range

Yes there are now official snapshots, we have not blessed a particular one for general consumption though, although we do have fixed a largish list of bugs. You can find them at http://snapshots.pfsense.org

Yup should work fine  :D