Correct, you make firewall rules on the ipv6 interface to allow traffic into your lan ipv6 address. It is routing as it should.

Default firewall rule is to block everything and allow what you need.

@codemaster:

@Daboom

I'm using PPPoE connection too on my pfsense and running IPv6 from he.net . I haven't got any issue regarding default gateway on IPv4 or IPv6. But i noticed that your connection is pppoe1 unline me, my interface shows pppoe0

pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492         inet6 fe80::205:5dff:fe7b:b589%pppoe0 prefixlen 64 scopeid 0x8         inet 60.xxx.xxx.xxx --> 219.xxx.xxx.xxx netmask 0xffffffff         nd6 options=3<performnud,accept_rtadv></performnud,accept_rtadv></up,pointopoint,running,noarp,simplex,multicast>

I know maybe it's not an issue whether it's pppoe0 or pppoe1, but that's what i found in my interface assignment and plus i've managed to surf IPv6 sites without any problem now. Do tell me if you need further info on my conf

I used to use a HE ipv6 tunnel but now I am using my isp's beta ipv6 program which requires me to use a second pppoe login which get's both a ipv4 and ipv6 info from my isp via ipcp and pppoe. anyways I still have to add the default ipv6 route to the system after a reboot or reconnect.

the resolvers at work direct queries to the root servers and that won't work. Unless the server that talks to the root is on the whitelist it's a no-go.

I have a forwarder statement for bind at work so that it uses the HE server for facebook, google etc.

Here is the log of racoon not working…

Sep 13 09:00:29 racoon: [VPN1]: [205.xx.xx.115] ERROR: can't start the quick mode, there is no ISAKMP-SA, a5ae34896d5cf232:2e28fa92fa0948f8:000086d1 Sep 13 09:00:16 racoon: ERROR: failed to start post getspi. Sep 13 09:00:16 racoon: ERROR: encryption 7 failed. Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed Sep 13 09:00:16 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500] Sep 13 09:00:16 racoon: [VPN2]: INFO: ISAKMP-SA established 24.xx.xx.7[500]-24.xx.xx.69[500] spi:ab349cae70c29beb:47be8288014e0c1b Sep 13 09:00:16 racoon: ERROR: encryption 7 failed. Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed Sep 13 09:00:16 racoon: [VPN2]: [24.xx.xx.69] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. Sep 13 09:00:15 racoon: INFO: begin Aggressive mode. Sep 13 09:00:15 racoon: [VPN2]: INFO: initiate new phase 1 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500] Sep 13 09:00:15 racoon: [VPN2]: INFO: IPsec-SA request for 24.xx.xx.69 queued due to no phase1 found. Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.69.7.0/24[0] 10.77.2.0/24[0] proto=any dir=in Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.69.7.0/24[0] proto=any dir=out Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.9.143.0/24[0] 10.77.2.0/24[0] proto=any dir=in Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.9.143.0/24[0] proto=any dir=out Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.77.2.0/24[0] proto=any dir=in Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::/64[0] 2001:470:xx:dcb::1/128[0] proto=any dir=in Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::1/128[0] 2001:470:xx:dcb::/64[0] proto=any dir=out Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.77.2.1/32[0] proto=any dir=in Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.1/32[0] 10.77.2.0/24[0] proto=any dir=out Sep 13 09:00:12 racoon: INFO: unsupported PF_KEY message REGISTER Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used as isakmp port (fd=15) Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used for NAT-T Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used as isakmp port (fd=14) Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used for NAT-T Sep 13 09:00:12 racoon: INFO: Reading configuration from "/var/etc/racoon.conf" Sep 13 09:00:12 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/) Sep 13 09:00:12 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) Sep 13 09:00:06 racoon: INFO: racoon process 25694 shutdown Sep 13 09:00:06 racoon: ERROR: encryption 7 failed. Sep 13 09:00:06 racoon: ERROR: OpenSSL function failed Sep 13 09:00:06 racoon: INFO: caught signal 15 Sep 13 09:00:04 racoon: ERROR: failed to start post getspi. Sep 13 09:00:04 racoon: ERROR: encryption 7 failed. Sep 13 09:00:04 racoon: ERROR: OpenSSL function failed Sep 13 09:00:04 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]

Here is the result of ps

# ps -A|grep racoon 28441  ??  Ss    0:00.02 /usr/local/sbin/racoon -f /var/etc/racoon.conf 29993  0  R+    0:00.00 grep racoon

When I use the exact same command from a ssh shell it works.

@johnpoz:

isn't all traffic that is blocked by the default rule logged?  So it must be allowing multicast on ipv4?  But not on ipv6 link-local addresses?

exactly. Your LAN rules aren't permitting your link local sourced traffic, where with v4 they're sourced from a LAN IP which is permitted. Granted it's not forwarding that multicast traffic, but it's not blocking it either with v4.

Thank you, this worked. If anyone wants to upgrade to IPv6 & is having problems due to freebsd ftp servers not serving git correctly.

Go here, http://www.freebsd.org/doc/handbook/mirrors-ftp.html

I used Primary mirror sites. Find a link to git. Pathname should be similar to the denied pathname that it was unable to find on main freebsd server. Do sudo su, then run pkg_add -r <url to="" git.tbz="">. Installed it for me, then it worked.</url>

Yeee, the method I mentioned before can work perfectly. :-)
However, it seems Captive Portal cannot save most configuration. Why? I think I should open a new thread on this.

Hey wagonza, thanks for the reply!

I'm won't have the time today to futz around with it, but will tomorrow… and iirc, I used to have all that info plugged in to the DHCP server config page but then pulled it out for some reason or another. I'll replace it all tomorrow and post back, but that makes total sense, thanks again man!

added validation to only pick up on ipv6 nameservers.

@kionez:

Where I'm wrong? I've installed from a wrong source?

I've just missed a step!

Updated to "2.1-DEVELOPMENT (i386) built on Mon Sep 5 04:07:51 EDT 2011" via Auto Update, then gitsync and now /sbin/route seems working fine.

If i remove the default route for inet6, then "change" it ,route gives "No such process" error, but then the new default is set!

thanks

k.

Ok, I've edited the original fbegin.inc with the necessary layout changes to make it work with the widescreen package. I've uploaded a copy here and I found a thread discussing a similar issue in the packages forum where I've also uploaded it.

Edit: Sorry, the version of fbegin.inc I had didn't have the DHCPv6 Relay link in the Services menu. I've reuploaded the new version.

fbegin.inc.txt

Thanks!!!  ;D I'm back up and running.

Hmm. Tried again today to go from my working snap 08/05 to the latest…
IPv6 connection wasn't working and also WLAN was broken...the SSID showed up but my iPhone didn't get an ip address assigned...

Well back to my good ole snap then ;-)

that one should be fixed right about now, was introduced when I added link local gateways support (which is completely valid).

The gogo client is not supported yet. It's on the todo list for dynamic tunnels.
Jim added a HE.net dyndns type that will fixup the tunnel IP for you if you change WAN address. The Sixxs tunnel obviously can't do that.

The gogo client is a nice way to completely autoconfigure the entire machine, but that doesn't fit well with the rest of the pfSense mechanics.

Thanks to CMB, i found my problem.

I had an old dhcp config for this interface. I had to delete it manualy from the XML config, then restore it.
Now working flawlessly :)

Well, normall filterdns does that, but some other parts of the system might use host instead.

Filterdns definitely used for the aliases and firewall rules though.
But resolving from the firewall is not the issues that others are seeing, with dig or otherwise.

Okay, thanks.  I gave it a try using managed, just so dns would work right.  So far, so good - I pass the test-ipv6 site :)  Great work on this!

If you save the alias and then edit it should work. Known issue that needs a javascript person to look at.

It's already fixed in git, a sync should just pick it up.