• Newbie Problems

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    D

    You can use the pfSense 2.0 image and then overlay the ipv6 tree via gitsync

  • IPv6 Not Stable

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D

    When there is no status file we show gathering data. When we 1st write out the status file it is online until apinger marks it down after 10 timeouts.

  • UPnP dont work with IPV6

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D

    There already is an open ticket in redmine for importing a newer upnpd binary that supports some bare ipv6 and the ipv6firewallcontrol function from the igd 2.0 specification.

  • Generate rules

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    M

    @iFloris:

    The above code works fine for me. I had to add "; to the end of line 2337.

        $ipfrules .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";

    I'm sorry, ";" was eaten by copy-paste.

  • Strange error message about bogonsv6

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    I

    @Michael:

    because of this: http://forum.pfsense.org/index.php/topic,40953.msg215068.html#msg215068

    Thanks for the catch, I've fixed that line and everything seems fine so far.

  • Which nanobsd image for 512MB CF?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    L

    Thanks for the info.  I just realized that after I got console connectivity into the device.  Boooo.  I managed to install the 2.0 official release but it was just not usable at all.  I'll probably wait to get myself one of the ALIX setups instead.

    LoboTiger

  • Will 2.0 upgrade break existing IPv6 install?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    D

    Because ip4 and ip6 are entirely separate you can operate entire carp clusters separately.

    There have been no binary changes since 2.0 was released so at this point you can still overlay the code with git sync.

    We will be merging more ip6 changes soon that will require newer binaries. That means you will need to track the ipv6 images tree. It is always safe to gitsync to the ip6 tree on those images.

  • DNS dies every day. Only solution is a reboot.

    Locked
    10
    0 Votes
    10 Posts
    6k Views
    johnpozJ

    You might want to mention your full setup when asking for help, you made no mention of using squid until I brought it up.  You sure you're not bouncing off some other proxy?  And what it reports is that your local squid setup?

    I believe there is a log you can check to see what dns squid adds – I believe it is /var/squid/log/

    You should see it adding nameservers from your squid.conf, etc.

    But for troubleshooting dns related issues, I would most likely remove squid from the equation -- how do you know it's not just squid that is not working, and actually related to a dns issue?

    I don't see where you actually did a direct query to pfsense for dns to verify it did not resolve, etc.

  • [SOLVED]IPv6 Routed /64 or /48

    Locked
    7
    0 Votes
    7 Posts
    9k Views
    C

    @johnpoz

    Pardon me for making you confused on my problem. I'd try my best to explain in future regarding my problem, please do accept my sincere apologies.

    @asterix ,@johnpoz and all

    Actually my assigned tunnel (not the Routed /64 or /48) address is 2001:470:35:bd::1 and ::2 (server and client address). Referring to my post #1, I can surf ipv6 websites using the 2001:470:35:bd::XXXX without any problem but I can't figure out how to use my 2001:470:36:bd: address nor the Routed /48.

    After fiddling much and head-banging on the desk, I've managed to figure it out as outlined below:

    1. Follow the guide using http://doc.pfsense.org/index.php/Using_IPv6_on_2.0
    2. Stop at step no 7 http://doc.pfsense.org/index.php/Using_IPv6_on_2.0#Setup_LAN_for_IPv6 . READ thoroughly and READ IT AGAIN. It says you need to get the Routed IPv6 /64 Address, which in my case is 2001:470:36:bd: NOT the 2001:470:35:bd: .

    Of course this is where I assign my LAN interface with 2001:470:35:bd and the whole DHCPv6 Server range to my client. It works, but not the expected result in the end. And also this is where my mistake was, whereby I've misread the guide, pardon me again, my bad.

    I hope my case can help somebody out there if they ever stumble upon such a thing. And also, I've managed to get my rDNS working and "bind it" to my domain name. So to the newbies, pfsense team has made a very comprehensive guide and it's a good one, do read it and this time if you ever come across any problem, read and read it again because somewhere along the lines lies the answer to your question.

    Thank you pfsense team, dev and moderator! Thanks to all, especially databeestje, johnpoz, asterix and trmentry, you guys rock!

  • System: Static Routes: Edit route

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    This is not fatal. But here I needed to send the route to a single host through a specific Gateway and that's noticed.
    Temporarily increased the option to start cycle.

        if(is_ipaddrv4($pconfig['network'])) {
            $size = 33;
        } else {
            $size = 129;
        }
        for ($i = $size; $i >= 1; $i--): ?>

  • IPV6 not working

    Locked
    9
    0 Votes
    9 Posts
    6k Views
    A

    Thank you !!

    Not sure if I need to start a different thread but I have a new issue with 2.1-DEVELOPMENT (amd64) built on Tue Sep 13 17:05:32 EDT 2011

    At least once every day the DNS functionality dies. The service itself is started but it ceases to function. Re-starting the DNS forwarder service does not work. Only way is to reboot the machine. No logs about anything failing.

    This is really getting irritating now as the DNS dies any time with no prior warnings. Any clues?

    My DNS is the following order. Earlier I just kept IPv6 DNS but adding IPv4 DNS doesn't make a difference.

    2620:0:ccc::2
    2620:0:ccd::2
    208.67.222.222
    208.67.220.220

  • Does IPv6 code break IPv4 configuration

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    D

    IPv6 code will not break anything on the IPv4 front because it is an entirely separate address family.

    That said, there have been moments during the development that broke one thing, the other, or the entire tree. Which is to be expected really. There are busy and quiet periods every now and then, the last month was quiet.

    Expect a flurry of activity soon though, hackathon is coming up which should bring up something.

  • [SOLVED]IPv6 Ping/Access from Outside & DHCP Assign to Client

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    D

    Correct, you make firewall rules on the ipv6 interface to allow traffic into your lan ipv6 address. It is routing as it should.

    Default firewall rule is to block everything and allow what you need.

  • IPv6 routing using Dual Stack PPPoe setup from ISP

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    D

    @codemaster:

    @Daboom

    I'm using PPPoE connection too on my pfsense and running IPv6 from he.net . I haven't got any issue regarding default gateway on IPv4 or IPv6. But I noticed that your connection is pppoe1 unlike me, my interface shows pppoe0

        pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
                inet6 fe80::205:5dff:fe7b:b589%pppoe0 prefixlen 64 scopeid 0x8
                inet 60.xxx.xxx.xxx --> 219.xxx.xxx.xxx netmask 0xffffffff
                nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

    I know maybe it's not an issue whether it's pppoe0 or pppoe1, but that's what I found in my interface assignment and plus I've managed to surf IPv6 sites without any problem now. Do tell me if you need further info on my conf

    I used to use a HE ipv6 tunnel but now I am using my isp's beta ipv6 program which requires me to use a second pppoe login which gets both ipv4 and ipv6 info from my isp via ipcp and pppoe. Anyways, I still have to add the default ipv6 route to the system after a reboot or reconnect.

  • How to force DNS return AAAA record?

    Locked
    24
    0 Votes
    24 Posts
    59k Views
    D

    The resolvers at work direct queries to the root servers and that won't work. Unless the server that talks to the root is on the whitelist it's a no-go.

    I have a forwarder statement for bind at work so that it uses the HE server for facebook, google etc.

  • IPSec problem

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    M

    Here is the log of racoon not working…

        Sep 13 09:00:29 racoon: [VPN1]: [205.xx.xx.115] ERROR: can't start the quick mode, there is no ISAKMP-SA, a5ae34896d5cf232:2e28fa92fa0948f8:000086d1
        Sep 13 09:00:16 racoon: ERROR: failed to start post getspi.
        Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
        Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
        Sep 13 09:00:16 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
        Sep 13 09:00:16 racoon: [VPN2]: INFO: ISAKMP-SA established 24.xx.xx.7[500]-24.xx.xx.69[500] spi:ab349cae70c29beb:47be8288014e0c1b
        Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
        Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
        Sep 13 09:00:16 racoon: [VPN2]: [24.xx.xx.69] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
        Sep 13 09:00:15 racoon: INFO: begin Aggressive mode.
        Sep 13 09:00:15 racoon: [VPN2]: INFO: initiate new phase 1 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
        Sep 13 09:00:15 racoon: [VPN2]: INFO: IPsec-SA request for 24.xx.xx.69 queued due to no phase1 found.
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.69.7.0/24[0] 10.77.2.0/24[0] proto=any dir=in
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.69.7.0/24[0] proto=any dir=out
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.9.143.0/24[0] 10.77.2.0/24[0] proto=any dir=in
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.9.143.0/24[0] proto=any dir=out
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.77.2.0/24[0] proto=any dir=in
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::/64[0] 2001:470:xx:dcb::1/128[0] proto=any dir=in
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::1/128[0] 2001:470:xx:dcb::/64[0] proto=any dir=out
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.77.2.1/32[0] proto=any dir=in
        Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.1/32[0] 10.77.2.0/24[0] proto=any dir=out
        Sep 13 09:00:12 racoon: INFO: unsupported PF_KEY message REGISTER
        Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used as isakmp port (fd=15)
        Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used for NAT-T
        Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used as isakmp port (fd=14)
        Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used for NAT-T
        Sep 13 09:00:12 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
        Sep 13 09:00:12 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
        Sep 13 09:00:12 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
        Sep 13 09:00:06 racoon: INFO: racoon process 25694 shutdown
        Sep 13 09:00:06 racoon: ERROR: encryption 7 failed.
        Sep 13 09:00:06 racoon: ERROR: OpenSSL function failed
        Sep 13 09:00:06 racoon: INFO: caught signal 15
        Sep 13 09:00:04 racoon: ERROR: failed to start post getspi.
        Sep 13 09:00:04 racoon: ERROR: encryption 7 failed.
        Sep 13 09:00:04 racoon: ERROR: OpenSSL function failed
        Sep 13 09:00:04 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]

    Here is the result of ps

        # ps -A|grep racoon
        28441  ??  Ss    0:00.02 /usr/local/sbin/racoon -f /var/etc/racoon.conf
        29993  0  R+    0:00.00 grep racoon

    When I use the exact same command from a ssh shell it works.

  • Ipv6 multicast being blocked on lan?

    Locked
    5
    0 Votes
    5 Posts
    10k Views
    C

    @johnpoz:

    isn't all traffic that is blocked by the default rule logged?  So it must be allowing multicast on ipv4?  But not on ipv6 link-local addresses?

    exactly. Your LAN rules aren't permitting your link local sourced traffic, where with v4 they're sourced from a LAN IP which is permitted. Granted it's not forwarding that multicast traffic, but it's not blocking it either with v4.

  • Gitsync error help [Resolved]

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    L

    Thank you, this worked. If anyone wants to upgrade to IPv6 & is having problems due to freebsd ftp servers not serving git correctly.

    Go here, http://www.freebsd.org/doc/handbook/mirrors-ftp.html

    I used Primary mirror sites. Find a link to git. Pathname should be similar to the denied pathname that it was unable to find on main freebsd server. Do sudo su, then run pkg_add -r <url to git.tbz>. Installed it for me, then it worked.

  • [2.0-RC3-IPv6] Captive Portal Port 8000 not reachable

    Locked
    7
    0 Votes
    7 Posts
    9k Views
    J

    Yeee, the method I mentioned before can work perfectly. :-)
    However, it seems Captive Portal cannot save most configuration. Why? I think I should open a new thread on this.

  • Captive Portal blocked all IPv6 traffic by default?

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.