Netgate 3100 behind a box
-
Hi,
I have Netgate/pfSense up to date, 25.07.1-RELEASE.
My ISP offers a fixed IPv4 and ICMPv6 /64.
In my case I have IPv4 82.64.90.xxx /32 and 2102:E0A:9D7:xxx/64
I turn off the routed mode and I turn ON bridged mode.
On my WAN interface I get my correct IPv4 82.64.90.xxx with gateway 82.64.90.254
On IPv4 everything works fine.
For IPv6 that is not the case.
On my WAN interface (mvneta2) I set IPv6 configuration to DHCP6, with:
Use IPv4 connectivity as parent interface ON
Request only an IPv6 prefix ON
DHCPv6 Prefix Delegation size 64
Send IPv6 prefix hint ON
Do not wait for a RA ON
Now on the Services -> DHCPV6 Server -> LAN
Enable DHCPv6 server on LAN interface ON
Deny Unknown Clients Allow all clients
DNS Registration Track Server
Early DNS Registration Track server
Address Pool Range From ::1000 To ::2000
Delegated Prefix /56
Delegated Length 56
Enable DNS OFF
On Firewall -> Rules -> WAN I open two things
IPv6 destination This Firewall ports 546-547
and
IPv6 ICMP from everywhere
Now from SSH session I am running this command:
tcpdump -vvv -ni mvneta2 udp port 546 or udp port 547
And in this other one I am running
killall dhcp6c
/usr/local/sbin/dhcp6c -Df -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid mvneta2
I get this :
Sep/26/2025 23:03:35: reset a timer on mvneta2, state=INIT, timeo=0, retrans=891
Sep/26/2025 23:03:35: Sending Solicit
Sep/26/2025 23:03:35: a new XID (b791e8) is generated
Sep/26/2025 23:03:35: set client ID (len 14)
Sep/26/2025 23:03:35: set elapsed time (len 2)
Sep/26/2025 23:03:35: set option request (len 4)
Sep/26/2025 23:03:35: set IA_PD prefix
Sep/26/2025 23:03:35: set IA_PD
Sep/26/2025 23:03:35: transmit failed: Permission denied
Sep/26/2025 23:03:35: reset a timer on mvneta2, state=SOLICIT, timeo=0, retrans=1091
Sep/26/2025 23:03:37: Sending Solicit
Sep/26/2025 23:03:37: set client ID (len 14)
Sep/26/2025 23:03:37: set elapsed time (len 2)
Sep/26/2025 23:03:37: set option request (len 4)
Sep/26/2025 23:03:37: set IA_PD prefix
Sep/26/2025 23:03:37: set IA_PD
Sep/26/2025 23:03:37: transmit failed: Permission denied
Sep/26/2025 23:03:37: reset a timer on mvneta2, state=SOLICIT, timeo=1, retrans=2083
Sep/26/2025 23:03:39: Sending Solicit
Sep/26/2025 23:03:39: set client ID (len 14)
Sep/26/2025 23:03:39: set elapsed time (len 2)
Sep/26/2025 23:03:39: set option request (len 4)
Sep/26/2025 23:03:39: set IA_PD prefix
Sep/26/2025 23:03:39: set IA_PD
Sep/26/2025 23:03:39: transmit failed: Permission denied
Sep/26/2025 23:03:39: reset a timer on mvneta2, state=SOLICIT, timeo=2, retrans=3982
Sep/26/2025 23:03:43: Sending Solicit
Sep/26/2025 23:03:43: set client ID (len 14)
Sep/26/2025 23:03:43: set elapsed time (len 2)
Sep/26/2025 23:03:43: set option request (len 4)
Sep/26/2025 23:03:43: set IA_PD prefix
Sep/26/2025 23:03:43: set IA_PD
Sep/26/2025 23:03:43: transmit failed: Permission denied
Sep/26/2025 23:03:43: reset a timer on mvneta2, state=SOLICIT, timeo=3, retrans=8065
Sep/26/2025 23:03:51: Sending Solicit
And nothing appears on my first ssh session; it seems transmit failed, permission denied,
and in this case I don't understand why Permission denied?
Any help and idea will be great.
Thank you very much for reading.
GG.
-
@ggpf said in Netgate 3100 behind a box:
On Firewall -> Rules -> WAN I open two things
IPv6 destination This Firewall ports 546-547
Are you serving something to the Internet? No open ports are required for a DHCP client.
To simplify a bit I would set LAN IPv6 to None and just focus on getting an address on WAN.
DHCPv6 Prefix Delegation size 64
This would be what you're asking for from your ISP.
Delegated Prefix /56
But you're trying to set up a much larger one on LAN? Like I said disable LAN for now and add that later. You may need to reverse those and have WAN ask for a /56 or /60 and LAN gets a /64. Usually LAN can be set to Track Interface. Then at the end try to configure DHCPv6 on LAN.
-
Hi,
Are you serving something to the Internet?
Yes.
When I turn on the routed mode on my box I have this config and it works. :(
To simplify a bit I would set LAN IPv6 to None and just focus on getting an address on WAN.
Ok I will
DHCPv6 Prefix Delegation size 64
Yes.
-
Hi,
on the GUI in WAN -> IPv6 I configure DHCP6 with:
IPv4 connectivity as parent interface = ON
Request a IPv6 prefix/information through the IPv4 connectivity link = ON
DHCPv6 Prefix Delegation size = 64
Send IPv6 prefix hint = ON
Do not wait for a RA = OFF
I save this conf and I apply, to be sure I disable WAN interface and I enable again.
Using SSH I run this command:
ifconfig mvneta2
and I get
mvneta2: flags=1008a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN
options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 00:08:a2:12:47:d1
inet 82.64.90.XXX netmask 0xffffff00 broadcast 82.64.90.255
inet6 fe80::208:a2ff:fe12:47d1%mvneta2 prefixlen 64 scopeid 0x8
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
I don't have IPv6 from my ISP
I understand when I validate DHCPv6 on WAN interface I have to get the dhcp6c_wan.conf on /var/etc/
When I run ls -l /var/etc/dhcp6c* I don't get
ls -l /var/etc/dhcp6c* gives me
-rwxr-xr-x 1 root wheel 520 Sep 27 12:45 /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
-rwxr-xr-x 1 root wheel 312 Sep 27 12:45 /var/etc/dhcp6c_wan_script.sh
Over the UI in Status -> Services I see that DHCPv6 is not in the list. :(
Without this file dhcp6c_wan.conf the service cannot start.
Regards.
GG.
-
@ggpf
Is this required by your ISP?
“Use IPv4 Connectivity as Parent Interface: When set, the IPv6 DHCP request is sent using IPv4 on this interface, rather than using native IPv6. This is only required in special cases when the ISP requires this type of configuration.”
546-547
What did you configure to listen on these ports on pfSense? I suspect the answer is, nothing, and the ports shouldn’t be open.
-
@SteveITS Normally pfSense sends SOLICIT on 546 and waits for ADVERTISE or Reply on 547
I am running
killall dhcp6c
/usr/local/sbin/dhcp6c -Df -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid mvneta2
in other ssh session I am running :
tcpdump -vvv -ni mvneta2 udp port 546 or udp port 547
And nothing is sent to my ISP and I get this message
Sep/26/2025 14:56:11: Sending Solicit
Sep/26/2025 14:56:11: set client ID (len 14)
Sep/26/2025 14:56:11: set elapsed time (len 2)
Sep/26/2025 14:56:11: set option request (len 4)
Sep/26/2025 14:56:11: set IA_PD prefix
Sep/26/2025 14:56:11: set IA_PD
Sep/26/2025 14:56:11: transmit failed: Permission denied
-
@ggpf it’s extremely rare to run your own DHCP server on WAN. If you are, pfSense creates hidden rules to allow that. If you are not, you need to open no ports on WAN.
For the permission error see https://forum.netgate.com/topic/195602/transmit-failed-permission-denied
…and ensure IPv6 is enabled.
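
Added example, not written by any poster in this thread: a small Python parser for dhcp6c -Df debug lines in the format posted above. It groups the lines per Solicit and reports whether each send failed on the host itself, which is why the parallel tcpdump on mvneta2 stays empty; the function names and dictionary keys are hypothetical.

```python
import re

# Trimmed excerpt of the dhcp6c -Df output posted in the thread.
SAMPLE = """\
Sep/26/2025 23:03:35: reset a timer on mvneta2, state=INIT, timeo=0, retrans=891
Sep/26/2025 23:03:35: Sending Solicit
Sep/26/2025 23:03:35: transmit failed: Permission denied
Sep/26/2025 23:03:35: reset a timer on mvneta2, state=SOLICIT, timeo=0, retrans=1091
Sep/26/2025 23:03:37: Sending Solicit
Sep/26/2025 23:03:37: transmit failed: Permission denied
Sep/26/2025 23:03:37: reset a timer on mvneta2, state=SOLICIT, timeo=1, retrans=2083
Sep/26/2025 23:03:39: Sending Solicit
Sep/26/2025 23:03:39: transmit failed: Permission denied
Sep/26/2025 23:03:39: reset a timer on mvneta2, state=SOLICIT, timeo=2, retrans=3982
Sep/26/2025 23:03:43: Sending Solicit
"""

LINE = re.compile(r"^(\S+ \d\d:\d\d:\d\d): (.*)$")
SEND = re.compile(r"^Sending (\w+)$")
FAIL = re.compile(r"^transmit failed: (.+)$")
TIMER = re.compile(r"^reset a timer on (\S+), state=(\w+), timeo=(\d+), retrans=(\d+)$")

def parse_attempts(log):
    """Group dhcp6c debug lines into one record per 'Sending <msg>' line."""
    attempts, cur = [], None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        stamp, text = m.groups()
        if (s := SEND.match(text)):
            cur = {"time": stamp, "msg": s.group(1), "error": None, "retrans_ms": None}
            attempts.append(cur)
        elif cur and (f := FAIL.match(text)):
            cur["error"] = f.group(1)  # send call failed on this host
        elif cur and (t := TIMER.match(text)):
            cur["retrans_ms"] = int(t.group(4))  # timer armed after the attempt
    return attempts

def diagnose(attempts):
    """Summarise the run; an attempt with no timer line was cut off by the log end."""
    complete = [a for a in attempts if a["retrans_ms"] is not None]
    failed = [a for a in complete if a["error"]]
    if complete and len(failed) == len(complete):
        reasons = ", ".join(sorted({a["error"] for a in failed}))
        return f"all {len(failed)} complete attempts failed locally: {reasons}"
    return f"{len(failed)} of {len(complete)} complete attempts failed locally"

if __name__ == "__main__":
    print(diagnose(parse_attempts(SAMPLE)))
```

When every complete attempt carries a local error, the fault is on the firewall host rather than with the ISP, so capturing on the WAN interface will not show the Solicit.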