Netgate 3100 behind a box
- 
 Hi, 
 I have Netgate/pfSense up to date, 25.07.1-RELEASE.
 My ISP offers a fixed IPv4 and ICMPv6 /64.
 In my case I have IPv4 82.64.90.xxx /32 and 2102:E0A:9D7:xxx/64
 I turn off the routed mode and I turn ON bridged mode.
 On my WAN interface I get my correct IPv4 82.64.90.xxx with gateway 82.64.90.254
 On IPv4 everything works fine.
 Now for IPv6 it is not the case.
 On my WAN interface (mvneta2) I set IPv6 configuration to DHCP6
 Use IPv4 connectivity as parent interface ON
 Request only an IPv6 prefix ON
 DHCPv6 Prefix Delegation size 64
 Send IPv6 prefix hint ON
 Do not wait for a RA ON
 Now on the Services -> DHCPv6 Server -> LAN
 Enable DHCPv6 server on LAN interface ON
 Deny Unknown Clients Allow all clients
 DNS Registration Track Server
 Early DNS Registration Track server
 Address Pool Range From ::1000 To ::2000
 Delegated Prefix /56
 Delegated Length 56
 Enable DNS OFF
 On Firewall -> Rules -> WAN I open two things
 IPv6 destination This Firewall ports 546-547
 and
 IPv6 ICMP from everywhere
 Now from SSH session I am running this command:
 tcpdump -vvv -ni mvneta2 udp port 546 or udp port 547
 And in this other one I am running
 killall dhcp6c
 /usr/local/sbin/dhcp6c -Df -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid mvneta2
 I get this :
 Sep/26/2025 23:03:35: reset a timer on mvneta2, state=INIT, timeo=0, retrans=891
 Sep/26/2025 23:03:35: Sending Solicit
 Sep/26/2025 23:03:35: a new XID (b791e8) is generated
 Sep/26/2025 23:03:35: set client ID (len 14)
 Sep/26/2025 23:03:35: set elapsed time (len 2)
 Sep/26/2025 23:03:35: set option request (len 4)
 Sep/26/2025 23:03:35: set IA_PD prefix
 Sep/26/2025 23:03:35: set IA_PD
 Sep/26/2025 23:03:35: transmit failed: Permission denied
 Sep/26/2025 23:03:35: reset a timer on mvneta2, state=SOLICIT, timeo=0, retrans=1091
 Sep/26/2025 23:03:37: Sending Solicit
 Sep/26/2025 23:03:37: set client ID (len 14)
 Sep/26/2025 23:03:37: set elapsed time (len 2)
 Sep/26/2025 23:03:37: set option request (len 4)
 Sep/26/2025 23:03:37: set IA_PD prefix
 Sep/26/2025 23:03:37: set IA_PD
 Sep/26/2025 23:03:37: transmit failed: Permission denied
 Sep/26/2025 23:03:37: reset a timer on mvneta2, state=SOLICIT, timeo=1, retrans=2083
 Sep/26/2025 23:03:39: Sending Solicit
 Sep/26/2025 23:03:39: set client ID (len 14)
 Sep/26/2025 23:03:39: set elapsed time (len 2)
 Sep/26/2025 23:03:39: set option request (len 4)
 Sep/26/2025 23:03:39: set IA_PD prefix
 Sep/26/2025 23:03:39: set IA_PD
 Sep/26/2025 23:03:39: transmit failed: Permission denied
 Sep/26/2025 23:03:39: reset a timer on mvneta2, state=SOLICIT, timeo=2, retrans=3982
 Sep/26/2025 23:03:43: Sending Solicit
 Sep/26/2025 23:03:43: set client ID (len 14)
 Sep/26/2025 23:03:43: set elapsed time (len 2)
 Sep/26/2025 23:03:43: set option request (len 4)
 Sep/26/2025 23:03:43: set IA_PD prefix
 Sep/26/2025 23:03:43: set IA_PD
 Sep/26/2025 23:03:43: transmit failed: Permission denied
 Sep/26/2025 23:03:43: reset a timer on mvneta2, state=SOLICIT, timeo=3, retrans=8065
 Sep/26/2025 23:03:51: Sending Solicit
 And nothing appears on my first ssh session; it seems transmit failed, permission denied,
 and in this case I don't understand why Permission denied?
 Any help and ideas will be great.
 Thank you very much for reading.
 GG.
- 
 @ggpf said in Netgate 3100 behind a box:
 > On Firewall -> Rules -> WAN I open two things
 > IPv6 destination This Firewall ports 546-547
 Are you serving something to the Internet? No open ports are required for a DHCP client. To simplify a bit I would set LAN IPv6 to None and just focus on getting an address on WAN.
 > DHCPv6 Prefix Delegation size 64
 This would be what you're asking for from your ISP.
 > Delegated Prefix /56
 But you're trying to set up a much larger one on LAN? Like I said, disable LAN for now and add that later. You may need to reverse those and have WAN ask for a /56 or /60 and LAN gets a /64. Usually LAN can be set to Track Interface. Then at the end try to configure DHCPv6 on LAN.
- 
 Hi,
 > Are you serving something to the Internet?
 Yes. When I turn on the routed mode on my box I have this config and it works. :(
 > To simplify a bit I would set LAN IPv6 to None and just focus on getting an address on WAN.
 Ok I will
 > DHCPv6 Prefix Delegation size 64
 Yes.
- 
 Hi, on the GUI in WAN -> IPv6 I configure DHCP6 with:
 IPv4 connectivity as parent interface = ON
 Request a IPv6 prefix/information through the IPv4 connectivity link = ON
 DHCPv6 Prefix Delegation size = 64
 Send IPv6 prefix hint = ON
 Do not wait for a RA = OFF
 I save this conf and I apply, to be sure I disable WAN interface and I enable again.
 Using SSH I run this command:
 ifconfig mvneta2 and I get
 mvneta2: flags=1008a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
 description: WAN
 options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
 ether 00:08:a2:12:47:d1
 inet 82.64.90.XXX netmask 0xffffff00 broadcast 82.64.90.255
 inet6 fe80::208:a2ff:fe12:47d1%mvneta2 prefixlen 64 scopeid 0x8
 media: Ethernet autoselect (1000baseT <full-duplex>)
 status: active
 nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
 I don't have IPv6 from my ISP
 If I understand, when I validate DHCPv6 on WAN interface I have to get the dhcp6c_wan.conf in /var/etc/
 When I run ls -l /var/etc/dhcp6c* I don't get it
 ls -l /var/etc/dhcp6c* gives me
 -rwxr-xr-x 1 root wheel 520 Sep 27 12:45 /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
 -rwxr-xr-x 1 root wheel 312 Sep 27 12:45 /var/etc/dhcp6c_wan_script.sh
 Over the UI in Status -> Services, DHCPv6 is not in the list. :(
 Without this file dhcp6c_wan.conf the service cannot start.
 Regards.
 GG.
- 
 @ggpf 
 Is this required by your ISP?
 “Use IPv4 Connectivity as Parent Interface: When set, the IPv6 DHCP request is sent using IPv4 on this interface, rather than using native IPv6. This is only required in special cases when the ISP requires this type of configuration.”
 > 546-547
 What did you configure to listen on these ports on pfSense? I suspect the answer is, nothing, and the ports shouldn’t be open.
- 
 @SteveITS Normally pfSense sends SOLICIT on 546 and waits for ADVERTISE or Reply on 547.
 I am running
 killall dhcp6c
 /usr/local/sbin/dhcp6c -Df -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid mvneta2
 in other ssh session I am running :
 tcpdump -vvv -ni mvneta2 udp port 546 or udp port 547
 And nothing is sent to my ISP and I get this message
 Sep/26/2025 14:56:11: Sending Solicit
 Sep/26/2025 14:56:11: set client ID (len 14)
 Sep/26/2025 14:56:11: set elapsed time (len 2)
 Sep/26/2025 14:56:11: set option request (len 4)
 Sep/26/2025 14:56:11: set IA_PD prefix
 Sep/26/2025 14:56:11: set IA_PD
 Sep/26/2025 14:56:11: transmit failed: Permission denied
- 
 @ggpf it’s extremely rare to run your own DHCP server on WAN. If you are, pfSense creates hidden rules to allow that. If you are not, you need open no ports on WAN. For the permission error see https://forum.netgate.com/topic/195602/transmit-failed-permission-denied …and ensure IPv6 is enabled.
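
Added example (not part of any post in this thread): a small shell/awk helper that summarises `dhcp6c -Df` debug output of the kind pasted above, separating Solicits that failed locally with a transmit error from ones that were handed to the network stack, which is the distinction the empty tcpdump capture points at. The function names, verdict labels and the shortened sample log are constructed for illustration.

```shell
#!/bin/sh
# Summarise dhcp6c -Df debug output (line format as pasted in the thread).
# Assumption: a Solicit followed by "reset a timer" with no "transmit failed"
# line in between was handed to the network stack without a local error.
dhcp6c_summary() {
    awk '
        /Sending Solicit/ {
            if (pending) clean++          # previous attempt had no error logged
            solicits++; pending = 1; next
        }
        /transmit failed: / {
            failed++; pending = 0
            reason = $0; sub(/^.*transmit failed: /, "", reason)
            next
        }
        /reset a timer/ {
            if (pending) { clean++; pending = 0 }
            if (match($0, /retrans=[0-9]+/))
                retrans = substr($0, RSTART + 8, RLENGTH - 8)
        }
        END {
            if (failed > 0 && clean == 0) verdict = "LOCAL_SEND_ERROR"
            else if (failed > 0)          verdict = "INTERMITTENT_SEND_ERROR"
            else if (solicits > 0)        verdict = "SENT_CHECK_CAPTURE_FOR_REPLY"
            else                          verdict = "NO_SOLICIT_SEEN"
            printf "solicits=%d failed=%d unfinished=%d last_retrans=%s reason=\"%s\" verdict=%s\n",
                   solicits, failed, pending, retrans, reason, verdict
        }'
}

# Constructed sample: a shortened excerpt modelled on the log in the first post.
sample_log() {
    cat <<'EOF'
Sep/26/2025 23:03:35: reset a timer on mvneta2, state=INIT, timeo=0, retrans=891
Sep/26/2025 23:03:35: Sending Solicit
Sep/26/2025 23:03:35: set IA_PD
Sep/26/2025 23:03:35: transmit failed: Permission denied
Sep/26/2025 23:03:35: reset a timer on mvneta2, state=SOLICIT, timeo=0, retrans=1091
Sep/26/2025 23:03:37: Sending Solicit
Sep/26/2025 23:03:37: transmit failed: Permission denied
Sep/26/2025 23:03:37: reset a timer on mvneta2, state=SOLICIT, timeo=1, retrans=2083
Sep/26/2025 23:03:39: Sending Solicit
EOF
}

sample_log | dhcp6c_summary
```

A `LOCAL_SEND_ERROR` verdict means every attempt was refused on the host itself, so nothing will show up in a capture on the WAN interface; `unfinished=1` marks a log that ends before the last Solicit's outcome was printed.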