how do i set pfsense to get ipv6 from isp

JKnott

@firefox said in how do i set pfsense to get ipv6 from isp:

They say I get an ipv6 address

Are you getting a WAN address? Also, packet captures can do wonders when trying to solve problems. Try this:

Shut down pfsense & unplug WAN cable
Reboot pfsense and run Packet Capture on the WAN port, filtering on port 546 or 547
Plug in WAN cable
Post the capture file here

BTW, it really can help if you mention your ISP, in case someone else here has experience with them.

stephenw10

Enable 'Debug' in the dhcpb6 client settings. Check the dhcp logs after connecting.

If you are pulling a prefix only you want see that unless you have an internal interface set to use it.

Steve

firefox

@jknott
I wrote that my ISP is CCC IN israel

Are the settings that appear on the screenshots I uploaded correct?

Maybe there
I need to change something

JKnott

@firefox

Sorry, I must have missed that. However, I see you gave a prefix delegation size of 64. If your ISP provides only a /64, then you can't pass IPv6 onto your LAN. If the ISP provides a different size then you use that number. For example my ISP provides a /56, which I can then split into 256 /64s on the LAN side.

stephenw10

Yeah, I pull a /56 here with link-local on WAN.

You could pull a /64 and use it only on LAN. Make sure you are requesting the correct prefix size though. I have seen that fail if it's not exactly what the ISP is offering.

firefox

@jknott
i try that again
And now I see the ipv6

why it says offline packetloss ?

MikeV7896

@firefox
Your ISP's router may not be responding to IPv6 ping requests. Maybe do a IPv6 traceroute (you might need to temporarily disable monitoring to do this, see below) and try using hop #3 or 4 as the monitoring IP address, or use something more global like Google DNS or something. Or you can change the gateway setting to disable the monitoring (System > Routing > [edit the IPv6 gateway] > check "Disable Gateway Monitoring"), though that might affect failover if you have dual WAN.

JKnott

@virgiliomi

Or not use gateway monitoring. I don't use it, as it doesn't do much for most users.

firefox

@jknott

updating
I returned everything to the previous state
Ipv4 only
Because for some reason everything works slowly
I currently will not use ipv6 maybe I will try again in a few months

stephenw10

Yeah, that's typical of having partial v6 connectivity. Most operating systems will try to use it first if they think they have a v6 connection. If that is broken you have to wait for it to timeout before it tries v4 resulting in a pretty bad experience!

firefox

@stephenw10
Is there a way around this?
Any page loaded in a second or two
Loads after 10 or 20 seconds

stephenw10

You can probably configure the clients to use only IPv4 or use v4 by default.

Otherwise you need to either have fully functioning IPv6 or none.

Steve

johnpoz

While you can normally adjust a OS preference to ipv4 from v6. Some devices are more difficult than others, and can be difficult to actually disable completely.

If you are having issues with ipv6 - the simple solution is just not provide it at all.. Which is easy enough to disable at pfsense. Its much easier to do that way, then trying to configure each client to not use ipv6 or prefer v4 over, etc.

I don't provide any automatic IPv6 to any clients on any of my vlans. But I can configure clients on the vlans I have it enabled manually to use it..

firefox

i disabled ipv6
on my pc
Now it works properly

Thanks

AKEGEC

@firefox said in how do i set pfsense to get ipv6 from isp:

i disabled ipv6
on my pc
Now it works properly

Thanks

Smart move! Here you can see why:
https://www.youtube.com/watch?v=Vt4Jl4t43ug

JKnott

@akegec

I wouldn't put much stock in what that guy says. He doesn't understand IPv6 enough to make those claims. In fact some of what he said is nonsense.

I made some comments on on that video last month.

@ firefox

As for IPv6, that is where the world is moving, so disabling IPv6 is not the fix. All you're doing is hiding the problem. If your ISP has a problem and they can't/won't fix it, there's always he.net.

stephenw10

Yes, a fully functional IPv6 connection is the way forward here.

johnpoz

@jknott said in how do i set pfsense to get ipv6 from isp:

In fact some of what he said is nonsense.

haha - "some" its pretty much all nonsense, I wasn't going to sit through 30 minutes of nonsense.. so just skipped through it.. Every part I stopped on was just nonsense.

Some of his comments as well - don't read books, don't read rfc's - watch videos? Come on!

I would agree disable ipv6 is not a "fix" What it is, is a way for you to get up to speed with your understanding before you use what yes is the future.

Until such time that you have a NEED there is no reason to have it enabled unless you actually understand how it works, how to secure it and how it functions to be able to troubleshoot it when things go wrong.

Many users have it and don't even know, they might not be having any problems, they might not attribute issues they are having with IPv6, etc.

Do you have a web server running if you don't need one, do you have ftp running when you don't need one.

Security 101 says if your not using something - then it shouldn't be enabled. If you have no use for ipv6 then there is little reason for you to have it up and running. Unless your actively going to be using it, or experimenting with it.

I would not say you should disable your IPv6 unless you're having issues. But if you are, there is nothing wrong with just turning it off until such time that you actually need it. Or are willing to spend the time needed to get up to speed and properly configure your network for its use.

You can for sure bring up ipv6 in limited fashion to use and play without until such time your are comfortable and know enough to properly deploy it across your full network.

What is nice about pfsense - it gives you the ability to do just that. Vs some soho router where it on or off, with limited ability to manage it or monitor it, etc.

The mentioned hurricane electric is a very controlled way to bring ipv6 into your network. Limit its scope or not. With no need to have to deal with your isp lack of ipv6 support or inadequate type of deployment.

JKnott

@johnpoz said in how do i set pfsense to get ipv6 from isp:

haha - "some" its pretty much all nonsense,

That pretty much sums up his videos. I have tried to watch a couple of others but couldn't stomach them. I guess he's one of these "experts" who's read a couple of magazine articles and now knows all there is to know.

It reminds me of a job I was on a few years ago, where the woman, who was the office manager, got annoyed because I plugged my computer into the switch with a CAT 5 patch cord. She was convinced it was going to affect her network, which we'd just cabled with CAT 6. She knew that because her husband (he's a veterinarian) had read some magazine articles.

firefox

Thank you all
Although I would like it to work properly
I currently do not really need ipv6
I wanted it to work to test something
And it's probably not easy
One of the times I tried I was left without an internet connection
So i had to restart pfsense and select restore to previous state
Because no matter what I did it was left without an internet connection

If it was as simple as changing the settings and clicking apply
I would do that
But as I wrote down
I was left without internet
And even if I changed the settings to the previous mode it did not work

Only when I started pfsense and selected restore to previous state
It's back to work