Hmm, maybe adding a static route would solve this? If you go to System, Routes and Static routes.

@mdollenbacher said in IPv6 Ports mittels Firewall blocken: Wenn ich jetzt der VM die Bridge mit dem WAN Interface (vmbr0) zuweise und mit einer IPv6 aus dem Subnetz ausstatte kann ich sie von außen anpingen. Ist das normal so? Dazu kenne ich dein Virtualisierungssetup nicht gut genug um da zu sagen "yay" or "nay". Aber wenn du der pfSense auf dem WAN bspw 1234:5678:xyz::3 gibst, einen IPv6 Ping von extern machst und du in deiner pfSense dann auf dem WAN einen ICMP6 Blocked Ping auf die ::3 siehst, dann funktioniert scheinbar zumindest alles bis dahin erstmal sauber. Wenn die pfSense dann selbst mit nem Ping-Test bspw. ipv6.google.com pingen kann (was nur via v6 auflöst, deshalb guter Test), dann sollte das soweit OK sein. Ich verstehe auch noch nicht so ganz wozu ich jetzt noch ein Subnetz benötige, sind in dem Subnetz nicht genügend IPs oder verwechsle ich da grad was komplett. Moment, nein, ja. :) Habe ich oben bereits geschrieben. Ja man KANN in IPv6 auch Netze kleiner als /64 vergeben, es wird aber von allen Obergremien von Netzwerkern in den RFCs darauf hingewiesen, dass das nur in Ausnahmefällen und nicht gern getan werden soll. Es gibt genug IP6 Prefix-Range, dass einem nicht die Prefixe ausgehen werden, nur weil man statt eines /127 oder /126 Transfernetzes zwischen 2 Geräten ein komplettes /64er Prefix nutzt. Wie schon oben beschrieben, IPv6 ist nicht IPv4. Es gibt völlig andere Techniken und Möglichkeiten mit IPv6 und diese benötigen zur korrekten Funktion ein Prefix mit /64er Größe. Außerdem gibt's keine NAT mehr. Zumindest nicht in der Form die man kennt und selbst dann sollte das nicht im Normalfall genutzt werden. Da dein /64er Prefix also extern auf dem WAN aufliegt, kannst du es innen auf dem LAN nicht benutzen. Punkt. Gleiches Spiel wie bei jedem normalen IPv4 Netz. Wenn du extern 1.2.3.4/24 benutzt, kannst du intern nicht auch 1.2.3.4/24 nutzen. So kann kein Routing funktionieren, daher klappt das nicht. Somit brauchst du ein zweites Prefix /64 (wenns nur um dein LAN geht) oder ein größeres Prefix wie /60 oder /56 aus dem du mehrere /64er rausschneiden kannst, damit du mehr als ein LAN/VLAN hinter der pfSense mit IP6 versorgen kannst. Beispiel: ISP gibt für Server 2001:DB8:4321:8765::0/64 als Prefix. Du vergibst jetzt der pfSense bspw. 2001:DB8:4321:8765::4/64 als IPv6 und ::1 ist dein Gateway (manchmal routen sie das auch direkt via fe80:: via link-local). Jetzt hast du zwar tausende IP6 in dem Prefix zur Verfügung, aber die werden (im Normalfall) nicht zu dir geroutet, sondern du musst dir eine IP6 aus dem Netz geben um die zu nutzen (wie die ::4 auf dem WAN bspw.). Da es kein NAT gibt, kannst du jetzt aber nicht einfach die ::5 noch zusätzlich aufs WAN binden und die dann irgendwie intern reinschustern. So läuft Routing nicht. Statt dessen brauchst du eben ein weiteres Prefix wie bspw. 2001:DB8:4321:9876::0/64 das dir vom Provider dann auf die 2001:DB8:4321:8765::4 - deine pfSense IP6 - geroutet wird. Dann wird das ganze /64 deiner pfSense zugeroutet und du kannst es auf dem LAN konfigurieren. Auf dem WAN musst du dazu nichts konfigurieren. Keine Alias IP o.ä. da das Prefix dir zugeroutet wird und eh bei dir ankommt. Lediglich Firewall Regeln für IP6 IPs aus dem neue Prefix musst du eben erstellen und damit den Zugriff zulassen. Auf das LAN kommt dann bspw. 2001:DB8:4321:9876::1 und dann können deine virtuellen Server hinter der pfSense alle IP6 aus diesem neuen Prefix bekommen bzw. du kannst diese statisch konfigurieren. Bspw. 2001:DB8:4321:9876:1::1, 2001:DB8:4321:9876:2::1 oder auch 2001:DB8:4321:9876::1, ::12, ::13 - wie du dann die IPv6 Adressen nutzt oder vergibst, ist dann relativ egal. Meist bietet sich an, da ggf. was zu nutzen, was auch die IP4 erkennen lässt. Also wenn du 10.0.0.12 bspw. am Server hast, könnte man 2001:DB8:4321:9876:10::12 als IP6 nutzen, dann sieht man gleich welche Kiste das ist :) Was den Sinn o.ä. der Virtualisierung angeht, kann da vllt jemand mit mehr Proxmox Background was zu sagen :)

@Jxck Well, it certainly won't work, without it being configured on the VPN.

@jimp If states are not to be preserved, then a disable/enable (via a heartbeat mechanism or otherwise) might do the trick.. of course with a disruption of the IPv6 connectivity while the tunnel is re-establishing itself.

@Overclock said in Non local gateway IPv6: I let you inform about OVH response. Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

@chris4916 au début c'est assez perturbant mais à la longue on s'y fait bien et au final c'est plus simple que v4. Après c'est clairement impactant sur énormément de choses comme le pare-feu, l'exposition des services, ... et les outils tels que pfSense qui doivent prendre aussi le pli ! Là mes clients peuvent tourner en IPv6 only sans soucis, j'ai un serveur Tayga qui fait NAT64 (avec les DNS64 de 1.1.1.1) pour les aider. Le soucis c'est que ce n'est pas encore compatible avec tout (Steam entre autre). Je me demande vraiment si un jour on pourra éteindre réellement IPv4

@JKnott To be really honest... A cosmic thing. Apparently not all VPN servers I've added (as client) are handing out ULA's. So on my dashboard it just looked sh*t. Plus my OCD was hyping over this. ;-) I just want one standard. So all three should give me an ULA or not. Not just one.

I have pretty much the same kind of setup provided by a local ISP. I found out that ISP providing static IPs is not so common practice. At least among PFSense forum users. I built up two different setup ("automatic" and "semi-automatic"). Not 100% sure those are according to best IPV6 practices, but I tried to do everything by the book. Not just something that happens to work. Hoping you get your IPV6 network to work and/or people here are able to assist you on that. Ax.

Thanks for the book link. I'll have to take a look. Yeah, it seems just having a willingness to learn will get you a lot of the way there. I've done similar troubleshooting type things for friends who otherwise would've just accepted unstable internet service as normal. Their ISP usually tells them everything is fine so the ISP doesn't have to spend the resources to figure it out and some of them won't really do much until you beat them over the head with hard data that they can act on after you have basically done their job for them. And even then it can be like pulling teeth as you know. I'm basically tech support for all my friends and family. I'm sure you know the feeling. My experience has come from a lot of tinkering, breaking things, and attempting to fix them before someone yells at me for it.

@JeGr said in DNS hostname for dynamic IPv6 address: Newer Hosts tend to use EUI-64 if implemented so are not "predictable" by their MAC address anymore Actually, all IPv6 addresses are EUI-64. The host part can be either MAC based, random number or other. With IPv6, the EUI-48 MAC address is converted to EUI-64 by inserting FFFE in the middle and inverting bit 7.

@JKnott: you've got my requirement upside-down. I want the pfSense firewalls, on their WAN interface, to accept RAs from the upstream routers. This is the normal behaviour for RAs. In fact, pfSense supports it if the WAN interface is configured dynamically using DHCP6 or SLAAC. I want to know if it's possible when the WAN interface is configured with a static IPv6 address. Downstream, everything is fine: fw1 fw2 | | -+---+----+- | server I can configure pfSense to send RAs only (without offering SLAAC prefix or DHCP6) I can configure the server with a static IPv6 address I can configure the server to pick up its default route via RA (e.g. Linux: accept_ra=1) That all works fine. Now I need to do the same upstream, where the pfSense WAN is the "client" and the upstream routers send RAs. You are right that I could instead use VRRP or CARP. The reasons not to do this are partly philosophical (IPv6 already provides this facility, in the form of Router Advertisements), and partly practical: the Netgear M4300-24X24F I'm using has a bug where it drops more than 90% of IPv6 CARP packets, which results in devices switching into MASTER-MASTER mode. (Aside: it also doubles IPv4 CARP packets. Go figure). I do have a case open with Netgear for this. I know how networks work, so I'm trying to ask a specific question about pfSense from pfSense experts. The question is: if I configure pfSense WAN interface with a static IPv6 address, can it also be configured to accept Router Advertisements? "Yes" or "no" from someone who knows the answer, please.

How about LAN to the IPv6 address on the pfSense WAN interface? How about LAN to the very next IPv6 hop outside the WAN? Packet capture on WAN. If the echo requests are being sent but no reply is being received, there's nothing pfSense can do about it. Complain to the ISP. It is very possible they could have something different configured (perhaps unintentionally) for the interface address/prefix and the routed, delegated /60 prefix.

So looking at the new 5.11.10 release, looks like they have added ipv6? from 5.11.5 in the release notes? Add subnet for IPv6 networks in Networks Table. I am currently running 5.10.21 which is not viable direct upgrade.. So can not test for sure until I get on 5.11.10, but you might want to try 5.11.10 if you want ipv6 with guest policy enable. But not captive portal.

@bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6: I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important. It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme. Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk. I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here. Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL. And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners. I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.

Even if your ISP doesn't provide IPv6, you can still have it, using a tunnel from hurricane electric. They are free, they perform well, they are very reliable and they work. I used one for years before my ISP implemented IPv6. There are lots people here who can help you set it up.

Ok, so the final update, I have everything fixed now (at least till now) So the final trick is to set my switch to tag port 5-8 which connect to my 4 APs apparently the tp-link APs will receice packages on it's selected wirelss VLAN + anything that's untagged (without vlan header) after change my switch to tag vlan1 on port 5-8 it ensures all the vlan1 tag won't be removed when outbound the port, which fixes the RA flood issue. Thanks everyone for the help

Solved by enabling " Enable Forwarding Mode"

This seems connected to this issue https://forum.netgate.com/topic/114786/pppoe-disconnects-requiring-reboot/2

See if using a scheme like this using both ULA and GUA-PD on the inside interfaces helps with that sort of problem. That is the recommended way to operate when an ISP insists on changing the PD. https://forum.netgate.com/post/825770 If that doesn't help you'll need to post specific details as to exactly what the ISP is doing and exactly what is causing your problems. Not a description, but screen shots and real, actual troubleshooting output. https://www.ripe.net/publications/docs/ripe-690#5--end-user-ipv6-prefix-assignment--persistent-vs-non-persistent Note that's RIPE - as in Europe. So it's their own RIR telling them they're doing it wrong, too. RFC7368 is about as close as we have to a controlling document here. https://tools.ietf.org/html/rfc7368 ULAs should be used within the scope of a homenet to support stable routing and connectivity between subnets and hosts regardless of whether a globally unique ISP-provided prefix is available. In the case of a prolonged external connectivity outage, ULAs allow internal operations across routed subnets to continue. ULA addresses also allow constrained devices to create permanent relationships between IPv6 addresses, e.g., from a wall controller to a lamp, where symbolic host names would require additional non-volatile memory, and updating global prefixes in sleeping devices might also be problematic.

So what does the config on pfSense look like vs your external server config? There must be some difference in the formatting or naming of the option to explain what is happening. Look in /var/dhcpd/etc/dhcpdv6.conf

You need to push the IPv6 /64 as a route. It needs to be distinct from the tunnel network. I assume you have more than a /64 to use? /48 or /56? Similar to how HE's TunnelBroker provides IPs, Unfortunately TunnelBroker does not work in this case because they Block CloudFlare (YES THEY FREAKING BLOCK CLOUDFLARE!!!). Based on my experiences with HE over the years, if they did in fact block these sources, they have a good reason for doing so.

Additional noteworthy observations. There was one strange thing about GIF configuration on pfSense 2.4.3 (and before?). I had to disable Outer Source Filtering on gif0 for the traffic to flow — otherwise even gateway monitoring pings were discarded upon reception: that is, if I remember correctly, ping replies were received on parent interface but rejected at GIF level. Those ping replies had proper source and destination addresses for both IPv4 and IPv6 and came in via proper interface. Of course, the IPv6 network for GIF tunnel itself was not the same as for overlaid network — but that is the case for all tunnels of all brokers. In particular, gif2 to the same broker was functioning well with Outer Source Filtering enabled by default, as well as gif1 to another broker. Right before upgrading from 2.4.3 to 2.4.4, I noticed that gif2 also needs disabling Outer Source Filtering. I had no idea on why this happened and how long ago — just switched the offending setting, and the tunnel became operational for about a couple of hours until the update took place. Same as earlier, however, gif1 to another broker was functioning with Outer Source Filtering enabled by default, and used proper parent interface even after upgrading to pfSense 2.4.4. Now that pfSense 2.4.4 is installed, I tried switching Outer Source Filtering back on and then off again — just in case — but observed no effect. That was expected indeed, as the primary issue is not with ingress filtering on local side: outgoing traffic is filtered by remote end because of improper source addresses caused by improper parent interface being used. I also tried Disable Gateway Monitoring for both gateways corresponding to gif0 and gif2. That allowed the traffic to flow out unconditionally, but only showed that any kind of traffic — not just ICMP pings — chose wrong parent interface. I once again tried changing default gateway settings, and the outcome was equally negligible. That is, sometimes I saw small bursts of legitimate traffic pass out and then in (such as my NTP server making a request and receiving a reply), but it is hard to correlate to settings change as those bursts stop soon. The other times I see legitimate inbound traffic entering proper parent interface, but somehow filtered on local side — such as incoming NTP and DNS requests with no reply from my home server [because pfSense filtered those requests out]. :puzzled:

@Norris : Pouvez vous cesser de poster ce type de message qui ne servent à rien ?

Yes, JKnott, I do have "do not allow PD Address release" checked. And you're right, there is no control over what the ISP will actually do. I think the addresses had been the same for about 2 months but it seems like a power cycle of the modem is what triggered the IP change. pfSense had little control over it. I'm actually on the phone with Comcast Xfinity now, it's taken 1h22m to get to a supervisor. Seems I've been talking a foreign language to both reps I've talked to so far. How hard is it to get a static /60 - /48 on an account? :) I'm currently finding out. It's not like I'm asking for a static IPv4, I'm not even bothering with that. ...and after the call, Comcast Xfinity confirmed they still don't hand out/sell IPv6 blocks to Residential customers. So it is what it is. Would it be a fair (acceptable?) compromise to only run DNS lookups over IPv4? It looks like if I reorder my IPv4 DNS servers System -> General to place my DCs IPv4 addresses at the top of the list (with no outside interface assigned to it), then remove the RA & DHCPv6 DNS servers - the pfSense DHCPv6 server will assign out its own IPv6 per-interface address as a DNS server, and proxy the replies from the servers, in sequence, from Settings -> General. Seems to do away with the need for a DNS forwarder, which also seems to be IPv6-dependent (i.e. only take IPv6 addresses).

It's also been in Linux for a while.

How many hours of work... Seems like quite a few to me.. So unless you get lucky and someone writes it up for their own use and shares it. You have to provide enough incentive for someone to do all the work. $100 at best at best cover an hour worth of work - this is clearly more than 1 hour to implement, etc.

@bert64 said in Setup NAT64 in pfSense: They don't need to move to IPv6, they could continue working around the shortcomings of legacy ip for years to come. Just like you could keep repairing and modifying a rusty 1980s car. Microsoft have clearly decided that it's more cost effective, easier and more secure to move to IPv6. Yes not everything needs to talk to each other, but inevitably some things will. With an IPv6 network where everything is addressable, you add the necessary allow rules and job done. With legacy ip, you might have overlapping address space so you need nat or even double nat, which then means you need to waste address space with the translated addresses too. Yep, IPv4 hasn't been adequate since the day it became necessary to use NAT. Now, we have hacks upon hacks to get around the address shortage. Of course, this is before we get to the fact that many people are behind carrier grade NAT, which means they have no means of accessing their home network with a VPN etc.. IPv6 is where the world is moving and refusing to move with it is head in the sand stupidity. The longer people refuse to move, the longer some people will be behind CG NAT.