@jbannister

SLAAC .... NPT ....
Never used these, as they are 'not needed' ( ? )

I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years.

I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT.
This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices.

I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing.
And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@johnpoz
I'm only using 5 of my 256 /64s. However, I think people have learned a lot of bad habits, with having to conserve IPv4 address space. The only place where a smaller prefix makes sense is with a point to point link, where a /127 is all you need.

Thanks @jimp for the fix. I've re-tested with 23.01.b.20221221.1946 snapshot and the issue seems to be resolved.

solved by add a WAN_IGB0 interface and use it in NAT Outbound.

9b2fcfee-c934-445d-b725-d7da11b2337f-image.png

66f43f6c-9d85-4177-a228-fc0e29157020-image.png

784a3a56-3edb-423f-a98d-d4694c7c0e68-image.png

@lolo54000 said in Ipv6 configured but unable to ping internet:

In my ovh account i have 6 physical server and each have it's own ipv4 and it's own ipv6 /64 ipv6

To have a router in front, you would need:

an IPv6 for the router WAN an IPv4 for the router WAN OVH to route your other IP addresses to those IPs your servers to use your router LAN IPv4/IPv6 as their gateway

It sounds like they are simply not set up to handle a router, like you're asking for.

@mariog Thanks for the link. I'll keep an eye on this.

So, I found a GUI "bug". I had correctly set the prefix ID's in the "Tracked Interface" for each VLAN, but at the RA page, I mistakenly reinserted the prefix ID in the fields that are for static (full, not delegated) prefixes. Removed the static prefixes and everything now works. GUI should not let you enter static prefixes on a tracked interface, aside from fc00 or fd. And if it does, it should check if they are correct. One of the prefixes was ::1/64.

@unbekannt3 said in LWLcom DSL IPv6 über DHCP kein renewal:

Die Sense bekommt eine Adresse aus einem /64er Subnetz am WAN Interface zugewiesen und darauf dann mein /60er Subnetz geroutet, beides mit einer lifetime von 300.

Warum? 300er Lifetime hört sich für mich nach Quatsch an und viel zu kurz. Wenn ich da auf bspw. einer Fritzbox nachsehe, was da das Default Verhalten ist bei DHCP6 dann sehe ich da Zeiten in der Größenordnung 48h als Lease Time runtertickern. Zumindest wesentlich mehr als 300s. Das hört sich da schon entweder nach einer seltsamen/falschen Konfiguration an oder dass der ISP da Murks macht.

Da würde ich nochmal beim ISP selbst versuchen jemand technischeren an die Strippe zu bekommen, denn das klingt nicht gerade sinnvoll.

Cheers
\jens

@dwren78

Hmmm this is frustrating, could you describe what is happening in more detail? I am confused why it works when you have the Smarthub ahead of the pfsense router. I am not familiar with configuring the smart hub as a bridge, so where is the pppoe authentication done, in the smarthub or pfsense?

Are you getting a v4 address?
Is the v6 interface up?
Are you getting a link-local v6 address?

Dumb question, but I am going to ask it anyway, are you using your bt business pppoe username/password?

cheers

F

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

Maybe it's clever enough to bind to a LAN address in that instance? I've no idea.

You have to specify a source address by using the -S option in ping. I just did it, using my LAN global address.

@quasaur said in All IPv6 Home Network:

Enjoying my SG-1100.
I wish to switch everything to IPv6 using each host’s MAC as the last three segments of the interface ID.

Unfortunately, it appears that pfSense requires the DUID of a DHCP client to assign it a static address, and no one on the planet seems to know how to get that from a MacBook running Monterey…not even Apple!

PLEASE HELP!

Screenshot 2022-02-17 at 19.49.55.png

Run the following from the terminal:-

sudo plutil -p /var/db/dhcpclient/DUID_IA.plist

andyk@mac-pro ~ % sudo plutil -p /var/db/dhcpclient/DUID_IA.plist { "DUID" => {length = 14, bytes = 0x000100012743ca95003ee1c1af07} "HostUUID" => {length = 16, bytes = 0x8d4aa329f7175da2ac8fc3e713f04f63} "IAIDList" => [ 0 => "en0" 1 => "en1" 2 => "en2" ] } andyk@mac-pro ~ %

@rvjr said in IPv6 list generated IPv4 rule:

ok, that's weird. No I'm using the standard pfBlockerNG 2.1.4_26 on pfSense 21.05.2-RELEASE. I'll try switching the list action and see if that makes any difference.

Your problem is that you are using an old unsupported version of pfBlockerNG. The maintainer of pfBlockerNG, @BBcan177, does not recommend the use of that old version. The -devel version has been in use for 2 to 3 years now and is very stable and the only version currently being updated.

Make sure that the box is checked to save your current settings and then uninstall your current version of pfBlockerNG 2.1.4.26 and then install the -devel version 3.1.0_1. This should take care of the issues you are seeing, if not, post back to the forum and someone will help you.

@pfsensation

Yep, it's green and showing online.

Thank you all for your answers and discussion. Unfortunately it’s a “real problem”. There is a person who I trusted before but this person is now in suspicion for a bad deed. While changing my passwords (way too late I did that) I saw a log in to my personal account that was definitely not made by myself. It’s possible that that person had an auto login but I also had the hunch this person spied my personal mailbox (which is of great concern because I was in touch with official entities). Well I think the chance is quite low I forgot to logout somewhere and that that device has the same /56 prefix as that person. So I can just hope that was an auto login or that person did not found anything. Thank you all.

@madtrick
The IP variable is the same, but you have to set up a special IPv6 update client so that pfSense takes the IPv6 interface address.
https://dyndns.inwx.com/nic/update?myipv6=%IP%

@andicniko

EDIT: After a factory reset and trying again, it seems it will work if 1) I state the DHCPv6 range in full (including the prefix), and 2) I state the subnet in the router advertisements settings.

For anyone else struggling to make this work, the specific settings are:

Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
Range = [your desired IPv6 range in full, e.g. 1000:1000:1000:1000::2000 to 1000:1000:1000:1000::3000]

Note: DO NOT omit the prefix when stating the range. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default, the range is stated excluding the prefix, e.g. ::2000 to ::3000. I'm not sure why this should matter, if the subnet field is already populated and aware of 1000:1000:1000:1000::, and omitting the prefix does no harm when the LAN interface is set to IPv6 Configuration Type = Track interface. Also note: I also had some trouble keeping the "Provide DNS servers to DHCPv6 clients" checkbox ticked. It is ticked by default, but seemed to untick by itself when changing and saving settings on this page. When ticking it again and saving, it would just disappear. However, it was ticked after navigating to another page and coming back. So I didn't have an issue in the end.

Services / DHCPv6 Server & RA / LAN / Router Advertisements
Subnets = [your IPv6 prefix 1000:1000:1000:1000::/64]

Note: DO NOT leave this blank. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default this is blank, and it does no harm leaving it blank when the LAN interface is set to IPv6 Configuration Type = Track interface. I'm not sure why this should matter.

I don't know if the above are supposed to be necessary or not - apologies if I'm posting something that should be obvious. But I hope that helps someone!

@jimp said in Support for IPv6 firewall entries with dynamic delegated prefix and static host address:

While some people choose to only allow specific source hosts to specific destination hosts in a DB net, usually people don't get that fine-grained, either because the sources need to reach most if not all the resources in the target network, or because there aren't that many to bother with being that specific. Either way if someone has to get that complex with rules it's highly unusual for them to be using any kind of dynamic addressing like prefix delegation.

Now that I can completely agree with! But may I suggest that you name the feature in another way? As this works with and without prefix delegation, and is more concerned about using a shortform (host part only) on interfaces.

This is based on that I only understood the limit, when I read the sourcefile, and realized it did not use my PD, but the network the interface was assigned even if it was static.

@virgiliomi

One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

For my site the issue has been resolved now. Been running smoothly for more than a week after increasing Router Lifetime in services_router_advertisements.php?if=lan

@ddbnj

Then I can only assume you didn't reboot pfsense. That's pretty much necessary to get the full sequence. Otherwise, you only get renewals.

Just in case someone finds this hack useful, the following is the patch I used on 2.5.0. It will only do what is intended (hardcode advertised MTU to 1480) if "Use same settings as DHCPv6 server" is unchecked under the Router Advertisements configuration settings.

src/etc/inc/services.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index a3203aaaf7..1c63272ca1 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -130,7 +130,8 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "\tAdvDefaultLifetime {$dhcpv6ifconf['raadvdefaultlifetime']};\n"; } - $mtu = get_interface_mtu($realif); + /*$mtu = get_interface_mtu($realif);*/ + $mtu = 1480; if (is_numeric($mtu)) { $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; } else {

I don't think its really anything to do with the AP firmware.. So I don't think they will be able to fix it.. From what a few were saying has to do with the different auth that wpa3 uses..

Not sure - have not dug that deep into yet. I was really hoping to just have guest be limited to wpa3.. But I will live with this compromise.. Just thought give you a heads up if you were doing the same thing.. And you had friends come over - and you get hey this qr code thing isn't working ;)

@beremonavabi

I have never been able to understand the reasons for not supporting DHCPv6 on Android. The reasons I've read could equally apply to SLAAC.

@virgiliomi Thanks. That's a really helpful answer. I appreciate it.

I tested my IPv6 access :

I introduced a firewall rule on my HENET interface :

32f30acb-b7d8-476a-bfd3-d69a3821dc1a-image.png

I have a DNS record that point's to my WAN IPv4, not my WAN IPv6, so I had to use my IPv6 WAN IP to connect to the GUI.
I had a cert warning from my browser, of course.

But the access worked well :

63a2eab4-54c2-4efa-9ef7-04825ab0f777-image.png

"Well" means for me : knowing that my IPv6 is using a tunnel to tunnel.ne.net (Huricane IPv6 ISP) the speed was somewhat limited, about 10 Mbytes /sec.
I could browse the entire pfSense GUI very well, no hick-ups ....

edit : I'll leave the IPv6 access open for a while.
PM me, and I can even send you an 'access' so you can test drive yourself.
That is, if you promise not to change something, as this is a "live' environment ;)

@mickman99 Sorry mal wieder die späte Rückmeldung. Habe jetzt Urlaub und kann mich dem Thema wieder expliziter widmen.

Tatsächlich wird der Präfix einwandfrei auf die Interfaces verteilt und stimmen auch mit dem Präfix mit dem der FRITZ!Box überein. Laut Log der FRITZ!Box wird das verteilte Netz an das LAN Interface auch erkannt und als Exposed Host freigegeben.

Ich vertraue allerdings der Firewall der FRITZ!Box nicht so ganz. Ich richte parallel bei einem Nachbar einen OpenVPN Server über IPv6 ein. Auch dort wird der eingehender Verkehr trotz Exposed Host (natürlich nur zum Test so freigegeben) rejected. Sinn macht das nicht.

Zusätzlich ist bei meiner pfsense das Problem aufgetreten, wenn viele Daten auf einmal verarbeitet werden müssen, dass der interne DNS Server abschmiert. Da habe ich auch die Vermutung, dass es an der FRITZ!Box liegt. Der Log der Fritte verrät da allerdings nicht so viel...

@jan_berg This approach seemed to be working for me: https://wiki.cable-wiki.xyz/OPNsense

Caveats:

Can't be done through UI, needs to be executed in a shell. The tunnel will not be visible in the UI. Doesn't persist. Would need to re-execute every time the WAN comes up and has a global IPv6 assigned. Need to extract the AFTR name and its IPv6 address. In my case, the name comes through via DHCPv6 from the ISP as option 64. Could extract it via tcpdump. Then resolved it to an IP address and used that when setting up the tunnel. Breaks again if AFTR name/IP changes.

So, no real DS-Lite support in pfSense currently, but possible to set up manually.

Hmm, maybe adding a static route would solve this? If you go to System, Routes and Static routes.

Hey,

ich habs jetzt hinbekommen, also nicht selber :/. Mein Freund hat mir geholfen und es geht jetzt.
Vielen dank für die ganze Hilfe.

LG
Mathias

@Jxck

Well, it certainly won't work, without it being configured on the VPN.

@jimp If states are not to be preserved, then a disable/enable (via a heartbeat mechanism or otherwise) might do the trick.. of course with a disruption of the IPv6 connectivity while the tunnel is re-establishing itself.

@Overclock said in Non local gateway IPv6:

I let you inform about OVH response.

Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

Salut ici !

J'ai un peu revu ma copie concernant l'utilisation du /56 fournis par Orange.

Je n'utilise plus le fichier de configuration /usr/local/etc/dhcp6c_wan_new.conf, je suis revenu à une configuration tel que décrite ici : https://wiki.virtit.fr/doku.php/kb:linux:pfsense:remplacer_sa_box_orange_par_un_pfsense

Au niveau de l'interface WAN j'ai juste ajouté DHCPv6 Prefix Delegation size = 56, voici la configuration de l'interface (seulement pour l'IPv6):

WAN

Le fait de déterminer le préfixe côté WAN permet d'avoir côté LAN (ou autres interfaces) la possibilité d'utiliser l'option Track Interface:

LAN: Track interface

Mais en l'état rien ne fonctionne, les clients n'obtiennent pas d'adresse IPv6 😧

Du coup côté LAN je me suis résigné à détermine l'adresse IPv6 de façon statique:

LAN: Static IPv6

Quelqu'un a déjà eu l'expérience d'utiliser l'option Track interface avec succès ?

J'imagine qu'on n'est vraiment pas loin du tout en terme de configuration mais j'ai beau tout retourner je n'y parviens pas.

Certes le fonctionnement actuel est correct, mais j'aurai souhaité atteindre la perfection en n'ayant pas à écrire le préfixe en dur dans les interfaces...

@JKnott
To be really honest...
A cosmic thing. Apparently not all VPN servers I've added (as client) are handing out ULA's. So on my dashboard it just looked sh*t.
Plus my OCD was hyping over this. ;-)

I just want one standard. So all three should give me an ULA or not.
Not just one.