@unbekannt3 said in LWLcom DSL IPv6 über DHCP kein renewal:

Die Sense bekommt eine Adresse aus einem /64er Subnetz am WAN Interface zugewiesen und darauf dann mein /60er Subnetz geroutet, beides mit einer lifetime von 300.

Warum? 300er Lifetime hört sich für mich nach Quatsch an und viel zu kurz. Wenn ich da auf bspw. einer Fritzbox nachsehe, was da das Default Verhalten ist bei DHCP6 dann sehe ich da Zeiten in der Größenordnung 48h als Lease Time runtertickern. Zumindest wesentlich mehr als 300s. Das hört sich da schon entweder nach einer seltsamen/falschen Konfiguration an oder dass der ISP da Murks macht.

Da würde ich nochmal beim ISP selbst versuchen jemand technischeren an die Strippe zu bekommen, denn das klingt nicht gerade sinnvoll.

Cheers
\jens

@dwren78

Hmmm this is frustrating, could you describe what is happening in more detail? I am confused why it works when you have the Smarthub ahead of the pfsense router. I am not familiar with configuring the smart hub as a bridge, so where is the pppoe authentication done, in the smarthub or pfsense?

Are you getting a v4 address?
Is the v6 interface up?
Are you getting a link-local v6 address?

Dumb question, but I am going to ask it anyway, are you using your bt business pppoe username/password?

cheers

F

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

Maybe it's clever enough to bind to a LAN address in that instance? I've no idea.

You have to specify a source address by using the -S option in ping. I just did it, using my LAN global address.

@quasaur said in All IPv6 Home Network:

Enjoying my SG-1100.
I wish to switch everything to IPv6 using each host’s MAC as the last three segments of the interface ID.

Unfortunately, it appears that pfSense requires the DUID of a DHCP client to assign it a static address, and no one on the planet seems to know how to get that from a MacBook running Monterey…not even Apple!

PLEASE HELP!

Screenshot 2022-02-17 at 19.49.55.png

Run the following from the terminal:-

sudo plutil -p /var/db/dhcpclient/DUID_IA.plist

andyk@mac-pro ~ % sudo plutil -p /var/db/dhcpclient/DUID_IA.plist { "DUID" => {length = 14, bytes = 0x000100012743ca95003ee1c1af07} "HostUUID" => {length = 16, bytes = 0x8d4aa329f7175da2ac8fc3e713f04f63} "IAIDList" => [ 0 => "en0" 1 => "en1" 2 => "en2" ] } andyk@mac-pro ~ %

@rvjr said in IPv6 list generated IPv4 rule:

ok, that's weird. No I'm using the standard pfBlockerNG 2.1.4_26 on pfSense 21.05.2-RELEASE. I'll try switching the list action and see if that makes any difference.

Your problem is that you are using an old unsupported version of pfBlockerNG. The maintainer of pfBlockerNG, @BBcan177, does not recommend the use of that old version. The -devel version has been in use for 2 to 3 years now and is very stable and the only version currently being updated.

Make sure that the box is checked to save your current settings and then uninstall your current version of pfBlockerNG 2.1.4.26 and then install the -devel version 3.1.0_1. This should take care of the issues you are seeing, if not, post back to the forum and someone will help you.

@pfsensation

Yep, it's green and showing online.

Thank you all for your answers and discussion. Unfortunately it’s a “real problem”. There is a person who I trusted before but this person is now in suspicion for a bad deed. While changing my passwords (way too late I did that) I saw a log in to my personal account that was definitely not made by myself. It’s possible that that person had an auto login but I also had the hunch this person spied my personal mailbox (which is of great concern because I was in touch with official entities). Well I think the chance is quite low I forgot to logout somewhere and that that device has the same /56 prefix as that person. So I can just hope that was an auto login or that person did not found anything. Thank you all.

@madtrick
The IP variable is the same, but you have to set up a special IPv6 update client so that pfSense takes the IPv6 interface address.
https://dyndns.inwx.com/nic/update?myipv6=%IP%

@andicniko

EDIT: After a factory reset and trying again, it seems it will work if 1) I state the DHCPv6 range in full (including the prefix), and 2) I state the subnet in the router advertisements settings.

For anyone else struggling to make this work, the specific settings are:

Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
Range = [your desired IPv6 range in full, e.g. 1000:1000:1000:1000::2000 to 1000:1000:1000:1000::3000]

Note: DO NOT omit the prefix when stating the range. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default, the range is stated excluding the prefix, e.g. ::2000 to ::3000. I'm not sure why this should matter, if the subnet field is already populated and aware of 1000:1000:1000:1000::, and omitting the prefix does no harm when the LAN interface is set to IPv6 Configuration Type = Track interface. Also note: I also had some trouble keeping the "Provide DNS servers to DHCPv6 clients" checkbox ticked. It is ticked by default, but seemed to untick by itself when changing and saving settings on this page. When ticking it again and saving, it would just disappear. However, it was ticked after navigating to another page and coming back. So I didn't have an issue in the end.

Services / DHCPv6 Server & RA / LAN / Router Advertisements
Subnets = [your IPv6 prefix 1000:1000:1000:1000::/64]

Note: DO NOT leave this blank. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default this is blank, and it does no harm leaving it blank when the LAN interface is set to IPv6 Configuration Type = Track interface. I'm not sure why this should matter.

I don't know if the above are supposed to be necessary or not - apologies if I'm posting something that should be obvious. But I hope that helps someone!

@jimp said in Support for IPv6 firewall entries with dynamic delegated prefix and static host address:

While some people choose to only allow specific source hosts to specific destination hosts in a DB net, usually people don't get that fine-grained, either because the sources need to reach most if not all the resources in the target network, or because there aren't that many to bother with being that specific. Either way if someone has to get that complex with rules it's highly unusual for them to be using any kind of dynamic addressing like prefix delegation.

Now that I can completely agree with! But may I suggest that you name the feature in another way? As this works with and without prefix delegation, and is more concerned about using a shortform (host part only) on interfaces.

This is based on that I only understood the limit, when I read the sourcefile, and realized it did not use my PD, but the network the interface was assigned even if it was static.

@virgiliomi

One other point about VPNs. I use my IPv4 address for it for 2 reasons. One is I only use the VPN from my notebook computer, which I might be using from a location that only has IPv4 and the other has to do with DNS. I use a public DNS server which is configured for the IPv6 addresses that I want to make available on it. But my public IPv4 address is an alias that points to the host name provided by my ISP and is based on my cable modem and firewall MAC addresses. With the alias, the IPv6 address is never used. I could directly configure the IPv4 address, so that the IPv4 or IPv6 address would be used as appropriate, but that would then fail on the very rare occasion that my address changes.

For my site the issue has been resolved now. Been running smoothly for more than a week after increasing Router Lifetime in services_router_advertisements.php?if=lan

@ddbnj

Then I can only assume you didn't reboot pfsense. That's pretty much necessary to get the full sequence. Otherwise, you only get renewals.

Just in case someone finds this hack useful, the following is the patch I used on 2.5.0. It will only do what is intended (hardcode advertised MTU to 1480) if "Use same settings as DHCPv6 server" is unchecked under the Router Advertisements configuration settings.

src/etc/inc/services.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index a3203aaaf7..1c63272ca1 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -130,7 +130,8 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "\tAdvDefaultLifetime {$dhcpv6ifconf['raadvdefaultlifetime']};\n"; } - $mtu = get_interface_mtu($realif); + /*$mtu = get_interface_mtu($realif);*/ + $mtu = 1480; if (is_numeric($mtu)) { $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; } else {

I don't think its really anything to do with the AP firmware.. So I don't think they will be able to fix it.. From what a few were saying has to do with the different auth that wpa3 uses..

Not sure - have not dug that deep into yet. I was really hoping to just have guest be limited to wpa3.. But I will live with this compromise.. Just thought give you a heads up if you were doing the same thing.. And you had friends come over - and you get hey this qr code thing isn't working ;)

@beremonavabi

I have never been able to understand the reasons for not supporting DHCPv6 on Android. The reasons I've read could equally apply to SLAAC.

@virgiliomi Thanks. That's a really helpful answer. I appreciate it.

I tested my IPv6 access :

I introduced a firewall rule on my HENET interface :

32f30acb-b7d8-476a-bfd3-d69a3821dc1a-image.png

I have a DNS record that point's to my WAN IPv4, not my WAN IPv6, so I had to use my IPv6 WAN IP to connect to the GUI.
I had a cert warning from my browser, of course.

But the access worked well :

63a2eab4-54c2-4efa-9ef7-04825ab0f777-image.png

"Well" means for me : knowing that my IPv6 is using a tunnel to tunnel.ne.net (Huricane IPv6 ISP) the speed was somewhat limited, about 10 Mbytes /sec.
I could browse the entire pfSense GUI very well, no hick-ups ....

edit : I'll leave the IPv6 access open for a while.
PM me, and I can even send you an 'access' so you can test drive yourself.
That is, if you promise not to change something, as this is a "live' environment ;)

@mickman99 Sorry mal wieder die späte Rückmeldung. Habe jetzt Urlaub und kann mich dem Thema wieder expliziter widmen.

Tatsächlich wird der Präfix einwandfrei auf die Interfaces verteilt und stimmen auch mit dem Präfix mit dem der FRITZ!Box überein. Laut Log der FRITZ!Box wird das verteilte Netz an das LAN Interface auch erkannt und als Exposed Host freigegeben.

Ich vertraue allerdings der Firewall der FRITZ!Box nicht so ganz. Ich richte parallel bei einem Nachbar einen OpenVPN Server über IPv6 ein. Auch dort wird der eingehender Verkehr trotz Exposed Host (natürlich nur zum Test so freigegeben) rejected. Sinn macht das nicht.

Zusätzlich ist bei meiner pfsense das Problem aufgetreten, wenn viele Daten auf einmal verarbeitet werden müssen, dass der interne DNS Server abschmiert. Da habe ich auch die Vermutung, dass es an der FRITZ!Box liegt. Der Log der Fritte verrät da allerdings nicht so viel...

@jan_berg This approach seemed to be working for me: https://wiki.cable-wiki.xyz/OPNsense

Caveats:

Can't be done through UI, needs to be executed in a shell. The tunnel will not be visible in the UI. Doesn't persist. Would need to re-execute every time the WAN comes up and has a global IPv6 assigned. Need to extract the AFTR name and its IPv6 address. In my case, the name comes through via DHCPv6 from the ISP as option 64. Could extract it via tcpdump. Then resolved it to an IP address and used that when setting up the tunnel. Breaks again if AFTR name/IP changes.

So, no real DS-Lite support in pfSense currently, but possible to set up manually.

Hmm, maybe adding a static route would solve this? If you go to System, Routes and Static routes.

Hey,

ich habs jetzt hinbekommen, also nicht selber :/. Mein Freund hat mir geholfen und es geht jetzt.
Vielen dank für die ganze Hilfe.

LG
Mathias

@Jxck

Well, it certainly won't work, without it being configured on the VPN.

@jimp If states are not to be preserved, then a disable/enable (via a heartbeat mechanism or otherwise) might do the trick.. of course with a disruption of the IPv6 connectivity while the tunnel is re-establishing itself.

@Overclock said in Non local gateway IPv6:

I let you inform about OVH response.

Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

Salut ici !

J'ai un peu revu ma copie concernant l'utilisation du /56 fournis par Orange.

Je n'utilise plus le fichier de configuration /usr/local/etc/dhcp6c_wan_new.conf, je suis revenu à une configuration tel que décrite ici : https://wiki.virtit.fr/doku.php/kb:linux:pfsense:remplacer_sa_box_orange_par_un_pfsense

Au niveau de l'interface WAN j'ai juste ajouté DHCPv6 Prefix Delegation size = 56, voici la configuration de l'interface (seulement pour l'IPv6):

WAN

Le fait de déterminer le préfixe côté WAN permet d'avoir côté LAN (ou autres interfaces) la possibilité d'utiliser l'option Track Interface:

LAN: Track interface

Mais en l'état rien ne fonctionne, les clients n'obtiennent pas d'adresse IPv6 😧

Du coup côté LAN je me suis résigné à détermine l'adresse IPv6 de façon statique:

LAN: Static IPv6

Quelqu'un a déjà eu l'expérience d'utiliser l'option Track interface avec succès ?

J'imagine qu'on n'est vraiment pas loin du tout en terme de configuration mais j'ai beau tout retourner je n'y parviens pas.

Certes le fonctionnement actuel est correct, mais j'aurai souhaité atteindre la perfection en n'ayant pas à écrire le préfixe en dur dans les interfaces...

@JKnott
To be really honest...
A cosmic thing. Apparently not all VPN servers I've added (as client) are handing out ULA's. So on my dashboard it just looked sh*t.
Plus my OCD was hyping over this. ;-)

I just want one standard. So all three should give me an ULA or not.
Not just one.

I have pretty much the same kind of setup provided by a local ISP. I found out that ISP providing static IPs is not so common practice. At least among PFSense forum users.
I built up two different setup ("automatic" and "semi-automatic"). Not 100% sure those are according to best IPV6 practices, but I tried to do everything by the book. Not just something that happens to work.
Hoping you get your IPV6 network to work and/or people here are able to assist you on that.

Ax.

@gary201 The issue from July 2019 was resolved without them really going into detail about what was happening during their large maintenance/migration. When I got in touch with them they were still in the "putting out fires" mode. They made a note of my issue, emailed me a few days later when they had a fix in place for me to verify, and all was good.

Around December 2nd of 2020 I did have an IPv6 outage after a maintenance window. No IPv6 traffic was routing. I also tried different machines directly wired to the ONT at that time to verify it wasn't something on my end (not that I had changed anything). I reached out to them and they were able to in their words, "remove a filter" and it fixed my issue. I'm not sure how helpful that is, but it's all they told me.

@JeGr said in DNS hostname for dynamic IPv6 address:

Newer Hosts tend to use EUI-64 if implemented so are not "predictable" by their MAC address anymore

Actually, all IPv6 addresses are EUI-64. The host part can be either MAC based, random number or other. With IPv6, the EUI-48 MAC address is converted to EUI-64 by inserting FFFE in the middle and inverting bit 7.

@JKnott: you've got my requirement upside-down.

I want the pfSense firewalls, on their WAN interface, to accept RAs from the upstream routers.

This is the normal behaviour for RAs. In fact, pfSense supports it if the WAN interface is configured dynamically using DHCP6 or SLAAC. I want to know if it's possible when the WAN interface is configured with a static IPv6 address.

Downstream, everything is fine:

fw1 fw2 | | -+---+----+- | server I can configure pfSense to send RAs only (without offering SLAAC prefix or DHCP6) I can configure the server with a static IPv6 address I can configure the server to pick up its default route via RA (e.g. Linux: accept_ra=1)

That all works fine. Now I need to do the same upstream, where the pfSense WAN is the "client" and the upstream routers send RAs.

You are right that I could instead use VRRP or CARP. The reasons not to do this are partly philosophical (IPv6 already provides this facility, in the form of Router Advertisements), and partly practical: the Netgear M4300-24X24F I'm using has a bug where it drops more than 90% of IPv6 CARP packets, which results in devices switching into MASTER-MASTER mode. (Aside: it also doubles IPv4 CARP packets. Go figure). I do have a case open with Netgear for this.

I know how networks work, so I'm trying to ask a specific question about pfSense from pfSense experts. The question is: if I configure pfSense WAN interface with a static IPv6 address, can it also be configured to accept Router Advertisements? "Yes" or "no" from someone who knows the answer, please.

How about LAN to the IPv6 address on the pfSense WAN interface?

How about LAN to the very next IPv6 hop outside the WAN?

Packet capture on WAN. If the echo requests are being sent but no reply is being received, there's nothing pfSense can do about it. Complain to the ISP.

It is very possible they could have something different configured (perhaps unintentionally) for the interface address/prefix and the routed, delegated /60 prefix.

So looking at the new 5.11.10 release, looks like they have added ipv6?

from 5.11.5 in the release notes?
Add subnet for IPv6 networks in Networks Table.

I am currently running 5.10.21 which is not viable direct upgrade.. So can not test for sure until I get on 5.11.10, but you might want to try 5.11.10 if you want ipv6 with guest policy enable. But not captive portal.

@bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6:

I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.

It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.

Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.

I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.

Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL.

And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners.

I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.

Even if your ISP doesn't provide IPv6, you can still have it, using a tunnel from hurricane electric. They are free, they perform well, they are very reliable and they work. I used one for years before my ISP implemented IPv6. There are lots people here who can help you set it up.