IPv6 + HE tunnel –> interface subnet mask = 128



  • Hello everyone,

    I have just configured my pfSense to use Hurricane Electric as IPv6 tunnel (I followed the tutorial).
    The gateway and interface work fine, but the interface of the new interface (GIF) is set with a subnet mask of 128 bits (attachment)
    and the DHCPv6 server seems to provide this info inside DHCP release…
    –> inet6 xx:xx:…:xx  prefixlen 128

    then network not reachable, of course.

    Could somebody kindly help me solve this problem?


  • Banned

    That is by design and absolutely not a problem here. No idea what you are doing with DHCP on the GIF interface, obviously you should NOT have any DHCP enabled there, WTH.



  • Ah, ok.
    Not a problem here.

    This is good news… and bad.
    Because now I have absolutely no clue about why my DHCPv6 server provides an IP address with subnet mask 128.



  • Ok, I processed some other tests.

    I use a machine under Windows.
    I see the IPv6 config easier than under Linux.
    The address is correct according to the DHCP, but there is no IPv6 gateway.
    Hum…


  • Banned

    Errr. You should enable RA in the first place (and set that to Assisted or other suitable mode). DHCPv6 is not exactly required for anything here.
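Added illustration, not written by any poster in this thread: a DHCPv6 address lease carries no prefix length and no default gateway, so a host learns its on-link /64 and its default router only from Router Advertisements (RFC 4861). The Python sketch below parses an RA and reports what a host can derive from it; the packet, the `2001:db8:1::/64` documentation prefix and all function names are constructed for this example.

```python
import ipaddress
import struct

def build_ra(m, o, lifetime, prefix, plen, on_link, auto):
    """Build a constructed RA body (checksum left 0, not verified here)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, plen, (on_link << 7) | (auto << 6), 86400, 14400, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra(pkt):
    """Parse an ICMPv6 Router Advertisement (type 134) and its prefix options."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    router_lifetime = struct.unpack("!H", pkt[6:8])[0]
    ra = {"managed": bool(flags & 0x80),   # M flag: addresses offered via DHCPv6
          "other": bool(flags & 0x40),     # O flag: other settings via DHCPv6
          "default_router": router_lifetime > 0,
          "prefixes": []}
    off = 16                               # options follow the 16-byte header
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, pkt[off + 2]), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pkt[off + 3] & 0x80),     # L flag
                                   "autonomous": bool(pkt[off + 3] & 0x40)}) # A flag
        off += opt_len
    return ra

def host_view(ra):
    """Summarise what a host learns from the RA alone."""
    return {"default_gateway": ra["default_router"],
            "on_link": [p["prefix"] for p in ra["prefixes"] if p["on_link"]],
            "slaac": [p["prefix"] for p in ra["prefixes"] if p["autonomous"]],
            "dhcpv6_offered": ra["managed"]}

# Constructed sample: M and O set, router lifetime 1800 s, one /64 with L and A set.
SAMPLE_RA = build_ra(True, True, 1800, "2001:db8:1::", 64, True, True)

if __name__ == "__main__":
    print(host_view(parse_ra(SAMPLE_RA)))
```

A host that holds a DHCPv6 address but receives no RA with a non-zero router lifetime has no default gateway, which matches the symptom described in the post above this reply.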



  • Check the prefix length on your LAN IPv6 setup (the dropdown box after the "IPv6 Address" field), it should be 64. It sounds like you have 128 there now.



  • Hum, LAN seems correctly set…

    ;)




  • RA seems active too…



  • Banned

    Do NOT set the thing to managed.



  • Do NOT…
    Ok, ok. But tell me what to do, not what to do NOT instead.
    ;)

    Tried Assisted + high/normal/low –> still /128 (and the IP is not in the range I set…)


  • Banned

    I have a hard time figuring out where you are seeing /128. (As noted above, the /128 on GIF interfaces is NORMAL). In general, DHCPv6 is NOT needed for IPv6. Leave it disabled and move on if it does not work for you.



  • Subnet mask appears here.

    And yes, IPv6 is needed to manage my pool of addresses from a centralized place.
    I cannot take the risk that my servers change their IP.

    «Not use something» is never a solution to a problem.

    And I want to understand why the DHCP does not work. Imagine: network addressing has worked well for many decades without any issues. Why is a simple DHCP configuration so complicated?



  • Banned

    @ccomp:

    I cannot take the risk that my servers change their IP.

    Your servers won't change their IP with SLAAC. You really should do some reading into how IPv6 works.

    https://howdoesinternetwork.com/2013/slaac-ipv6-stateless-address-autoconfiguration

    (Plus, if that's the concern, they should be set to static in the first place.)



  • Ok dude, let me explain:

    My IP address range is provided by Hurricane Electric right now. I use HE because my ISP does not provide IPv6.
    I have one /64 subnet.
    But, later, my ISP will surely provide IPv6 addresses (progress cannot be stopped). Then, I will have a new subnet. If I set all my servers manually, that means I will change all the manual config in all my servers, one by one.



  • After some tests, autoconfig stateless gives fe80::… (but /64)
    Of course, it cannot see the gateway and the whole world.


  • Banned

    @ccomp:

    After some tests, autoconfig stateless gives fe80::… (but /64)

    Uh eh, no it doesn't. Flush whatever you have set up there down the drain, reboot, and do it again, step by step…  https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker. Reboot.

    This works in ~10 different places for me and it works for loads of other people. You are doing something plain wrong.



  • I already followed the tutorial for configuring my pfSense. Good tutorial.
    Tunnel works fine.

    I cannot simply reboot the firewall as well. Many services/servers are running. I have to schedule a period of time (late in the night or early in the morning) to do that.

    I have to test step by step…
    If I find what the problem was, I will post a new message.

    Many thanks for your help.


  • Banned

    @ccomp:

    I already followed the tutorial for configuring my pfSense.

    Apparently not properly.



  • The future will say…


  • LAYER 8 Global Moderator

    So confused on the use of IPv6 here.. So you have a bunch of servers that you're wanting to serve up to the public via ipv6?  And you're just waiting for your isp to give you that?  Is that going to be owned by you, or controlled by you?  Or just some random ipv6 they give you?

    Do you have ipv6 space registered with arin?  Or same in your region?

    How many servers do you have exactly?  Are they in some colo?  You're not using ipv6 anywhere else in your network?  While ok 1 /64 is fine for your typical home user where everything is on same layer 2.  I don't really see how that is viable on any actual network be it home power user or small business etc.. Once you graduate beyond typical home user.. You would have more than 1 segment.  So how exactly are you using just 1 /64?

    I play with ipv6 on my home network, and 1 /64 is pointless..  I use a /48 from HE..

    While I applaud playing with and attempting to learn IPv6 - I sure and the F would not deploy it in any sort of production network until you are fully up to speed on all of the aspects in doing that.. Sorry but it seems you need a bit more play/study time before any sort of production use..



  • @johnpoz:

    … Sorry but it seems you need a bit more play/study time before any sort of production use..

    … and the good news is : HE.net has everything covered for you - they will actually really cover you !!
    It starts here : http://he.net and click on : http://ipv6.he.net/certification and when done, use their "free" tunnel offer.
    No more questions ^^ and a very original T-shirt for free.



  • I am pretty sure there is an issue with the latest version of pfSense (2.3.4). I cannot put my finger on it. At least not yet.

    On my production firewall, I received the IPv6 from my provider using DHCPv6. I also got a 128 subnet, preventing anything from working. As I also owned a /48 from HE, I installed a second pfSense where I can play at will, using my production firewall to provide DHCPv6 and subnet delegation.

    During all my tests, I always got a 128 subnet on my test firewall (sniffing the network shows the correct /64 announcement). I tried many different configurations without success. Sometimes if I used SLAAC on my test firewall it works fine (reconfiguring the main firewall accordingly), switching to DHCPv6 seems to provide the correct result…

    It is inconsistent and so far I could not create a test that provides the same results each time, which would allow a good basis to file a bug report...

    I am still searching but this 128 subnet appeared after I installed the latest release. My next step will be to install an older release on my test firewall....I'll let you know the outcome.

