IPv6 delegating prefix not working after upgrade

  • Ok, so I'm not positive that 2.4.3 broke this (I'm sure other people would have noticed) but it was working on 2.4.2 (whichever the most recent release was) and afaik, the only thing I've changed since then is the upgrade to 2.4.3.

    The network consists of DrayTek Vigor130 modem -> pfSense -> TP-Link switch -> Google Wifi, with lots of devices, both wired ones hanging off the switch (IPv6 works just fine there) and wireless ones hanging off the Google Wifi (IPv6 worked just fine till the upgrade to 2.4.3, now doesn't). All on BT Infinity FTTC.

    I get a /56 from my ISP (2a00:23c5:xxxx:2e::). I use track interface to get the /64 2a00:23c5:xxxx:2e00:: to my LAN interface. I think I have prefix delegation handing out another /64, 2a00:23c5:xxxx:2e01:: in this case, to the Google Wifi device. I have a firewall rule on the LAN to allow all from 2a00:23c5:xxxx:2e01::/64 and a static route set up from 2a00:23c5:xxxx:2e01::/64 to the WAN IPv6 gateway.

    This all worked till the upgrade; the IPv6 test site and pings from wireless devices all worked OK. Since the upgrade, I am still getting IPv6 addresses on the wireless devices, but no connectivity to the wider world (on IPv6; IPv4 still works fine).

    My IPv6 addresses didn't change through the reboot after the upgrade, which was my first thought (I have the DUID and "don't send release" flag options set to keep the same 'dynamic' IPv6 block).

    What I can see happening now, from packet captures (specifically using pings in this case), is that requests hit the LAN side of pf, but it never sees the response packets. On the WAN side, I can see the requests going out and the replies coming back in, so the ISP is routing stuff back to me, but pf doesn't seem to know how to route them back to the LAN, which is what I thought the static route did. And used to do, last week.

    Any suggestions where to look would be much appreciated. (Also, it's quite possible my IPv6 setup isn't ideal; I'm completely new to it, but like I said, it was working last week.)


  • Guessing it's a different issue. I never get a global address on the WAN interface; I have to check 'request prefix only' for my ISP. That's working as before. Also, the Google Wifi is getting the correct /64 delegated to it; I can see that in the DHCP6 status and in the addresses assigned to devices connected to it. Also, the ISP is correctly routing packets on the 2nd /64 back to me, it's just they aren't being routed to the LAN by pf.

  • Was this an upgrade or a completely clean reinstall? If it was the latter, the DUID from pfSense may be causing problems. With my ISP, if I do a clean install without changing the WAN MAC address, it will not grant a prefix until the existing lease has expired. The reason for this is their edge router (Nokia) is configured to not allow more than one active lease for a given MAC address. I've been burned on this a couple of occasions.

  • It was an upgrade. I'm still getting the same global address from my ISP, and the ISP is still routing replies to traffic from both /64s that I'm sending requests from, to pf. pf is just not routing the replies to the /64 that it delegates downstream to the Google Wifi on to it. They arrive at the WAN port and go no further. No firewall logs of them being blocked. It's as if, after the upgrade, it can't see the route back to the LAN for that prefix.

    IPv6 traffic for the /64 that is directly tracked by the LAN interface is still working fine; it's just replies to the delegated /64 that are not getting back to the LAN.