IPv6 doubts

  • Greetings from Portugal. Mi ISP here (Vodafone) assigns me a /56 prefix; namely 2001:818:d9d9:ba00::/56. The IPv6 addresses are doled out through SLAAC from the ISP fiber ONT. So far, so good. I think I can set up the WAN interface in my pfSense to receive its IP SLAACly, or set up a static IPv6 within the range of my delegated prefix. I mean, I hhave 256 prefixes to do it, so why not? Here goes, 2001:818:d9d9:ba00::fffe/64, with default gateway set at 2001:818:d9d9:ba00::1. Now that is my WAN interface set up, it works, I can ping6, and everything is smooth as silk. On to the LAN side: Same idea, right? I set an IPv6 address in the same subnet of my assigned prefix, set gateway to none (because it is after all a LAN address), set my DNS servers and all should be fine and dandy, with my clients behind pfsense receiving an Internet-pingable IPv6 address. Right? Wrong. Wrong, because although I get an IPv6, external addresses (google.com, microsoft.com,, etc.) get a nice, juicy, "Time out" when pinged. Am I missing something here? Have I done everything "by the book" as they say, or should I look at enabling static routes between the ba00 and ba01 subnets through loopback, or set NAT66 with a ULA, and then use that ULA as my dhcp6 range? Have I missed any firewall black magic? I would appreciate any help available in this matter.


  • Your post is a bit confusing. Typically, the ISP uses DHCPv6-PD to assign the prefix to your network. Then the router, such as pfSense can be configured to assign individual /64s to the various interfaces. Do you have IPv6 addresses available on your LAN? And please, Please, PLEASE forget about NAT. It's a hack to get around the IPv4 address shortage.

    One you have IPv6 up and running you'll notice you have multiple GUAs on your computers. One will be permanent and the others temporary, typically a new one every day, with a lifetime of 7 days. Point your DNS to the permanent one. On Windows, it will likely by a random number and on Linux, MAC address based. The temporary addresses are always random number based.

  • Dear @JKnott, if my post seems confusing I am sorry, it was unintentional. The fact is, my ISP is not using DHCP-PD to spread IPv6 GUA from its router to my pfSense box. It is using SLAAC to do so, and this information comes straight from the ISP itself. I do have IPv6 GUA in my LAN generated by my pfSense box DHCPv6 server; what I do not have is Internet connectivity from any one of them. I have checked and double checked, time and again. by connecting a client directly to the router, and once it is connected I do get IPv6 addresses with IPv6 connectivity to the Internet, while when the same client is connected behind the pfSense box it fails the ipv6 tests and ping6 reports timeouts to the WAN address. I hope this made the situation more clear, and I do understand twhat you say about NAT, and I agree, but my ISP (by its own admission) has other ideas, it will not do DHCPv6 prefix subdelegation.

  • LAYER 8 Global Moderator

    how are they giving you a /56 with slaac?

    I think maybe some sort of communication breakdown here. Do you mean they hand your router an IP on its wan via slaac and then you can get your /56 via delegation?

    What is the address you get on your wan - what is the prefix size?

    When you state they assigned you this 2001:818:d9d9:ba00::/56, I would take it they routed that to you - if so then your golden you can break that up into /64 and assign to your different networks.

  • @johnpoz: As per your request, the router has in its web interface the following information: The prefix is 2001:818:d9d9.ba00/56, the gateway IP is 2001:818:d9d9:ba00::1. When I called the ISP complaining that I did not get Internet connectivity for any device behind my pfSense and asking how did I have to set up the prefix subdelegation, they told me that IP address distribution from the ISP's router is not made through DHCPv6 but through SLAAC. Using the ISP's own suggestion I assigned the WAN port on the pfSense box a static address, which works. Given that I can't break up the /56 and slice it and dice it to my heart's content -- I have tried, to frustrating failure.

  • LAYER 8 Global Moderator


    If your isp is giving you a /56 via slaac that is utterly borked!!! There are 2 legit prefixes /64 and /128

    How about you just let your wan be slaac and setup that /56 broken up behind you and see if that works... How is that isp try and rollout ipv6 and just do not have clue one.. Did nobody at this isp read any of the rfcs?

  • LAYER 8 Netgate

    Post the output for your WAN interface from Status > Interfaces.

  • LAYER 8 Global Moderator


    Off topic sorry - tried sending you a chat.. But you have them blocked.. Your link to the use this diagram is not working. Would guess since the change to nodebb vs smf

  • LAYER 8 Netgate

    OK yeah chat should be fixed. Waiting for the attachments from the old forum to be sussed out before I hassle that diagram.

  • @Derelict : Of course, as soon as I get home I'll post the relevant info.

  • @johnpoz apparently not, I have exactly zero clue as to why they'd give me a whole /56, only to deny it to me by giving me /64 addresses through SLAAC from their router, smh...

  • @derelict as per your request here's the requested snapshot

    0_1527531319227_2018-05-28 (2).png

  • LAYER 8 Netgate

    OK that's a /64 on WAN so that is what I would expect.

    Is that statically-configured or is that what is on the interface when WAN is configured for SLAAC?

    LAN looks good as well. I would:

    (At least temporarily) Pass ICMPv6 (any) traffic on WAN from source any to destination 2001:818:d9d9:ba00::/56

    ping6 2001:818:d9d9:ba01::fffe from the outside someplace.

    See if you get a response. If so, you can start looking at why LAN isn't working. If not, verify you can ping6 to 2001:818:d9d9:ba00::fffe. If not your pings are probably not working. if so, packet capture on WAN for IPv6 traffic for 2001:818:d9d9:ba01::fffe and test the ping6 to that again. Stop the capture and see if you can see the echo requests coming in from the ISP. If so, you can proceed to figure out why there is no response. If not, you need to nail down the ISP as to exactly how they are provisioning this /56.

  • Galactic Empire

    You've got a bridge interface set up with IP addresses on each interface and the bridge, thought you should only have IP addresses on the bridge interface.


  • @derelict this is statically configured. I haven't tried using SLAAC, will attempt to do so now.

  • LAYER 8 Netgate

    Not at all what I recommended you do but OK.

  • LAYER 8 Netgate

    @nogbadthebad Yeah I haven't even started with the bridge yet. First thing is to see if this ISP is even sending the traffic.

    @cmpsalvestrini Why are you complicating things that aren't working yet with things like interface bridges? Why do you feel the need to do that?

  • Galactic Empire

    Pings to the WAN interface work.

    mac-pro:~ andy$ ping6 2001:818:d9d9:ba00::fffe
    PING6(56=40+8+8 bytes) 2a02:8010:XXXX:X::14 --> 2001:818:d9d9:ba00::fffe
    16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=0 hlim=252 time=50.847 ms
    16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=1 hlim=252 time=51.265 ms
    16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=2 hlim=252 time=50.797 ms
    16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=3 hlim=252 time=50.751 ms
    16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=4 hlim=252 time=51.085 ms

  • @derelict I-m still on the static, I fiddled with the LAN side a bit and I have as follows:
    Interfaces status:

    0_1527533428032_2018-05-28 (3).png


    0_1527533458688_2018-05-28 (4).png

    I know I was complicating things, I removed the bridge and I am trying to be a good boy and use a ULA and the (famous? infamous? nefarious?) NPt service. I get as follows in my client:

    0_1527533576396_2018-05-28 (5).png

    All dandy, until:

    0_1527533619063_2018-05-28 (6).png

  • LAYER 8 Netgate

    Right. the other doesn't but that could be rules.

  • Galactic Empire

    You have a invert match rule on your wan interface.

  • LAYER 8 Netgate

    OK now everything is completely different. I would request that you stop making wholesale changes and perform the requested steps.

    It is not up to you to be good and use ULA. It is up to the ISP not to be bad to give you something usable.

  • LAYER 8 Netgate

    And the destination is WAN net not the entire /56 so you won't be able to ping anything on the inside /64s. Please re-read my suggested actions above.

  • @derelict That's what happens when one starts thinking and having weird ideas. Let me fix that and I'll get back to you.

  • Galactic Empire


    I just noticed the ! I know how much you like them :)

  • @Derelict Okay. Things have been fixed to the way they were before, eliminating the bridge (Bad, bad idea I had). I apologize for not following the procedure. I have been dealing with this for the past 2 months trying to get IPv6 working and, well, let's say frustration is a bad counselor. Anyhow, as requested:


    Firewall rule:
    0_1527534822159_2018-05-28 (1).png

  • Galactic Empire


    Are you sure you've fully removed the bridge, I can still see the bridge line in the screenshot.

  • LAYER 8 Netgate

    OK with those rules in place I should be able to ping 2001:818:d9d9:ba01::fffe but I cannot. So they are apparently not routing that to you like they said.

    I would go back to them and ask how exactly this is provisioned.

    What do I put on the WAN interface here?

    How is the /56 routed to me?

    Just ask for generic instructions for any router. It doesn't have to be pfSense-specific.

    I would also packet capture for incoming ICMPv6 packets to that address and ping it from the outside and see if they show up.

    If not I would packet capture for neighbor solicitations on WAN for that address and ping it again. If they are soliciting for a neighbor on two different /64s on WAN they are, as @johnpoz might say, borked.

  • LAYER 8 Netgate

    The bridge should not matter for this test. There should be a 2001:818:d9d9:ba01::fffe/64 address on a localhost interface that should respond. The bridge should not matter here but should be cleaned up for sure.

  • @Derelict Thank you very much, I will ask these questions to the ISP and see about configuring things properly. I'll keep you posted about progress on this issue.

  • LAYER 8 Netgate

    @derelict said in IPv6 doubts:

    I would also packet capture for incoming ICMPv6 packets to that address and ping it from the outside and see if they show up.
    If not I would packet capture for neighbor solicitations on WAN for that address and ping it again. If they are soliciting for a neighbor on two different /64s on WAN they are, as @johnpoz might say, borked.

    I would diagnose whatever you can so you can be well-prepared to deal with ISP, umm, indifference.

  • UPDATE: I've talked to my ISP again, they said they'd get back to me about it. I asked them how to st up the IPv6 so it works with pfSense, I think I may have stumped them, hehe. In the meantime I need to prepare my weapons of clobbering <rolls all the IPv6 RFCs and readies them to clobber my ISP with them> Just saying, is they are being unorthodox... to quote rock man from the fantastic four: "It's clobberin' time!"

  • @cmpsalvestrini said in IPv6 doubts:

    I think I may have stumped them, hehe

    Easy enough with first level "support". ;)

  • gets off the phone with ISP <groan> WAN IPv6 address is distributed by SLAAC ... </groan>

    I suppose I will have to set up some kind of bridge... I don't see how am I going to get my IPv6 working on the LAN side of my pfSense now. mutters darkly

  • LAYER 8 Netgate

    What do you get on the WAN if you set it to SLAAC? (I would set it to SLAAC, apply, then shut down pfSense, reboot your modem until it comes back green, then start pfSense).

    After that is the /56 routed to you? They might be doing something there. I have never seen it but they might.

    What WAN address you get really doesn't matter. It is the /56 that matters.

  • LAYER 8 Global Moderator

    you can not hand out /56 via slaac.. So how is they said they gave you a /56?

    You can assign the router an IPv6 with slaac, and then delegate the /56 with dhcp prefix delegation.

    Simple solution to make all your pain go away would be just get a tunnel from HE.. You can get a /48 from them.. Take you all of a few minutes to get it up and running.

  • LAYER 8 Netgate

    I know you can't. But if that is what they are saying that is what should be attempted. Who knows what they are doing.

    When it doesn't work, he can go back to them and say "What about the /56?" "How is that routed to me?" Because he's certainly not going to get a /56 prefix using SLAAC, as broken as that would be.

  • @cmpsalvestrini said in IPv6 doubts:

    gets off the phone with ISP <groan> WAN IPv6 address is distributed by SLAAC ... </groan>

    I suppose I will have to set up some kind of bridge... I don't see how am I going to get my IPv6 working on the LAN side of my pfSense now. mutters darkly

    Regardless of how you get your WAN address, they have to route your /56 prefix to you. This is normally done via the link local address, but can be done with whatever they assign to your WAN interface.

    On my network, I have a /56 prefix, but the WAN address is in a different one. However, my default gateway is a link local address.

    default fe80::217:10ff:fe9 UGS re0

  • blinks... Epiphany... So I use the ISP's modem link local address as gateway on my WAN interface and everything will work? And here I was setting up GUA as my gateway... forehead meets hand

  • LAYER 8 Global Moderator

    Just let your wan get its IP via slaac... Then try and setup a IP on one of your lan side interfaces with the /56 they gave you.

    If its routed to you that will work.

Log in to reply