How to correctly setup static IPv6?
- 
 Good afternoon, I have some odd, odd problems getting IPv6 to work for the LAN devices/clients here and even though I think I have set it up correctly, reality is, I have not and things aren't working. Given that remote-debugging/finding the error might be a bit complicated, I was wondering what the correct way would be to set things up. The goal is to have a very basic ISP > pfSense > LAN devices/clients. No further downstream routers etc. So what I have received from my ISP is: - A static 2001:XXX:YYYY:ZZZZ::88b4/126 network for the WAN interface, so basically I got the ::88b6/126 for the pfSense WAN interface and the ISPs gateway/router is ::88b5/126.
- A 2001:XXX:VVVV::/48 for my side of things beyond the pfSense
 At the most basic setup I did what I said above - assign the WAN interface the ::88b6/126 and the GW for it to ::88b5/126. I did/do nothing on LAN interface side of things, yet at this stage. Neither FW rules wise. So what works: - IPv6 monitoring on the WAN GW to the ::88b5/126
- traceroute6 out on the pfSense works perfectly fine to wherever I choose (google.com, any akamai host etc)
- If I (temporarily and generously) allow all IPv6 traffic in on the WAN interface / rules to the ::88b6/126 as destination, I can use i.e. http://www.traceroute6.net/ to traceroute6 also back to the pfSense's WAN interface just fine.
 Good, so far it seems to work & I removed said wide-open FW rule again. As the goal is to have LAN side's devices IPv6 access, I would be wondering/asking, what's the correct way to proceed: - Assign the LAN interface an IPv6 address out of the /48 .. i.e. a /56's ::1 with the intent then to take at least one /64 for the actual devices/client behind it
 ... well or what would be the correct approach? There will be only clients/devices, no further downstream routers/gateways...? I don't want to overcomplicate things (just yet?), so what address + network out of said /48 would/should I assign where now? Thanks! 
 -JB
- 
 @jbattermann Split up your /48 into /64's i.e:- 2a02:1234:1234::/48 split :- 2a02:1234:1234::/64 Start Range: 2a02:1234:1234:0:0:0:0:0 End Range: 2a02:1234:1234:0:ffff:ffff:ffff:ffff No. of host: 18446744073709551616 2a02:1234:1234:1::/64 LAN Start Range: 2a02:1234:1234:1:0:0:0:0 End Range: 2a02:1234:1234:1:ffff:ffff:ffff:ffff No. of host: 18446744073709551616 2a02:1234:1234:2::/64 USER Start Range: 2a02:1234:1234:2:0:0:0:0 End Range: 2a02:1234:1234:2:ffff:ffff:ffff:ffff No. of host: 18446744073709551616 2a02:1234:1234:3::/64 GUEST Start Range: 2a02:1234:1234:3:0:0:0:0 End Range: 2a02:1234:1234:3:ffff:ffff:ffff:ffff No. of host: 18446744073709551616 2a02:1234:1234:4::/64 IOT Start Range: 2a02:1234:1234:4:0:0:0:0 End Range: 2a02:1234:1234:4:ffff:ffff:ffff:ffff No. of host: 18446744073709551616 2a02:1234:1234:5::/64 DMZ Start Range: 2a02:1234:1234:5:0:0:0:0 End Range: 2a02:1234:1234:5:ffff:ffff:ffff:ffff No. of host: 18446744073709551616 2a02:1234:1234:6::/64 VOICE Start Range: 2a02:1234:1234:6:0:0:0:0 End Range: 2a02:1234:1234:6:ffff:ffff:ffff:ffff No. of host: 18446744073709551616I use the last quartet as the vlan number and the ::1 as the gateway, makes things easy to remember. Go here to test afterwards https://ipv6-test.com 
- 
 @jbattermann said in How to correctly setup static IPv6?: As the goal is to have LAN side's devices IPv6 access, I would be wondering/asking, what's the correct way to proceed: Assign the LAN interface an IPv6 address out of the /48 .. i.e. a /56's ::1 with the intent then to take at least one /64 for the actual devices/client behind it With a /48 you have 65536 possible prefix IDs, ranging 0-ffff. You pick one of those for each interface or VLAN as you wish. You can use them to match VLAN ID, as I do, or whatever you wish, so long as the ID is unique. 
- 
 Thanks @NogBadTheBad & @JKnott .. that's exactly what I did last time.. or at least I think I did. In the easiest picture with just one non-VLAN-seperated LAN (again, keeping VLAN out for simplicity) and assuming @NogBadTheBad's LAN example: - What would you assign the pfSense's LAN interface as address - i.e. 2001:XXX:VVVV:1::1/64 out of the 2001:XXX:VVVV:1::/64 LAN net taken as an example?
- And further on after that, what would you use/configure DHCPv6/RA wise on the LAN interface... both, just one.. neither?
- And finally, would you add/have any WAN or LAN IPv6 rules?
 It may sound like a trivial setup and questions.. my problem basically ended up being that everything worked on the pfSense box but while LAN clients could traceroute6/ping6 out just fine, i.e. no IPv6 websites could be reached without timing out and browsers/applications etc behaving the way they do in that case (if at all).. falling back to IPv4 after a while (some very quickly, some in very odd ways/extremely long timeouts etc). So if you would ignore that last paragraph and what I am trying to not run into again (and again.. not wanting to make things too complicated and more as a step-by-step and going/re-configuring along kind of approach), how would you go about the three bullet points above? Thanks! 
- 
 @jbattermann said in How to correctly setup static IPv6?: Thanks @NogBadTheBad & @JKnott .. that's exactly what I did last time.. or at least I think I did. 
 In the easiest picture with just one non-VLAN-seperated LAN (again, keeping VLAN out for simplicity) and assuming @NogBadTheBad's LAN example:What would you assign the pfSense's LAN interface as address - i.e. 2001:XXX:VVVV:1::1/64 out of the 2001:XXX:VVVV:1::/64 LAN net taken as an example? 
 And further on after that, what would you use/configure DHCPv6/RA wise on the LAN interface... both, just one.. neither?
 And finally, would you add/have any WAN or LAN IPv6 rules?I haven't set up static IPv6 for GUA addresses. I've always used track interface, where pfSense provides the base address for my /56 and then set up each interface and prefix ID. Looking at the config for static, it appears you select each /64 address from within your /48 and assign it to the interface. You also have to select /64 for the network size. You normally don't use DHCPv6 on the LAN side, unless you have a specific need to. Just use SLAAC. Also, Android devices don't work with DHCPv6. You can thank some genius at Google for that one. 
- 
 @jbattermann I used :1::1/64 as the gateway address and the following in the RA section as I have Apple devices :-  

