Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?

    Scheduled Pinned Locked Moved IPv6
    ipv6
    60 Posts 6 Posters 26.2k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB Offline
      bmeeks @JKnott
      last edited by bmeeks

      @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

      @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

      There would be some labor overhead in keeping up with IPs assigned to specific users, and then modifying all that when one subscriber dropped and another was added. You could automate that to some degree, but human oversight would still be necessary.

      What labour? It's just providing the addresses associated with the DUID.

      With IPv4, the majority of ISPs simply do not have enough free network addresses to make all their users quasi-static. Of course with IPv6 this is no longer an issue, but old paradigms die slowly. This is why CGNAT is growing on the IPv4 side.

      My IPv4 address is virtually static, but the host name is as permanent as my hardware, as it's based on the modem and router MAC addresses. I also get 2 IPv4 addresses.

      Somebody somewhere has to configure something for all that to work. That's the labor I'm talking about. Even an automated system needs a human to set it up initially and then keep an eye on it.

      As for what your ISP does, that has no bearing on what other ISPs may do. If I recall, you've posted several times that your ISP is one of the big Canadian telecoms. They've owned large IPv4 address blocks for probably forever. They can likely afford to be generous with quasi-static IP assignments on residential circuits. Smaller and/or newer ISPs don't have the luxury of owning huge IPv4 blocks. They will, of necessity, have to adopt other strategies.

      My local ISP owns exactly a single /24 IPv4 netblock. They do have a large IPv6 block. They use CGNAT for the IPv4 block out of necessity. They keep saying they intend to offer IPv6 service, but so far have not gotten that off the ground. Of course they are only about 18 months old at this point, so I'm cutting them some slack. It's also true that in my town there is no other choice but cable Internet, and their speeds are asymmetrical (1 Gig down but only 50 meg up) and they also are using CGNAT now 🙁. I don't consider any type of satellite Internet service as viable (my personal opinion) due to the inherent latency. If I had zero other options, then I might consider satellite.

      johnpozJ Bob.DigB 2 Replies Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @bmeeks
        last edited by

        @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

        If I had zero other options, then I might consider satellite.

        Exactly.. I love the tech and ability to do it.. Making great strides - and can/could be very useful.. Hey you need internet in the middle of nowhere - clicky clicky, boom your on the internet. This is not something you would host services off of, etc.

        From my understand IPv6 is still not enabled on it - at least not globally.. But who cares - its never going to be a "hosting" solution. Why would you need inbound unsolicited inbound traffic to some connection you bring up in the middle of nowhere?

        I would never go sat, I have no need for it - because I can just get a wire.. Now if I was out in the middle of nowhere.. Sat might be better than my cell connection - shoot cell might not even be available if actually in bum f_ck ;)

        I have high hopes for the tech.. But it will never be a "replacement" for a wire..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @JKnott
          last edited by johnpoz

          @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

          That's a hanging offence!!!

          Still waiting for you to give just "one" example of why I need Ipv6.. Name one resource that I can only get to via IPv6.. Been asking for YEARS NOW!!!

          Other than some furry/midget p0rn site that billy is running out of his house and his ISP only gives him an IPv6 address.. ;)

          Told you my comment would tick off our resident fanboy ;) hehahahahha

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ Offline
            JKnott @johnpoz
            last edited by

            @johnpoz said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

            Still waiting for you to give just "one" example of why I need Ipv6.

            I cannot give an example for you personally, but there are a lot of people stuck behind CGNAT or no IPv4 at all. For them, IPv6 is now a necessity. Those people tend to be largely in Asia, where they never had a lot of IPv4 addresses to deploy but, even in North America, there are people stuck behind CGNAT. See message above from bmeeks: "They use CGNAT for the IPv4 block out of necessity."

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            bmeeksB johnpozJ 2 Replies Last reply Reply Quote 0
            • bmeeksB Offline
              bmeeks @JKnott
              last edited by bmeeks

              @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

              For them, IPv6 is now a necessity.

              Depends on the specific need. For instance, I currently have no IPv6 capability. But the only thing that is preventing me from doing is directly accessing my home network via VPN where the VPN server is running on my pfSense firewall (because I'm behind CGNAT on my IPv4 address). There is nothing else on the Internet that I would reasonably want to access (that I am aware of) that I am prohibited from accessing due to me not having an IPv6 connection. I think that is @johnpoz's point. I don't require IPv6 to surf the web. And every user in the world still needs an IPv4 connection to the web in order to access the full web. There are still sites with no IPv6 address. U.S. retailer Walmart is one I found, plus amazon.com does not show an IPv6 address via nslookup (at least for me). But www.amazon.com does show an IPv6 address by way of the CDN hosting that domain. There are other examples of IPv4-only websites. I am not currently aware of any IPv6-only major website. I think I could turn the table on your statement and say instead "for everyone, IPv4 is a necessity".

              Setting up and learning IPv6 is most certainly a good thing if you have it available and you want to prepare for the future. But if your ISP has a crappy IPv6 implementation (or none at all), then you don't HAVE to use IPv6 or else some large swath of the Internet will be unavailable for you. That's just not the case right now. And that is the point @johnpoz makes. You are not required to have IPv6 to surf the web. There may be some IPv6-only ISP out there in the world someplace who only gives residential customers IPv6, but even that ISP must have IPv4 connections to the web or else there would be many sites his customers could not access. I suspect that ISP would use CGNAT for IPv4 residential customers.

              True that in areas with limited IPv4 address space where CGNAT rules in that block, having IPv6 is necessary if you want to have direct access back into your pfSense from the Internet. But even then other alternatives exist such as LogMeIn or VPS configurations where your pfSense box behind CGNAT could establish an "always on" connection to a third-party website and through that afford you secure access back into your private home network.

              I'm going to assume you don't mean to imply that in some parts of the world if you don't have IPv6 you can't use your Internet connection. I'm not aware of any place like that (not saying impossible, but I certainly have not heard of one). But when you say "IPv6 is a necessity", it seems to shade in the direction of without IPv6 you can't surf the web. It is more accurate to say that without IPv6 some things will be either hard or impossible to implement in some ISP territories.

              JKnottJ 2 Replies Last reply Reply Quote 1
              • JKnottJ Offline
                JKnott @bmeeks
                last edited by

                @bmeeks

                You mat only need a VPN, but others may have other needs.

                I don't require IPv6 to surf the web. And every user in the world still needs an IPv4

                My cell phone is IPv6 only. If I want to access an IPv4 site, my phone uses 464XLAT, where IPv6 is converted to IPv4 by my cell carrier at their office. Some ISPs use Dual Stack Lite, where users have an IPv6 connection, but CGNAT on IPv4.

                However, as I mentioned, in some parts of the world, only IPv6 is available, with some conversion mechanism for IPv4. China, for example, is working hard to have an IPv6 only Internet. With the way IPv4 addresses were handed out, the U.S. got most, Europe less and very few for Asia & Africa

                I'm going to assume you don't mean to imply that in some parts of the world if you don't have IPv6 you can't use your Internet connection.

                That is entirely the case. My cell phone is an example.

                BTW, there's some interesting history. Originally, only "class A" addresses were handed out, though they weren't called that at the time. when they realized that didn't provide enough networks, they came up with the address classes and then when that proved inadequate, they went with CIDR and variable length subnet masks. Vint Cerf had said that a 32 bit address was only intended to show the principle, but it escaped and became what the Internet used.

                Also, there's a bit about the origin of Ethernet, which had it's 43rd anniversary a couple of weeks ago:

                The Ethernet Blue Book

                Prior to this, Ethernet was only an experimental network.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                bmeeksB 2 Replies Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @JKnott
                  last edited by

                  @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                  IPv6 is now a necessity.

                  No it isn't! Sorry but it isn't.. Sure if you want unsolicited inbound traffic to your connection and you don't have a public IP, then IPv6 is an option.

                  But what like 99% of the planet of internet users have zero use for unsolicited inbound traffic. Shit most ISP actually forbid hosting services anyway..

                  Forget your phone, your car etc.. That is not what I am talking about.. I am talking about billy bob on his home computer watching youtube videos and watching netflix and buying off amazon and posting on his facebook page.. They have zero care if they are behind some cgnat, or some quadruple nat or using IPv6 - they don't even know what an IP address is for gosh sake..

                  Your typical internet users doesn't give 2 shits about IPv6.. Until the user tells their isp I need IPv6 - its not going to get deployed as it should and needs to be, it just isn't.. You can think you on some holy crusade or whatever it is you think your doing..

                  They have no clue that that phone is using IPv6 -- all they know is they go to amazon.com on their phone to buy XYZ and it works..

                  Shit I thought that the game industry would drive IPv6 adoption - yet none of them actually leverage it - you know why.. Because the vast majority of their user base doesn't even have it. Not talking about Huang (黄) or Zhang (张) in some part of the world that doesn't have IPv4 space to use..

                  IPv6 in peer to peer gaming could be a changer - yet which games leverage it??? If some popular game came out and said the only way you can play is you have IPv6, or the only way you can play head to head is both of you have IPv6 - guess what the user base would rise up and tell their ISPs - hey I need IPv6.. This has yet to happen..

                  Me turning off IPv6 because I have not use, or a million other users turning it off because it does nothing for them isn't going to slow down the IPv6 adoption... You need something to drive adoption, there isn't anything - the mobile device industry that was the driving force in needing IPs because there are billions of devices have already done what they need to do. Your typical home user on their home connection has zero use for IPv6.. Until that changes your not going to see any change in the snail pace conversion to IPv6.

                  Sorry you don't like the facts.. But that is how it is..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnottJ Offline
                    JKnott @johnpoz
                    last edited by

                    @johnpoz said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                    I am talking about billy bob on his home computer watching youtube videos

                    Talk to Billy Bob over in Asia, in some area where IPv4 is not available or stuck behind CGNAT.

                    It's also important for blockchain:

                    ‘Blockchain needs IPv6’ in the interconnected world

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB Offline
                      bmeeks @JKnott
                      last edited by bmeeks

                      @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                      My cell phone is IPv6 only. If I want to access an IPv4 site, my phone uses 464XLAT, where IPv6 is converted to IPv4 by my cell carrier at their office. Some ISPs use Dual Stack Lite, where users have an IPv6 connection, but CGNAT on IPv4.

                      Sorry, but what does this have to do with anything we are talking about? You just said in the same paragraph that your phone must have IPv4 access via 464XLAT! Why does it need that? Because there are web sites on the Internet that you cannot access without an IPv4 address available to you -- be that native or some kind of NAT, you must have IPv4.

                      Conversely, what service in the world can I not currently access because I do not have IPv6? I don't talk peer-to-peer with another cell phone 🤔. @johnpoz and I are both talking about the typical PC user who wants web browsing, email, social media, and streaming. So far as I have seen on the forum here, there has never been a user posting an IPv6 question or having a problem with IPv6 who also said IPv6 was the only protocol layer offered by his ISP.

                      Don't misunderstand my point. I'm not saying IPv6 is worthless or should not ever be pursued or anything similar to that. I'm just saying it is not required as is IPv4 today. And if you have an ISP that has a poor IPv6 implementation, or some pfSense or FreeBSD IPv6 bugs are tripping you up, disable IPv6 for now and live life until the kinks eventually get worked out. I think that's what @johnpoz is saying as well.

                      johnpozJ JKnottJ 2 Replies Last reply Reply Quote 2
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator @bmeeks
                        last edited by johnpoz

                        @bmeeks exactly... Our resident ipv6 fanboy just doesn't seem seem to understand that.. And I do believe he has some issues with reading comprehension as well ;) hehehe

                        And sorry blockchain doesn't need IPv6.. Will it be useful going forward - sure..

                        Here is a question for you - turn off your IPv6.. What can you not do?? Turn off your IPv4 and your going to have a bad day that is for sure.. This has been my point for years as me and you have butted heads over this.. The OP day would be much easier and simpler if he just turned it off, because he has no actual "need" of it.. If I didn't have it - which I don't since my ISP doesn't provide it - what can I not get to.. Name 1 thing...

                        His isp has clearly provided him an IPv4 address, be that cgnat or not even.. Has he stated he needs IPv6 to do xyz? I sure haven't seen him say hey I can't do X because I can not get IPv6 to work..

                        No his complaint is his IPv6 address keep changing.. But he doesn't actually need it.. So his day would be less full of stress if he just turned it off..

                        When my pc needs IPv6 to get to something that I actually want to get to - will be the day IPv6 has arrived.. Until that time - its just a play thing.. Is it useful sure! Is it the future sure! I have never said it isn't.. But currently, and my bet is for at least the next 20 years.. I have zero use for IPv6 on the typical users PC at home surfing the web, buying stuff off amazon, streaming netflix or hulu, or posting on facebook or instragram or whatever the kids are into, etc..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                        1 Reply Last reply Reply Quote 0
                        • Bob.DigB Offline
                          Bob.Dig LAYER 8 @bmeeks
                          last edited by Bob.Dig

                          @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                          My local ISP owns exactly a single /24 IPv4 netblock. They do have a large IPv6 block. They use CGNAT for the IPv4 block out of necessity. They keep saying they intend to offer IPv6 service, but so far have not gotten that off the ground.

                          But that might be a US-thing. What I can see around my place is the massive use of something that is called DS-Lite. But even with DS-Lite, some ISPs do offer port forwarding for IPv4 via the Port Control Protocol (PCP). Basically, any customer who demands it, is getting a small range of high-ports to open with IPv4. I opted out and am still getting full Dual-Stack for now.
                          The bigger problem that I am facing is that most network equipment can't cope with the dynamic changing of the IPv6 addresses and prefixes all the time. If your internet connection is having problems, this could be several times a day...
                          So my conclusion is, use it as much as necessary and as little as possible.

                          1 Reply Last reply Reply Quote 0
                          • bmeeksB Offline
                            bmeeks @JKnott
                            last edited by bmeeks

                            @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                            That is entirely the case. My cell phone is an example.

                            So you are saying that unless you have an IPv6 connection as part of your home Internet connection that your cell phone will not work? That is most certainly not the case. Your phone may be completely IPv6 over the cellular network, but that is immaterial to this entire thread. We never mentioned cell phones even once, and as a user there is zero that you must do in the IPv6 world to make your phone work on the cellular networks. The carriers do all that for you behind the scenes including providing the required IPv4 translation. This thread was about difficulties with IPv6 on a pfSense box for residential Internet connectivity.

                            I am going to bow out of this discussion gracefully. You are certainly passionate about your cause, but I think you are jousting with windmills here to some degree. Nobody is saying IPv6 is worthless or will never happen. We are simply saying that adoption has been very slow in the wider Internet for a number of reasons, and plenty of ISPs around the planet have either no or a very poor implementation of it currently. For folks affected by one of those issues, lack of IPv6 is not a current show-stopper issue for them.

                            johnpozJ JKnottJ 3 Replies Last reply Reply Quote 1
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @bmeeks
                              last edited by

                              @bmeeks

                              pancho-and-don-quixote-windmills.jpg

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                              1 Reply Last reply Reply Quote 0
                              • JKnottJ Offline
                                JKnott @bmeeks
                                last edited by

                                @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                U.S. retailer Walmart is one I found, plus amazon.com does not show an IPv6 address via nslookup (at least for me). But www.amazon.com does show an IPv6 address by way of the CDN hosting that domain.

                                Yep, I get IPv6 on Amazon, but not Wallymart.

                                I think that is @johnpoz's point. I don't require IPv6 to surf the web. And every user in the world still needs an IPv4 connection to the web in order to access the full web.

                                If all you're doing is surfing the web here, you don't need it. However, there are some parts of the world where IPv4 is not available at all. If you have it behind CGNAT, have fun trying to access your network, without using some hack. If your ISP doesn't provide IPv6, you can use a tunnel broker, such as he.net, as johnpoz does. When I first got IPv6, it was through a different tunnel broker. Prior to providing native IPv6, my ISP used 6to4 and 6rd tunnels. I've had IPv6 since May 2010.

                                IPv4 has been inadequate since the day it became necessary to use NAT. NAT, in turn, creates it's own problems, including breaking some protocols. This has resulted in hacks on hacks to get around those problems. For example, VoIP and some games have to use STUN servers to get past NAT. Sticking with IPv4 is crippling the Internet.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                1 Reply Last reply Reply Quote 0
                                • JKnottJ Offline
                                  JKnott @bmeeks
                                  last edited by

                                  @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                  Sorry, but what does this have to do with anything we are talking about? You just said in the same paragraph that your phone must have IPv4 access via 464XLAT! Why does it need that? Because there are web sites on the Internet that you cannot access without an IPv4 address available to you -- be that native or some kind of NAT, you must have IPv4.

                                  464XLAT and many other things are hacks made necessary by IPv4 not being adequate to meet the needs of today's world. Major sites, such as Google, Microsoft, etc. support IPv6. As time goes on, more will too, and eventually 464XLAT will not be needed.

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  1 Reply Last reply Reply Quote 0
                                  • JKnottJ Offline
                                    JKnott @bmeeks
                                    last edited by

                                    @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                    We never mentioned cell phones even once, and as a user there is zero that you must do in the IPv6 world to make your phone work on the cellular networks.

                                    For many people, their phone is their access to the Internet.

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                    1 Reply Last reply Reply Quote 0
                                    • JKnottJ Offline
                                      JKnott @bmeeks
                                      last edited by

                                      @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                      So you are saying that unless you have an IPv6 connection as part of your home Internet connection that your cell phone will not work?

                                      I have never said that. What I have been trying to point out is the world is moving to IPv6 and pretending it isn't is head in the sand thinking.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

                                      1 Reply Last reply Reply Quote 0
                                      • bearhntrB Offline
                                        bearhntr @bmeeks
                                        last edited by

                                        @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                        You can't just pick a DHCPv6 address scope out of the blue on your side when there is no NAT. What you choose must be recognized and routed correctly by your ISP. An analogy is even if you have a static IPv4 address, you can't just choose any other IPv4 address or subnet you desire on your WAN. You must use the address and subnet provided by your ISP because their end of the connection is routing only exactly what they give you. Similarly, you must use the IPv6 prefix your ISP has assigned on your LAN because there is no NAT. Your ISP expects all of your LAN hosts to be sending and receiving traffic on an IPv6 address from the IPv6 prefix the ISP assigned to your connection. The ISP signals what that prefix is via the "Track Interface" setting.

                                        As has been mentioned in this thread, most ISPs will honor some IPv6 client settings that say "please let me keep this same IPv6 prefix". But not all ISPs will do that, and there are some situations where they need to change the prefix they gave you. In that scenario, if you were using static hard-coded IPv6 subnets on your side, your IPv6 traffic could stop working because the ISP would no longer be routing that prefix for you (since they changed it to a different one on their end). What "track interface" does is help the LAN side of pfSense, and all the hosts there, recognize when (or if) the ISP changes the IPv6 prefix. That triggers all the hosts there to obtain new addresses in the new prefix.

                                        Thanks again for hanging in there - the clouds are parting more. So in reference to your quote above... "IF" I set it to Track Interface and want to setup my DHCPv6 scope on the 2019 AD/DS server - which I have tried before - using the 2001: (that the WAN has on it from my ISP) and the 2601: that is on the LAN side (which comes apparently also from ISP) - neither of them seem to work when going to the TEST IPv6 sites. I get this (see image) - and some severe lag:

                                        da57c48c-7a84-461c-8dbe-7a269610bb81-image.png

                                        If I change everything back to what I was using PRE-AD/DS (where pfSense is doing DNS-Resolver and DHCP/DHCPv6) I will get a score of 19/20 - because apparently my ISP does not give my IPv6 a HOSTNAME.

                                        I even tried the setup like this creating my own fdxx: scope - and still nothing works.

                                        @JKnott said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                        Your prefix, as assigned by your ISP may be changing. Make sure System / Advanced / Networking / Do not allow PD/Address release is selected. If it is and the prefix still changes, you can use Unique Local Addresses on your LAN, to provide addresses that won't change. You then use those in your DNS.

                                        bmeeksB 1 Reply Last reply Reply Quote 0
                                        • bmeeksB Offline
                                          bmeeks @bearhntr
                                          last edited by bmeeks

                                          @bearhntr:
                                          I think there may be more than one thing you have incorrect here. You must specify the correct IPv6 prefix AND also specify which of the 16 available /64 blocks you are using. I suspect you are not fully defining the required IPv6 scope in the Windows DHCPv6 server. That scope needs the entire prefix you've been delegated along with a subnet identifier to show which of the sixteen /64 subnets in your /60 prefix is being used on the LAN (and on any other network segments you might have behind your firewall).

                                          You stated that your ISP gives you a /60 block with this prefix: 2601:c4:c501:7aa0 {remainder masked}.

                                          Within this /60 block are 16 subnets, each a /64 in size, and the first one of these subnets starts with zero (0) and the last one starts with 0x0f (15). You would need to provide one of those 16 subnets as the "scope" for your Windows AD DHCPv6 server to issue IPv6 addresses from. You would also need to specify the size as /64. Do NOT use your WAN IP address anywhere on your DHCPv6 server in AD. That address is strictly for your WAN, and is not to be used anywhere else. The prefix delegated by your ISP's server is what you need for your internal networks.

                                          You have elected to mask out some of the prefix your ISP is assigning to you, so I can't give you a complete answer. But you need to put 2601:c4:c501:7aa0 and then whatever section you masked out in your post here as the IPv6 scope on your WIndows DHCPv6 server. There will also be an additional piece of the address that is something between 00 and 0x0f (to denote which of the 16 subnets you are being delegated is used on the LAN).

                                          If you set the scopes properly with the correct /64 subnet masks, then an IPv6 address assigned by your Windows DHCPv6 server will work out to the Internet. But, and this is a big but, the instant your ISP changes your prefix delegation, it will all cease to work again. This is because when the ISP changes your delegated (and thus routed) prefix, the DHCPv6 server scope has to change on your Windows DHCP server to reflect the newly delegated prefix. But there is no automated way for that to happen from the pfSense WAN all the way to the Windows DHCP server on your LAN. That's why with IPv6 prefix delegation (and not a true static IPv6 assignment by your ISP), you are better off letting pfSense do your DHCPv6. That's not the best solution, but when your ISP does prefix delegation it is the easiest route to stable IPv6 connectivity. That's because the DHCPv6 server on pfSense will get automatically updated with the necessary scope when the prefix changes. You can make it work connected differently, but it will require manual intervention on your Windows DHCPv6 server anytime your ISP assigns you a different prefix.

                                          bearhntrB 1 Reply Last reply Reply Quote 0
                                          • bearhntrB Offline
                                            bearhntr @bmeeks
                                            last edited by

                                            @bmeeks said in Why do I have to 'Track Interface' on LAN to WAN for IPv6 to work?:

                                            You have elected to mask out some of the prefix your ISP is assigning to you, so I can't give you a complete answer. But you need to put 2601:c4:c501:7aa0 and then whatever section you masked out in your post here as the IPv6 scope on your WIndows DHCPv6 server. There will also be an additional piece of the address that is something between 00 and 0x0f (to denote which of the 16 subnets you are being delegated is used on the LAN).

                                            The last 64 bytes of the IPv6 address that my ISP has give me with the Track Interface - appears to be a SLAAC address - not a DHCP6 address as I would expect - as I see no indication of it being 0-f any place. Instead it has part of the MAC Address in it. This leads me to believe that even though I have set pfSense WAN to be DHCP and DHCPv6 - the Track Interface it doing SLAAC.

                                            RA in pfSense is set to ASSISTED.

                                            bmeeksB 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.