IPv6 ULA fails on pfSense Plus 24.11 - no RAs, no ICMP6 replies, sendmsg: Permission denied
-
I’m running pfSense Plus 24.11 on a Protectli VP4630.
My ISP currently does not support IPv6 but will be deploying it later this year and I will have a fixed GUA IPv6 prefix. My plan is to use a ULA-only internal IPv6 deployment and map selected subnets to the ISP’s delegated prefix via IPv6 NPt once available. This should allow for ISP changes in future with minimal reconfiguration.
In preparation, I’ve generated a ULA prefix and am attempting to get basic IPv6 functionality working, but I’m running into problems even before introducing DHCP6, NPt etc.
What’s Not Working
If I assign a /64 subnet of the ULA to an interface and enable Router Advertisement (RA), no RAs are emitted. Confirmed using:
- pfSense’s built-in packet capture
- Wireshark on a mirrored switch port
If I try to ping the interface’s link-local or ULA address from a connected PC:
- The PC sends ICMP6 “who has” neighbor solicitations
- The router never replies
If I SSH into the router:
- I can ping its own link-local and ULA address
- If I try to ping an IPv6 address in the ULA subnet (outside the router), I get: ping6: sendmsg: Permission denied
What I’ve Tried
- Tested on both my production router and a clean/simple config on identical hardware
- Captured traffic — no ICMP6 packets are emitted
- Confirmed correct IPv6 routing entries:
  - ULA /64 prefix → via correct interface
  - Interface addresses routed via lo0 (expected behavior in FreeBSD?)
- Ensured interface is UP, and no tentative or duplicated flags on IPv6 address
- Tried enabling/disabling RA and DHCPv6
- Disabled pf completely via pfctl -d — no effect
My Questions
Is there a limitation in pfSense (or FreeBSD 15) that prevents IPv6 from functioning with only ULA addresses?
Does IPv6 require a WAN gateway or global prefix for the kernel to treat it as routable?
Is there something I’m missing in router-initiated IPv6 traffic handling?
Any insight appreciated, happy to run more diagnostics if needed.
Thanks,
-
@AMG-A35 said in IPv6 ULA fails on pfSense Plus 24.11 - no RAs, no ICMP6 replies, sendmsg: Permission denied:
My plan is to use a ULA-only internal IPv6 deployment and map selected subnets to the ISP’s delegated prefix via IPv6 NPt once available.
Have you read this? This is what I did here and it works well. Forget about using NPT as you'll have both global and ULA addresses on the interfaces. I also have a fixed prefix, though many don't. As for assigning a ULA, did you select static IPv6 on the interface page? When you get IPv6 from your ISP and add ULA, you set up RAs on the Router Advertisements page.
-
@JKnott Thanks — I hadn’t found your ULA post before, really helpful.
What I’m trying is a bit narrower: just getting ULA-only IPv6 working on a clean pfSense 24.11 install with no upstream IPv6. I’ve assigned a static ULA /64 to the interface, enabled RA (Unmanaged), and confirmed routing and interface config look fine.
But I’m seeing no Router Advertisements at all, and even from the router, pinging another ULA address on the same subnet fails with "sendmsg: Permission denied" — and no packets hit the wire.
Just trying to understand why basic IPv6 functionality doesn’t seem to work in this minimal setup.
-
@AMG-A35 Maybe you have IPv6 disabled globally.
-
@Bob-Dig that would do it! Where is that set please?
-
@AMG-A35 System > Advanced > Networking
-
@Bob-Dig ah, I thought that setting it enabled meant all incoming IPv6 WAN traffic would be allowed in. If I enable it, is default WAN inbound still blocked for IPv6?