DHCPv6 Blocks LAN Subnet Changes — How to Fix
-
pfSense: DHCPv6 Blocks LAN Subnet Changes — How to Fix
TL;DR: pfSense won't let you change your LAN subnet mask if DHCPv6 thinks it's still active — even when you've disabled it in the GUI. The fix is a one-line edit in /conf/config.xml.
The Problem
You go to Interfaces → LAN in pfSense, change your subnet mask (say, from /16 to /24), hit Save, and get slapped with:
The DHCP6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.
So you dutifully navigate to Services → DHCPv6 Server and Services → Router Advertisement, confirm everything is disabled, and try again. Same error.
This happens because pfSense checks for the presence of an <enable> tag in the DHCPv6 config block — not whether it actually contains a value. An empty <enable></enable> tag is enough to trigger the validation error, even though the service isn't running.
The Fix
Step 1 — Open the Config Editor
Navigate to Diagnostics → Edit File in the pfSense web GUI.
In the load path field, enter:
/conf/config.xml
Click Load.
Step 2 — Find the DHCPv6 Block
Search for <dhcpdv6>. You'll find a block that looks like this:
<dhcpdv6>
  <lan>
    <enable></enable>
    <range>
      <from>::1000</from>
      <to>::2000</to>
    </range>
    <ramode>disabled</ramode>
    ...
  </lan>
</dhcpdv6>
The culprit is the empty <enable></enable> tag. pfSense sees the tag exists and treats the service as active, even though there's no value.
Step 3 — Delete the Enable Tag
Remove the entire line:
<enable></enable>
Click Save.
Step 4 — Clear the Config Cache
From Diagnostics → Command Prompt, run:
rm /tmp/config.cache
Step 5 — Apply Your Subnet Change
Go back to Interfaces → LAN, change your subnet mask, and save. It should accept the change without errors.
Why This Happens
pfSense's input validation logic checks for the existence of the <enable> tag rather than evaluating whether it contains a truthy value. When DHCPv6 is "disabled" through the GUI, the tag is emptied but not removed from the XML — leaving a ghost reference that blocks unrelated interface changes.
What Should Change
The validation should check for a non-empty <enable> value, or the GUI should strip the tag entirely when DHCPv6 is disabled. Either approach would prevent this false-positive block on legitimate subnet changes.
Encountered on pfSense 2.8.1. If you're hitting this, you're not alone — and now you know it's a two-minute fix.
-
This is incorrect. The "empty" tags for enabled are expected and indicate DHCPv6 is enabled, which is the default configuration.
When the service is disabled on an interface those tags are removed entirely like:
--- /conf/backup/config-1775567433.xml 2026-04-07 14:10:48.254849000 +0100 +++ /conf/config.xml 2026-04-07 14:10:48.255358000 +0100 @@ -185,7 +185,6 @@ <bootfile_url></bootfile_url> <dhcpv6leaseinlocaltime></dhcpv6leaseinlocaltime> <numberoptions></numberoptions> - <enable></enable> </lan> </dhcpdv6> <snmpd> @@ -406,7 +405,7 @@ <vlans></vlans> <qinqs></qinqs> <revision> - <time>1775567433</time> + <time>1775567448</time> <description><![CDATA[admin@172.21.16.8 (Local Database): DHCPv6 Server settings saved]]></description> <username><![CDATA[admin@172.21.16.8 (Local Database)]]></username> </revision>
You can't save the LAN interface if you don't have the IPv6 type set to something that DHCPv6 can run on. If you want to change it you need to first disable the DHCPv6 server on LAN.
Don't believe everything AI tells you!
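Added example, not part of the thread and not pfSense code: a Python sketch that reads two config.xml revisions and reports, per interface under <dhcpdv6>, whether an <enable> element is absent, empty or valued, treating presence as enabled as the posts above describe. The embedded XML snippets and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread): a LAN block with an
# empty <enable> element, and the same config after the element is removed.
BEFORE = """<pfsense><dhcpdv6>
  <lan><enable></enable><ramode>disabled</ramode></lan>
  <opt1><ramode>disabled</ramode></opt1>
</dhcpdv6></pfsense>"""
AFTER = """<pfsense><dhcpdv6>
  <lan><ramode>disabled</ramode></lan>
  <opt1><enable></enable><ramode>disabled</ramode></opt1>
</dhcpdv6></pfsense>"""

def enable_state(iface):
    """Classify the <enable> child: 'absent', 'empty' or 'valued'."""
    tag = iface.find("enable")
    if tag is None:
        return "absent"
    return "valued" if (tag.text or "").strip() else "empty"

def dhcpv6_states(config_xml):
    """Map each interface under <dhcpdv6> to its <enable> state."""
    section = ET.fromstring(config_xml).find("dhcpdv6")
    if section is None:
        return {}
    return {iface.tag: enable_state(iface) for iface in section}

def is_enabled(state):
    # Presence-based reading, as described in the thread: any <enable>
    # element, even an empty one, counts as enabled.
    return state != "absent"

def changed_interfaces(old_xml, new_xml):
    """Return {iface: (was_enabled, now_enabled)} where the state flipped."""
    old, new = dhcpv6_states(old_xml), dhcpv6_states(new_xml)
    out = {}
    for name in sorted(set(old) | set(new)):
        was = is_enabled(old.get(name, "absent"))
        now = is_enabled(new.get(name, "absent"))
        if was != now:
            out[name] = (was, now)
    return out

if __name__ == "__main__":
    print(dhcpv6_states(BEFORE))
    print(changed_interfaces(BEFORE, AFTER))
```

To run it against real files, pass the contents of /conf/config.xml and a file from /conf/backup/ instead of the constructed strings.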

-
@stephenw10 said in DHCPv6 Blocks LAN Subnet Changes — How to Fix:
Don't believe everything AI tells you!
QFT