• 6RD has not worked in the builds from the past week. The snapshot I fall back to is from 1/22 but I'm not sure when it actually started. Tried the most current build today: 2.1-BETA1  (i386) built on Fri Feb 1 01:15:41 EST 2013

    Once upgraded, there is no IPv6 over the WAN. IPv6 tests fail, any sites requiring it do not load. Downgrading back to 1/22/13 immediately fixes it. I'm not sure what logs to look for. Everything looks ok in the interfaces screen and no obvious error messages in the system log.

  • I would drop to command line and see if wan_stf has been created. There was some change made to 6rd and 6to4 IPv6. You might need to use gitsync to fix it or wait for the next build.
    Try this.
    If the wan_stf is not there, drop to command line and run this:

    ifconfig stf create
    <is should="" return="" with="" stf0="">ifconfig stf0 name wan_stf

    Then in the GUI save the WAN properties and apply. This will reload the WAN stuff including the 6rd. It should all work then. This will work until a reboot. It is not loading the stf kernel module on startup and there is a fix for that in the repositories.</is>

  • wan_stf already exists.

  • Does it have the correct ipv6 address?

  • Yeah it's the right IP. Here's the info:

    wan_stf: flags=4001 <up,link2>metric 0 mtu 1280
    	inet6 2602:100:xxxx:xxxx:: prefixlen 32 
    	nd6 options=3<performnud,accept_rtadv></performnud,accept_rtadv></up,link2>

  • Can you check the FW logs to see if anything is getting blocked? Try a "tcpdump -nnvvi <wan iface="">proto 41" and see if traffic is being generated. You can check on LAN as well for IPv6 traffic with "tcpdump -nnvvi <lan iface="">ip6".
    Just need to find where the traffic is getting to so that you can determine where the problem is. You also want to check that the radvd service is started.</lan></wan>

  • Nothing in the firewall logs.

    tcpdump -nnvvi em0 proto 41 showed nothing
    tcpdump -nnvvi em1 ip6 showed traffic

    radvd is started

  • This would tell me that packets are being dropped when moving from LAN to WAN. What rules do you have setup in LAN for IPv6 traffic?
    Also, check /tmp/rules.debug as there should be 4 rules created by script for 6rd type traffic. Please make sure those are in there. They are labeled something like "# allow our proto 41 traffic from the 6RD border relay in" with the rules underneath.

  • My LAN rules is a copy of the IPv4 rule except for IPv6 traffic (allow lan to any rule).

    In rules.debug it had the following under the comment for proto 41 traffic:

    allow our proto 41 traffic from the 6RD border relay in

    pass in on $WAN proto 41 from to any label "Allow 6in4 traffic in for 6rd on WAN"
    pass out on $WAN proto 41 from any to label "Allow 6in4 traffic out for 6rd on WAN"
    pass in on $WAN inet6 from any to 2602💯xxxx:xxxx::/32 label "Allow 6rd traffic in for 6rd on WAN"
    pass out on $WAN inet6 from 2602💯xxxx:xxxx::/32 to any label "Allow 6rd traffic out for 6rd on WAN"
    antispoof for em1

  • Rebel Alliance Developer Netgate

    There were some stf fixes that went in late last week, would be best to try things again on a current snapshot.

  • Hi jimp,

    I've been having a similar problem. Using the Jan 22nd snap my 6RD connection to Charter works great. I usually update once a week, but since then (around the end of January) none of the snaps I've tried have worked. I get an ipv6 address on the outside interface but my gateway monitor never comes up and none of my ipv6 traffic seems to pass through the firewall.

    There are a couple of other users in a thread in the 2.1 forum reporting the same thing. Honestly I have no idea how to debug this, up till now all my adventures into ipv6 have "just worked", but if there are some specific things you need me to provide I would be happy to update to the current snap and provide the results for you.


  • Hi guys,

    Is there anything I can provide you with that would help get 6RD working again?

    Should I open a ticket or something?


  • Rebel Alliance Developer Netgate

    There is already a ticket open at http://redmine.pfsense.org/issues/2882 that links back to this and other threads.

  • Hi jimp,

    Indeed, I opened it!

    Just trying to get all the bases covered as this is the only problem I've had in 2.1 in a very long time.


  • See edit at bottom of post!

    I'm having the same problem as swinn, and possibly many others.
    The 6RD BR that I'm using is provided by my ISP (Telia Sweden).

    My configuration looks sane to me.
    ifconfig shows wan_stf using the correct IPv6 address, netstat shows the correct default IPv6 gateway (at least I believe so - 2001:2002:6RD-BR-IPv4-in-hex:: - where 2001:2002 is my ISP's prefix, using wan_stf as Netif).
    My LAN interface is tracking WAN and thus recieves the ::1 address of my subnet, which I can ping from computers on my LAN.

    But, the webui shows the IPv6 gateway as offline. When I try to ping the gateway from my router I get "Network is down".

    As mentioned in http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker I have added a pass ICMP-rule from my 6RD BR to my WAN address, although I'm not sure if it's working.

    IPv4 ICMP    217.209.228.xxx    *    WAN address    *    *    none

    You see, when I run tcpdump -nnvvXi em0 proto 41, I see a lot of traffic.
    Almost all of it is ICMP6 echo requests from my 6RD BR to my WAN address, but I never see my pfSense router replying to any of the echo requests.
    217.209.228.xxx is my 6RD BR, 2.248.161.xxx is my WAN IP, 2001:2002:02f8:xxxx is my IPv6 subnet/prefix.

    tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    20:55:00.709516 IP (tos 0x0, ttl 250, id 3570, offset 0, flags [none], proto IPv6 (41), length 72)
        217.209.228.xxx > 2.248.161.xxx: IP6 (hlim 9, next-header ICMPv6 (58) payload length: 12) 2001:0:5ef5:79fd:855:34ba:2a8d:bebb > 2001:2002:2f8:xxxx:a9ce:2fc1:a2d8:62e6: [icmp6 sum ok] ICMP6, echo request, length 12, seq 44549
    20:55:01.176129 IP (tos 0x0, ttl 250, id 5480, offset 0, flags [none], proto IPv6 (41), length 72)
        217.209.228.xxx > 2.248.161.xxx: IP6 (hlim 14, next-header ICMPv6 (58) payload length: 12) 2001:0:4137:9e76:182e:2a58:35b6:dbec > 2001:2002:2f8:yyyy:a9ce:2fc1:a2d8:62e6: [icmp6 sum ok] ICMP6, echo request, length 12, seq 50535

    From what I understand, the 6RD BR's ability to ping my router, decides whether or not I will be granted a 6RD tunnel or not.
    Now, since it seems like my pfSense router isn't responding to the ping requests sent by the BR, can this be why I'm not able to connect through it and get IPv6 access to the Internet?
    If so, how come my router doesn't respond to the requests sent by my BR? I think this is strange, since I've explicitly allowed ICMP traffic from its IP address.

    If I add another explicit ICMP pass rule for another IP address, and try to ping my router from that IP, it works without a sigh.

    Any suggestions? If you need more information to better track down my problem, just let me know and I'll post it.

    Erhm. I took another look at the output from tcpdump.
    Yes, the request is coming from my 6RD BR to my WAN address. BUT, the ICMP6 request inside is from 2001:0000:: which is the Teredo prefix, so this might be completely unrelated to the problem with 6RD tunneling.

    Another thing I noticed is this. If I setup a 6RD tunnel using the gif0 interface in the command line, it works without a problem and I can at least ping IPv6 hosts on the Internet from my router.
    Of course it doesn't show up in the webui, and I can't use it for DHCPv6 to provide the prefix for my LAN, so it's no good for a long term solution.

    ifconfig gif0 create
    ifconfig gif0 tunnel 2.248.161.xxx 217.209.228.xxx
    ifconfig gif0 inet6 2001:2002::1 prefixlen 32
    route add -inet6 default -interface gif0

  • 6rd should work with tomorrow's snapshot, my test system is working now.

  • Still not working here with charter's 6rd service.

    2.1-RC0 (amd64)
    built on Sun Jul 7 08:43:44 EDT 2013
    FreeBSD 8.3-RELEASE-p8

    After setting up the 6rd on the wan interface, and setting up IPv6 DNS servers, the pfsense unit is unable to ping or trace route any ipv6 address.

  • Hi guys,

    Same here, Charter's 6RD isn't working.

    Tried both updating my pfSense VM to the latest snap & installing a fresh new VM with the latest snaps.

    As always, please let me know if I can provide anything that would help sort this out.


  • Logs would be good together with ifconfig and routing table output.

    Latest snapshot has some automatic rules removed, due to wide covarge of auto rules, so probably check that your firewall rules are correct.

  • Any specific log file you want dumped?

    Updated to 7/11/13 morning snapshot, amd64
    I also have a firewall rule to allow icmpv6.


    em0: flags=8c02 <broadcast,oactive,simplex,multicast>metric 0 mtu 1500
            options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso>ether 00:15:17:82:3d:60
            media: Ethernet autoselect
            status: no carrier
    em1: flags=8c02 <broadcast,oactive,simplex,multicast>metric 0 mtu 1500
            options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso>ether 00:15:17:82:3d:61
            media: Ethernet autoselect
            status: no carrier
    igb0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=500bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:1b:21:54:db:58
            inet6 fe80::21b:21ff:fe54:db58%igb0 prefixlen 64 scopeid 0x3
            inet netmask 0xffffff00 broadcast
            nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    igb1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=500bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:1b:21:54:db:59
            inet6 fe80::21b:21ff:fe54:db59%igb1 prefixlen 64 scopeid 0x4
            inet netmask 0xffffff00 broadcast
            nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    igb2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
            options=400bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwtso>ether 00:1b:21:54:db:5c
            inet6 fe80::21b:21ff:fe54:db5c%igb2 prefixlen 64 scopeid 0x5
            nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    igb3: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
            options=400b8 <vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwtso>ether 00:1b:21:54:db:5d
            inet6 fe80::21b:21ff:fe54:db5d%igb3 prefixlen 64 scopeid 0x6
            inet netmask 0xfffffff0 broadcast
            inet netmask 0xfffffff0 broadcast
            nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    pflog0: flags=100 <promisc>metric 0 mtu 33144
    enc0: flags=0<> metric 0 mtu 1536
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: maxupd: 128 syncok: 1
    lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
            options=3 <rxcsum,txcsum>inet netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
            nd6 options=3 <performnud,accept_rtadv>igb1_vlan4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:59
            inet6 fe80::215:17ff:fe82:3d60%igb1_vlan4 prefixlen 64 scopeid 0xb
            nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 4 vlanpcp: 0 parent interface: igb1
    igb1_vlan5: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:59
            inet6 fe80::215:17ff:fe82:3d60%igb1_vlan5 prefixlen 64 scopeid 0xc
            inet netmask 0xffffff00 broadcast
            nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 5 vlanpcp: 0 parent interface: igb1
    igb0_vlan6: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:58
            inet6 fe80::215:17ff:fe82:3d60%igb0_vlan6 prefixlen 64 scopeid 0xd
            inet netmask 0xffffff00 broadcast
            nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 6 vlanpcp: 0 parent interface: igb0
    igb0_vlan7: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:58
            inet6 fe80::215:17ff:fe82:3d60%igb0_vlan7 prefixlen 64 scopeid 0xe
            nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 7 vlanpcp: 0 parent interface: igb0
    bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            ether 02:94:0a:e6:35:00
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: igb2 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 5 priority 128 path cost 2000000
            member: igb3 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 6 priority 128 path cost 2000000
    ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
            options=80000 <linkstate>inet6 fe80::215:17ff:fe82:3d60%ovpns1 prefixlen 64 scopeid 0x11
            inet --> netmask 0xffffffff
            nd6 options=3 <performnud,accept_rtadv>Opened by PID 28948
    wan_stf: flags=4001 <up,link2>metric 0 mtu 1280
            inet6 2602:100:189f:c462:: prefixlen 32
            nd6 options=3 <performnud,accept_rtadv>v4net

    netstat -rn

    Routing tables
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default        UGS         0    34681   igb3        link#4             U           0    72897   igb1           link#4             UHS         0        0    lo0        link#12            U           0    12559 igb1_v           link#12            UHS         0        0    lo0        link#13            U           0      983 igb0_v           link#13            UHS         0        0    lo0        link#3             U           0       10   igb0           link#3             UHS         0        0    lo0         UGS         0        0 ovpns1         link#17            UHS         0        0    lo0         link#17            UH          0        0 ovpns1   link#6             U           0      233   igb3      link#6             UHS         0        0    lo0      link#6             UHS         0        0    lo0      UGHS        0        0   igb3          link#10            UH          0      359    lo0
    Destination                       Gateway                       Flags      Netif Expire
    default                           2602:100:189f:c462::4472:a501 UGS     wan_stf
    ::1                               ::1                           UH          lo0
    2602:100::/32                     link#15                       U       wan_stf
    2602:100:189f:c462::              link#15                       UHS         lo0
    fe80::%igb0/64                    link#3                        U          igb0
    fe80::21b:21ff:fe54:db58%igb0     link#3                        UHS         lo0
    fe80::%igb1/64                    link#4                        U          igb1
    fe80::21b:21ff:fe54:db59%igb1     link#4                        UHS         lo0
    fe80::%igb2/64                    link#5                        U          igb2
    fe80::21b:21ff:fe54:db5c%igb2     link#5                        UHS         lo0
    fe80::%igb3/64                    link#6                        U          igb3
    fe80::21b:21ff:fe54:db5d%igb3     link#6                        UHS         lo0
    fe80::%lo0/64                     link#10                       U           lo0
    fe80::1%lo0                       link#10                       UHS         lo0
    fe80::%igb1_vlan4/64              link#11                       U      igb1_vla
    fe80::215:17ff:fe82:3d60%igb1_vlan4 link#11                       UHS         lo0
    fe80::%igb1_vlan5/64              link#12                       U      igb1_vla
    fe80::215:17ff:fe82:3d60%igb1_vlan5 link#12                       UHS         lo0
    fe80::%igb0_vlan6/64              link#13                       U      igb0_vla
    fe80::215:17ff:fe82:3d60%igb0_vlan6 link#13                       UHS         lo0
    fe80::%igb0_vlan7/64              link#14                       U      igb0_vla
    fe80::215:17ff:fe82:3d60%igb0_vlan7 link#14                       UHS         lo0
    fe80::215:17ff:fe82:3d60%ovpns1   link#17                       UHS         lo0
    ff01::%igb0/32                    fe80::21b:21ff:fe54:db58%igb0 U          igb0
    ff01::%igb1/32                    fe80::21b:21ff:fe54:db59%igb1 U          igb1
    ff01::%igb2/32                    fe80::21b:21ff:fe54:db5c%igb2 U          igb2
    ff01::%igb3/32                    fe80::21b:21ff:fe54:db5d%igb3 U          igb3
    ff01::%lo0/32                     ::1                           U           lo0
    ff01::%igb1_vlan4/32              fe80::215:17ff:fe82:3d60%igb1_vlan4 U      igb1_vla
    ff01::%igb1_vlan5/32              fe80::215:17ff:fe82:3d60%igb1_vlan5 U      igb1_vla
    ff01::%igb0_vlan6/32              fe80::215:17ff:fe82:3d60%igb0_vlan6 U      igb0_vla
    ff01::%igb0_vlan7/32              fe80::215:17ff:fe82:3d60%igb0_vlan7 U      igb0_vla
    ff01::%ovpns1/32                  fe80::215:17ff:fe82:3d60%ovpns1 U        ovpns1
    ff02::%igb0/32                    fe80::21b:21ff:fe54:db58%igb0 U          igb0
    ff02::%igb1/32                    fe80::21b:21ff:fe54:db59%igb1 U          igb1
    ff02::%igb2/32                    fe80::21b:21ff:fe54:db5c%igb2 U          igb2
    ff02::%igb3/32                    fe80::21b:21ff:fe54:db5d%igb3 U          igb3
    ff02::%lo0/32                     ::1                           U           lo0
    ff02::%igb1_vlan4/32              fe80::215:17ff:fe82:3d60%igb1_vlan4 U      igb1_vla
    ff02::%igb1_vlan5/32              fe80::215:17ff:fe82:3d60%igb1_vlan5 U      igb1_vla
    ff02::%igb0_vlan6/32              fe80::215:17ff:fe82:3d60%igb0_vlan6 U      igb0_vla
    ff02::%igb0_vlan7/32              fe80::215:17ff:fe82:3d60%igb0_vlan7 U      igb0_vla
    ff02::%ovpns1/32                  fe80::215:17ff:fe82:3d60%ovpns1 U        ovpns1

  • @ermal:

    Logs would be good together with ifconfig and routing table output.

    Latest snapshot has some automatic rules removed, due to wide covarge of auto rules, so probably check that your firewall rules are correct.

    Hi ermal,

    Tell me what you need and I'll fire up the vm & get it for you.

    I did update the ticket here:


    a while back with the info you asked for at the time.

    I can also give you remote access to the box if you would like….whatever I can do to help!


  • Well this is strange… just as a test, I set the WAN interface to 6to4 instead of 6rd, and clicked apply. I now have an ipv6 address, and I am able to properly ping IPv6 hosts from the router, as well as visit IPv6 websites on my LAN vi track interface. Wonder if the new modem I got yesterday has anything to do with this or not.

    If it matters, I am a charter business customer.

  • Hi ddggttff3,

    Honestly, I'm surprised that worked for you. Following your suggestion I made the same change & it blanked out the 6rd section in the WAN interface config when I changed it, assuming yours did the same, I'm surprised your firewall had any idea where to send your ipv6 traffic! Making the change to 6to4 did not make my ipv6 connection work.

    As always, if there's any information I can provide to help sort this out just ask!


  • Well I just got a new modem, Model is SMCD3GN2-BIZ. I am thinking that's 1/2 the story as my old SMC did not work with 6to4, and the bootup UART log from this device mentions loading a "IPv6 over IPv4 tunneling driver".

    Also, when I set it to 6to4, it auto pulled the old IPv6 address I got with 6rd, so yay!

    So far, IPv6 6to4 has been working here with 0 issues.

    Maybe you should ask charter for a new modem? I used to have the SMCD3G-BIZ, which did not work with 6to4. Is that the modem you use?

  • I'd just like to add "Me, too"

    I use CenturyLink's 6rd's Border Relay.  I was using a 2.1 Beta snapshot from last August until I upgraded this weekend and lost 6rd functionality.

    Same symptoms as Will reports.  I didn't have much time to troubleshoot - I just fired up my HE tunnel in the meantime.

    However, I did notice this in my logs (I obfuscated my IP):

    php: : The command '/sbin/pfctl -b 2602:XX:YYYY:ZZZZ::/32 -b 2602💿ab02:4000::/32' returned exit code '1', the output was 'pfctl: illegal option – b usage: pfctl [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file] [-i interface] [-K host | network] [-k host | network ] [-o [level]] [-p device] [-s modifier ] [-t table -T command [address …]] [-x level]'

    I'd be happy to provide anything else to help get this squared away.


  • Hi vinsomething,

    Indeed, I don't really know where to start troubleshooting….for me getting 6rd up & going was a 5 minute affair and it "just worked" for a very long time.

    I have a ticket open on this and the last thing I heard from the devs was that this is "seen that on misconfigurations of pfSense". I have no idea what that misconfiguration could be and would love to get a hint to point me in the correct direction.

    I spun up my "current" pfsense vm the other day, grabbed the output of "pftop -w 150 -a -b -v rules" via the /status.php page on both my January (working) vm & the latest release as of last Saturday. I took the output from each and stuffed them into notepad++, edited out all the traffic counters & diffed them. There are 3 extra rules in the "current" rules that aren't in my January ruleset:

    100  Pass    In      Q vmx3f1          K        0        0        0      inet from to any  flags S/SA
    101  Pass    In      Q vmx3f1          K        0        0        0      inet6 from 2602:XXXX:XXXX:XXXX::/64 to any  flags S/SA
    102  Pass    In      Q vmx3f1 udp    K        0        0        0      inet6 from fe80::/64 to ff02::1:3/128 port = 5355

    Maybe that's where the problem is, maybe it's not....I have no idea. All the other rules seem to differ only in the change between "wan_st" & "stf0".

    It sucks that you updated & lost your 6rd functionality. I sure do hope this gets sorted out before 2.1 rolls out!


  • Hi guys,

    I just updated my pfsense test vm to the Thu Aug 15 build and now I don't even get an ipv6 address on my outside interface.


  • I get the same on 6 to 4. I had to unconfigure ipv6 for now.

  • Hi podilarius,

    Updating to the latest (Fri. 8/16) build has allowed my WAN interface to once again get an ipv6 address.

    6RD still doesn't function, sorry to say.