Sponsored Links

IPv6 (pfsense)

Inklin

Casual Member
This might sound dumb!

Recently IPv6 started to work on the supplied Eero after a maintenance window, so I know my area supports it now.

I have since switched to a pfsense router but I've been having issues getting IPv6 up and running, I get a /64 on WAN starting with 2a0e:1d42: though I cannot ping/traceroute IPv6 out from WAN in pfsense so I don't believe it's working properly. The LAN side is a whole different story, like if it's not working on WAN it wont work here!.

WAN:
DHCPv6 Prefix Delegation size: /56
Send IPv6 prefix hint: checked

LAN:
IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN
Pv6 Prefix ID: 0

I contacted YouFibre and they contacted the technical team who said "They need to set the dhcpv6 delegated prefix and then the prefix hint should be set to /56 Under the ipv6 mode on the wan interface" which is what I have been doing, so I'm not sure if I am missing something that is causing it to not work.

Does anyone know the correct settings (YouFibre specific) so I can double check everything? They mention setting a delegated prefix, above, seperate to setting the hint to /56. I'm not quite sure what they are referring to with that!

Thanks in advance!
 
not sure about YouFibre, but for me (Aquiss/Entanet), the key setting was on the "Services/DHCPv6 Server/Router Advertisements" settings where I had to select "Assisted"

there is also a tickbox under "System, Advanced, Networking" which allows IPv6 traffic, which is not ticked by default (apparently often missed). (my 1st guess if you can't do a ping / traceroute from the firewall ;-)

Troubleshooting wise, can you see a Public IPv6 address allocated to the LAN interface (status, interfaces)?
 
Not using pfSense, sorry, however I'm requesting a prefix without hint and an address. I receive a /128 on the WAN, a /56 prefix for LAN. Rapid commit is enabled.

LAN I'm offering /64s from the /56, using EUI64 for numbering of the interfaces themselves.
 
Sponsored Links
@Al-T That is how I have it set already and I believe the checkbox you mention for Allow IPv6 is only unchecked when upgrading from older versions of pfsense, new installs it is already checked by default (as mine was).

I do not get anything issued on the LAN side except a Link Local it seems. As do my devices.
 
On my OR (PPPoE) circuit I don't need the "send prefix hint" ticked. Is the WAN address part of the allocation you are expecting?
 
Slow response, sorry! But I thought I would update to say that IPv6 did start working about a week ago, It's the same Prefix Delegation so I am assuming what was happening was that their DHCP server had issued the prefix with a 14 day lease on the Eero MAC address and I just had to wait for it to expire before it would start working in pfsense.

I do have a peculiar issue where the WAN side thinks it is down on Gateway WAN_DHCP6, the IP it gets is a /64 from 2a0e:1d42:0:: which seems to be non routable. where as the /56 on the LAN side is more like 2a0e:1d42:ffff:ff:: (changed from actual) and my devices get IP's from that range and work over the internet just fine.
 
Slow response, sorry! But I thought I would update to say that IPv6 did start working about a week ago, It's the same Prefix Delegation so I am assuming what was happening was that their DHCP server had issued the prefix with a 14 day lease on the Eero MAC address and I just had to wait for it to expire before it would start working in pfsense.

I do have a peculiar issue where the WAN side thinks it is down on Gateway WAN_DHCP6, the IP it gets is a /64 from 2a0e:1d42:0:: which seems to be non routable. where as the /56 on the LAN side is more like 2a0e:1d42:ffff:ff:: (changed from actual) and my devices get IP's from that range and work over the internet just fine.
It might be the gateway is not pingable over IPv6. If you go via System -> Routing then Edit the IPv6 gateway, and add a specific IPv6 address that you can ping in the Monitor IP option, see if that makes it happier. Ideally you want an IP address of a server that is close to you, such as their DNS server perhaps, but any should do.
 
Sponsored Links
I have tried that but the IP issued by them to the WAN seems to have no connectivity at all, I can test that with the ping tool in pfsense:

WAN Selected:
PING6(56=40+8+8 bytes) 2a0e:1d42:0:50:xxxx:xxxx:xxxx:xxxx --> 2606:4700:4700::1001

--- 2606:4700:4700::1001 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


LAN Selected:
PING6(56=40+8+8 bytes) 2a0e:1d42:aaaa:aaxx:xxxx:xxxx:xxxx:xxxx --> 2606:4700:4700::1001
16 bytes from 2606:4700:4700::1001, icmp_seq=0 hlim=59 time=3.204 ms
16 bytes from 2606:4700:4700::1001, icmp_seq=1 hlim=59 time=3.191 ms
16 bytes from 2606:4700:4700::1001, icmp_seq=2 hlim=59 time=3.730 ms

--- 2606:4700:4700::1001 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.191/3.375/3.730/0.251 ms

This does seem to affect pfsense's ability to get packages/updates as it tries to connect out through the WAN IPv6 IP and gets no response. Only my LAN/devices seem to work with IPv6.
 
I have tried that but the IP issued by them to the WAN seems to have no connectivity at all, I can test that with the ping tool in pfsense:

WAN Selected:
PING6(56=40+8+8 bytes) 2a0e:1d42:0:50:xxxx:xxxx:xxxx:xxxx --> 2606:4700:4700::1001

--- 2606:4700:4700::1001 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


LAN Selected:
PING6(56=40+8+8 bytes) 2a0e:1d42:aaaa:aaxx:xxxx:xxxx:xxxx:xxxx --> 2606:4700:4700::1001
16 bytes from 2606:4700:4700::1001, icmp_seq=0 hlim=59 time=3.204 ms
16 bytes from 2606:4700:4700::1001, icmp_seq=1 hlim=59 time=3.191 ms
16 bytes from 2606:4700:4700::1001, icmp_seq=2 hlim=59 time=3.730 ms

--- 2606:4700:4700::1001 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.191/3.375/3.730/0.251 ms

This does seem to affect pfsense's ability to get packages/updates as it tries to connect out through the WAN IPv6 IP and gets no response. Only my LAN/devices seem to work with IPv6.
There is a bug in the way Gateways are handled that can make pfSense think one or more gateways are down, its a race condition so it just depends on the ISP and in what order the interfaces come up. This is an issue I have with my ISP, if you want to try the fix that works for me the file is attached.

Easy to try and go back if it doesn't make a difference:

1) In pfSense use Diagnostics - Edit File
2) Browse to /usr/local/sbin and click on ppp-linkdown to open it
3) Copy the existing text and drop it into notepad or similar so you can copy it back if necessary
4) Copy over the text from the attached file to replace what is there, click Save
5) To test (no need to reboot pfSense), use Status - Interfaces and Disconnect the WAN interface, refresh the page when it drops to get the Connect Now button, and then reconnect.

The modified script is more selective in dropping some sign post files that tells other bits of pfSense the gateways are up or down. The original script will mark the IPv6 or IPv4 gateway incorrectly down during some race conditions and where IPv6 is supported and in use.

I did try raising a bug report with full details but they just closed it as a duplicate of another issue which was something else entirely, so it hasn't been fixed.
 

Attachments

Thanks Phil! I would try it but I seem to have lost my IPv6 for the time being. Very odd!

Jul 19 10:08:03 dhcp6c 19438 advertise contains no address/prefix
Jul 19 10:08:03 dhcp6c 19438 server ID:
<removed>
, pref=-1
Jul 19 10:08:03 dhcp6c 19438 status code: unspec failure
Jul 19 10:08:03 dhcp6c 19438 get DHCP option status code, len 2
Jul 19 10:08:03 dhcp6c 19438 DUID: <removed>
Jul 19 10:08:03 dhcp6c 19438 get DHCP option client ID, len 14
Jul 19 10:08:03 dhcp6c 19438 DUID:
<removed>
Jul 19 10:08:03 dhcp6c 19438 get DHCP option server ID, len 10
Jul 19 10:08:03 dhcp6c 19438 receive advertise from
<removed>
on igc0
Jul 19 10:08:03 dhcp6c 19438 reset a timer on igc0, state=SOLICIT, timeo=359, retrans=116316
Jul 19 10:08:03 dhcp6c 19438 send solicit to ff02::1:2%igc0
Jul 19 10:08:03 dhcp6c 19438 set IA_PD
Jul 19 10:08:03 dhcp6c 19438 set IA_PD prefix
Jul 19 10:08:03 dhcp6c 19438 set option request (len 4)
Jul 19 10:08:03 dhcp6c 19438 set elapsed time (len 2)
Jul 19 10:08:03 dhcp6c 19438 set client ID (len 14)
Jul 19 10:08:03 dhcp6c 19438 Sending Solicit
Jul 19 10:06:14 dhcp6c 19438 advertise contains no address/prefix
It seems they are no longer advertising the prefix.
 
Thanks Phil! I would try it but I seem to have lost my IPv6 for the time being. Very odd!

Jul 19 10:08:03 dhcp6c 19438 advertise contains no address/prefix
Jul 19 10:08:03 dhcp6c 19438 server ID:
<removed>
, pref=-1
Jul 19 10:08:03 dhcp6c 19438 status code: unspec failure
Jul 19 10:08:03 dhcp6c 19438 get DHCP option status code, len 2
Jul 19 10:08:03 dhcp6c 19438 DUID: <removed>
Jul 19 10:08:03 dhcp6c 19438 get DHCP option client ID, len 14
Jul 19 10:08:03 dhcp6c 19438 DUID:
<removed>
Jul 19 10:08:03 dhcp6c 19438 get DHCP option server ID, len 10
Jul 19 10:08:03 dhcp6c 19438 receive advertise from
<removed>
on igc0
Jul 19 10:08:03 dhcp6c 19438 reset a timer on igc0, state=SOLICIT, timeo=359, retrans=116316
Jul 19 10:08:03 dhcp6c 19438 send solicit to ff02::1:2%igc0
Jul 19 10:08:03 dhcp6c 19438 set IA_PD
Jul 19 10:08:03 dhcp6c 19438 set IA_PD prefix
Jul 19 10:08:03 dhcp6c 19438 set option request (len 4)
Jul 19 10:08:03 dhcp6c 19438 set elapsed time (len 2)
Jul 19 10:08:03 dhcp6c 19438 set client ID (len 14)
Jul 19 10:08:03 dhcp6c 19438 Sending Solicit
Jul 19 10:06:14 dhcp6c 19438 advertise contains no address/prefix
It seems they are no longer advertising the prefix.
You can just fix your own prefix if you like, if you have a static IPv6 prefix?
 
Sponsored Links
A recent update of some of their network kit that broke my internet connection for 2 days while they worked out how to fix it. As part of the getting it to work again phase I switched back to the supplied Eero and when it was finally fixed I noticed that the What's my IP page was showing an IPv6 address but when I switched back to my router (OPNSense but for all intents and purposes the same as the OP) I didn't have an IPv6 address even after selecting DHCP IPv6 on the WAN ... there was a WAN IPv6 address but the hosts on the LAN were not getting IPv6 addresses and the router itself wasn't able to ping ipv6 sites such as google though it was able to resolve the IPv6 Address.

Anyone have a recipie for getting IPv6 to work for YouFibre on an (PF/OPN)Sense router ?
 
A recent update of some of their network kit that broke my internet connection for 2 days while they worked out how to fix it. As part of the getting it to work again phase I switched back to the supplied Eero and when it was finally fixed I noticed that the What's my IP page was showing an IPv6 address but when I switched back to my router (OPNSense but for all intents and purposes the same as the OP) I didn't have an IPv6 address even after selecting DHCP IPv6 on the WAN ... there was a WAN IPv6 address but the hosts on the LAN were not getting IPv6 addresses and the router itself wasn't able to ping ipv6 sites such as google though it was able to resolve the IPv6 Address.

Anyone have a recipie for getting IPv6 to work for YouFibre on an (PF/OPN)Sense router ?
If I am honest I just had to wait in the end, it seems like they issue based on the MAC Address and a two week lock to that specific MAC, after the lock expired my pfsense gained an IPv6, their system won't recognise a change in MAC until the previous allocation expires it seems.

my pfsense:
WAN:
IPv4 Configuration Type: DHCP
IPv6 Configuration Type : DHCP6
Request only an IPv6 prefix: tick
DHCPv6 Prefix Delegation size: 56
Send IPv6 prefix hint: tick
Do not wait for a RA: tick

LAN:
IPv6 Interface: WAN
IPv6 Prefix ID: 2 (but this can be between 0 and ff)

System > Advanced > Networking:
Allow IPv6: tick
DHCP6 DUID: DUID-LLT: Based on Link-layer Address Plus Time
DUID-LLT: Link-Layer Address: MAC Address of my WAN port.

I did add a WAN firewall rule for IPv6 ICMP (with any subtype) this was to use my tbb monitor, having CGNAT on IPv4 meant I needed to use IPv6 for ping monitoring. I don't recall if the ICMP thing was required to get my prefix however.

If working you will notice that the LAN side gets a /56 and the WAN gets a /64 from a slightly different submet, though this may vary depending on what they have configured in your area.
 
System > Advanced > Networking:
Allow IPv6: tick
DHCP6 DUID: DUID-LLT: Based on Link-layer Address Plus Time
DUID-LLT: Link-Layer Address: MAC Address of my WAN port.
Be very interested to see what is returned if you go here


and post the lines from SLA downwards like this..

Screenshot_20230928_210923.webp
 
Sponsored Links
I've spent a while with a support person today and got this info too ... I think I found a "fix" for the actual router not having IPv6 connectivity though ... it looks like that although you set "request prefix only" the WAN interface is also getting a /64 ( If I'm understanding some forum posts this is assigned via SLAAC ) ... this /64 isn't routed inside YouFibre's network.
I ran an ifconfig <iface> inet6 <ipv6_addr> -alias from a shell to remove the /64 at which point you can ping using ipv6 on the router itself.
 
I've spent a while with a support person today and got this info too ... I think I found a "fix" for the actual router not having IPv6 connectivity though ... it looks like that although you set "request prefix only" the WAN interface is also getting a /64 ( If I'm understanding some forum posts this is assigned via SLAAC ) ... this /64 isn't routed inside YouFibre's network.
I ran an ifconfig <iface> inet6 <ipv6_addr> -alias from a shell to remove the /64 at which point you can ping using ipv6 on the router itself.

Thanks for this clue!

I was having the same issue with a Unifi router.

With WAN setup as DHCPv6 and PD /56 my LAN got IPv6 connectivity but nothing from my router

Set it to WAN SLAAC PD /56 and my LAN gets IPv6 conenctivty and also my router (as it is not issued it's own /128 it uses the IPv6 address of the default VLAN for outbound IPV6 connectivity)

I wonder why Youfibre issue a IPv6 address via DHCPv6 to the WAN port and then not route that address!
 
I do have to manually set my WAN IPv6 address with a command every time pfsense has been rebooted, then restart dpinger to get the interface monitor to work. I'd love to script it so I don't have to bother.

For me IPv6 isn't the smoothest, it's more jittery than the CGNAT IPv4, I'm not sure what they did last summer, but ever since then I get base latency of 3 - 4ms but with 1 - 2 spikes to 20ms on IPv6 in every minute (confirmed with various tests to various IPv6 addresses, it makes for a un-pretty tbb ping graph with a relatively big maximum latency of 20ms.
 
Just wondered if someone can help with a setting I may have missed off?
On my windows clients I notice the ipv6 dns address field is blank. Where is this info stored on pfsense so that it gets populated assuming it's required..... . Thanks
Screenshot_20240521_223331_Reddit.jpg
 
Top
Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £22.99
132Mbps
Gift: None
Vodafone UK ISP Logo
Vodafone £24.00 - 26.00
150Mbps
Gift: None
NOW UK ISP Logo
NOW £24.00
100Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £25.99
145Mbps
Gift: £50 Reward Card
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
200Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £22.99
132Mbps
Gift: None
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Youfibre UK ISP Logo
Youfibre £23.99
150Mbps
Gift: None
Large Availability | View All
Sponsored Links
The Top 15 Category Tags
  1. FTTP (6024)
  2. BT (3638)
  3. Politics (2720)
  4. Business (2439)
  5. Openreach (2405)
  6. Building Digital UK (2330)
  7. Mobile Broadband (2143)
  8. FTTC (2083)
  9. Statistics (1899)
  10. 4G (1813)
  11. Virgin Media (1762)
  12. Ofcom Regulation (1582)
  13. Fibre Optic (1467)
  14. Wireless Internet (1462)
  15. 5G (1404)
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules