@lufu83 thank you for that unifi post from years ago. This was the most stupid issue I had the displeasure of fixing. I could not get my windows machines to ping6 cross vlan because of this and spent hours trying to fix it until I come across your post.

@adude42069 I can check next time this comes up in our network. As I mentioned (a ways) above I reduced the lifetimes to improve the behavior. In our specific case I'm not rebooting pfSense, I'm making manual changes.

@johnpoz said in Netflix and HE tunnel broker: No gua, no ula - not even a link-local, so why and the F would it ask for AAAA for?? Lazy freaking programing if you ask me. Good question. If there are no local IPv6 interfaces to talk to, I'm curious what the advantage is knowing that an AAAA exists for a host that will be contacted over A anyway. I've a possible reason in front of me, the one and only Firefix plugin I use : [image: 1773127237304-4cc14808-f093-4491-9b04-2d62263ab906-image.png] edit : the plugin is he.net powered. It shows me for every web site I visit what I'm using : A or AAAA, and it also shows what other sites are visited when the page was retrieved. [image: 1773127312570-36fdb069-8ff7-4888-a2ce-c2c8e65d6013-image.png] I can image that when this Firefox plugin is used, these AAAA requests are made. But if it isn't used ? @SteveITS said in Netflix and HE tunnel broker: Edit: also FWIW we found HE tunnels were rate limited. I mean they are free, so hard to complain, but bandwidth was about 1/3 of our IPv4 connection speed. Because the POPs have cost involved Some of them are marked as "can't add any new clients anymore" == they are 'full'. If they would throw hardware on it, tunnel.he.net would become a real, free VPN alternative **, which would need even more hardware. ** he.net uses a tunnel = IPv6 packets are encapsulated into a IPv4 packets = the GIF protocol, which is, afaik, not encrypted. Not a big deal as all traffic is TLS already anyway.

As @patient0 said, pfSense already handles this case. It should just work. If there's a zero UDP checksum on the IPv4 side pf will calculate it when it translates the packet to IPv6.

@aivxtla Not being able to check your own IPv6 address for something like DDNS would lead be to believe that your IPv6 routes were not properly setup, because for that to work you need AAAA DNS resolution for the IP check service (1) and a fully IPv6-based route to it; but, needless to say, all of this is quite the guessing game. In any case, I'm glad it's working for you now! (1) Perhaps ironically, performing DNS resolution for AAAA records does NOT require IPv6 to be working, because you can always contact a DNS resolver over IPv4 and ask it for a AAAA record: -> drill -Q www.google.com IN AAAA @1.1.1.1 2607:f8b0:4006:803::2004 And, of course, you can also do the opposite: drill -Q one.one.one.one IN A @2001:4860:4860::8888 1.0.0.1 1.1.1.1

yup, the issue still persists also with 2.8.1. According to RIPE (https://www.ripe.net/publications/docs/ripe-690/) no such feature would be needed, but ISPs assigning dynamic prefixes make this feature a must-have to not loose IPv6 connection for the preferred lifetime of the SLAAC RA (which is 4h by default)

@JonathanLee Interesting. What we're living through now is the partial realization of what I somewhat mistakenly believed Web 3.0's 'semantic web' concept from a quarter-century ago was all about. I.e., tell the 'search engine' what you're looking for in natural human language, and it will deliver. Berners-Lee originally expressed his vision of the Semantic Web in 1999 as follows: I have a dream for the Web [in which computers] become capable of analyzing all the data on the Web – the content, links, and transactions between people and computers. A "Semantic Web", which makes this possible, has yet to emerge, but when it does, the day-to-day mechanisms of trade, bureaucracy and our daily lives will be handled by machines talking to machines. The "intelligent agents" people have touted for ages will finally materialize.

@Gertjan said in IPv6 Prefix Delegation Host-Address: Ask them Here you go (about 4 years ago): https://redmine.pfsense.org/issues/12600 https://redmine.pfsense.org/issues/12602 Btw. I add ASN for the ISPs in question to the TS-forward via pfBlocker. This works good for IPv6, but still, it would be nice to have even more control...

@Mission-Ghost If we're asking the important questions, why use a packet filter to transport Ethernet frames?

@IonutIT Check "NAT64 Prefix Override" on System > Advanced, Firewall/NAT

@JKnott Yeah, agreed it's a CC thing. I've already registered a tunnel through HE/tunnelbroker because as much as I'm a masochist for the things I want to try and do on my home network just because I can and find them fun to play with... trying to even contact Comcast let alone actually get to more than first tier support is a form a masochism that just doesn't excite me. It's Comcastic! [vent] Add to this that my Netgear M7 Pro drops out in IP-Passthrough mode and now it doesn't offer an IPv4 address anymore, in either IP-PT or NAT mode [end vent] .... yeah, I've go all the masochism I could want right now. ...and that's exactly the response opcode that I get. Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 71 IAID: 00000000 T1: 0 T2: 0 Status code Option: Status code (13) Length: 55 Status Code: NoPrefixAvail (6) Status Message: No prefix available on Link 'ca-sanrafael-acr07-link' [Edit: trying to determine why the forum keeps saying this is spam and refusing to post]

@citroklar said in How I set up prefix delegation to carve out /60 subnets from a /56 prefix: But as those /64 subnets cannot be split further, I wanted larger Prefix Delegations - /60s, for both of my internal networks to be precise. (A /56 can be split into 16 /60 subnets.) I couldn't find a way to do this in the gui, so please enlighten me if I missed something there. Take a look on the System / Routing / Gateways page.

If you're making changes and they simply don't appear then I would start at /usr/local/www/services_dhcpv6_edit.php and follow the various linked include files to find functions used there. The rabbit hole can be deep!

Credits to Grok (xAI) – Full IPv6 Boot Watchdog Script with Daily Reboot Limit Thanks to Bob.Dig, Gertjan, and the community for all the help and ideas along the way. But in the end, I went full nuclear with Grok's help to solve the annoying "IPv6 gateway pending" / DHCPv6 fails at boot issue on 25.11 (and earlier versions) with ixgbe/ix interfaces. Grok helped build, debug, refine, and harden this script over dozens of iterations — from parsing issues in ash, ambiguous redirects, long shutdown delays, false positives, to daily reboot protection and input validation. Big thanks to Grok for turning a frustrating problem into a reliable workaround! What the script does Runs automatically after boot Checks if all specified interfaces (INTERFACES=) have at least one global IPv6 address (2000::/3 range, non-link-local) If yes → exits cleanly (no reboot) If no → waits a timeout period (default 120 s of checking) → reboots pfSense Safety: max 2 reboots per calendar day — prevents endless loops if ISP has outage Counter resets automatically at midnight Manual reset: rm /var/db/ipv6_watchdog_reboot_count Extra: Early exit if any interface is physically down (no carrier) Quiet: Logs only important events to syslog (via logger) — no spam Robust: Validates config (interfaces exist, no spaces, numbers valid, etc.) Recommended Installation (fast shutdown, no delays) Save the script (anywhere, e.g. /usr/local/etc/ipv6_watchdog.sh):vi /usr/local/etc/ipv6_watchdog.sh #!/bin/sh # /usr/local/etc/ipv6_watchdog.sh # IPv6 Global Address Watchdog for pfSense - Built with Grok (xAI) # Daily reboot limit (max 2/day), quiet syslog logging, input validation, early exit if link down # More info at: https://forum.netgate.com/topic/199716/25.11-ipv6-gateway-pending/11?_=1767700010718 # ================= CONFIG ================= TIMEOUT=120 # seconds (min 30) INITIAL_DELAY=60 # seconds (min 10) CHECK_INTERVAL=20 # seconds (min 5) INTERFACES="ix2,ix3" # comma-separated, NO spaces! MAX_REBOOTS_PER_DAY=2 LOG_TO_SYSTEM_LOGS=1 # 1 = syslog (recommended), 0 = file # ================= VALIDATION & LOGGING ================= validate_positive_int() { local var="$1" name="$2" min="${3:-1}" if ! echo "$var" | grep -qE '^[0-9]+$'; then logger -t ipv6_watchdog "ERROR: $name must be positive integer (got '$var')" exit 1 fi if [ "$var" -lt "$min" ]; then logger -t ipv6_watchdog "ERROR: $name >= $min (got $var)" exit 1 fi } validate_positive_int "$TIMEOUT" "TIMEOUT" 30 validate_positive_int "$INITIAL_DELAY" "INITIAL_DELAY" 10 validate_positive_int "$CHECK_INTERVAL" "CHECK_INTERVAL" 5 validate_positive_int "$MAX_REBOOTS_PER_DAY" "MAX_REBOOTS_PER_DAY" 1 if [ "$LOG_TO_SYSTEM_LOGS" != "0" ] && [ "$LOG_TO_SYSTEM_LOGS" != "1" ]; then logger -t ipv6_watchdog "ERROR: LOG_TO_SYSTEM_LOGS must be 0 or 1" exit 1 fi if [ -z "$INTERFACES" ]; then logger -t ipv6_watchdog "ERROR: INTERFACES is empty" exit 1 fi if echo "$INTERFACES" | grep -q '[[:space:]]'; then logger -t ipv6_watchdog "ERROR: INTERFACES contains spaces (use 'ix2,ix3')" exit 1 fi OLD_IFS="$IFS"; IFS=','; set -- $INTERFACES; IFS="$OLD_IFS" for iface; do iface=$(echo "$iface" | tr -d '[:space:]') if ! ifconfig "$iface" >/dev/null 2>&1; then logger -t ipv6_watchdog "ERROR: Interface '$iface' does not exist" exit 1 fi done # ================= DETECTION ================= has_global_ipv6() { local iface="$1" local addrs addrs=$(ifconfig "$iface" 2>/dev/null | grep 'inet6 ' | grep -v 'fe80::' | \ sed -E 's/.*inet6[[:space:]]+([0-9a-fA-F:]+).*/\1/') [ -z "$addrs" ] && return 1 echo "$addrs" | grep -qE '^(2|3)' return $? } # ================= MAIN ================= START=$(date +%s) # Early exit if any interface down for iface; do iface=$(echo "$iface" | tr -d '[:space:]') if ! ifconfig "$iface" 2>/dev/null | grep -q 'status: active'; then logger -t ipv6_watchdog "Interface $iface DOWN → watchdog exiting early" exit 0 fi done current_date=$(date '+%Y-%m-%d') if [ -f "$COUNT_FILE" ]; then read saved_date saved_count < "$COUNT_FILE" 2>/dev/null || { saved_date=""; saved_count=0; } else saved_count=0 fi if [ "$saved_date" != "$current_date" ]; then logger -t ipv6_watchdog "New day ($current_date) → reset count to 0" saved_count=0 fi logger -t ipv6_watchdog "IPv6 watchdog starting (count: $saved_count / $MAX_REBOOTS_PER_DAY)" if [ "$saved_count" -ge "$MAX_REBOOTS_PER_DAY" ]; then logger -t ipv6_watchdog "Daily limit reached ($MAX_REBOOTS_PER_DAY). Skipping today." exit 0 fi sleep "$INITIAL_DELAY" while [ $(( $(date +%s) - START )) -lt "$TIMEOUT" ]; do all_good=1 for iface; do iface=$(echo "$iface" | tr -d '[:space:]') if ! has_global_ipv6 "$iface"; then all_good=0 break fi done [ $all_good -eq 1 ] && exit 0 sleep "$CHECK_INTERVAL" done logger -t ipv6_watchdog "CRITICAL TIMEOUT after ${TIMEOUT}s - no global IPv6" new_count=$((saved_count + 1)) if [ "$new_count" -le "$MAX_REBOOTS_PER_DAY" ]; then logger -t ipv6_watchdog "Rebooting ($new_count of $MAX_REBOOTS_PER_DAY today)" echo "$current_date $new_count" > "$COUNT_FILE" /sbin/shutdown -r now "IPv6 watchdog timeout (daily $new_count/$MAX_REBOOTS_PER_DAY)" else logger -t ipv6_watchdog "Daily limit reached. No reboot today." fi exit 1 Make it executable: chmod +x /usr/local/etc/ipv6_watchdog.sh Install Shellcmd package if not present (System → Package Manager → Available Packages → shellcmd) Add Shellcmd entry (Services → Shellcmd → Add):Command (paste exactly): /bin/sh -c 'nohup /usr/local/etc/ipv6_watchdog.sh >/dev/null 2>/dev/null' & Customization Tips Increase TIMEOUT=300 (5 min) if your modem takes longer to restore IPv6 Change INITIAL_DELAY if needed (give more time for interfaces to come up) Set LOG_TO_SYSTEM_LOGS=0 if you want file logging instead Add more WAN interfaces if needed: INTERFACES="ix2,ix3,igb0"

@Bob.Dig My ISP Information AS 3462 HINET Chunghwa Telecom Co., Ltd. Taiwan https://db-ip.com/as3462