pfSense DHCPv6 server not handing out addresses

I am currently trying to make my network fit for IPv6. Since my ISP only supports IPv4 ( :roll_eyes: I know, right?), I enabled the 6to4 tunneling on my WAN interface in pfSense. On my LAN interface, I set IPv6 configuration to “track” with an IPv6 prefix id of 1 (I figured that this is arbitrary). I enabled router advertisements on the LAN interface. When the router mode is set to “Unmanaged”, clients (a Windows 10 machine and a clean OPNsense install) get IP addresses via SLAAC as expected and can access the internet, with no DHCP involved.

However, when I set the router mode to “Managed” and enable the DHCPv6 server, clients do not get IP addresses. My understanding is that now, upon receiving a “router advertisement” packet, clients detect that the “Managed address configuration” flag is set and start the DHCPv6 routine by sending a “Solicit” packet. The screenshot of the packet capture below shows these packets.

What it doesn’t show though is the expected “DHCP advertisement” packet that the server is supposed to send. Does anyone have an idea what could be going on?

fe80::1:1 is the link-local address of the pfSense machine, fe80::e00d:8b1d:a9ae:8397 is the link-local address of my Windows client machine.

Here are screenshots of the relevant configuration:


Options not shown are at default.

EDIT: There is also a rule on the LAN interface that allows IPv6 access to the firewall.

I’d like to point out as well that I know that 6to4 is deprecated, and in the long term I will need to find another solution. But since clients do actually have internet connectivity when using SLAAC, I figure that 6to4 is not the problem right now.

I’ve just switched from using 6to4 to 6in4 by Hurricane Electric. As I expected, this didn’t change anything with the DHCP problem, although I am happy to discover that ping has gone down and throughput has gone up.

Ok so I’ve wrapped this one up now.

Instead of relying on tracking the GIF interface (since I’ve now switched to 6in4/Teredo, before that I tracked the WAN interface), I have set up completely local networks (subnets of fc00::/7). For whatever reason, the DHCPv6 server now works. No idea why it wouldn’t hand out addresses in the 2002::/16 and 2001::/32 range.

To make my local addresses route to the internet I use NPt. I don’t know whether there are any cons to unique local addresses, but one pro is that even if my prefix changes (e.g. by switching to another ISP / tunnel broker), local addresses stay the same.

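The exchange described in the first post (a router advertisement with the Managed flag set, then Solicit, then the expected Advertise) can be checked offline from capture bytes. This is an added example, not part of the original thread: the function names are hypothetical and the byte strings are constructed samples, not taken from the poster's capture.

```python
# DHCPv6 message types (RFC 8415) that matter for address assignment
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7

def ra_flags(icmpv6: bytes) -> dict:
    """Return the M and O flags of an ICMPv6 Router Advertisement (type 134)."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmpv6[5]  # byte 5: M = 0x80 (managed), O = 0x40 (other config)
    return {"managed": bool(flags & 0x80), "other": bool(flags & 0x40)}

def dhcpv6_header(udp_payload: bytes) -> tuple:
    """Return (msg_type, transaction_id) of a DHCPv6 client/server message."""
    if len(udp_payload) < 4:
        raise ValueError("truncated DHCPv6 message")
    return udp_payload[0], int.from_bytes(udp_payload[1:4], "big")

def unanswered_solicits(payloads) -> list:
    """Transaction IDs of Solicits with no Advertise (or rapid-commit Reply).

    Retransmitted Solicits reuse the transaction ID, so each ID counts once.
    """
    pending = []
    for payload in payloads:
        mtype, xid = dhcpv6_header(payload)
        if mtype == SOLICIT and xid not in pending:
            pending.append(xid)
        elif mtype in (ADVERTISE, REPLY) and xid in pending:
            pending.remove(xid)
    return pending

def msg(mtype: int, xid: int) -> bytes:
    """Build a constructed 4-byte DHCPv6 header (options omitted)."""
    return bytes([mtype]) + xid.to_bytes(3, "big")

# Constructed RA: hop limit 64, M flag set, router lifetime 1800 s, no options
SAMPLE_RA = bytes([134, 0, 0, 0, 64, 0x80, 0x07, 0x08]) + bytes(8)
# Constructed capture matching the symptom: Solicit retransmitted, no answer
SILENT_SERVER = [msg(SOLICIT, 0x1A2B3C)] * 3
# Constructed capture of a working four-message exchange
WORKING_SERVER = [msg(SOLICIT, 0xAA), msg(ADVERTISE, 0xAA),
                  msg(REQUEST, 0xAB), msg(REPLY, 0xAB)]

if __name__ == "__main__":
    print("RA flags:", ra_flags(SAMPLE_RA))
    print("silent server, unanswered:", unanswered_solicits(SILENT_SERVER))
    print("working server, unanswered:", unanswered_solicits(WORKING_SERVER))
```

A non-empty result while the RA shows `managed: True` matches the symptom in the thread: clients solicit, but the server side never answers.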