pfSense IPv6 Setup Guide: Complete Configuration Walkthrough

pfSense is a powerful open-source firewall and router platform based on FreeBSD. Properly configuring IPv6 on pfSense enables your network to take full advantage of the modern internet while maintaining robust security. This comprehensive guide covers WAN configuration, LAN setup, DHCPv6, Router Advertisements, firewall rules, and troubleshooting for both simple and complex network scenarios.

Table of Contents

• Understanding pfSense IPv6 Architecture
• Prerequisites and Planning
• WAN Interface Configuration
• LAN Interface Configuration
• DHCPv6 Server Setup
• Router Advertisements Configuration
• IPv6 Firewall Rules
• Multiple LAN and VLAN Scenarios
• Troubleshooting Common Issues
• Testing Your Configuration

Understanding pfSense IPv6 Architecture

pfSense handles IPv6 using a dual-stack approach, running IPv4 and IPv6 simultaneously without interference. The key architectural concepts include:

Prefix Delegation

Most residential and business ISPs provide IPv6 connectivity through DHCPv6 Prefix Delegation (DHCPv6-PD). Your ISP delegates an IPv6 prefix to your pfSense WAN interface, typically:

• /56 prefix - Provides 256 /64 subnets (common for residential)
• /60 prefix - Provides 16 /64 subnets (some cable providers)
• /64 prefix - Single subnet only (less ideal but functional)

pfSense then subdivides this delegated prefix to assign /64 subnets to your internal networks (LAN, DMZ, VLANs, etc.).

Track Interface

The "Track Interface" feature is pfSense's mechanism for automatically configuring internal interfaces with subnets from the delegated prefix. When you set a LAN interface to "Track Interface" pointing to WAN, pfSense automatically:

1. Receives a prefix delegation from the ISP
2. Assigns a /64 subnet from that delegation to the LAN
3. Updates the subnet when the delegation changes
4. Handles Router Advertisements for that subnet

This eliminates manual IPv6 address management and ensures your internal networks remain functional even if your ISP changes your delegated prefix.

Router Advertisements vs DHCPv6

Unlike IPv4, where DHCP handles all client configuration, IPv6 uses two complementary mechanisms:

Router Advertisements (RA): ICMPv6 messages that provide:

• Default gateway information (essential - DHCPv6 cannot provide this)
• Network prefix information
• SLAAC (Stateless Address Autoconfiguration) enablement
• On-link determination

DHCPv6: Optional protocol that provides:

• DNS server addresses
• Domain search lists
• NTP servers
• Other configuration options
• Optionally: managed IPv6 addresses (stateful mode)

For most pfSense deployments, you'll use Router Advertisements for gateway discovery and either SLAAC or DHCPv6 for address assignment.

Prerequisites and Planning

Before configuring IPv6 on pfSense, verify the following:

1. ISP IPv6 Support

Confirm your ISP provides native IPv6 connectivity. Contact their support or check your modem's status page for:

• IPv6 WAN address assignment
• Delegated prefix information
• DHCPv6-PD support

Without ISP support, you'll need to use a tunnel broker (Hurricane Electric, etc.), which is beyond the scope of this guide.

2. pfSense Version

This guide applies to pfSense 2.6 and later (including pfSense Plus). Earlier versions may have different menu structures. Check your version under System > Update.

3. Network Planning

Determine your internal network structure:

• Single LAN setup: Simplest configuration
• Multiple LANs or VLANs: Requires careful prefix ID planning
• DMZ or guest networks: Each needs a separate /64 subnet

For a /56 delegation, you have prefix IDs 0 through ff (256 subnets). For a /60 delegation, you have prefix IDs 0 through f (16 subnets).

4. Gather Information

You'll need:

• ISP's required DHCPv6 prefix delegation size (typically /56 or /60)
• Whether your ISP requires a prefix hint
• DNS preferences (ISP-provided or custom like Google/Cloudflare)

WAN Interface Configuration

The WAN interface connects pfSense to your ISP and receives the IPv6 prefix delegation. Most residential and business connections use DHCPv6 with prefix delegation.

Accessing WAN Configuration

1. Log into pfSense web interface (typically https://192.168.1.1)
2. Navigate to Interfaces > WAN
3. Scroll to the IPv6 Configuration section

DHCPv6 Configuration (Most Common)

For ISPs that provide IPv6 via DHCPv6 Prefix Delegation:

IPv6 Configuration Type:

• Select DHCP6 from the dropdown

DHCPv6 Prefix Delegation Size:

• Select your ISP's delegation size from the dropdown
  • Common values: /60, /56, /48
  • If unsure, try /60 first, then /56
  • Contact your ISP if neither works

Send IPv6 prefix hint:

• Check this box if your ISP requires a prefix hint
• Most residential ISPs do not require this
• Some ISPs (Comcast, AT&T) may require it for proper delegation

Request only an IPv6 prefix:

• Leave unchecked unless your ISP specifically requires it
• When unchecked, pfSense requests both an address and a prefix (standard behavior)
• When checked, only requests a prefix (rare requirement)

Configuration Example:

IPv6 Configuration Type: DHCP6
DHCPv6 Prefix Delegation size: 60
Send IPv6 prefix hint: [checked] (for most ISPs)
Request only an IPv6 prefix: [unchecked]

Click Save and Apply Changes at the bottom of the page.

SLAAC Configuration

Some ISPs provide IPv6 through SLAAC (Stateless Address Autoconfiguration) with prefix delegation:

IPv6 Configuration Type:

• Select SLAAC from the dropdown

Configuration ID:

• Leave blank unless your ISP requires a specific value

DHCPv6 Prefix Delegation Size:

• Select the delegation size even when using SLAAC
• Many ISPs provide prefix delegation alongside SLAAC

Static IPv6 Configuration

For business connections with static IPv6 assignments:

IPv6 Configuration Type:

• Select Static IPv6 from the dropdown

IPv6 Address:

• Enter your assigned IPv6 address with prefix length
• Example: 2001:db8:1234:5678::1/64

IPv6 Upstream Gateway:

• Enter your ISP's gateway address
• Example: 2001:db8:1234:5678::1

Delegated Prefix:

• Enter the prefix your ISP delegated for internal use
• Example: 2001:db8:1234:5600::/56

PPPoEv6 Configuration

For DSL connections using PPPoE with IPv6:

1. Configure PPPoE under Interfaces > WAN
2. Set IPv6 Configuration Type to DHCP6
3. Configure prefix delegation as described above
4. PPPoE credentials go in the IPv4 configuration section

Verification

After configuring the WAN interface, verify IPv6 connectivity:

1. Navigate to Status > Interfaces
2. Check the WAN interface section
3. Verify you see:
   • An IPv6 Address (starting with 2xxx: or 3xxx:, not fe80:)
   • Track6 Prefix Delegation showing your delegated prefix

If you see no IPv6 address after 30 seconds, check your ISP connection or configuration settings.

LAN Interface Configuration

Once your WAN interface receives an IPv6 prefix delegation, configure your LAN interface to use a subnet from that delegation using the Track Interface feature.

Basic LAN Configuration

1. Navigate to Interfaces > LAN
2. Scroll to the IPv6 Configuration section

IPv6 Configuration Type:

• Select Track Interface from the dropdown

This selection reveals additional Track IPv6 Interface settings.

Track IPv6 Interface Configuration

IPv6 Interface:

• Select WAN from the dropdown
• This tells pfSense to use a subnet from the WAN's delegated prefix

IPv6 Prefix ID:

• Enter 0 (zero) for your primary LAN
• This uses the first /64 subnet from your delegated prefix
• For example, if your ISP delegates 2001:db8:1234:5600::/56:
  • Prefix ID 0 = 2001:db8:1234:5600::/64 (LAN)
  • Prefix ID 1 = 2001:db8:1234:5601::/64 (DMZ/OPT1)
  • Prefix ID 2 = 2001:db8:1234:5602::/64 (Guest WiFi)
  • And so on through prefix ID ff (255)

Manual Configuration (Optional):

• Leave blank unless you need a specific interface ID
• pfSense automatically assigns ::1 to the interface by default

Configuration Example:

IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN
IPv6 Prefix ID: 0

Click Save and Apply Changes.

Static LAN IPv6 Configuration (Alternative)

If you have a static IPv6 prefix and prefer manual configuration:

IPv6 Configuration Type:

• Select Static IPv6

IPv6 Address:

• Enter the LAN interface address
• Example: 2001:db8:1234:5600::1/64
• The /64 is essential - this defines your LAN subnet

This approach requires manual updates if your ISP changes your prefix, so Track Interface is strongly preferred for dynamic scenarios.

Verification

1. Navigate to Status > Interfaces
2. Check the LAN interface section
3. Verify you see:
   • IPv6 Address (should be from the delegated prefix)
   • The address should end with ::1 (pfSense's gateway address)
   • Example: 2001:db8:1234:5600::1/64

DHCPv6 Server Setup

DHCPv6 can provide IPv6 addresses and configuration to your clients. However, unlike DHCPv4, DHCPv6 cannot provide default gateway information - that comes from Router Advertisements. You can use DHCPv6 in two modes:

• Stateful DHCPv6: Provides both addresses and configuration (DNS, domain name)
• Stateless DHCPv6: Provides only configuration; clients use SLAAC for addresses

Accessing DHCPv6 Server Configuration

1. Navigate to Services > DHCPv6 Server
2. Click the LAN tab (or whichever interface you're configuring)

Stateful DHCPv6 Configuration

For centralized address management with DHCPv6-assigned addresses:

Enable DHCPv6 server on LAN interface:

• Check this box to enable the DHCPv6 server

Range:

• From: Enter the starting IPv6 address for dynamic assignment
  • Example: 2001:db8:1234:5600::1000
• To: Enter the ending IPv6 address
  • Example: 2001:db8:1234:5600::1fff
• Leave plenty of room outside this range for static assignments and SLAAC

Prefix Delegation Range:

• Leave empty unless you're delegating prefixes to downstream routers
• Only needed in advanced ISP or enterprise scenarios

DNS Servers:

• Option 1: Use ISP DNS - Leave blank to inherit from WAN
• Option 2: Custom DNS:
  • Google: 2001:4860:4860::8888, 2001:4860:4860::8844
  • Cloudflare: 2606:4700:4700::1111, 2606:4700:4700::1001
  • Your local DNS server's IPv6 address

Domain Name:

• Enter your local domain (e.g., home.local)
• Optional but helpful for local name resolution

Domain Search List:

• Enter additional domains for DNS search
• Optional; separate multiple domains with semicolons

Default lease time:

• Set to 86400 (24 hours) or higher
• IPv6's massive address space allows longer leases

Maximum lease time:

• Set to 604800 (7 days) or higher

Configuration Example:

Enable DHCPv6 server: [checked]
Range: 2001:db8:1234:5600::1000 to 2001:db8:1234:5600::1fff
DNS Servers: 2001:4860:4860::8888, 2001:4860:4860::8844
Domain name: home.local
Default lease time: 86400
Maximum lease time: 604800

Stateless DHCPv6 Configuration (With SLAAC)

For networks where clients should use SLAAC for addresses but receive DNS via DHCPv6:

1. Enable DHCPv6 server as above
2. Set Range fields to empty or a very small range
3. Configure DNS servers as desired
4. Set Router Advertisement mode to Assisted (configured in next section)

This configuration allows maximum client compatibility while providing centralized DNS configuration.

DHCPv6 Static Mappings

To assign specific IPv6 addresses to particular devices:

1. Scroll to DHCPv6 Static Mappings section
2. Click Add

DUID:

• Enter the client's DHCP Unique Identifier
• Find this in Status > DHCPv6 Leases for existing clients
• Format: 00:01:00:01:1c:2e:ff:9a:00:11:22:33:44:55

IPv6 Address:

• Enter the static address to assign
• Example: 2001:db8:1234:5600::50
• Must be outside your dynamic range

Hostname:

• Enter a descriptive name
• Used for identification and optional DNS registration

Description:

• Add notes about the device

Click Save and Apply Changes.

Important DHCPv6 Notes

1. Android Incompatibility: Android devices do not support DHCPv6. They require SLAAC with RDNSS (Router Advertisements with DNS). If you need to support Android, enable SLAAC.

2. Gateway Information: DHCPv6 cannot provide default gateway information. Clients learn their gateway from Router Advertisement messages, configured in the next section.

3. Firewall Rules: DHCPv6 uses UDP ports 546 (client) and 547 (server). pfSense's default LAN rules allow this traffic.

Router Advertisements Configuration

Router Advertisements are critical for IPv6 operation. They provide default gateway information, prefix announcements, and control whether clients use SLAAC, DHCPv6, or both.

Accessing Router Advertisement Configuration

1. Navigate to Services > Router Advertisement
2. Click the LAN tab (or whichever interface you're configuring)

Router Advertisement Modes

Router mode:

Select the appropriate mode based on your desired client behavior:

Unmanaged:

• Clients use SLAAC only (auto-configuration)
• No DHCPv6 server needed
• Most compatible with all devices including Android
• Best for: Simple home networks, maximum compatibility

Managed:

• Clients must use DHCPv6 for addresses
• SLAAC is disabled
• Requires functioning DHCPv6 server
• Does not work with Android devices
• Best for: Enterprise environments requiring address tracking

Assisted:

• Clients use SLAAC for addresses
• DHCPv6 provides additional configuration (DNS, domain name)
• Maximum compatibility
• Best for: Networks with Android devices that need centralized DNS

Stateless DHCP:

• Similar to Assisted
• Clients use SLAAC for addresses
• DHCPv6 for configuration only
• Best for: Modern mixed-device networks

Router Priority:

• Set to Normal unless you have multiple IPv6 routers
• If you have redundant routers, use High for primary, Low for backup

Recommended Configuration

For most home and small business networks:

Router mode: Assisted
Router Priority: Normal

This configuration:

• Provides maximum device compatibility (including Android)
• Allows SLAAC for address assignment
• Provides centralized DNS configuration via DHCPv6
• Automatically handles default gateway advertisement

Advanced Router Advertisement Options

RA Interface:

• Leave as default unless you have specific requirements

RA Subnet(s):

• Automatically populated based on interface configuration
• Shows the prefixes being advertised

Default Valid Lifetime:

• How long the prefix is valid (default: 86400 seconds / 24 hours)
• Clients will deprecate addresses when this expires

Default Preferred Lifetime:

• How long addresses are preferred (default: 14400 seconds / 4 hours)
• After this time, clients may generate new privacy addresses

RA Flags:

• Managed Address Configuration Flag (M): Set by Router mode selection
• Other Configuration Flag (O): Set by Router mode selection
• Typically you don't need to manually configure these

Configuration for Different Scenarios

Maximum Compatibility (Home Network):

Router mode: Assisted

Clients use SLAAC; DHCPv6 provides DNS.

Enterprise with Address Tracking:

Router mode: Managed
DHCPv6 Server: Enabled with address range

Note: Breaks Android device connectivity.

SLAAC Only (No DHCPv6):

Router mode: Unmanaged
DHCPv6 Server: Disabled

Clients auto-configure; no centralized DNS control.

Click Save after configuring Router Advertisements.

IPv6 Firewall Rules

Proper IPv6 firewall configuration is essential for security. Unlike IPv4, where NAT provided incidental security through address translation, IPv6 devices are globally addressable. Your firewall rules are your primary defense.

Default pfSense IPv6 LAN Rules

By default, pfSense includes a rule on the LAN interface that allows all IPv4 and IPv6 traffic outbound. Verify this exists:

1. Navigate to Firewall > Rules
2. Click the LAN tab
3. Look for a rule with:
   • Action: Pass
   • Interface: LAN
   • Address Family: IPv6 or IPv6+IPv4
   • Source: LAN net
   • Destination: Any

If this rule exists, your LAN clients can access the internet over IPv6. If it's missing, you'll need to create it.

Essential ICMPv6 Rules

Unlike ICMPv4, which could be largely blocked, ICMPv6 is essential for IPv6 operation. Critical ICMPv6 types include:

• Type 1: Destination Unreachable
• Type 2: Packet Too Big (essential for Path MTU Discovery)
• Type 128: Echo Request (ping)
• Type 129: Echo Response (ping reply)
• Type 133-137: Neighbor Discovery Protocol (NDP)

Good news: pfSense's default rules handle this correctly. The "Default allow LAN to any" rule permits ICMPv6 traffic.

Important: Never completely block ICMPv6. Your IPv6 network will break without it.

WAN IPv6 Firewall Rules

By default, pfSense blocks all unsolicited inbound traffic on the WAN interface (both IPv4 and IPv6). This default-deny approach is secure and recommended.

To verify default WAN rules:

1. Navigate to Firewall > Rules
2. Click the WAN tab
3. You should see minimal rules, typically only for specific services you're hosting

The implicit deny rule blocks everything not explicitly allowed.

Creating Custom IPv6 Rules

To host services accessible over IPv6, create explicit allow rules.

Example: Allow IPv6 HTTP/HTTPS to Web Server

1. Navigate to Firewall > Rules
2. Click the WAN tab
3. Click Add (bottom of list)

Configure:

• Action: Pass
• Interface: WAN
• Address Family: IPv6
• Protocol: TCP
• Source: Any
• Destination: Single host or alias
  • Enter your web server's IPv6 address
  • Example: 2001:db8:1234:5600::10
• Destination Port Range:
  • From: HTTP (80)
  • To: HTTP (80)
• Description: Allow IPv6 HTTP to web server

Click Save and create a second rule for HTTPS (port 443).

Example: Allow IPv6 SSH to pfSense

To access pfSense's SSH over IPv6:

1. Enable SSH under System > Advanced > Admin Access
2. Navigate to Firewall > Rules > WAN
3. Click Add

Configure:

• Action: Pass
• Interface: WAN
• Address Family: IPv6
• Protocol: TCP
• Source: Any (or restrict to specific addresses for security)
• Destination: WAN address
• Destination Port Range: SSH (22)
• Description: Allow IPv6 SSH to pfSense

Best Practices for IPv6 Firewall Rules

1. Default Deny: Never create an "allow all" rule on WAN
2. Least Privilege: Only allow specific ports to specific destinations
3. Use Aliases: Create aliases for frequently used addresses or ports
4. Mirror IPv4 Rules: Your IPv6 security policies should match IPv4
5. Don't Block ICMPv6: Allow essential ICMPv6 types (especially Type 2)
6. Log Suspicious Activity: Enable logging on deny rules during troubleshooting
7. Use Description Fields: Document the purpose of each rule

Firewall Rule Order

pfSense processes rules top-to-bottom, first-match-wins. Order your rules:

1. Block rules (if any specific blocks needed)
2. Allow rules for specific services
3. Default allow LAN to any (bottom of LAN rules)
4. Implicit deny-all (automatic on WAN)

Common Firewall Rule Mistakes

Mistake 1: Blocking All ICMPv6 Never create a rule blocking protocol ICMPv6 entirely. This breaks Path MTU Discovery and Neighbor Discovery.

Mistake 2: Enabling Bogon Blocking on LAN Under Interfaces > LAN, don't check "Block bogon networks" for IPv6. This blocks link-local addresses (fe80::/10) which are essential for Router Advertisements and Neighbor Discovery.

Mistake 3: No Stateful Rules Always use stateful firewall rules (enabled by default in pfSense). The "keep state" option allows return traffic for established connections.

Multiple LAN and VLAN Scenarios

For networks with multiple internal segments (DMZ, guest WiFi, VLANs), each needs its own /64 subnet from your delegated prefix.

Planning Multiple Subnets

Given a /60 delegation (16 subnets available), you might allocate:

• Prefix ID 0: LAN (trusted devices)
• Prefix ID 1: DMZ (servers)
• Prefix ID 2: Guest WiFi
• Prefix ID 3: IoT devices
• Prefix ID 4: Security cameras
• Prefix IDs 5-f: Reserved for future use

For a /56 delegation (256 subnets), you have much more flexibility.

Configuring Additional Interfaces

Example: Setting up DMZ (OPT1) with IPv6

1. Navigate to Interfaces > OPT1 (or your DMZ interface)
2. Enable the interface if not already enabled

IPv6 Configuration:

• IPv6 Configuration Type: Track Interface
• IPv6 Interface: WAN
• IPv6 Prefix ID: 1 (or your chosen prefix ID)

Click Save and Apply Changes.

DHCPv6 for Additional Interfaces

1. Navigate to Services > DHCPv6 Server
2. Click the OPT1 (or DMZ) tab
3. Configure as you did for LAN:
   • Enable DHCPv6 server
   • Set address range (e.g., ::1000 to ::1fff)
   • Configure DNS servers

Router Advertisements for Additional Interfaces

1. Navigate to Services > Router Advertisement
2. Click the OPT1 (or DMZ) tab
3. Set Router mode to your desired mode (typically Assisted or Unmanaged)
4. Click Save

Firewall Rules for Additional Interfaces

For DMZ or guest networks, you typically want to:

• Allow outbound internet access
• Block access to other internal networks
• Allow specific services (if DMZ hosts servers)

Example: Guest WiFi Rules

Navigate to Firewall > Rules > OPT2 (Guest WiFi), then create:

Rule 1: Block access to LAN

• Action: Block
• Address Family: IPv6
• Source: OPT2 net
• Destination: LAN net
• Description: Block guest access to LAN

Rule 2: Block access to DMZ

• Action: Block
• Address Family: IPv6
• Source: OPT2 net
• Destination: OPT1 net
• Description: Block guest access to DMZ

Rule 3: Allow internet access

• Action: Pass
• Address Family: IPv6
• Source: OPT2 net
• Destination: Any
• Description: Allow guest internet access

Order matters - block rules must come before allow rules.

VLAN Configuration with IPv6

For networks using 802.1Q VLANs:

1. Create VLANs under Interfaces > Assignments > VLANs
2. Assign VLAN interfaces under Interfaces > Assignments
3. Configure each VLAN interface with Track Interface and unique Prefix ID
4. Configure DHCPv6 and Router Advertisements per VLAN
5. Create firewall rules per VLAN

Each VLAN gets its own /64 subnet from your delegated prefix, identified by the Prefix ID.

Verification of Multiple Subnets

1. Navigate to Status > Interfaces
2. Verify each interface shows a unique IPv6 address from delegated prefix
3. Example:
   • LAN: 2001:db8:1234:5600::1/64 (prefix ID 0)
   • DMZ: 2001:db8:1234:5601::1/64 (prefix ID 1)
   • Guest: 2001:db8:1234:5602::1/64 (prefix ID 2)

Troubleshooting Common Issues

Issue 1: No IPv6 Address on WAN

Symptoms:

• WAN interface shows no IPv6 address
• Status > Interfaces shows only fe80:: (link-local)

Diagnosis:

1. Navigate to Status > System Logs > System
2. Search for "dhcp6c" messages
3. Check for errors about prefix delegation

Solutions:

• Verify ISP supports IPv6 (contact them to confirm)
• Try different DHCPv6 Prefix Delegation sizes (/60, /56, /48)
• Toggle "Send IPv6 prefix hint" on/off
• Check if your modem has IPv6 enabled
• Reboot cable/DSL modem completely (power cycle)
• Check Status > Interfaces for error messages

Advanced debugging:

# SSH to pfSense and run:
dhcp6c -d -D -c /var/etc/dhcp6c_wan.conf igb0  # Replace igb0 with WAN interface

Look for ISP responses or timeouts.

Issue 2: WAN Has IPv6 but No Delegated Prefix

Symptoms:

• WAN shows IPv6 address
• No prefix delegation information in Status > Interfaces
• LAN has no IPv6 addresses

Diagnosis: Check if any LAN interfaces are configured with Track Interface. pfSense only requests prefix delegation if at least one interface is tracking the WAN.

Solutions:

1. Configure at least one LAN interface with Track Interface
2. Ensure "Request only an IPv6 prefix" is unchecked on WAN
3. Try checking "Send IPv6 prefix hint" on WAN
4. Verify DHCPv6 Prefix Delegation size matches ISP requirement
5. Restart dhcp6c service: Status > Services, restart dhcp6c

Issue 3: LAN Has No IPv6 Addresses

Symptoms:

• WAN shows IPv6 and delegated prefix
• LAN interface shows no IPv6 address or only fe80::

Diagnosis:

• Check LAN configuration is set to Track Interface
• Verify Prefix ID is valid (0 through f for /60, 0 through ff for /56)

Solutions:

1. Navigate to Interfaces > LAN
2. Verify IPv6 Configuration Type is "Track Interface"
3. Verify IPv6 Interface is "WAN"
4. Try Prefix ID 0
5. Click Save and Apply Changes
6. Check Status > Interfaces for updated LAN IPv6 address

Issue 4: Clients Not Getting IPv6 Addresses

Symptoms:

• pfSense has IPv6 on WAN and LAN
• Client devices show no IPv6 address (or only fe80::/10 link-local)

Diagnosis: Check Router Advertisement and DHCPv6 configuration:

1. Navigate to Services > Router Advertisement > LAN
2. Verify Router mode is not "Disabled"
3. Check Services > DHCPv6 Server > LAN
4. Verify DHCPv6 server is enabled (if using stateful mode)

Solutions:

• Set Router mode to Assisted (most compatible)
• Ensure DHCPv6 range is configured properly
• Check firewall rules allow DHCPv6 (ports 546/547)
• Verify client device has IPv6 enabled
• On client, release and renew IPv6 address
• Try rebooting the client device

Client-side testing:

Windows:

ipconfig /release6
ipconfig /renew6
ipconfig /all

Linux:

sudo dhclient -6 -r eth0
sudo dhclient -6 -v eth0
ip -6 addr show

macOS:

sudo ipconfig set en0 AUTOMATIC-V6
ifconfig en0 inet6

Issue 5: Clients Have IPv6 but No Internet Access

Symptoms:

• Clients have IPv6 addresses
• Cannot ping IPv6 addresses (e.g., 2001:4860:4860::8888)
• IPv4 works fine

Diagnosis: Check firewall rules and routing:

1. Navigate to Firewall > Rules > LAN
2. Verify a rule allows LAN IPv6 to any destination
3. Check Diagnostics > States for IPv6 connections

Solutions:

• Verify LAN firewall rule allows IPv6 (protocol IPv6 or IPv6+IPv4)
• Check "Block bogon networks" is NOT enabled on LAN interface
• Test from pfSense itself: Diagnostics > Ping, target 2001:4860:4860::8888
• If pfSense can ping but clients can't, it's a firewall rule issue
• If pfSense can't ping, it's a WAN/ISP routing issue

Issue 6: IPv6 Connectivity is Intermittent

Symptoms:

• IPv6 works sometimes, fails other times
• Connection drops and reconnects

Diagnosis: Check for prefix delegation changes:

1. Navigate to Status > System Logs > System
2. Search for "prefix changed" or "dhcp6c"
3. ISP may be changing your delegated prefix

Solutions:

• Some ISPs change prefixes frequently (poor practice)
• Enable logging: Status > System Logs > Settings, enable DHCPv6 logging
• Contact ISP about prefix stability
• Consider requesting static IPv6 prefix (business account)
• If using dynamic DNS, ensure it updates with prefix changes

Issue 7: DHCPv6 Server Not Handing Out Addresses

Symptoms:

• Clients get SLAAC addresses but not DHCPv6 addresses
• DHCPv6 lease table is empty

Diagnosis: Check Router Advertisement mode and flags:

1. Navigate to Services > Router Advertisement > LAN
2. Check Router mode setting

Solutions:

• Set Router mode to Managed (DHCPv6 only) or Assisted (both)
• Verify DHCPv6 range is properly configured
• Check clients support DHCPv6 (Android does not)
• Force client to request DHCPv6 (renew as shown above)
• Check firewall allows UDP 546/547

Issue 8: "No IPv6 Connectivity" After pfSense Upgrade

Symptoms:

• IPv6 worked before upgrade
• Stopped working after pfSense version upgrade

Solutions:

1. Reboot pfSense: Diagnostics > Reboot
2. Release and renew WAN DHCPv6: Status > Interfaces, click refresh icon
3. Check interface configurations weren't reset
4. Reconfigure Track Interface settings if needed
5. Review release notes for IPv6-related changes

Issue 9: IPv6 DNS Not Working

Symptoms:

• IPv6 connectivity works (can ping addresses)
• Cannot resolve hostnames over IPv6

Diagnosis: Check DNS configuration:

1. Navigate to System > General Setup
2. Verify DNS servers are configured
3. Check if DNS servers support IPv6

Solutions:

• Configure IPv6 DNS servers: Services > DHCPv6 Server > LAN
• Use well-known IPv6 DNS:
  • Google: 2001:4860:4860::8888, 2001:4860:4860::8844
  • Cloudflare: 2606:4700:4700::1111, 2606:4700:4700::1001
• Test DNS from client:

nslookup google.com 2001:4860:4860::8888

• Enable DNS Resolver to handle IPv6: Services > DNS Resolver, ensure it's enabled

Issue 10: pfSense Reboots and IPv6 Breaks

Symptoms:

• IPv6 stops working after pfSense reboot
• Requires manual intervention to restore

Solutions:

1. Wait 2-3 minutes after reboot for DHCPv6 to complete
2. Navigate to Status > Services
3. Restart "dhcp6c" service if it's stopped
4. Check Status > System Logs > System for errors during boot
5. May indicate ISP connectivity issue or configuration problem

Advanced Debugging Commands

SSH into pfSense and use these commands:

# Check WAN DHCPv6 client status
/usr/local/sbin/dhcp6c -d -D -c /var/etc/dhcp6c_wan.conf igb0  # Replace igb0

# Show IPv6 addresses on all interfaces
ifconfig | grep inet6

# Show IPv6 routing table
netstat -rn -f inet6

# Check Router Advertisement daemon
radvdump  # Shows received RAs

# Capture DHCPv6 traffic
tcpdump -ni igb0 -vvv port 546 or port 547  # Replace igb0

# Test IPv6 connectivity from pfSense
ping6 2001:4860:4860::8888

# Show active IPv6 connections
sockstat -6

# Check DHCPv6 server leases
cat /var/dhcpd/var/db/dhcpd6.leases

Testing Your Configuration

After configuring IPv6 on pfSense, thorough testing ensures everything works correctly.

Test 1: Verify pfSense Interfaces

1. Navigate to Status > Interfaces
2. Check WAN interface:
   • IPv6 Address: Should be a global address (2xxx: or 3xxx:)
   • Track6 Prefix Delegation: Should show your delegated prefix
3. Check LAN interface:
   • IPv6 Address: Should be from delegated prefix with ::1
4. Check additional interfaces if configured

Test 2: Verify DHCPv6 Leases

1. Navigate to Status > DHCPv6 Leases
2. Check for client devices receiving addresses
3. Verify addresses are from expected range

Test 3: Check Client IPv6 Addresses

On a client device:

Windows:

ipconfig /all

Look for "IPv6 Address" (not Teredo or 6to4).

Linux:

ip -6 addr show

Look for "scope global" addresses.

macOS:

ifconfig en0 | grep inet6

Verify the address is from your delegated prefix.

Test 4: Connectivity Testing from Client

Ping IPv6 Addresses:

# Windows
ping -6 2001:4860:4860::8888

# Linux/macOS
ping6 2001:4860:4860::8888

Test DNS Resolution:

# Windows
nslookup google.com

# Linux/macOS
dig AAAA google.com

Verify you receive IPv6 (AAAA) records.

Test 5: Comprehensive Online Testing

Use https://test-ipv6.run from a client device on your network. This comprehensive testing tool checks:

• IPv4-only connectivity - Verifies IPv4 still works
• IPv6-only connectivity - Confirms IPv6 is functional
• Dual-stack test - Tests sites with both A and AAAA records
• Protocol preference - Determines which protocol your browser prefers
• Latency comparison - Measures IPv4 vs IPv6 response times
• Overall readiness score - Grades your IPv6 deployment

What to expect:

• 10/10 score with green indicators - Perfect configuration
• Your IPv6 address displayed - Confirms global connectivity
• Dual-stack test passing - Verifies both protocols work

If test-ipv6.run shows failures, it will indicate which specific test failed:

• IPv6 connectivity test failed: Check WAN and LAN configuration
• Dual-stack test failed: Check firewall rules or DNS resolution
• High latency: May indicate ISP routing issues

Test 6: Firewall Rule Verification

1. Navigate to Diagnostics > States
2. Filter by IPv6
3. Verify you see active IPv6 connections
4. This confirms firewall rules are allowing traffic

Test 7: Test from External Network

From a device outside your network with IPv6:

# Test ping (if allowed by firewall)
ping6 your-wan-ipv6-address

# Test hosted services
curl -6 http://[your-wan-ipv6-address]/

# Test SSH (if allowed)
ssh -6 user@your-wan-ipv6-address

Test 8: Check Logs for Errors

1. Navigate to Status > System Logs > System
2. Search for "dhcp6c" or "radvd"
3. Look for errors or warnings
4. Healthy logs show successful prefix delegation and renewals

Best Practices and Recommendations

Security Best Practices

1. Firewall Rules: Maintain strict inbound rules on WAN, allowing only necessary services
2. Don't Block ICMPv6: Allow essential ICMPv6 types (especially Type 2: Packet Too Big)
3. Keep Firmware Updated: Regularly update pfSense for security patches
4. Disable Unused Services: Turn off services you don't need
5. Monitor Logs: Regularly review firewall logs for suspicious activity

Configuration Best Practices

1. Use Track Interface: Prefer Track Interface over static IPv6 for internal networks
2. Assisted Router Mode: Use "Assisted" for maximum client compatibility
3. Longer DHCP Leases: IPv6 allows longer lease times (days or weeks)
4. Document Prefix IDs: Keep a record of which Prefix ID is assigned to which network
5. Test After Changes: Always verify connectivity after configuration changes

Network Design Best Practices

1. One /64 Per Segment: Each LAN/VLAN gets its own /64 subnet
2. Reserve Prefix IDs: Leave room for future network expansion
3. Plan VLANs First: Design VLAN structure before assigning Prefix IDs
4. Static Mappings: Use DHCPv6 static mappings for servers and network devices
5. Separate Guest Networks: Use different Prefix IDs and firewall rules for guest access

Conclusion

Configuring IPv6 on pfSense provides your network with modern internet connectivity, improved security features, and readiness for the future of networking. By following this guide, you've set up:

• WAN interface with DHCPv6 Prefix Delegation
• LAN interface(s) with Track Interface configuration
• DHCPv6 server for client address assignment
• Router Advertisements for gateway discovery
• Proper IPv6 firewall rules
• Support for multiple networks and VLANs

Remember to test your configuration thoroughly using test-ipv6.run and monitor your firewall logs for any issues. IPv6 is essential for the modern internet, and with pfSense properly configured, you're prepared for the growing IPv6-enabled web.

If you encounter issues not covered in this guide, consult the official pfSense documentation at docs.netgate.com or the pfSense community forums at forum.netgate.com.

Additional Resources

• pfSense Official Documentation: https://docs.netgate.com/pfsense/en/latest/
• IPv6 Configuration Types: https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv6.html
• DHCPv6 Server Configuration: https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html
• Router Advertisements: https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6-ra.html
• Firewall Rule Best Practices: https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html
• Test Your IPv6 Connectivity: https://test-ipv6.run