Configuring IPv6 in pfSense - Complete Guide
IPv6 in pfSense operates alongside IPv4 in dual-stack mode: both protocols function simultaneously on the same interfaces. IPv6 configuration involves three main stages: configuring the WAN interface to obtain an IPv6 address and prefix from the ISP, setting up the LAN interface to distribute addresses to clients, and creating firewall rules for IPv6 traffic.
Before starting, confirm that your ISP provides IPv6 connectivity and determine the connection type (native DHCPv6, PPPoE with IPv6, tunnel). Also verify that IPv6 is not globally disabled in pfSense: System - Advanced - Networking, the Allow IPv6 option must be checked.
WAN IPv6 Connection Types
Static IPv6
Used when the ISP assigns a fixed IPv6 address and prefix. Configuration:
- Navigate to Interfaces - WAN
- Under IPv6 Configuration Type, select Static IPv6
- Enter:
- IPv6 Address - the WAN interface address (e.g., 2001:db8::2/64)
- IPv6 Upstream Gateway - the ISP gateway address (e.g., 2001:db8::1)
- Save and apply changes
Static configuration is appropriate for data centers and organizations with a dedicated IPv6 prefix (/48 or /56).
DHCPv6
The most common connection type for residential and enterprise users. pfSense requests an IPv6 address and delegated prefix via DHCPv6:
- Navigate to Interfaces - WAN
- Under IPv6 Configuration Type, select DHCPv6
- Configure DHCPv6 parameters:
- DHCPv6 Prefix Delegation size - the size of the requested prefix. Typical values: /56 (256 /64 subnets), /60 (16 /64 subnets), /64 (single subnet). Set the value matching your ISP’s offering
- Send IPv6 prefix hint - enable to request a specific prefix size
- Do not wait for a RA - enable if the ISP does not send a Router Advertisement before DHCPv6
Important: the Prefix Delegation size must exactly match what the ISP provides. If the ISP delegates /56 but you request /48, delegation will fail. When the size is unknown, try /64, then /60, then /56.
SLAAC
Stateless Address Autoconfiguration - pfSense forms its IPv6 address based on Router Advertisements from the upstream router:
- Navigate to Interfaces - WAN
- Under IPv6 Configuration Type, select SLAAC
SLAAC does not support prefix delegation, so LAN clients will not automatically receive global IPv6 addresses. SLAAC on WAN is suitable when pfSense acts as an end device rather than an IPv6 router.
6to4
A tunneling mechanism that encapsulates IPv6 within IPv4. Used when the ISP does not provide native IPv6:
- Navigate to Interfaces - WAN
- Under IPv6 Configuration Type, select 6to4 Tunnel
pfSense automatically generates an IPv6 address based on the WAN IPv4 address. The 2002::/16 prefix is reserved for 6to4.
Limitation: 6to4 is considered deprecated (RFC 7526). Performance depends on the nearest 6to4 relay and can be unreliable. Consider a tunnel broker as a more dependable alternative.
6rd (IPv6 Rapid Deployment)
An ISP-managed extension of 6to4. The ISP provides 6rd tunnel parameters:
- Navigate to Interfaces - WAN
- Under IPv6 Configuration Type, select 6rd Tunnel
- Enter the ISP-provided parameters:
- 6rd Prefix - the IPv6 prefix from the ISP
- 6rd Border Relay - the ISP relay address
- 6rd IPv4 Prefix Length - the IPv4 prefix length
Tunnel Broker
Hurricane Electric (tunnelbroker.net) and other tunnel providers offer free IPv6 tunnels:
- Register at tunnelbroker.net and create a tunnel
- In pfSense, navigate to Interfaces - Assign - GIFs
- Create a GIF interface:
- Parent Interface - WAN
- GIF Remote Address - the HE server IPv4 address
- GIF Tunnel Local Address - your tunnel IPv6 address (Client IPv6 Address)
- GIF Tunnel Remote Address - the HE server IPv6 address (Server IPv6 Address)
- Assign the created GIF interface as a new interface (Interfaces - Assign)
- Configure the IPv6 gateway through this interface
- Use the routed /48 or /64 from HE for LAN subnets
LAN IPv6 Configuration
Router Advertisements (RA)
Router Advertisements are the primary IPv6 autoconfiguration mechanism on LAN. Configuration:
- Navigate to Services - Router Advertisements
- Select the LAN interface
- Configure the RA mode:
| Mode | Description | When to Use |
|---|---|---|
| Router Only | Advertises this router only, no address distribution | When addresses are assigned statically |
| Unmanaged | SLAAC without DHCPv6 | Simple networks without need for DNS/NTP from DHCPv6 |
| Managed | DHCPv6 only, no SLAAC | Full address control through DHCPv6 |
| Assisted | SLAAC + DHCPv6 for additional parameters | Recommended for most networks |
For the Assisted mode (most versatile):
- Clients obtain IPv6 addresses via SLAAC
- DNS servers and other parameters are delivered via DHCPv6
- Ensures compatibility with Android devices (which do not support DHCPv6 for addressing)
Track Interface
If WAN receives a delegated prefix via DHCPv6, use Track Interface to automatically assign a subnet to LAN:
- Navigate to Interfaces - LAN
- Under IPv6 Configuration Type, select Track Interface
- Configure:
- IPv6 Interface - select WAN (or the interface with DHCPv6)
- IPv6 Prefix ID - the subnet identifier (0 for the first, 1 for the second, etc.)
With a delegated /56 prefix on WAN, each LAN interface receives a /64 subnet from that prefix. The Prefix ID determines which specific /64 subnet is assigned.
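The Prefix ID arithmetic described above, as an added example (not pfSense code). The function names and the `2001:db8:1200::/56` delegation are constructed for illustration; the Prefix ID is taken as an integer.

```python
import ipaddress

def track_interface_subnet(delegated, prefix_id):
    """Return the /64 a LAN interface gets for a Prefix ID under a delegated prefix."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; no LAN subnet fits")
    max_id = (1 << (64 - pd.prefixlen)) - 1      # /56 -> 255, /60 -> 15, /64 -> 0
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"Prefix ID {prefix_id} outside 0..{max_id} for {pd}")
    # The Prefix ID fills the bits between the delegated length and bit 64.
    base = int(pd.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def plan(delegated, assignments):
    """Map interface name -> /64, refusing two interfaces with the same Prefix ID."""
    owner, subnets = {}, {}
    for ifname, prefix_id in assignments.items():
        if prefix_id in owner:
            raise ValueError(f"{ifname} and {owner[prefix_id]} share Prefix ID {prefix_id}")
        owner[prefix_id] = ifname
        subnets[ifname] = track_interface_subnet(delegated, prefix_id)
    return subnets

if __name__ == "__main__":
    # Constructed delegation and interface names.
    for name, net in plan("2001:db8:1200::/56", {"LAN": 0, "GUEST": 1, "DMZ": 0x10}).items():
        print(f"{name:6} {net}")
```

A /64 delegation leaves room for Prefix ID 0 only, which is why a second tracked interface gets no subnet in that case.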
DHCPv6 Server
For managed addressing (Managed RA) or delivering additional parameters (Assisted RA):
- Navigate to Services - DHCPv6 Server & RA
- Select the LAN interface
- Enable DHCPv6 Server
- Configure the address range and parameters:
- Range - the address range for dynamic assignment
- DNS Servers - IPv6 DNS server addresses (leave blank to use the pfSense address)
- Domain Search List - the DNS search domains delivered to clients
Dual-Stack Configuration
In dual-stack mode, pfSense handles IPv4 and IPv6 traffic simultaneously. Key considerations:
- Each interface has independent IPv4 and IPv6 settings
- Firewall rules are separated: distinct tabs for IPv4, IPv6, and IPv4+IPv6
- NAT applies only to IPv4. For IPv6, use NPt (Network Prefix Translation) if needed
- DNS Resolver serves queries over both protocols automatically
- Gateways for IPv4 and IPv6 are configured independently
For proper dual-stack operation, ensure:
- Both protocols are configured on WAN and LAN
- Default gateways are configured for both protocols (System - Routing)
- DNS servers are specified for both protocols (System - General Setup)
- Firewall rules permit required traffic for both protocols
IPv6 Firewall Rules
IPv6 firewall rules are managed on the same interface tabs but filtered separately. When creating a rule, select the Address Family:
- IPv4 - rule applies to IPv4 traffic only
- IPv6 - rule applies to IPv6 traffic only
- IPv4+IPv6 - rule applies to both protocols
Required IPv6 Rules
For proper IPv6 operation on LAN, create the following rules:
- Allow ICMPv6: IPv6 is critically dependent on ICMPv6 (NDP, Path MTU Discovery). Blocking ICMPv6 breaks IPv6 connectivity
Action: Pass
Interface: LAN
Address Family: IPv6
Protocol: ICMPv6
Source: LAN net
Destination: any
- Allow outbound traffic: basic rule for LAN client internet access over IPv6
Action: Pass
Interface: LAN
Address Family: IPv6
Protocol: any
Source: LAN net
Destination: any
Warning: IPv6 does not use NAT by default. Every device on the LAN receives a globally routable address. The firewall is the only layer of protection. Design IPv6 rules carefully, particularly on the WAN interface.
Blocking Inbound IPv6
By default, pfSense blocks all inbound traffic on WAN (implicit deny). For IPv6, this means external hosts cannot initiate connections to your LAN devices despite those devices having global addresses. This behavior mirrors the effect of NAT in IPv4 but is implemented purely through the firewall.
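A small rule review that checks the two points above, as an added example (not part of pfSense): it reads rules written in this page's "Field: value" notation, confirms LAN passes ICMPv6, and flags WAN pass rules that open IPv6 from any source to the whole LAN. The sample rules are constructed, and rule ordering and block rules are not modelled.

```python
# Rules use this page's "Field: value" notation, one blank line between rules.
V6_FAMILIES = {"ipv6", "ipv4+ipv6"}

def parse_rules(text):
    """Parse blank-line-separated 'Field: value' blocks into dicts."""
    rules = []
    for block in text.strip().split("\n\n"):
        rule = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")   # split on the first ':' only
            rule[key.strip().lower()] = value.strip().lower()
        rules.append(rule)
    return rules

def is_v6_pass(rule, interface):
    return (rule.get("action") == "pass"
            and rule.get("interface") == interface
            and rule.get("address family") in V6_FAMILIES)

def audit(rules):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not any(is_v6_pass(r, "lan") and r.get("protocol") in ("icmpv6", "any")
               for r in rules):
        findings.append("LAN: ICMPv6 not passed; NDP and Path MTU Discovery break")
    for r in rules:
        if (is_v6_pass(r, "wan") and r.get("source") == "any"
                and r.get("destination") in ("any", "lan net")):
            findings.append(f"WAN: {r.get('protocol')} from any to "
                            f"{r.get('destination')} reaches every global LAN address")
    return findings

SAMPLE = """\
Action: Pass
Interface: LAN
Address Family: IPv6
Protocol: ICMPv6
Source: LAN net
Destination: any

Action: Pass
Interface: WAN
Address Family: IPv4+IPv6
Protocol: TCP
Source: any
Destination: LAN net
"""
print(audit(parse_rules(SAMPLE)))
```

Narrowing the WAN rule's destination to the single host that needs exposure clears the finding.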
NPt (Network Prefix Translation)
NPt translates IPv6 prefixes, similar to 1:1 NAT in IPv4. Use cases:
- Masking the internal IPv6 prefix when changing ISPs
- Providing stable internal addresses when using dynamic prefixes from the ISP
- Multihoming with multiple ISPs
NPt configuration:
- Navigate to Firewall - NAT - NPt
- Add a rule:
- Interface - WAN
- Internal IPv6 Prefix - ULA prefix of your internal network (e.g., fd00:1::/64)
- Destination IPv6 Prefix - global prefix from the ISP
NPt does not modify packet contents beyond the addresses, so it does not break protocols sensitive to NAT.
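The prefix swap an NPt rule performs, as an added example (not pfSense code): plain prefix substitution in both directions, without the checksum-neutral adjustment defined in RFC 6296. The two ISP prefixes are constructed documentation addresses, and requiring equal prefix lengths is an assumption of this sketch.

```python
import ipaddress

def npt_translate(addr, from_prefix, to_prefix):
    """Replace from_prefix with to_prefix on addr, keeping the remaining bits."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        # Assumption of this example: a 1:1 mapping needs equal-length prefixes.
        raise ValueError(f"{src} and {dst} differ in length")
    address = ipaddress.IPv6Address(addr)
    if address not in src:
        return address                       # rule does not match: unchanged
    low_bits = int(address) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | low_bits)

INTERNAL = "fd00:1::/64"             # ULA prefix used in the text
ISP_A = "2001:db8:a:1::/64"          # constructed global prefixes
ISP_B = "2001:db8:b:1::/64"

def outbound(host, isp_prefix):
    """Source address as seen on the WAN side."""
    return npt_translate(host, INTERNAL, isp_prefix)

def inbound(addr, isp_prefix):
    """Destination address as delivered to the LAN side."""
    return npt_translate(addr, isp_prefix, INTERNAL)

if __name__ == "__main__":
    host = "fd00:1::1234"
    print(host, "->", outbound(host, ISP_A), "via ISP A")
    print(host, "->", outbound(host, ISP_B), "after switching to ISP B")
    print(outbound(host, ISP_A), "->", inbound(outbound(host, ISP_A), ISP_A))
```

The internal address stays the same across the ISP change, and because the mapping is reversible for every host, the WAN firewall rules still decide what is reachable from outside.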
Troubleshooting IPv6
No IPv6 Connectivity
If LAN clients do not receive IPv6 addresses or have no IPv6 connectivity:
- Check WAN: Status - Interfaces. Verify the WAN interface has received an IPv6 address and gateway
- Check prefix delegation: Status - Interfaces - WAN, look for the Delegated Prefix line. If the prefix is absent, the issue is with DHCPv6 from the ISP
- Check RA: Services - Router Advertisements. Ensure the mode is not set to Disabled
- Check rules: verify ICMPv6 is permitted on LAN
- Test from pfSense: Diagnostics - Ping, select WAN IPv6 address as source, ping 2001:4860:4860::8888 (Google DNS IPv6)
Prefix Delegation Issues
If WAN obtains an IPv6 address but prefix delegation fails:
- Verify the requested prefix size matches the ISP’s offering
- Enable the Send IPv6 prefix hint option on WAN
- Try enabling Do not wait for a RA - some ISPs do not send RA
- Check DHCPv6 logs: Status - System Logs - DHCPv6
- Contact the ISP to confirm the supported Prefix Delegation size
Clients Have Addresses but No Connectivity
If clients have IPv6 addresses but cannot reach the internet:
- Check the IPv6 default route: Diagnostics - Routes, IPv6 tab. Confirm the default route (::/0) exists and points to the WAN gateway
- Check LAN rules: ensure rules allow IPv6 traffic from LAN net
- Check MTU: Path MTU Discovery relies on ICMPv6 Packet Too Big messages. If ICMPv6 is blocked, MTU negotiation fails and packets are lost
For additional firewall rule details, see the pfSense firewall rules section. For general diagnostic procedures, refer to the troubleshooting guide. VLAN configuration with IPv6 is covered in the VLAN section.