I think I found the problem.
I had an IKEA DIRIGERA hub on the network. It's used for the remote to my daughter's closet lighting to work.
Safe to say, IPv6 is probably not IKEA's strong suit; it is announcing itself as a router and sending RA to that effect on the network.
My private IPv6 prefix is on fd02, but I saw strange new prefixes such as fd09 and fd11 popping up on the network (this was not happening on OPNsense for some reason).
But as I got no leads here (no worries), I then switched back to the new pfSense 2.8.
While IPv6 worked there out of the box, sort of, I had issues there too.
It still handled its own gateways and LAN and WAN correctly; it was just clients being misled.
I got my first hint as static IPv6 settings worked, but DHCP clients got bogus addresses.
But I also got fd09 and fd11 on a machine with static IPv6, so obviously it wasn't DHCP; it was RAs.
But I saw rogue private IPv6 prefixes being announced on the net.
Finally tracked it down using Wireshark.
Turned it off and the problems went away once the addresses became stale.
As that killed the lighting, I then moved it to another IP net I have.
I have two physical nets; one behind the firewall (now again pfSense I am sad to say), and one behind my ISP's router (I need it for TV services etc).
So it is now mucking up IPv6 there too, but to no ill effect; it's not needed there/I don't care.
So this all told me it's time to get an L3 switch with VLANs and do some network segmentation.
But it also sort of hints it's not really a good idea that a firewall loses its primary function due to rogue RAs, allowing another device to usurp the gateway like that. At least not without some sort of config for it imo.
That said, sorry for going back to pfSense.
Will try out the new stuff in 2.8; might be back soon.
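
Added example, not part of the original post: a small Python check of the kind of inspection done by hand in Wireshark above. It parses an ICMPv6 Router Advertisement body and reports a sender or Prefix Information option that is not on an allowlist. The link-local addresses, the /64 prefixes, the `fd02::/16` allowlist and all function names are constructed for the demo.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option

def parse_ra(icmp6: bytes):
    """Return (router_lifetime, [(prefix, valid_lifetime, slaac_flag), ...])."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", icmp6, 6)[0]
    prefixes, off = [], 16                      # options follow the 16-byte header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid = struct.unpack_from("!BBI", icmp6, off + 2)
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen), strict=False)
            prefixes.append((net, valid, bool(flags & 0x40)))  # 0x40 = A (SLAAC) flag
        off += opt_len
    return router_lifetime, prefixes

def audit_ra(source, icmp6, allowed_routers, allowed_prefixes):
    """List reasons this RA does not match the expected router and prefixes."""
    lifetime, prefixes = parse_ra(icmp6)
    findings = []
    if source not in allowed_routers:
        findings.append(f"unexpected router {source} (router lifetime {lifetime}s)")
    for net, valid, slaac in prefixes:
        if not any(net.subnet_of(p) for p in allowed_prefixes):
            findings.append(f"unexpected prefix {net} from {source} (SLAAC={slaac}, valid {valid}s)")
    return findings

def build_ra(prefix, router_lifetime=1800, valid=86400, preferred=14400):
    """Build a constructed sample RA body carrying one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, valid, preferred, 0)
    return hdr + opt + net.network_address.packed

# Constructed sample values: link-local sources and /64s are assumptions for the demo.
ROUTERS = {"fe80::1"}
PREFIXES = [ipaddress.IPv6Network("fd02::/16")]

if __name__ == "__main__":
    for src, pfx in [("fe80::1", "fd02:0:0:1::/64"), ("fe80::abcd", "fd09:0:0:1::/64")]:
        print(src, audit_ra(src, build_ra(pfx), ROUTERS, PREFIXES) or "ok")
```

The `icmp6` argument is the ICMPv6 payload only (starting at the type byte), so a live capture would need the Ethernet and IPv6 headers stripped first.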