Feature #7204
closed
Router Advertisements: Option to not advertise default routes
Description
I'm using a pfSense appliance in a temporary role mainly to enable "proper" IPv6 support on our network, though it will eventually replace our current firewall. The fact that our pfSense appliance is currently not at the edge of our network is mostly irrelevant to this, but is mentioned in case it is useful.
Currently, our internal network is now running dual-stack IPv4/IPv6, and pfSense's Router Advertisements are used to announce a private prefix (something under fc00::/7). However, neither of our upstream providers supports IPv6 -- and thus we cannot route IPv6 traffic out of our network (IPv6 tunnel providers notwithstanding).
However, pfSense adds a route for ::/0 regardless of how it is configured. This has a few undesirable side effects:
- When Windows clients (and probably others) resolve a domain name that returns a mixture of A/AAAA records, they may favor attempting to use an IPv6 address. However, they seem to be smart enough to ignore that address if they don't have a route to it. Advertising a default route prevents this behavior (from the client's perspective, all IPv6 addresses are reachable).
- It may not be desirable to advertise a default route even if IPv6 is available upstream/via a tunnel provider, depending on network configuration and sysadmin preferences.
I've been able to suppress this behavior on my local install by making minor changes to /etc/inc/services.inc (which generates the radvd.conf file), thus establishing that radvd already has the capabilities to do this -- it's just a matter of having the web interface capable of configuring it.
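Added example (not part of the original report, and not pfSense or radvd code): a Python check over the raw ICMPv6 bytes of a Router Advertisement that reports whether a receiving host would install the sender as a default router, using the RFC 4861 Router Lifetime field and the RFC 4191 Route Information option. The sample packet builder and the prefix fd12:3456:789a:1::/64 are constructed for illustration.

```python
import ipaddress
import struct

ULA = ipaddress.IPv6Network("fc00::/7")

def build_sample_ra(router_lifetime, prefix="fd12:3456:789a:1::", plen=64):
    """Constructed sample RA (ICMPv6 type 134) carrying one Prefix Information option."""
    # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    # option type 3, length 4 (x8 bytes), prefix length, L+A flags, lifetimes, reserved
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return header + pio + ipaddress.IPv6Address(prefix).packed

def inspect_ra(packet):
    """Summarise what a host learns from this RA about default routing."""
    if len(packet) < 16 or packet[0] != 134:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", packet, 6)[0]
    result = {"router_lifetime": router_lifetime,
              "default_router": router_lifetime > 0,  # 0 = not a default router
              "default_route_option": False,
              "prefixes": []}
    offset = 16
    while offset + 2 <= len(packet):
        opt_type, opt_len = packet[offset], packet[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(packet):
            raise ValueError("malformed option")
        body = packet[offset:offset + opt_len]
        if opt_type == 3 and opt_len == 32:      # Prefix Information
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            result["prefixes"].append(str(net))
        elif opt_type == 24 and opt_len >= 8:    # Route Information (RFC 4191)
            route_lifetime = struct.unpack_from("!I", body, 4)[0]
            if body[2] == 0 and route_lifetime > 0:  # ::/0 with a live lifetime
                result["default_route_option"] = True
        offset += opt_len
    nets = [ipaddress.IPv6Network(p) for p in result["prefixes"]]
    result["ula_only"] = bool(nets) and all(n.subnet_of(ULA) for n in nets)
    return result

if __name__ == "__main__":
    for lifetime in (1800, 0):
        print(lifetime, inspect_ra(build_sample_ra(lifetime)))
```

An RA that reports `ula_only` as true together with `default_router` as true matches the situation in the description: hosts are told the router reaches all of IPv6 while only a private prefix is actually served.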
Updated by Kill Bill over 8 years ago
Sounds like another duplicate of Bug #6237