Bug #8435


DHCPv6 unusable in certain circumstances (US AT&T Fiber, etc.)

Added by Justin Coffman almost 5 years ago. Updated 8 months ago.


pfSense's implementation of DHCPv6 prefix delegation is unusable in edge ISP configurations. AT&T Fiber in the United States, for example, commits the entire /60 to the customer's on-premises gateway, even if the gateway is bypassed (as it can be). The pfSense appliance behind the gateway can only request delegation for one /64 at a time, even if multiple /64s are to be delegated. In other words, if I have four LAN subnets, I would need to request four separate /64s from the gateway, rather than a single /62 to then be doled out by the pfSense firewall.

Unfortunately, pfSense only allows for a single delegated prefix over the WAN. If a /63, /62, /61, etc. is configured, it is ignored by the gateway. The problem is that setting a prefix length of /64 for DHCPv6 on WAN means that only a single LAN interface can be given that delegated prefix. There is no configuration structure within pfSense (that I have found) that allows one to individually request a /64 prefix for EACH so-configured LAN interface.

#1

Updated by Jim Pingle over 3 years ago

  • Category set to Interfaces
#2

Updated by Nathan Ollerenshaw 8 months ago

Can confirm; there is a workaround that was documented in the forums.

# dhcp6c.conf: one "send ia-pd N" per delegation requested on the WAN (igb3)
interface igb3 {
        send ia-na 0;
        send ia-pd 0;
        send ia-pd 1;
        request domain-name-servers;
        request domain-name;
        script "/var/etc/";
};
id-assoc na 0 { };
# one "id-assoc pd N" per "send ia-pd N", each mapping its /64 to a LAN interface
id-assoc pd 0 {
        prefix-interface igb1 {
                sla-id 0;
                sla-len 0;
        };
};
id-assoc pd 1 {
        prefix-interface igb2 {
                sla-id 0;
                sla-len 0;
        };
};

A "send ia-pd" stanza for each delegation you want, and an equivalent "id-assoc" entry.

Note that if you want this to work with NPt you need to remove the prefix-interface sections for each id-assoc. That will claim the PD but not assign it to an interface, so you can do NPt as normal.

I suggest adding a tickbox to the ui that says "Enable for AT&T Fiber" with some kind of snarky comment as the helptext about how AT&T doesn't know what they're doing.
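The workaround above is one hand-written instance of a general pattern: one "send ia-pd N" stanza on the WAN interface and one matching "id-assoc pd N" block per LAN interface, with "sla-len 0" because each delegation is a bare /64. The following added example (not code from the ticket or from pfSense) generates such a dhcp6c.conf for any number of LAN interfaces, optionally omitting the prefix-interface sections for the NPt variant described above, and checks the result for the mistakes that are easy to make by hand (mismatched IA_PD ids, unbalanced braces). The interface names and the script path are assumed placeholders; the real path in the comment above is truncated and is not reconstructed here.

```python
"""Generate and sanity-check a dhcp6c.conf that requests one /64 IA_PD per LAN.

Added example; hypothetical helper, not part of pfSense or of the ticket.
"""
import re
from typing import Dict, Sequence


def dhcp6c_conf(wan_if: str, lan_ifs: Sequence[str], script: str,
                assign_to_interface: bool = True) -> str:
    """Return dhcp6c.conf text requesting len(lan_ifs) separate /64 delegations.

    assign_to_interface=False drops the prefix-interface sections, which claims
    each PD without assigning it to an interface (the NPt variant).
    """
    lines = [f"interface {wan_if} {{", "        send ia-na 0;"]
    # one send ia-pd N per LAN interface; ids are 0..n-1
    for ia_id in range(len(lan_ifs)):
        lines.append(f"        send ia-pd {ia_id};")
    lines += [
        "        request domain-name-servers;",
        "        request domain-name;",
        f'        script "{script}";',
        "};",
        "id-assoc na 0 { };",
    ]
    # matching id-assoc pd N block for every send ia-pd N above
    for ia_id, lan in enumerate(lan_ifs):
        lines.append(f"id-assoc pd {ia_id} {{")
        if assign_to_interface:
            lines += [
                f"        prefix-interface {lan} {{",
                "                sla-id 0;",
                "                sla-len 0;",   # /64 delegated, so no SLA bits
                "        };",
            ]
        lines.append("};")
    return "\n".join(lines) + "\n"


def check_conf(conf: str) -> Dict[str, object]:
    """Count the stanzas that must line up and confirm the braces balance."""
    send_ids = set(re.findall(r"^\s*send ia-pd (\d+);", conf, re.M))
    assoc_ids = set(re.findall(r"^id-assoc pd (\d+) \{", conf, re.M))
    return {
        "send_ia_pd": len(send_ids),
        "id_assoc_pd": len(assoc_ids),
        "ids_match": send_ids == assoc_ids,
        "prefix_interface": len(re.findall(r"prefix-interface \S+ \{", conf)),
        "balanced": conf.count("{") == conf.count("}"),
    }


if __name__ == "__main__":
    # constructed sample: WAN on igb3, four LAN subnets as in the report
    text = dhcp6c_conf("igb3", ["igb1", "igb2", "igb4", "igb5"],
                       "/path/to/dhcp6c-script.sh")  # placeholder path
    print(text)
    print(check_conf(text))
```

Feeding the generated text to dhcp6c in place of the file pfSense writes is the same manual step the comment above describes; the generator only removes the copy-and-paste errors, it does not change what the gateway will accept.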

