These instructions are adapted from the original document, http://iserv.nl/files/pfsense/ipv6/
Hello, welcome to the page detailing the process of getting experimental IPv6 support in pfSense 2.0 working.
IPv6 support is currently not available in pfSense 2.0, The code detailed below is RELEASE CANDIDATE quality software, it mostly complete but is still a work in progress.
There are some IPv6-ready 2.1-RC images with IPv6 support at http://snapshots.pfsense.org
If you upgraded your installation from 2.0.x or before to 2.1, you must enable IPv6 support by navigating to System > Advanced on the Networking tab, and checking "Allow IPv6". New 2.1 installs have this option enabled by default.
ICMP is required for IPv6 to work. If you have a firewall in place on your clients, make sure that ICMP over IPv6 is allowed.
If using a tunnel broker account, be sure to pick a provider as close to you as possible. Latency can be a killer and will creep up in strange ways.
[removed a bunch of gitsync bits]
Since recent changes in 2.1 make gitsync harmful to come from 2.0.x (binary changes are required), download a new snapshot/upgrade file from http://snapshots.pfsense.org/
I am assuming here that you have already registered for an account with Hurricane Electric or Sixxs on http://www.tunnelbroker.net or www.sixxs.net. After registering an account and getting your first /64 IPv6 assigned you can set up the gif tunnel on the pfSense side.
Don't forget that you will need to enable ICMP on the WAN interface, if you block ICMP the tunnelbroker will not allow you to set up a tunnel. The source IP on this rule should be the remote endpoint IP of your gif tunnel, or 'any'.
Now you can navigate to the assign gif interfaces screen on pfSense where you can enter the address information from Hurricane Electric. In some themes, go to Interfaces > (assign) and then click the GIF tab.
Note that you can use either 128 or 64 for the prefix lengh. Some people have had issues with /64, some have issues with /128, but in most cases, either should work. If you have trouble with one, try the other, but be sure to match it up with the config you use below.
Enter a description and save
Note: If you are attaching a tunnel to a dynamic WAN IP, look at "Keep your Tunnel Endpoint Up-To-Date" later in this document.
You can the press + on the interfaces assign screen where it will be shown as a OPT interface. In this example, the OPT interface is named HeNetV6.
With the OPT interface now assigned you can enable the OPT interface from the Interfaces menu and assign the IPv6 bits.
Here you should use the HE "Client IPv6 address" as the interface IPv6 address. You can use a subnet mask of /64 here. You can also use /128 if you chose that on the GIF interface. Some people have had problems using /128, others have had problems using /64. If one doesn't work for you, try the other, but be sure to adjust the mask on the GIF cofiguration as well. Typically one would want 128 bits as it is a tunnel link. This prevents fe80:: link local addresses from appearing on the link.
The screenshot below shows the already assigned the gateway. You can add a gateway by clicking the "add a new one" link.
Now you need to edit the IPv6 gateway created in the last step, and select the default gateway bit since this will most likely be your IPv6 default gateway.
It should now be listed as online
You can set up the LAN interface for a combined static ipv4 and ipv6 network. What you need to enter on the LAN IPv6 address is a address in the "Routed /64" subnet that you got from HE. You will need to request another /64 from Sixxs after getting your tunnel working. It is important to note that the routed /64 range is different from the tunnel /64!
The example below uses ::1 as that is the easiest by far. Anything in the routed subnet works.
Of course you want the computers on the LAN to automatically pick up the IPv6 Address instead of assiging it manually. Go to the DHCPv6 Service page. (Services > DHCPv6)
It has a mode option where you can select what sort of router advertisements should be sent. Either unmanaged (advertise only), managed (dhcp6 only) or assisted (use stateless address with dhcp for the dns)
Now go to Firewall > Rules on the LAN tab, and add a rule to pass IPv6 traffic out from LAN to any, just like the rule you have for IPv4.
Without an IPv6 allow rule, no traffic will get out.
At this point your LAN client should now pick up a IPv6 Address and find the pfSense router as it is now advertising itself on the LAN. You can check with http://test-ipv6.com if your connection is succesfully detected.
If you have a dynamic IP on the WAN connecting the tunnel, you can use the "HE.net Tunnelbroker" DynDNS type to update it when your IP changes.
To set that up:
You can find more information about the IPv6 support in the pfSense forum at http://forum.pfsense.org/index.php/board,52.0.html
World IPv6 Day may have passed, but now you can make every day IPv6 day.
Adapted from http://iserv.nl/files/pfsense/ipv6/