@quux Hello, thank you for your reply. Yes, IPv6-ICMP is allowed in and out. I even tried to allow in/out INET6 without success.
But I just found the explanation and the solution.
My PF setup is correct.
As I installed #wireguard, I must set gateway_enable="YES" and ipv6_gateway_enable="YES" in /etc/rc.conf.
This last setting sets net.inet6.ip6.forwarding to 1 (sysctl). But this setting blocks the automatic IPv6 gateway setting obtained via IPv6 SLAAC. Even with #pf disabled in /etc/rc.conf but with only ipv6_gateway_enable="YES", IPv6 is correctly set but no IPv6 gateway is set. I cannot ping6 or curl an IPv6 URL.
To bypass this, I must add ipv6_gateway_router="<IPv6-router-address>" in /etc/rc.conf.
#freebsd #ipv6 #slaac #wireguard #pf #bsdcafe
#wireguard #pf #freebsd #ipv6 #slaac #bsdcafe
Anyone have thoughts on what might prevent #SLAAC from working on a network for which stateful #ipv6 address configuration works just fine? Details are in https://unix.stackexchange.com/q/725361/4989 if you're curious.
The target system is obviously seeing router advertisements and configures the correct default route. Router advertisements have the "A" flag set, and the "accept_ra" sysctl is "2" for this interface.
It's one thing setting up #IPv6 the way you want it, but having #FreeBSD jails on the bridge whose member is egress was another level for me. First, having #DHCPv4, #DHCPv6 and #SLAAC on the same network was somewhat hard to achieve. Then came filtering. The hard part about it is how to drop everything on the host, but not drop packets which flow towards jails. After a while, I learned PF has <self>. And then I learned that fe80::/10 is special, and in what way it is special. The result is the current pf.conf template I came up with: https://github.com/cbsd/reggae/blob/master/templates/pf.conf
When all that started working, I wanted my isc-dhcpd and isc-dhcpd6 to register A and AAAA records in nsd. The result of that effort is https://github.com/cbsd/reggae/blob/master/templates/reggae-register.sh and it is far from perfect. I set myself a goal of not using anything outside base OS, so it took a while to handle IPv6 addresses.
If you're asking yourself why I did all this, it's because I wanted to learn about dual stack and what the problems are. I am by no means a network engineer, only a sysadmin who decided to learn more about networking.
#ipv6 #freebsd #DHCPv4 #dhcpv6 #slaac
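The three points in the post above (pass Neighbor Discovery on the link, drop what is aimed at the host via PF's `self` keyword, still pass what is bridged towards the jails) as an added pf.conf sketch. It is not the reggae template linked in the post. The interface name and the 2001:db8 jail prefix are placeholders, and it assumes vnet jails with their own network stack bridged behind the egress NIC.

```pf
# Added example, not the reggae project's pf.conf. Placeholders: replace
# the interface and the documentation prefix with your own values.
ext_if   = "vtnet0"                # egress NIC, member of the jail bridge
jail_net = "2001:db8:cafe:1::/64"  # constructed prefix used by the jails

set skip on lo0

# 1. Neighbor Discovery. SLAAC, DAD and router discovery all ride on these
#    ICMPv6 types, and DAD solicitations even come from the unspecified
#    source ::, so no source filter is applied. Link-local fe80::/10 traffic
#    never crosses a router, which is why passing it stateless is acceptable.
pass quick inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routersol, routeradv } no state

# Path MTU discovery and error signalling must survive too, or IPv6 breaks
# in ways that look like random connection hangs.
pass quick inet6 proto ipv6-icmp icmp6-type { toobig, unreach, timex, paramprob }

# 2. Everything addressed to the host itself is dropped. "self" expands to
#    every address configured on this host's own interfaces.
block in log on $ext_if inet6 to self

# 3. Addresses of vnet jails live in the jails' own stacks, so they are not
#    part of "self" and can be passed on their own. With non-vnet jails the
#    addresses are aliases on the host and rule 2 would swallow them.
pass in  on $ext_if inet6 to $jail_net keep state
pass out on $ext_if inet6 keep state
```

Rule order matters: the two `quick` rules win immediately, and for everything else PF applies the last matching rule, so the `block ... to self` line is overridden only by the explicit jail pass that follows it. Load with `pfctl -nf /etc/pf.conf` first to syntax-check before `pfctl -f`.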
- #RFC7217: A Method for Generating Semantically Opaque Interface Identifiers with #IPv6 Stateless Address Autoconfiguration (#SLAAC) https://www.bortzmeyer.org/7217.html https://wiki.archlinux.org/index.php/IPv6#Stable_private_addresses
- #RFC7721: #Security and #Privacy Considerations for #IPv6 Address Generation Mechanisms https://tools.ietf.org/html/rfc7721
- A Brief #History of Recent Advances in #IPv6 #Security, Part I: Addressing https://www.si6networks.com/2020/08/06/a-brief-history-of-recent-advances-in-ipv6-security-part-i/
#history #privacy #security #RFC7721 #slaac #ipv6 #rfc7217