How I Configured IPv6 on My Home Network Using pfSense and an AT&T BGW210 Gateway

Introduction

IPv6 adoption has been steadily growing, and configuring it correctly in a home network can improve gaming, streaming, and overall connectivity. In this post, I’ll walk through how I set up IPv6 on a pfSense router behind an AT&T BGW210 gateway. This setup provides fully functional IPv6 for all devices on the LAN while keeping the network secure.

Network Overview

ISP: AT&T U-verse
Gateway/Modem: AT&T BGW210 (model 700 series)
Router: pfSense 2.7.2-RELEASE
LAN Devices: Mix of macOS, Windows, and smart home devices
IPv6 Goal: Enable full IPv6 connectivity for LAN devices, including gaming and VoIP, with minimal configuration and proper inbound/outbound traffic control.

Key IPv6 Challenges with BGW210

The BGW210 is a typical AT&T gateway, which presents a few unique challenges:

It provides only a single /64 IPv6 subnet to downstream routers in IP Passthrough mode.
It does not support full prefix delegation to multiple LAN subnets.
The WAN interface of pfSense receives a single IPv6 address, and the delegated prefix is “virtual” — pfSense cannot track it automatically.

As a result, a standard Track Interface setup won’t work. Instead, we assign a static IPv6 to the pfSense LAN interface and use Router Advertisements (RA) to let clients auto-configure their own addresses.

pfSense IPv6 Configuration

WAN Interface

IPv6 Configuration Type: DHCP6
Do Not Wait for RA: Checked (required for AT&T)
Prefix Delegation Size: 60 (ignored by AT&T, still recommended)
Send IPv6 Prefix Hint: Checked
IPv4 as Parent: Checked
Firewall Consideration: Allow ICMPv6 inbound (all types recommended for proper connectivity)

LAN Interface

IPv6 Configuration Type: Static IPv6
IPv6 Address: 2600:xxxx:xxxx::1/64 (redacted example)
Router Advertisements (RA) Mode: Assisted
DNS via RA: Enabled, mirrored from DHCPv6

Notes:

Prefix length /64 is required.
Clients receive addresses automatically via SLAAC.
Temporary privacy addresses are generated automatically by macOS, Windows, etc.

Firewall Rules

LAN (Outbound)

Rule Type: Pass
Address Family: IPv4 + IPv6 (combined)
Protocol: Any
Source: LAN net
Destination: Any

WAN (Inbound)

Allow ICMPv6: Protocol ICMP, Type: any (ensures RA, NDP, and PMTU work)
Optional: Specific TCP/UDP ports for gaming or VoIP

NAT is not required for IPv6; firewall rules handle inbound/outbound traffic.

Client Verification (macOS Example)

Open Terminal and run:


ifconfig en0 | grep inet6

Expected output:


inet6 2600:xxxx:xxxx::abcd prefixlen 64 autoconf
inet6 2600:xxxx:xxxx::ef12 prefixlen 64 autoconf temporary
inet6 fe80::xxxx prefixlen 64 scopeid 0xf

Global IPv6 addresses (2600:…) are assigned via RA/SLAAC.
Temporary addresses are for privacy.
fe80:: is the link-local address.

Test connectivity:


ping6 google.com

Additional Settings

I found out also through this page that the AT&T gateway has limited states so we should limit the number of states on pfSense to not go over it.

Set the pfSense state limit in Advanced -> Firewall & NAT -> Firewall Maximum States

to 7500 as suggested

Why This Setup Works

All LAN devices automatically receive a global IPv6 address from the pfSense LAN /64.
ICMPv6 rules ensure proper Neighbor Discovery, Path MTU, and RA messages.
Games and VoIP apps that support IPv6 can connect directly without NAT.
Minimal configuration is required — no manual IP assignment on each device.

Conclusion

Even with AT&T’s BGW210 gateway, which only provides a single /64 and limited prefix delegation, it is possible to configure a fully functional IPv6 LAN using pfSense. The key is to assign a static IPv6 on the LAN interface, enable RA in Assisted mode, and allow ICMPv6 traffic on the WAN.

This setup ensures modern devices get the benefits of IPv6 automatically while keeping your network secure and accessible for gaming and VoIP.

Sarit's Blog

Sunday, November 09, 2025

Configuring IPv6 on pfSense Behind an AT&T BGW210 Gateway