There are a few ways to do this. I think the simplest, if you have the PCIe slot room, would be to buy an Ethernet card that supports 10/5/2.5/1GbE network speed negotiation.
But since I only have one real usable slot in my pfSense machine, and I need 10G for LAN, I opted for a dual-port Mellanox ConnectX-3 SFP card that I purchased off of eBay for $21 USD. An incredible buy. I would definitely recommend putting a fan on the heatsink if you have room; blowing air across the card is even better, because it helps cool the SFP modules themselves. This matters especially with Ethernet modules, which run hotter than fiber modules.
Per the previous guide, I updated my /conf/dhcp6_att.conf to replace interface re0 with interface mlxen1 (use process of elimination or check ifconfig to determine which slot is which). What the bracket of the card calls port 0 was actually my mlxen1 interface, in this case.
In pfSense, you will see it negotiate as 10Gbase-CX4. The speed of the port does not matter, assuming it supports your standard 1G/10G SFP+ port speeds. The module is what matters. The module’s SFP end will interface with the port at 10Gbase-CX4, and the Ethernet side of the module will interface with your modem at 5Gbase-T. You’ll have to log in to your AT&T modem to confirm the speed of the client (under Device > Device List). Make sure you’re connected to the 5G port on the back of your AT&T BGW320!
As I only pay for the 1G plan, I am at least now able to pull the full speed.
I’ve spent the last few days making this work properly across multiple VLANs, because AT&T does NOT even REMOTELY conform to any kind of industry standard for dishing out IPv6 blocks or addresses.
Normally your WAN would receive a /56 block from an ISP, giving you 00-FF in blocks to assign off of that. And everything you read online says AT&T gives out a /60, which is true. But it’s misleading if you’re expecting to be able to USE that /60. You cannot. You cannot give your WAN adapter a /60 prefix; it does not work that way. It will always be a /64. (We’re not talking about a custom ONT SFP module here or what-not; obviously some people have made it work that way.)
So, assuming you just want to use the AT&T BGW320 as-is, and you want multiple IPv6 prefixes, here’s my quick little guide on that.
On the BGW320:
Turn all 3 settings to On under Home Network > IPv6
Under Firewall > Packet Filter, click to Disable Packet Filters (Note: This is not required for this guide, but you should just let pfSense handle packets if that’s your router)
Under Firewall > IP Passthrough – Allocation Mode: Passthrough – Passthrough Mode: DHCPS-fixed – Passthrough Fixed MAC Address: pfSense WAN adapter MAC address
Under Firewall > Firewall Advanced: I would recommend Reflexive ACL, ESP ALG, SIP ALG be turned Off.
pfSense Configuration
Under Interfaces > WAN – IPv6 Configuration Type: DHCP6
Note: If you only ever want 1 prefix to use for your LAN, and don’t plan to use any other /64 blocks, you do not have to use a custom configuration and could essentially stop here. Set DHCPv6 Prefix Delegation Size to 64 and that’s it, leave the rest of the boxes unchecked. Your WAN will get the passthrough address from the BGW320, and then you’ll have one prefix delegated to use which you can assign statically on your LAN adapter.
If you want multiple /64 prefixes to use, you will need to SSH into your pfSense machine. That is kind of out of the scope of this guide, but basically use PuTTY or ssh from a Linux machine to connect to your pfSense LAN IP, and log in with your admin credentials. The menu should say to enter option 8 for a shell, I believe.
At the shell, type ls /var/etc/dhcp6*.conf to list your dhcp6 configuration file. It should be dhcp6c.conf or, in some cases I have read, dhcp6c_wan.conf. Mine was dhcp6c.conf. We need to copy this file to a new location so we can modify it and use it as our custom WAN interface configuration file, then open the copy in an editor:
cp /var/etc/dhcp6c.conf /conf/dhcp6c_att.conf
nano -w /conf/dhcp6c_att.conf
Edit the file to include extra send ia-pd # lines. The stuff in bold is likely what will not already be in the file. But ultimately you need to start with send ia-pd 0, then 1, then 2, and so on. This is literally my current running configuration, so I hope it works for you. Do not blindly copy and paste this, make sure your interface name matches YOUR firewall, not mine! And yes, I plan to stop using a RealTek adapter soon. I also don’t think the prefix ::/64 infinity; lines are necessary but I added them just in case. The real important part is the send ia-pd lines.
interface re0 {
    send ia-na 0;
    send ia-pd 0; # THIS WILL BE YOUR 'f' PREFIX and will probably already be in the file
    send ia-pd 1; # ADD THIS to get the next prefix after f (e)
    send ia-pd 2; # ..and so on, up to send ia-pd 7 if needed, for a total of 8 usable /64 blocks
    request domain-name-servers;
    request domain-name;
    script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
    prefix ::/64 infinity;
};
id-assoc pd 1 {
    prefix ::/64 infinity;
};
id-assoc pd 2 {
    prefix ::/64 infinity;
};
To save your edited file, press CTRL-X, press Y to save, and then press Enter to overwrite the existing file. Alternatively, you can press CTRL-O and then Enter to write the changes out, and then CTRL-X to just exit.
You’ll notice that the blocks actually start at the end of the /60 from the BGW320. So if the BGW320 gives your WAN 2600:1700:a123:b340::, then your first usable /64 will be :b34F, the second is :b34E, the third would be :b34D and so on, C, B, A, 9, 8. 0-7 are reserved by the BGW320 for internal stuff apparently. Personally I’m only using 3 prefixes, and haven’t tested the limits.
Back in pfSense, under Interfaces > WAN, scroll down to DHCP6 Client Configuration, and enable the checkbox for Configuration Override. Type into Configuration File Override the following (or whatever you named your config): /conf/dhcp6c_att.conf
Save and apply your WAN changes. If all goes well, back on your BGW320 under Home Network > Status, you should see under the IPv6 section near the middle your IPv6 Delegated Prefix Subnet section, and it should list as many prefixes as you put send ia-pd’s into your dhcp6c_att.conf file.
Back in pfSense, under the LAN/VLAN/tunnel interface(s) you want to assign an IPv6 network to, set their IPv6 type to Static. With our example above, if you have 2600:1700:a123:b34f::/64 as one of your delegated prefixes, set your interface static address to 2600:1700:a123:b34f::1 on a /64 subnet size. That interface will then hold the ::1 IPv6 address on that prefix.
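The prefix numbering and the override file described above, worked through as an added example (not part of the original guide). It assumes, as in the guide's example, that the WAN address sits in the same /60 the prefixes come from; the function names are made up for illustration.

```python
import ipaddress

MAX_PD = 8  # per the guide: 8 usable /64s (f down to 8); 0-7 stay with the BGW320


def _check(count):
    if not 1 <= count <= MAX_PD:
        raise ValueError(f"count must be between 1 and {MAX_PD}")


def delegated_prefixes(wan_address, count):
    """Predict the /64 behind each 'send ia-pd N' line, N = 0..count-1."""
    _check(count)
    # Assumption (matches the guide's example): the WAN address sits in the
    # same /60 as the delegated prefixes. strict=False masks the host bits.
    block = ipaddress.IPv6Network(f"{wan_address}/60", strict=False)
    subnets = list(block.subnets(new_prefix=64))  # 16 /64s, last nibble 0..f
    # ia-pd 0 maps to the last /64 (f), ia-pd 1 to the one before it (e), ...
    return [subnets[15 - n] for n in range(count)]


def interface_address(prefix):
    """Static address for a pfSense interface: ::1 inside the delegated /64."""
    return ipaddress.IPv6Interface(f"{prefix.network_address + 1}/{prefix.prefixlen}")


def dhcp6c_conf(interface, count):
    """Build an override file in the same layout as the guide's dhcp6c_att.conf."""
    _check(count)
    lines = [f"interface {interface} {{", "    send ia-na 0;"]
    lines += [f"    send ia-pd {n};" for n in range(count)]
    lines += [
        "    request domain-name-servers;",
        "    request domain-name;",
        '    script "/var/etc/dhcp6c_wan_script.sh";',
        "};",
        "id-assoc na 0 { };",
    ]
    for n in range(count):
        lines += [f"id-assoc pd {n} {{", "    prefix ::/64 infinity;", "};"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wan = "2600:1700:a123:b340::"  # example WAN address from the guide
    print(dhcp6c_conf("re0", 3))   # use YOUR interface name, not re0
    for n, prefix in enumerate(delegated_prefixes(wan, 3)):
        print(f"ia-pd {n}: {prefix} -> interface {interface_address(prefix)}")
```

Compare the printed prefixes with what the BGW320 lists under Home Network > Status before assigning any static addresses.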
Edit 6-27-2026: I’ve scaled back the number of builds .. it was excessive. There’s no reason to have so many that I can think of.
Edit 6-23-2026: I am redoing the naming convention and adding EVEN MORE builds! Linux x86 builds will now be i386. I am also compiling separate i386 builds that have the ABI Hack enabled and one that is disabled. ‘abi’ builds will have it enabled.
I have taken some time to compile them as well. These are also untested but I suspect will work better than the q2repro builds below which I will probably end up deleting (Edit: I recompiled the q2repro builds with what I learned on this, they may work better if you need repro).
I was able to compile them with http support again, and the various variable fps and anticheat server builds, so you can pick either neither, a ‘vfps’ build (no anticheat), or an ‘ac’ build (anticheat, no vfps), or a vfps-ac build (both). Or none as mentioned.
There are x86 and x64 builds, so you should be able to run any mod. Also included i386 for ubuntu.
Let me know if you’re using them! I’m pretty excited that there’s at least a semi-stable repo for q2pro again!
The website now runs on symmetrical fiber (1000mbit). This doesn’t really mean anything but hopefully it feels a little snappier now. Much faster than the ~15mbit the site was running on before!
I upgraded from Spectrum cable to AT&T fiber internet. Even though I was paying for 1000/40 from Spectrum, I rarely was able to get above 20mbit for upload.
I can’t believe my last real post was so long ago… I really do want to update some of my guides.
Today I realized my VPN has been set up kind-of-wrong the last oh… 4 years or so. I’ve just never had a reason to notice as I was always accessing internal things.
So, an updated WireGuard Guide for pfSense 2.7.2 will be forthcoming soon!
I’m also just working on adding some better CSS support to my powershell server status script as well. I will soon get that online.
Update 2025: man, I suck. Sorry all, I just lost motivation for a while. I move on to other projects fairly readily, and I’ve just been so tired. I still plan to do this at some point.
That’s right! If you didn’t know, powershell is (nearly?) completely cross-platform.
I’ve recently been working on a server status script for work and I chose to do it in powershell. It does threaded pings, generates html files, etc.
With zero modifications at all the script runs flawlessly on both Ubuntu Linux and my Orange Pi. All I had to do was extract the powershell tarball, chmod +x pwsh and run the script.
Truly awesome.
What blew my mind was Powershell was markedly faster on my Pi than it was on my Ubuntu server.
I’ll be posting more about the script soon, as I need to figure out some things still. But it will be released in due time. I really like it!
Afterwards, install with dpkg -i tzdata_2024a-0ubuntu0.23.10_all.deb
Afterwards, you can do apt upgrade to upgrade to the latest one in the apt repo that was failing.
Hope this helps someone!
dpkg: error processing package tzdata (–configure): installed tzdata package post-installation script subprocess returned error exit status 10 Errors were encountered while processing: tzdata needrestart is being skipped since dpkg has failed
I just figured this out, and it’s too cool not to share. I have business grade switches at my house, so I have various VLANs set up already. You’ll need that in place to make this work, and have your port tagging in place already, etc.
This requires no additional configuration on the host. In the below, I’ve included two examples — default_lan and vlan5. So if you just want to give a container an IP on your local LAN, you can use default_lan for that. And if you’re looking to create a service on a vlan IP, you can use vlan5 as an example for that.
EDIT: YOU MAY NEED TO modprobe 8021q (and/or add it to /etc/modules)
You do not need to include default_lan in order to use a vlan. This also of course works great in Portainer.
networks:
  default_lan: # the name you'll reference in the service configuration
    driver: ipvlan
    driver_opts:
      parent: enp1s0d1 # the interface on your docker host that it will tunnel through
    ipam:
      config:
        - subnet: 10.1.1.0/24 # your networks subnet
          gateway: 10.1.1.1 # your networks gateway
  vlan5:
    driver: ipvlan
    driver_opts:
      parent: enp1s0d1.5 # I've added '.5' for vlan 5
    ipam:
      config:
        - subnet: 10.1.5.0/24 # the vlans subnet
          gateway: 10.1.5.1 # the vlans gateway
services:
  service_on_lan:
    networks:
      default_lan:
        ipv4_address: 10.1.1.51
  service_on_vlan:
    networks:
      vlan5:
        ipv4_address: 10.1.5.55
I have not tested, but I believe you can also just add another two subnet and gateway lines for ipv6 routing as well, and then specify your ipv6_address in the service.
You can also use macvlan instead, which will give the container a unique MAC address that you can see on your network. I have found the best way to do this is individually per-IP, at least for my needs. Otherwise you can easily run into duplicate IP problems.
networks:
  macvlan5_5: # the name you'll reference in the service configuration, and I give _5 as the IP
    driver: macvlan
    driver_opts:
      parent: enp1s0d1.5 # the interface on your docker host and .# for the vlan #
    ipam:
      config:
        - subnet: 10.1.5.0/24 # your networks subnet
          gateway: 10.1.5.1 # your networks gateway
          ip_range: 10.1.5.5/32 # the static ip you want to assign to this networks container
And then just assign the network in your container:
Unfortunately, the container does not seem to try to register with the defined hostname so my firewall just sees a new ‘unknown’ host on the random MAC address in the arp tables.