• IPv6 Filterlog missing details

    2
    0 Votes
    2 Posts
    518 Views
    K
    I would guess it's only because this is IPv6 encapsulated into IPv4 and some of the details just aren't immediately available until the traffic gets unwrapped by the gif tunnel driver.
  • Every 10 minutes, I have 4-5s packet loss

    5
    0 Votes
    5 Posts
    1k Views
    dennypage
    @Gertjan: Everything is set default - except the "pay load" (in the advanced section) set to "64", which was advice in the past (it must be bigger than 1). You only need to set a payload size if dpinger shows 100% loss with payload size 0. This is to work around defective icmp implementations in some routers. The other thing to check for is icmp rate limiting. Either change the target or change the probe interval.
  • Enabled remote syslog to greylog but no messages are received

    2
    0 Votes
    2 Posts
    575 Views
    johnpoz
    simple sniff on your lan interface would tell you if being sent..
  • MOVED: Telegraf / InfluxDB

    Locked
    1
    0 Votes
    1 Posts
    587 Views
    No one has replied
  • Kodi / Exodus not working as expected

    6
    0 Votes
    6 Posts
    2k Views
    R
    Thanks for the replies! I understand the position on Exodus, completely…. But.... it does contain content (legal / OTC originally) that other streaming services don't have. Most recently we binge watched all seasons of Chicago PD on Exodus because Hulu and Netflix had a limited number of episodes / seasons. I think there is an opportunity for an online DVR to be built and populated with OTA content. Sorry, off topic a little. I will watch the firewall logs and see if I can tweak the rules. Again, thanks for the replies.
  • MOVED: SSL Filtering blocks some windows apps (Dropbox, Anydesk and etc.)

    Locked
    1
    0 Votes
    1 Posts
    388 Views
    No one has replied
  • Anti Lockout with VLANs

    1
    0 Votes
    1 Posts
    424 Views
    No one has replied
  • MOVED: 2.3.3 - DNS resolution from firewall stops working over time

    Locked
    1
    0 Votes
    1 Posts
    290 Views
    No one has replied
  • How to assign public IPv4 Subnet to OPT?

    2
    0 Votes
    2 Posts
    505 Views
    johnpoz
    what does the switches route have to do with anything? So are these /24 routed to you via transit?? Is this public IP 74.221.222.58 so these other /24's are routed to that IP.. Not attached? If that is the case then just put the /?? whatever you want to subnet them to on your opt - you sure wouldn't be setting a gateway on that interface. And yeah it will go out your.. Just make sure you disable natting of that interface since you have no use for it.
  • PFSENSE SETUP WITH PPOE AND 2 LANS

    1
    0 Votes
    1 Posts
    420 Views
    No one has replied
  • 0 Votes
    1 Posts
    338 Views
    No one has replied
  • Comcast SMC Single IP Block

    1
    0 Votes
    1 Posts
    377 Views
    No one has replied
  • Reassigning interfaces - with both multiple WAN interfaces and CARP VIPs

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • Scheduled Maintenance Rule

    4
    0 Votes
    4 Posts
    687 Views
    D
    I'd frankly start with the allow rule scheduling, results with scheduling block rules are not exactly convincing for some people due to dangling states.
  • MOVED: Ajuda com regra

    Locked
    1
    0 Votes
    1 Posts
    366 Views
    No one has replied
  • MOVED: Connection issues with pfSense with OVH and Proxmox

    Locked
    1
    0 Votes
    1 Posts
    338 Views
    No one has replied
  • Inter-VLAN routing goes out WAN?

    3
    0 Votes
    3 Posts
    730 Views
    D
    Found it! I have two WAN connections, and the failover rules were misconfigured. Instead of keeping all local traffic, it was sending anything not in its own /24 out the DSL line. I fixed it by using an alias for my local VLANs instead of the incorrect "network" match. All better now, thanks.
  • Does pfSense use cdp for anything?

    2
    0 Votes
    2 Posts
    1k Views
    J
    Not unless you've configured the ladvd package.
  • PFsense dynamic vlan

    7
    0 Votes
    7 Posts
    2k Views
    S
    I don't fully understand what you're trying to do, or what exactly "I can't put them it the right vlan" means, but what I can say is that with a WIFI router with DD-WRT installed it's possible to create multiple VAPs (Virtual Access Points) with tagged VLANs on one or more routers. Combine that with a switch that can do VLANs, and you can setup multiple separate WIFI networks that can be managed with pfSense.
  • IPv6 temporary address rule

    8
    0 Votes
    8 Posts
    3k Views
    G
    @zarje: IPv6 is kinda strange in some ways compared to IPv4 but thanks for helping me solve this! Is it that IPv6 is kind of strange compared to IPv4, or that IPv4 made us think of things in a strange way? ;) In a LOT of ways, IPv6 makes much more sense to me than IPv4. You have an interface. It has its own address in the world. Nothing else has that address. It's kind of like your physical home mailing address. Compare that to IPv4 and "192.168.1.1". I bet there are more interfaces in the world with that single address than there are unique IPv4 numbers. That would be like trying to send something via the ground postal service addressed to only "over there." In my opinion, IPv4 required so many hacks (and they are hacks) to make things work how we want, that we've grown accustomed to those hacks, and now we try to apply those same ideas to IPv6 where they aren't needed (and don't work.) I still believe that a proper daemon with kernel hooks could monitor ICMPv6 to watch for the MAC addresses of devices that announce usage of an IPv6 address (via ICMPv6 NDP NA and NS messages) and somehow use that information along with ARP and reverse DNS lookups to find the hostname of every used IPv6 on a local network. In fact, I had written something like that (and injected the information into unbound's config files) but it wasn't a daemon that monitored ICMPv6, but instead just ran every 30 minutes or so. In that time, many IPv6 addresses would expire from the NDP table, or the IPv6 would expire very quickly after I logged it (but before the process ran again to clean up the data.) I'll admit that I had a few other bugs, but because of the above issues, I abandoned my effort. It was a fun exercise and I proved to myself that it was feasible. As others pointed out to me, even if I had perfected the program, it STILL would suffer from some flaws due to some devices apparently randomizing their MAC addresses! (I haven't seen that in my home or work, but I believe others who say it's done.) It also couldn't ever recognize an IPv6 address if it never sees the address to begin with. (Of course, if it never sees the address, then there isn't any traffic using the address, so it really doesn't matter.) Oh, and even with the above program, assuming it was working PERFECTLY, you'd still be experiencing the same problem (because pfsense refreshes its alias tables on a schedule… so it might take quite a bit of time before it'd notice a new ipv6 address associated with a given hostname.) However, ALL that being said... pfsense is still one of the better router/firewall/UTM type programs for dealing with IPv6. Most others either completely ignore that IPv6 exists, or they have barely half-baked hacks that kind of support very specific cases of IPv6 (such as only supporting static IPv6 /128 addresses) (Can you tell that I'm passionate about this subject? ;)) Take care Gary
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.