I tried restarting pfSense as well as my clients, and it didn't seem to help on the day. However the following day everything started working fine.
I am all good now.
My first thought was to delete this post. But I am leaving it up in case someone else faces a similar situation in the future. As unhelpful as it sounds, waiting a day might make the problem go away :-)

Have to chime in here on the value of this feature. I'm a bit confused as to the response saying it cannot be done, though. I am probably misreading that in the overall context. This feature is in OPNsense, so programmatically it can be done.

@alnico

Both the WAN and LAN addresses are on the same box. Just a few days ago, I was testing my OpenVPN while on my LAN. Worked fine. Connecting from elsewhere, to the LAN, is the same thing, just in the opposite direction. Just make sure your firewall will pass UDP port 1194.

@sloopbun Me to :-)

UPDATE: This issue is not specific to the use of large mtg (jumbo frames). It affects ICMP6 generally in this configuration. I don't know if the issue is due to the VLAN or the combination of a VLAN on a bridge. IPv4 is not affected and ICMP message sizes (with do-not-fragment set) respect the configured mtu.

@JKnott I guess my question wasn't well phrased. I'll post a rephrased version as a new question and delete this question in a few hours.

@SteveITS I seem to have gotten it to work, but I'm not quite sure how. I'll download the old pre-v6 and current configs and diff them.

And, BTW I have a modem-only connection (non-Xfinity device) without any routing or NAT. pfSense runs on a Zotac CI323-nano mini-pc.

@IonutIT said in Why does pfsense run dhcpv6 and slaac by default?:

RFC6724 mandates that IPv4 is preferred over ULA IPv6 but IPv6 GUA is preferred over IPv4. You can obviously manually bypass this by breaking RFC in Linux systems but can't be done for other embedded systems.

I guess my computer hasn't read that RFC. Neither have I for that matter.

host firewall
firewall.jknott.net has address 172.16.0.1
firewall.jknott.net has IPv6 address fd48:1a37:2160:0:4262:31ff:fe12:b66c

ping firewall
PING firewall(firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c)) 56 data bytes
64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=1 ttl=64 time=0.313 ms
64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=2 ttl=64 time=0.162 ms
64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=3 ttl=64 time=0.136 ms
64 bytes from firewall.jknott.net (fd48:1a37:2160:0:4262:31ff:fe12:b66c): icmp_seq=4 ttl=64 time=0.120 ms

@johnpoz
Hi John
That was fast:-)

Sorry that my explanation was not clear enough.
fc00:18f:11ab:3010::1 and fc00:18f:11ab:3010:0:0:0:1 is the default gateway for the subnet on the interface. That was what I tried to explain by saying I change the IPv6 number of the interfaces from short to long or the otherway.
So no the server have the same IPv6 number all the time ending on 11 (fc00:18f:11ab:3010::11).
Configuration of the Interfaces:
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Static IPv6

Static IPv6 Configuration
IPv6 address
fc00:18f:11ab:3010::1/64 (Short)
or
fc00:18f:11ab:3010:0:0:0:1/64 (Long)

Regards
Henning

@chill_out Personally I normally just have it use loopback.. And I am back to that - I don't really need my dns going out my HE tunnel..And other than that test of theirs have no need of it.

My ISP has, after weeks of fighting them on the matter, admitted that this is in fact their fault.

I would delete this thread, but I cannot.

@Fandangos said in Ipv6 almost working?:

https://www.reddit.com/r/ipv6/comments/evv7r8/ipv6_and_netflix/

Is this beyond what the end user is able to solve?

That was years ago (the reddit post : more the 4 years). When Netflix, like everybody else started to use IPv6. Netflix, for very understandable reasons don't want me to look at season 10 of Walking Dead, while it's already old and out in other countries. They use my IPv6 to 'know' where I connect from.
The thing is : they had not mapped the entire Ipv6 into a a GEO IPv6 database to determine where I connect from. [ 😊 and now they know that they will never be able to do so, as there isn't enough materiel on planet earth to build all the hard disks to store this database ]
Some IPv6 ranges, tough, are already listed : the ones from huricane.net for example, some sort of VPN IPV6 supplier. I was using them as they offered a good IPv6 implementation (way better as many ISP today).

The solution was an easy one : pfBlockerng !

Like this :

229110bf-a604-473e-9916-a319272cbd73-image.png

There is a list on this forum with all (there are several) netflix domain names that you have to enter.
Netflix, from then on, will be accessed over IPv4, and you'll be fine.

@tmoore said in Setting up ipv6 with one /64 allocation:

For what it's worth my ISP is Teksavvy. I phoned in to them this morning and asked them to give me a /56 address delegation which they have done. So now I have a /56.

Are you connected via Bell or Rogers? If Rogers, you might want to check the Rogers config. A friend of mine is with Teksavvy on Rogers. Another friend used be be with them on Bell.

As for that pending gateway, you have to provide a monitor address that responds to pings. For mine, I ran traceroute to Google and picked the first address that responded. That address is 2607:f798:10:10d2:0:241:5615:217. It might be different for you, depending on where you are.

@Kenneth_H said in IPv6 with framed IPv6-prefix:

it does however seem strange that the lease time is around 5 minutes

My lease time is over 164 hours.