• 6rd subnet

    6
    0 Votes
    6 Posts
    859 Views
JKnott

    The WAN side has nothing to do with the LAN side.  In fact, you don't even need a public address on the WAN side, as routing is usually done using the link local address.  In fact, routing doesn't even require any address. The route can be specified by a point to point interface.  However, your WAN IP address could easily be one out of a /64 prefix that's separate from your LAN prefix.  Having the WAN address within the LAN prefix wouldn't work.  I'll describe what I have here, though I'm no longer using a tunnel.  My WAN port has an IPv6 address and I also have a /56 prefix, which is then split into individual /64s.  The WAN prefix is significantly different from either my /56 or any of my /64 prefixes, so there's no conflict between the WAN and LAN sides.  Any address that's not within my /56 is elsewhere.  I don't care whether they're on my ISP or not, they're just elsewhere and pfSense sends packets for them out the WAN interface to my ISP.  Beyond that, I don't know or care what happens.  It should be the same with you on Start.  I suggested using traceroute, as it will show whether the packets actually leave your pfSense firewall or not.  If they do, the problem is elsewhere.  If they don't, it's with pfSense.

  • IPv6 Port Forwarding

    7
    0 Votes
    7 Posts
    4k Views

    @JKnott:

    Does the prefix change?  If not, a MAC based SLAAC address is pretty much static.  On Windows there is also a random number address that does not change.

    Unfortunately, the prefix does change.  It is a unique use case, for sure.  DHCPv6 may be able to help us, if we work around its limitations in the GUI.

    On IPv4, we deal with the situation by putting each set of virtual IPs on a different NIC (along with a separate NIC for all outgoing NAT traffic).  This solution lets us change our set of public IPs immediately with no changes to the LAN addressing.  With IPv6 port forwarding, this could be done for IPv6 using site-local addresses for the destinations (DHCPv6 or static).  Otherwise I'd need to configure the DHCPv6 server to assign correct world-routable addresses with static mappings to each host.  The problem is that it's not easy to change the DHCPv6 static mappings in bulk, and the other records would be deleted, not deactivated.

    In any case, it's only public services that I want to apply port forwarding to.  All outbound Internet traffic would be through a routed subnet with no NAT.

  • IPv6 on WAN only; DHCP errors, failed to parse DHCP options

    2
    0 Votes
    2 Posts
    1k Views

    Without going into the details, did you check that

    System / Advanced / Networking / Allow IPv6 is enabled?

    Interfaces / WAN / Request an IPv6 (global routing) prefix is checked?

    The Interfaces / WAN / DHCPv6 Prefix Delegation size is set to 56 (or whatever the ISP offers)?

    Interfaces / WAN / Send IPv6 prefix hint is checked?

    Services / DHCPv6 Server & RA / LAN / Router Advertisements / Router mode is set to unmanaged?

    Make sure that ICMP is allowed for IPv4 and IPv6 (though endpoints might still block IPv6 ICMP by default)

    This is essentially a generic guide, initially written for German Telekom, and described with more details somewhere else.

  • IPv6 + HA + CARP Concerns

    1
    0 Votes
    1 Posts
    539 Views
    No one has replied

  • How do I tell if I have an ipv6 DHCP lease from my ISP?

    7
    0 Votes
    7 Posts
    2k Views
Gertjan

    @wkearney99:
    ... I'll leave ipv6 for another time.

    Know that you can have a 'real' IPv6 /56 on your network within 5 minutes: see what https://he.net can offer you right now, for free. pfSense has all the logic already on board, it just needs to be activated.
    I've been using he.net for years now, as my ISP promised IPv6 since "2000" and they just started to upgrade their boxes with some crappy IPv6 /64 support (too "small" for me).
    he.net is the very next best thing, and very often far better than what ISPs actually deliver.

  • DHCPv6 Not Working for LAN Interface, SLAAC works without issue

    5
    0 Votes
    5 Posts
    3k Views

    @bawitdaba:

    It looks like for some reason on my LAN interface I had checked "Block Bogon Networks" which blocked all Link-Local IPv6 Traffic such as DHCPv6. My clients pull addresses now from DHCPv6 yay!

    Thanks, just got bitten by this one myself, trying to protect the internet from my devices going bad ;(

  • DHCP6 will not pull IPv6 address on WAN Interface

    2
    0 Votes
    2 Posts
    1k Views

    Do you know what settings your ISP requires? The edge router may not even provide an IP address for the WAN. You must request a prefix size that is supported. The edge router may only support one size. It may require you to only request a prefix, not a prefix and an address. If your router isn't asking for a supported configuration, nothing will be delegated.

  • IPv6 dhcpd/slaac

    8
    0 Votes
    8 Posts
    1k Views

    @Ofloo:

    never mind, spoke too soon :/

    The port has VLAN tags of several VLANs enabled so not quite sure what you're referring to when you're talking about retagging the traffic, .. but I think what you're saying I already did.

    What is connected to that port? Is the connected device VLAN aware? Is it set up for multiple VLANs? Is this happening on more than one port with more than one device/client?

    Best bet is to use Wireshark on a port that has this issue and look at the RA packets, confirm they are tagged at all and correctly for the VLAN for the subnet being advertised; if they are, then set your sights on the client/s.

  • Pfsense won't issue

    7
    0 Votes
    7 Posts
    1k Views

    would there be any issues due to the built-in ethernet switch?

    –jason

  • IPV6, IPV4, traffic shaping, and pfblockerng

    2
    0 Votes
    2 Posts
    752 Views
Gertjan

    @m3nt0r123:

    I have a simple home network. Just a handful of devices with an AP providing WiFi. I realized that a number of devices are using IPV6 instead of static IPV4 addresses I assigned. I read through the documentation and am thoroughly confused and need some guidance.

    Pure IPv6 devices exist when you force them to use only IPv6. I guess you didn't, so they all ask (DHCP) for an IPv4 and, if they can handle it, an IPv6.

    @m3nt0r123:

    I want to ensure my traffic shaping (PRIQ) works as intended and that my packages function as intended as well. I have floating rules for traffic shaping to prioritize traffic but imagine those rules are not applied since an IPV6 lease is assigned to the device rather than the static IPV4.

    Can't tell, never shaped anything in my life.

    @m3nt0r123:

    Should I disable IPV6?

    Maybe, for the time being.
    But guidance isn't what you need. IPv6 is a huge subject. As "IPv4", you'll have to go through the "learning phase".

    @m3nt0r123:

    Am I able to apply PRIQ to IPV6? Is it already applied?

    Never heard that shaping, or "PRIQ" is IPv4-only.

    @m3nt0r123:

    Should my other packages work as expected (pfblockerng, suricata)?

    pfblockerng will work well - check with their support. But you should know that the concept of "lists with bad IPv6" will never work out in the future, it's simply too big. Using DNSBL still works.

    suricata is more a packet inspection tool. These are still the same. The "IPv4" or "IPv6" is just the envelope that transports the packet.

    The thing is: as a firewall operator you do not have a choice, you should become friends with IPv6.
    Remember: a firewall handles IP packets. And IP means: IPv4 or IPv6, knowing that IPv4 will fade out (in the next decade so you have some time ;))

  • Comcast business head-scratcher…

    7
    0 Votes
    7 Posts
    1k Views

    Agree, you are right, all the services that depended upon a static IP long ago moved to AWS, so I should just ditch it, good thought.

    Esp since Route53 works beautifully with pF's dynDNS updater.. Is there nothing that pF won't do (better) ?

  • Delegation and NPt

    1
    0 Votes
    1 Posts
    511 Views
    No one has replied

  • Noob question - ipv6 only on wan side

    7
    0 Votes
    7 Posts
    3k Views

    Thx for all answers.

  • IPv6 DHCPv6 Lease Giving Bad Route to Gateway

    8
    0 Votes
    8 Posts
    1k Views

    @JKnott:

    You could also use Packet Capture or Wireshark to see if pfSense is actually sending out RAs with the wrong gateway, or if they're coming from elsewhere.  You have to filter on ICMP6 to capture them.  If you use Packet Capture, you may want to download the capture file and use Wireshark to examine it, as Wireshark provides more info than the list shown in Packet Capture.

    You were right. I wiresharked it and found out that my old EdgeMax router was sending out router advertisements. Factory reset the darn thing and all is right on the network. At least it wasn't DNS. Thank you for your help.

  • Monitoring IPv6 WAN logs

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied

  • IPv6 with HE Tunnel: ping works, but TCP fails to establish

    17
    0 Votes
    17 Posts
    7k Views

    Some updates:

    I recently switched to a new ISP (BT Infinity) so decided to give this another go. Unfortunately the exact same ACK dropping issue still happens with BT's Smart Hub (Home Hub 6A). This time I came across this post https://ttlexpired.co.uk/2016/02/12/ipv6-tunnel-and-failing-tcp-sessions/ describing a very similar issue from an engineer working for SKY, and he concluded this is a bug with the Broadcom SoC's "flow cache" mechanism, and by disabling flow cache the issue can be mitigated. Both my old SKY router SR102 and BT's new hub use Broadcom's SoC, so I have a strong suspicion that this is indeed the root cause.

    I'm no longer with SKY so can't experiment with it, but for anyone stumbling across this post via Google, you might be able to play with it by compiling your own SR102 firmware from SKY's GPL tarball and try to disable flow cache. Unfortunately BT has yet to release the source code for its Smart Hub, so I'm still stuck.

  • Weird behavior with 6rd, radvd, wan interface

    5
    0 Votes
    5 Posts
    840 Views

    WAN is not static; when this happens 6rd appears to be up and the LAN hands out valid v6 addresses, just no routes are assigned.

    I've also been noticing issues with other things. I got the kids a Switch for Xmas and had to set up a hybrid outbound NAT rule, but it only works for a while and then I have to go back in and edit/save to get the Switch's connectivity working again.

  • Which v6 interface to bind HAProxy to?

    3
    0 Votes
    3 Posts
    1k Views

    I could do that, but my ISP allocates me a dynamic address - is there a way of allocating a /64 prefixed space to a virtual IP block? I can't work it out, nor can I find any documentation on how to do so.

  • Comcast xfinity (residential) non-responsive

    1
    0 Votes
    1 Posts
    543 Views
    No one has replied

  • Disable ipv6 for some LAN clients

    5
    0 Votes
    5 Posts
    1k Views
johnpoz

    If you're wanting to use ipv6 for some clients and not others you have 2 ways to go about it if you ask me..

    Complete static: do not run RA, do not run dhcpv6.. Any clients that want to use ipv6 will have to be set up static ipv6 to be able to talk to pfsense, and get outbound on it, etc.  This allows you to easily firewall and only allow specific IPs that you set on clients.  You're going to want to turn off privacy ipv6 on the client as well or they will just use some random ipv6 in the prefix you set up as their outgoing source IPv6..

    You can set up RA and/or dhcpv6, etc..  But disable ipv6 on the client completely..  This might not be available on some clients; refer to option 1

    I use option 1… It allows me to use ipv6 on the devices I want to use ipv6 on while not having to worry about it on other devices..  Actually sort of a hybrid of 1 and 2 - since I also disable ipv6 on any device I can that I am not going to be using it on..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.