I think the solution is true: need more than a /64 Reading about NDP on Wikipedia made some sense and I managed to find a document on RIPE.NET that explained about the importance of being a /64 or more.. I consider my question answered :(

@anthonys Glad to hear it. Yeah, ISPs sometimes cause their own problems, as the staff doesn't fully understand the differences between IPv4 and IPv6. When I had that problem last year, I had to educate both tier 2 support and the senior tech about what was actually happening. They knew the basics of IPv6, but not some of the finer points. At least you got relatively quick response from your ISP on this. It took me 3 months and a lot of work to get the people who should have fixed the problem to do anything. Since I had my own router, they refused to do anything, even though both the tier 2 guy and senior tech told them it was an ISP problem. What finally did the trick is the senior tech brought his own modem to my home and saw the problem. He then went to the head end and tried with 4 different CMTS. The failure only occurred with the one I was connected to. This was weeks after I provided the error (see above) to them. BTW, I have decades of experience with telecommunications, computers and networks and so had the ability to work through this problem. A regular customer wouldn't have a hope of getting it resolved.

@IsaacFL Yes, I know the RA has both. People have to get away from the IPv4 way of thinking. There are essentially unlimited addresses available. You can have multiple addresses on an interface. In my case, I have link local, GUA and ULA. I could even have multiple GUA & ULA if I wished. Sometimes you just want a local network for some devices that share the same network as the devices that connect to the Internet. As mentioned, there is an issue with pfSense where it forgets to apply the GUA prefix, when ULA is also used. As far as I'm concerned, that's a bug.

making some progress with my learning :) I can create a ULA for the interface and use that in the listen field too. This feels better, the GLA is used purely for external traffic, and the ULA internally for IPv6 lookups. still open for feedback if I'm being crazy/stoopid here. It wouldn't be the first time! :-D

Found the issue and all is working well. If anyone else runs into the same problem I did here is the fix. If you are running HA units and your creating a wan ipv6 carp address you must leave leading 0's on. So you cant take the leading 0's off to shorten the address. :0001 cannot be :1 shortening works fine everywhere else but with the carp IP for some reason you cannot do this. I found a thread from 4 years ago on redmine that was very similar to this issue and there was some activity on it from a few weeks ago so I'm wondering if the issue has resurfaced. Either way I'm glad i got it working now :) If anyone from netgate sees this I am running the current stable version as of today. 5/15/20

I see that there are no clear instructions for this scenario. As I like experiments I'll try to find it out just by trying to do this. Of curse it will help if somebody could tell that there is no way to configure pfSense behind NAT to properly handle IPv6 with tunnel broker (HE) Just for quick summary this is my setup: Internet <--> ISP modem (as bridge) <--> pfSense on real device (main router with public IP) <--> pfSense on virtual box (test router) <--> virtual box test network And as mentioned in first post I plan to learn by configuring IPv6 on "test router".

@JKnott thanks, I might try that to experiment. However, it seems this has been verified and input as a bug on this thread. Hoping maybe the Netgate folks get to it in a future release... properly getting track interface to work with multiple IP addresses on a LAN interface including GUA and ULA. Definitely some funky routing and "which interface gets priority or sends the traffic and can route" going on... both on the pfSense side (which they can control), as well as the various client OS's (Windows, Mac, Linux, etc). All of them do it differently. Windows machines here always seem to ping everything just fine... Mac's not so much. If anyone finds a fix / workaround (possibly a script to pull and add the ULA VIP after 5-10 seconds whenever the WAN goes up/down)... let me know and I'd be happy to test it. Best Regards, dg6464

@JKnott I misunderstood that I needed an extra interface to tie the VIP to. But I see I can just create one and tie it to the WAN interface. I just confirmed this works as expected.

Hello, and sorry for the delay. I reverted to using my ISP native IPv6 and fixed the horrible stability issues by settings LAN's MSS to 1440 after reading https://forum.netgate.com/topic/73573/massive-http-ipv6-connectivity-issues and fiddling with values. I kept using NPt, and used /64 on all interfaces. All seem perfect now, including multi-wan load balancing. Thank you for your help.

@JKnott Good advice, thank you :-) I bought a copy today.

@bplein No, missing or bad RAs will cause clients to lose the prefix, leaving them only with link local addresses. I just checked my network and see RAs every minute or so. Examining the RA may give you a clue to the problem.

@stephenw10 Yes, I decided to just nuke this tread. Not sure how to delete the whole thread but I don't have time to work on this right now. Thanks for the suggestion.

maybe "Get IPv6 through IPv4"

@Bob-Dig Did some more testing and the problem was probably an interface problem with hyper-v, everything is good now.

FINALLY, success! After retrying what should have worked the first time, but didn't, I can report I have a /56 and proper delegations to the different segments. The problem was the ISP, even after a modem reboot, would be inconsistent issuing IPv6 configs. It was 24 hours of tweaking and rebooting. Thanks for the advice, it did help to narrow down the options.

@pwood999 said in BT Ultrafast IPv6 not working through PfSense: no easy way to talk to somebody that actually understands !! That has nothing to do with the current situation!

@Gilera said in Issues with IPv6 PD over PPPoE IPv4: Learning everyday about ipv6........@JKnott, why do i only get a link local ipv6 address on the WAN? I do not have that option selected. You do in that screen capture you posted. That's why I mentioned it.