One other thing you may want to try. Put your modem into gateway mode and see if it works properly. If it does, then the problem is with pfSense. If it doesn't it's with your ISP. My experience shows the tech support will not work on a problem if a customer firewall/router is used. So, use the gateway mode to determine where the problem is.

Thanks @Derelict I think I have it working now. I had a couple of problems with the way I was trying to do it. I ended up having edge-pf delegate /60 subnets so that internal-pf could use /64 subnets on its lans. The biggest catch, that had me scratching my head for ages, is the dhcpd service seems to need to be restarted; or a reboot. I'm not exactly sure which situation requires which but just saving a new configuration or restarting an interface isn't enough. After I have all this working I'll post my config to help the next novice like me.

Thanks for the help @Derelict and @JKnott. I now have my WAN and LAN interfaces looking like they are working as they should. I can also successfully ping and traceroute to the public ipv6 address I found. For others who may have similar problems I found this post useful to understand a little more about how track interface works. My next hurdle is to get prefix delegation working from the pfsense that connects to the internet to the pfsense that does internal routing and services. I'm having some trouble with that but I'll create a new post for it since it's outside of this topic.

Well, I got it working last night... oddly enough the problem was actually due to the bug I mentioned in my original post - https://redmine.pfsense.org/issues/5999. Because IP aliases break tracking I had removed my IPv6 interface from CARP. That meant that my secondary was picking up some percentage of the IPv6 traffic on the LAN. It still had routes to my old ISP over the v6 tunnel, so it was sending some of the traffic out that way. The solution for the moment was to turn the secondary off, I'm going to do some more config tweaking tonight and see if I can get to a state (probably with no IPv6 on the secondary) where I can leave it on-line so I have at least some level of failover.

@bbusa said in Native IPv6 from Telekom using GPON and PPPoe [solved]: They had misinformation on the phone, and that created the confusion. Misinformation from an ISP? WOW, that's a first!!! Yeah, right. IPv6 from my ISP worked well from the start, three years ago, until I ran into a problem around New Years. With my own testing, I had determined the problem was at the ISPs office and later was even able to identify the failing system. It took me 3 months to get the problem resolve and I often found myself having to teach the support people how IPv6 worked. Hopefully, the support will improve, as ISPs get more experience with IPv6.

Having multiple GUAs on a host puts a lot of the burden on that host for choosing the desired source address for a particular connection. The pfSense routing role could be handled right now using existing policy routing rules based on the source IPv6 address. This source, out this WAN, that source, out the other WAN. But the decision moved to the host as to which source address is used for a particular connection.

@mikael-ljung-mikeonline-se I think best practice is to use GUA for everything. If you have a broken ISP that changes the prefix then ULA is a way to work around that.

@PabloAbonia said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address: Address #2 is the preferred address which is not assigned from pfSense via DHCPv6, and is generated by Windows 10. It is derived from the prefix, and the fe80 address in address found under #4 This is entirely normal. With IPv6, you have a 64 bit prefix and 64 bit suffix. With the consistent address (MAC or random) it will have exactly the same suffix as the link local. You will see this even more, if you also use Unique Local Addresses. Then you will see the same suffix for link local, Unique Local Addresses and Global Unique addresses. With the privacy addresses, you will also have GUA and ULA with matching suffixes. Entirely normal.

Yeah, I had the PrefixID set but was calling it a NetID. Sorry for the confusion. Got IPv6 working by changing the LAN DHCPv6 Server + RA setting called "Delegation Prefix Size" to a 64 on the DHCPv6 Server + RA settings for the LAN interface and unchecking "Use DHCPv6 Server Settings" in the DNS Configuration at the bottom. Still not sure why that fixed it. But got a 10/10 with no warnings at https://test-ipv6.com. Settings from here were helpful getting it to the point I had it before: https://forum.netgate.com/post/619372 Now time to make sure I have policies set properly...Routable IPs in an internal network are a new level of fun. The VPN issue in particular. https://docs.netgate.com/pfsense/en/latest/vpn/ipv6-and-vpns.html Cheers.

We're not talking about point-to-point links, bro. I don't have time to make every forum response cover every possible caveat.

@derelict said in IPv6 default route disappears: Vote with your deutchemarks, people. They are called Euros for years, ya' know? Problem is, that those small little pearls are mostly local ISPs in specific regions or cities. Even if I'd wanted to go all out and "shut up and take my money", it won't get me far. In most non-crowded places you're happy if you can get DSL with PPPoE or Cable from the same few companies. There are only some like e.g. DG / Deutsche Glasfaser / "german fiber" that will get you FTTH or FTTB. So more often then not, voting with ones wallet isn't possible as no other/better service is available.

With the exception of the DHCP setup, the following works for me for a little while, but I suspect the issue on my end is something else. https://techielibrarians.com/index.php/2017/06/08/native-ipv6-with-comcast-business-and-pfsense-2-3/ Those instructions are for the old gateway modem type, but I'm on the Cisco and it seems to work.

Ok, so the final update, I have everything fixed now (at least till now) So the final trick is to set my switch to tag port 5-8 which connect to my 4 APs apparently the tp-link APs will receice packages on it's selected wirelss VLAN + anything that's untagged (without vlan header) after change my switch to tag vlan1 on port 5-8 it ensures all the vlan1 tag won't be removed when outbound the port, which fixes the RA flood issue. Thanks everyone for the help

Even if your ISP doesn't provide IPv6, you can still have it, using a tunnel from hurricane electric. They are free, they perform well, they are very reliable and they work. I used one for years before my ISP implemented IPv6. There are lots people here who can help you set it up.

Thanks for the sanity check. I got a few IPv6 digits reversed. Fixing the typo fixed the routing. :)

@Derelict I am certain I have come across some sort of bug in pfsense that when IPv6 is enabled, IPv4 performance decreases by about 2mb/s both up and down. I have done lots of testing tonight and Telstra's router does not suffer this issue, only pfsense. The moment I turn off IPv6, I get my full speeds back. The moment I turn on IPv6, I lose 2mb/s down and up on IPv4. I cannot replicate that on Telstra's router. I maintain full speeds on IPv4 with IPv6 enabled on Telstra's router. What additional information would you need to help isolate what this bug would be?

I guess this feature is not available on pfSense. It is a sad news as the situation will become worse over time. IPv6 over IPv4 was the 1st phase of IPv6 implementation. Now we are on the second phase were we are moving to IPV4 over IPv6, as ISP started increasing their IPv6 capable gear. We will see this increasing and this phase will last years IPv4 will eventually go away. However, looking at the trend, I wont be surprised if it takes over 30 years to get there.