• Ipv6 multicast allowed

    3
    0 Votes
    3 Posts
    825 Views
    B

    I fixed it. I had to create an any/any rule on the LAN for icmpv6 traffic. There's actually an ICMPv6 protocol choice when you're making a new rule for this specific thing. Once I did that those logs stopped showing up. Very little is using the rule, it's all been Link-Local addresses so far.

  • Same subnet in radvd.conf with two different prefix lengths

    1
    0 Votes
    1 Posts
    688 Views
    No one has replied
  • IPv6 Bingo - Thought our resident IPv6 Promoter (jknott) would get a kick

    1
    1 Votes
    1 Posts
    400 Views
    No one has replied
  • IPv6 DNS servers

    5
    1 Votes
    5 Posts
    1k Views
    JKnottJ

    ULA has nothing to do with DHCPv6.  ULA is the IPv6 equivalent of IPv4 RFC 1918 addresses.  You can use it with SLAAC, DHCPv6 or manual configuration, just like global addresses.  I'd also recommend reading a good tutorial on IPv6.

  • Prevent radvd from setting RDNSS and DNSSL

    1
    0 Votes
    1 Posts
    569 Views
    No one has replied
  • Update 2.4.3 Radvd Interface Missing

    4
    0 Votes
    4 Posts
    724 Views
    johnpozJ

    huh?

    What version were you using before?  The interfaces you have IPv6 set up on would be listed under RA where you can enable it or not, etc.  And set its mode of operation, etc.


  • Blocking Comcast router advertisements

    4
    0 Votes
    4 Posts
    1k Views
    T

    Thanks for your insightful comment.  It turns out you were right.  I had set up a bridge to get my 5 static IP addresses from Comcast onto a private VLAN.  Somewhere, and I'm still not sure where, the RA packets were leaking onto my LAN.  RA packets are IP6 packets, and I would think they could be filtered by PFSense even on a bridge, but apparently that is not the case.

    My work-around is to plug all of the interfaces that need a public IP directly into the Comcast router, and leave all of the others on my switch.  It's a little disappointing because I can't watch the traffic with PFSense, but it is working, and I'm not able to set my own nameservers.

  • Dual Stack Failover force IPv4 only?

    4
    0 Votes
    4 Posts
    806 Views
    JKnottJ

    ^^^^
    And in the process you've lost IPv6 entirely, which is dumb as that's where the world is moving to.  Perhaps it would have been better to set up a 6in4 tunnel as backup for IPv6.  Many people use he.net for that.

  • Default IPv6 DENY Rule in system logs even tho default is PASS

    4
    0 Votes
    4 Posts
    4k Views
    obitoriO

    Thanks to both of you for your input.  I am trying to fix this as per the last post.

  • Testbenching pfsense in VMware trying to enable IPv6

    8
    0 Votes
    8 Posts
    1k Views
    IsaacFLI

    I have used an Asus Merlin with ipv6 and as far as I know it cannot delegate a prefix. It just hands out individual addresses.

    You should probably ask on the Merlin forum though.

    https://www.snbforums.com/forums/asuswrt-merlin.42/

  • IPv6 DNS registration best practices?

    3
    0 Votes
    3 Posts
    2k Views
    T

    @Gertjan:

    I'm using he.net myself for IPv6, which means the prefix is always the same.
    So, the good old 'static MAC/DUID' reservation works great - DNS registration included.

    Thanks for the hint. I found this redmine entry:
    https://redmine.pfsense.org/issues/2017
    and can confirm that DNS registration for static DHCPv6 leases works fine.

    But this is not an option for my setup. The clients are dynamic and the network is too big to maintain static dhcp leases.

    I've done some further research on the topic.
    In the redmine request the developer mentioned that the hostname is not sent from the dhclient. I found out that this was an issue in the isc dhclient which is solved in version 4.3.
    See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670865

    I checked the Debian dhclient.conf and can confirm that there is an entry with:
    send host-name = gethostname();

    So I guess the hostname should be sent now.

    I then checked the dhcp6.leases file and found out that isc-dhcpd has no field for the hostname for ipv6.
    I found nothing in the ISC DHCPd tracker about whether they are working on adding the hostname to the dhcp6.leases file.

    I found out that if dnsmasq is used as DHCP and DNS Server it should be possible to have DNS client registration with ipv6 out of the box.
    Unfortunately pfsense uses isc-dhcpd and I think there is no option to change this from a user perspective.

  • IPv6 - static IP for pfSense

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ

    You could for sure give it a static inside whatever prefix you get.  But if they happen to hand you a different prefix all your scopes can change on you.

    Why they don't just assign customer prefix XYZ, /48 should be what they give you and be done with it..

    If you want static and your ISP will not give you one - just head over to hurricane electric and grab the free /48 they will give you.  Now you have all the statics you want ever.. And what is nice is even if you change ISP you can just keep that /48.. Even if your isp doesn't support ipv6 you still have that /48, etc..

    I have had the same prefix since 2013.. And even can setup PTR on any of the IPs I want in that /48 and recently moved to isp that doesn't have any IPv6 and means nothing to me.. Since it took all of 2 seconds to setup my tunnel again with all my boxes able to have the same exact ipv6 address they had with the previous isp.

    Really the only drawback to a tunnel is a few extra ms latency vs native connectivity - depending on where the nearest pop is and where HE peers with your isp, etc.  But they have pops all over the world.

    https://www.tunnelbroker.net/status.php

  • IPv6 Not able to ping WAN to LAN

    14
    0 Votes
    14 Posts
    2k Views
    M

    It is reaching up to my WAN port of Pfsense
    I am not authorized to share IP details

  • Google Wifi IPV6

    3
    0 Votes
    3 Posts
    1k Views
    K

    Sadly, gwf can't do bridge and mesh which is why I got gwf really.

    As it stands I have pfsense with a dhcpv6 server handing gwf an ipv6 address and prefix, but it doesn't seem to have internet access on wifi connected devices.  There has to be something I'm missing.  Hopefully someone has had some luck and can share what they have done.

  • Routing question about unused ip6 subnets

    4
    0 Votes
    4 Posts
    709 Views
    IsaacFLI

    I tried an online tool to traceroute to an address, and you are right about pfsense just dropping it, at least as far as I could tell.

    There shouldn't be any reason for any internal device to be doing it, so it should be ok. I just wanted to make sure I didn't get a nasty note from my ISP.

  • Static /56, /64s to LANs

    29
    0 Votes
    29 Posts
    3k Views
    DerelictD

    What he said


  • DHCPv6 - How to troubleshoot Prefix Delegation

    3
    0 Votes
    3 Posts
    1k Views
    K

    Thanks.  That gave me the information I needed.  A few more searches later and I was able to adjust my configuration to resolve the issue.  I had been using IPv6 with Unique Local Addresses but didn't want to switch my configuration around until I was able to confirm everything was working.  Because none of my interfaces had "Track Interface" set, it wasn't actually requesting an address.  Once I set my LAN to track the WAN, I received an address and prefix.  Thanks!

  • Configure fixed IP with PPPoE and /56 assignment

    17
    0 Votes
    17 Posts
    2k Views
    G

    Well, a follow-up to let others know the final outcome.

    First, many thanks to all who helped me.  I truly appreciate spending your time on my problems!

    As it turns out, all I could get from my ISP was
    1. A (pseudo) static IPv4 which I get by PPPoE (same address guaranteed but always assigned through PPPoE negotiation).
    2. A dynamic /128 assigned by DHCPv6 over the PPPoE connection
    3. A (pseudo) static /56 assigned by DHCPv6-PD over the PPPoE connection
    Note that the IPv6 communication between the router and the ISP uses a link local address, NOT the /128.  In fact, the /128 is not needed at all (as you will see)!

    Here is how I configured:
    1. Per the requirements of my ISP, I configured the WAN IPv4 as PPPoE and the WAN IPv6 as DHCP over the IP4 link with a /56 prefix.  From this I found out my /56.
    2. I then chose a prefix ID of ff for WAN addresses, 00 for LAN and 01 for VoIP (another inside LAN).
    3. I created a WAN virtual IP/IP alias from the WAN /64 I chose and the MAC address of the WAN adapter.
    4. I made the LAN and VoIP interface IPv6 assignment to be Track Interface tracking the WAN /56 using prefix IDs 00 and 01 respectively
    5. I enabled DHCPv6 and RA on LAN and VoIP
    6. "normal" firewall rules (especially adding ICMPv6 req on WAN)

    Kinda simple.

    The amazing thing is that the IPv6 "WAN address" as known by pfSense (e.g. for binding OpenVPN etc) IS THE ALIAS!!!  This, it turns out, is ideal for me.  The ONLY dynamic address (the DHCPv6 assigned global WAN address) is totally irrelevant as I now have a static IPv6 global address!!  In fact the dynamic WAN address doesn't even show up in the GUI Status|Interfaces though it does show in command line ifconfig.

    The only place I have hardcoded an address (which I don't particularly like to do) is the alias.  One place. Just one.

    Finally, I added other things I use such as OpenVPN servers, OpenVPN clients etc. etc.

    All told, I'm very happy with what you people helped me set up and I'm testing it extensively.

  • Ipv6 Webserver issues

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ

    Ah going for your HE cert nice!!!  Love the T-Shirt…

    Been Sage Since Jan of 2011 ;)

  • DNS ipv6 with dynamic prefix

    3
    1 Votes
    3 Posts
    949 Views
    R

    I enabled the setting. The prefix no longer changes when I reboot the pfsense box, but a power cycle of the cable modem still changes the prefix.

    I am considering sending the fe80:: address of the pihole as DNS ip since that won't change.

    Still does not solve the problem, but it is a possible workaround.

    Thanks for the input.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.