@johnpoz said in avoid using IPv6 for host/domain: Could you give an example site that does this? That was one of my SIP providers, here is the message I see after login: Sorry, your IP address is marked as high risk or you're accessing our web site through IP proxy or VPN. We can't provide a service to you. I'll try the script suggested, thanks!

@jimp said in Firewall rules bug?: Yeah it was a validation problem. GIGO. I added some frontend and backend validation. Put those changes in by hand, and it does parse the above case correctly, throws a red The following input errors were detected: The specified source address is not a valid IPv6 prefix perfect!

@alankeny said in Static addresses for servers: Thanks for confirming this. I started with how-to guides that kept referring to EUI-64 addresses based on the MAC with “ff:fe” in the middle. I couldn’t find any of these, since it doesn’t seem like they’re really used very much any more. I k They are. They're default on Linux, but Windows defaults to a random number. However, it can be configured to use the MAC address instead.

Nice digging. Thanks for getting back.

@johnpoz @Derelict Is there another way? Can I do something with Virtual IP maybe? (If I don't want a tunnel broker)

@donzalmrol said in How to retrieve my IPv6 default gateway?: I was in the understanding that I would have a IPv6 gateway in the same range (2a02:.../56) like I have with my public IP (81.83.0.1/19). No.

Nothing new here? Am I the only one with these strange things happening?

@mrsunfire Thanks for the recommendation. I went with a Netgear CM700 and it works!

OK, now you have to determine if traffic for 2001:818:d9d9:ba00::/56 is arriving on your interface. Set up a packet capture like this and start it. The try to do stuff with it like ping6 2001:818:d9d9:ba01::1/56 from the outside, telnet to it from the outside, etc. Then stop the capture and see what is there. If you need someone to ping6 it from the outside holler. Hmm. This is interesting: [image: 1527707708131-screen-shot-2018-05-30-at-12.14.34-pm.png]

Get a tunnel to hurricane and a /48 and use static addressing. https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

"Please go back and look at the times when you said a link local address could not be used." Where did Derelict ever say that link-local can never be used? He did clearly point out the RFC that clearly states 2 scenario's where they do not work. "However, there are two cases where using a link-local address as the   next-hop clearly does not work.  One is when the static route is an   indirect (or multi-hop) static route.  The second is when the static   route is redistributed into another routing protocol.  In these   cases, the above text from RFC 4861 notwithstanding, either a GUA or   ULA must be used." I think this horse has been beaten enough ;)

I fixed it. I had to create an any/any rule on the LAN for icmpv6 traffic. There's actually an ICMPv6 protocol choice when your making a new rule for this specific thing. Once I did that those logs stopped showing up. Very little is using the rule, it's all been Link-Local addresses so far.

ULA has nothing to do with DHCPv6.  ULA is the IPv6 equivalent of IPv4 RFC 1918 addresses.  You can use it with SLAAC, DHCPv6 or manual configuration. just like global addresses.  I'd also recommend reading a good tutorial on IPv6.

huh? What version where you using before?  The interfaces you have IPv6 setup on would be listed under RA where you can enable it or not, etc.  And set its mode of operation, etc. [image: ra-interface.png] [image: ra-interface.png_thumb]

Thanks for your insightful comment.  It turns our you were right.  I had set up a bridge to get my 5 static IP addresses from Comcast onto a private VLAN.  Somewhere–and I'm still not sure where, the RA packets were leaking onto my LAN.  RA packets are IP6 packets, and I would think they could be filtered by PFSense even on a bridge, but apparently that is not the case. My work-around is to plug all of the interfaces that need a public IP directly into the Comcast router, and leave all of the others on my switch.  It's a little disappointing because I can't watch the traffic with PFSense, but it is working, and I'm not able to set my own nameservers.