^^^^ And in the process you've lost IPv6 entirely, which is dumb as that's where the world is moving to.  Perhaps it would have been better to set up a 6in4 tunnel as backup for IPv6.  Many people use he.net for that.

Thanks to both of you for your input.  I am trying to fix this as per the last post.

I have used an Asus Merlin with ipv6 and as far as I know it cannot delegate a prefix. It just hands out individual addresses. You should probably ask on the Merlin forum though. https://www.snbforums.com/forums/asuswrt-merlin.42/

@Gertjan: I'm using he.net myself for IPv6, which means the prefix is always the same. So, the good old 'static MAC/DUID' reservation works great - DNS registration included. Thanks for the hint. I found this redmine entry: https://redmine.pfsense.org/issues/2017 and can confirm, that DNS registration for static DHCPv6 leases works fine. But this is not an option for my setup. The clients are dynamic and the network is to big to maintain static dhcp leases. I've done some further research to the topic. In the redmine request the developer mentioned that the hostname is not send from the dhclient. I found out that this was an issue in the isc dhclient which is solved in version 4.3. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670865 I checked the Debian dhclient.conf and can confirm that there is an entry with: send host-name = gethostname(); So I guess the hostname should be send now. I checked then the dhcp6.leases file and found out that isc-dhcpd has no field for the hostname for ipv6. I found nothing in the ISC DHCPd tracker if they are working on this to add the hostname on the dhcp6.leases file. I found out that if dnsmasq is used as DHCP and DNS Server it should be possible to have DNS client registration with ipv6 out of the box. Unfortunately pfsense uses isc-dhcpd and I think there is no option to change this from a user perspective.

You could for sure give it a static inside whatever prefix you get.  But if they happen to hand you a different prefix all your scopes can change on you. Why they don't just assign customer prefix XYZ, /48 should be what they give you and be done with it.. If you want static and your ISP will not give you one - just head over to hurricane electric and grab the free /48 they will give you.  Now you have all the statics you want ever.. And what is nice is even if you change ISP you can just keep that /48.. Even if your isp doesn't support ipv6 you still have that /48, etc.. I have had the same prefix since 2013.. And even can setup PTR on any of the IPs I want in that /48 and recently moved to isp that doesn't have any IPv6 and means nothing to me.. Since it took all of 2 seconds to setup my tunnel again with all my boxes able to have the same exact ipv6 address they had with the previous isp. Really the only draw back to tunnel is a few extra ms latency vs native connectivity - depending on where the nearest pop and where HE peers with your isp, etc.  But they have pops all over the world. https://www.tunnelbroker.net/status.php

It is reaching upto my WAN port of Pfsense I am not authorized to share IP details

Sadly, gwf can't do bridge and mesh which is why I got gwf really. As it stands I have pfsense with a dhcpv6 server handing gwf a ipv6 address and prefix, but it doesn't seem to have internet access on wifi connected devices.  There has to be something I'm missing.  Hopefully someone has had some luck and can share what they have done.

I tried an online tool to traceroute to an address, and you are right about pfsense just dropping it, at least as far as I could tell. There shouldn't be any reason any internal device doing it, so it should be ok. I just wanted to make sure didn't get a nasty note from my ISP.

What he said [image: screenshot-2018-04-30-11-16-05.png] [image: screenshot-2018-04-30-11-16-05.png_thumb]

Thanks.  That gave me the information I needed.  A few more searches later and I was able to adjust my configuration to resolve the issue.  I had been using IPv6 with Unique Local Addresses but didn't want to switch my configuration around until I was able to confirm everything was working.  Because none of my interfaces had "Track Interface" set, it wasn't actually requesting an address.  Once I set my LAN to track the WAN, I received an address and prefix.  Thanks!

Well a followup to let others know the final outcome. First, many thanks to all who helped me.  I truly appreciate spending your time on my problems! As it turns out, all I could get from my ISP was 1. A (pseudo) static IPv4 which I get by PPPoE (same address guaranteed but always assigned through PPPoE negotiation. 2. A dynamic /128 assigned by DHCPv6 over the PPPoE connection 3. A (pseudo) static /56 assigned by DHCPv6-PD over the PPPoE connection Note that the IPv6 communication between the router and the ISP uses a link local address, NOT the /128.  In fact, the /128 is not needed at all (as you will see)! Here is how I configured: 1. Per the requirements of my ISP, I configured the WAN IPv4 as PPPoE and the WAN IPv6 as DHCP over the IP4 link with a /56 prefix.  From this I found out my /56. 2. I then chose a prefix ID of ff for WAN addresses, 00 for LAN and 01 for VoIP (another inside LAN). 3. I created a WAN virtual IP/IP alias from the WAN /64 I chose and the mac address of the WAN adapter. 4. I made the LAN and VoIP interface IPv6 assignment to be Track Interface tracking the WAN /56 using prefix IDs 00 and 01 respectively 5. I enabled DHCPv6 and RA on LAN and VoIP 6. "normal" firewall rules (especially adding ICMPv6 req on WAN) Kinda simple. The amazing thing is that the IPv6 "WAN address" as known by pfSense (e.g. for binding OpenVPN etc) IS THE ALIAS!!!  This, it turns out, is ideal for me.  The ONLY dynamic address (the DHCPv6 assigned global WAN address) is totally irrelevant as I now have a static IPv6 global address!!  In fact the dynamic WAN address doesn't even show up in the GUI Status|Interfaces though it does show in command line ifconfig. The only place I have hardcoded an address (which I don't particularly like to do) is the alias.  One place. Just one. Finally, I added other things I use such as OpenVPN servers, OpenVPN clients etc. etc. All told, I'm very happy with what you people helped me set up and I'm testing it extensively.

Ah going for your HE cert nice!!!  Love the T-Shirt… Been Sage Since Jan of 2011 ;) [image: create_badge.php?pass_name=johnpoz&badge=3]

I enabled the setting. The prefix no longer changes when I reboot the pfsense box, but a power cycle of the cable modem still changes the prefix. I am considering sending the fe80:: address of the pihole as DNS ip since that won't change. Still does not solve the problem, but it is a possible workaround. Thanks for the input.

What I figured out, is that after adding a static ipv6 entry, until you restart the unbound service, it will not show in DNS Lookup. You can verify that the client got the lease, but no sign of it in DNS. So after adding entries, then I restarted unbound, then DNS lookup works. Seems to me like you shouldn't have to do that, but that is only thing that I could find that works.

You do that by creating entries for both addresses, using the same host name.

I enabled these settings in OpenWRT's LAN interface and it seems to work. The LAN interface in pfsense gets an ipv6 address and the computers on LAN get an ipv6 address. [image: TYCU8Nz.png]

Normally, IPv6 addresses are assigned via SLAAC, where the router provides the network prefix and the client device creates the suffix, using either the MAC address or a random number.  Those addresses will not change unless the prefix does.  You can filter on those addresses for incoming traffic.  However, you usually can't filter on the address for outgoing traffic, as something called privacy addresses are used, which will change daily. https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_.28SLAAC.29

it doesn't use mac for dhcp statics.  But sure still using mac to talk on the wire.