@mrsunfire Thanks for the recommendation. I went with a Netgear CM700 and it works!

OK, now you have to determine if traffic for 2001:818:d9d9:ba00::/56 is arriving on your interface. Set up a packet capture like this and start it. The try to do stuff with it like ping6 2001:818:d9d9:ba01::1/56 from the outside, telnet to it from the outside, etc. Then stop the capture and see what is there. If you need someone to ping6 it from the outside holler. Hmm. This is interesting: [image: 1527707708131-screen-shot-2018-05-30-at-12.14.34-pm.png]

Get a tunnel to hurricane and a /48 and use static addressing. https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

"Please go back and look at the times when you said a link local address could not be used." Where did Derelict ever say that link-local can never be used? He did clearly point out the RFC that clearly states 2 scenario's where they do not work. "However, there are two cases where using a link-local address as the   next-hop clearly does not work.  One is when the static route is an   indirect (or multi-hop) static route.  The second is when the static   route is redistributed into another routing protocol.  In these   cases, the above text from RFC 4861 notwithstanding, either a GUA or   ULA must be used." I think this horse has been beaten enough ;)

I fixed it. I had to create an any/any rule on the LAN for icmpv6 traffic. There's actually an ICMPv6 protocol choice when your making a new rule for this specific thing. Once I did that those logs stopped showing up. Very little is using the rule, it's all been Link-Local addresses so far.

ULA has nothing to do with DHCPv6.  ULA is the IPv6 equivalent of IPv4 RFC 1918 addresses.  You can use it with SLAAC, DHCPv6 or manual configuration. just like global addresses.  I'd also recommend reading a good tutorial on IPv6.

huh? What version where you using before?  The interfaces you have IPv6 setup on would be listed under RA where you can enable it or not, etc.  And set its mode of operation, etc. [image: ra-interface.png] [image: ra-interface.png_thumb]

Thanks for your insightful comment.  It turns our you were right.  I had set up a bridge to get my 5 static IP addresses from Comcast onto a private VLAN.  Somewhere–and I'm still not sure where, the RA packets were leaking onto my LAN.  RA packets are IP6 packets, and I would think they could be filtered by PFSense even on a bridge, but apparently that is not the case. My work-around is to plug all of the interfaces that need a public IP directly into the Comcast router, and leave all of the others on my switch.  It's a little disappointing because I can't watch the traffic with PFSense, but it is working, and I'm not able to set my own nameservers.

^^^^ And in the process you've lost IPv6 entirely, which is dumb as that's where the world is moving to.  Perhaps it would have been better to set up a 6in4 tunnel as backup for IPv6.  Many people use he.net for that.

Thanks to both of you for your input.  I am trying to fix this as per the last post.

I have used an Asus Merlin with ipv6 and as far as I know it cannot delegate a prefix. It just hands out individual addresses. You should probably ask on the Merlin forum though. https://www.snbforums.com/forums/asuswrt-merlin.42/

@Gertjan: I'm using he.net myself for IPv6, which means the prefix is always the same. So, the good old 'static MAC/DUID' reservation works great - DNS registration included. Thanks for the hint. I found this redmine entry: https://redmine.pfsense.org/issues/2017 and can confirm, that DNS registration for static DHCPv6 leases works fine. But this is not an option for my setup. The clients are dynamic and the network is to big to maintain static dhcp leases. I've done some further research to the topic. In the redmine request the developer mentioned that the hostname is not send from the dhclient. I found out that this was an issue in the isc dhclient which is solved in version 4.3. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670865 I checked the Debian dhclient.conf and can confirm that there is an entry with: send host-name = gethostname(); So I guess the hostname should be send now. I checked then the dhcp6.leases file and found out that isc-dhcpd has no field for the hostname for ipv6. I found nothing in the ISC DHCPd tracker if they are working on this to add the hostname on the dhcp6.leases file. I found out that if dnsmasq is used as DHCP and DNS Server it should be possible to have DNS client registration with ipv6 out of the box. Unfortunately pfsense uses isc-dhcpd and I think there is no option to change this from a user perspective.

You could for sure give it a static inside whatever prefix you get.  But if they happen to hand you a different prefix all your scopes can change on you. Why they don't just assign customer prefix XYZ, /48 should be what they give you and be done with it.. If you want static and your ISP will not give you one - just head over to hurricane electric and grab the free /48 they will give you.  Now you have all the statics you want ever.. And what is nice is even if you change ISP you can just keep that /48.. Even if your isp doesn't support ipv6 you still have that /48, etc.. I have had the same prefix since 2013.. And even can setup PTR on any of the IPs I want in that /48 and recently moved to isp that doesn't have any IPv6 and means nothing to me.. Since it took all of 2 seconds to setup my tunnel again with all my boxes able to have the same exact ipv6 address they had with the previous isp. Really the only draw back to tunnel is a few extra ms latency vs native connectivity - depending on where the nearest pop and where HE peers with your isp, etc.  But they have pops all over the world. https://www.tunnelbroker.net/status.php

It is reaching upto my WAN port of Pfsense I am not authorized to share IP details

Sadly, gwf can't do bridge and mesh which is why I got gwf really. As it stands I have pfsense with a dhcpv6 server handing gwf a ipv6 address and prefix, but it doesn't seem to have internet access on wifi connected devices.  There has to be something I'm missing.  Hopefully someone has had some luck and can share what they have done.

I tried an online tool to traceroute to an address, and you are right about pfsense just dropping it, at least as far as I could tell. There shouldn't be any reason any internal device doing it, so it should be ok. I just wanted to make sure didn't get a nasty note from my ISP.