What I figured out, is that after adding a static ipv6 entry, until you restart the unbound service, it will not show in DNS Lookup. You can verify that the client got the lease, but no sign of it in DNS.

So after adding entries, then I restarted unbound, then DNS lookup works. Seems to me like you shouldn't have to do that, but that is only thing that I could find that works.

You do that by creating entries for both addresses, using the same host name.

I enabled these settings in OpenWRT's LAN interface and it seems to work. The LAN interface in pfsense gets an ipv6 address and the computers on LAN get an ipv6 address.

Normally, IPv6 addresses are assigned via SLAAC, where the router provides the network prefix and the client device creates the suffix, using either the MAC address or a random number.  Those addresses will not change unless the prefix does.  You can filter on those addresses for incoming traffic.  However, you usually can't filter on the address for outgoing traffic, as something called privacy addresses are used, which will change daily.

https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_.28SLAAC.29

it doesn't use mac for dhcp statics.  But sure still using mac to talk on the wire.

There is NO default allow rules in the wan gui out of the box…

Out of the box on the wan would be block rfc1918 and bogon.  There would no other rules there unless created by the user.

There are hidden rules say for dhcp when you enable dhcp on the wan.  And there will be ipv6 rules for your wan link local if you have ipv6 enabled.

You can always view the full rule set here.
https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

If your box is using teredo then all bets are off on the firewall rules since you just tunneled through it..

So I am guessing something firewall related I screwed up on somewhere.

One thing I've often found is it's better to start from scratch, as something might have been set that shouldn't have been.  Also, as I mentioned, keep things simple at first, to get it going, then go from there.

UPDATE:

The same exact steps were taking again this afternoon.

This time I observed the CPU level and waited until it leveled from near a 100% spike, post save/applying the interface changes, then rebooted the box.

All is good!!

It was very good for me to have a chance to read this great content. It is very useful.

I updated yesterday and it appears to be working OK, including IPv6.

It was an upgrade. I'm still getting the same global address from my ISP, and the isp is still routing replies to traffic fro both /64s that I'm sending request from, to pf. pf is just not routing the replies to /64 tha it delegates downstream to the google wifi, on to it. They arrive at the WAN port, and go no further. No firewall logs of them being blocked. Its as if after the upgrade, it cant see the route back to the lan for that prefix.

IPv6 Trafffic for th /64 that is directly trcked by the LAN interface is still working fine, its just replies to the delegated /64 that are not getting back to the LAN

I have the same problem. My LAN doesnt get an IPv6. My WAN interface receives one.

Right now I see in the logs```
Apr 2 15:46:37 dhcp6c 35833 advertise contains NoPrefixAvail status
Apr 2 15:46:37 dhcp6c 35833 Sending Solicit

@router_wang:

@JKnott:

…is there some reason why you don't want your WiFi on the same network as your local LAN?  The last time I did that was back in the 802.11b days, when only the insecure WEP encryption was available.  Then I had the WiFi on the outside of my firewall and used a VPN to access my network.  Currently, I just have an access point, not router, connected directly to my LAN, using WPA2 for encryption.

Guest WiFi access. Also "facebook" syndrome. Why let rogue cellphone apps inventory and probe your network.

I don't think a guest Wifi was the intent of the OP.  There's no reason why you can't have both LAN and guests on their own prefix.  Regardless, my point was there isn't much need to keep WiFi devices off of the local LAN, as WPA2 is quite secure.  That was not the case with WEP.

For anyone else reading this thread, I also had to configure my WAN interface for VLAN 201, set my WAN MTU to 1472 and MSS to 1448 then set my LAN interface MSS to 1448.