• What hidden rules are created for ICMPv6 and DHCPv6

    20
    0 Votes
    20 Posts
    3k Views
    johnpozJ
    There are NO default allow rules in the wan gui out of the box… Out of the box on the wan would be block rfc1918 and bogon.  There would be no other rules there unless created by the user. There are hidden rules, say for dhcp when you enable dhcp on the wan.  And there will be ipv6 rules for your wan link local if you have ipv6 enabled. You can always view the full rule set here. https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset If your box is using teredo then all bets are off on the firewall rules since you just tunneled through it.
  • IPv6 Wan rtsold permission denied

    12
    0 Votes
    12 Posts
    2k Views
    JKnottJ
    So I am guessing something firewall related I screwed up on somewhere. One thing I've often found is it's better to start from scratch, as something might have been set that shouldn't have been.  Also, as I mentioned, keep things simple at first, to get it going, then go from there.
  • Trials, Tribulations and Confirmations

    3
    0 Votes
    3 Posts
    610 Views
    R
    UPDATE: The same exact steps were taken again this afternoon. This time I observed the CPU level and waited until it leveled off from a near 100% spike, post save/applying the interface changes, then rebooted the box. All is good!!
  • IPv6 + Alias + Firewall Rules

    4
    0 Votes
    4 Posts
    790 Views
    G
    It was very good for me to have a chance to read this great content. It is very useful.
  • ICMPv6 Router Advertisements

    6
    0 Votes
    6 Posts
    1k Views
    JKnottJ
    I updated yesterday and it appears to be working OK, including IPv6.
  • Dual WAN with only 1 IPv6

    1
    0 Votes
    1 Posts
    336 Views
    No one has replied
  • IPv6 delegating prefix not working after upgrade

    5
    0 Votes
    5 Posts
    915 Views
    A
    It was an upgrade. I'm still getting the same global address from my ISP, and the ISP is still routing replies to traffic from both /64s that I'm sending requests from, to pf. pf is just not routing the replies to the /64 that it delegates downstream to the Google WiFi, on to it. They arrive at the WAN port, and go no further. No firewall logs of them being blocked. It's as if after the upgrade, it can't see the route back to the LAN for that prefix. IPv6 traffic for the /64 that is directly tracked by the LAN interface is still working fine; it's just replies to the delegated /64 that are not getting back to the LAN.
  • PFsense 2.4 IPV6 with a domain controller

    1
    0 Votes
    1 Posts
    435 Views
    No one has replied
  • Use Delegate IPv6 Prefix in LAN

    11
    0 Votes
    11 Posts
    2k Views
    M
    I have the same problem. My LAN doesn't get an IPv6. My WAN interface receives one.
  • 64share IPv6 with tethered iPhone

    2
    0 Votes
    2 Posts
    844 Views
    M
    Right now I see in the logs:
    ```
    Apr 2 15:46:37 dhcp6c 35833 advertise contains NoPrefixAvail status
    Apr 2 15:46:37 dhcp6c 35833 Sending Solicit
    ```
    But why? Here's a short dump: ![](https://i.imgur.com/2ujp779.jpg)
  • [SOLVED] How to IPv6 on multiple LANS? Track interface only supports one.

    Locked
    6
    0 Votes
    6 Posts
    1k Views
    DerelictD
    Do not think of an IPv6 prefix in terms of the number of addresses on a subnet. That is always /64. Think of it in terms of the number of /64 networks you have available to use on interfaces.
    /48 = 65536 /64s or 256 /56s for routing, delegation.
    /56 = 256 /64s
    /60 = 16 /64s
    You can call it ridiculous all you want. It is the way IPv6 is designed. Embrace it knowing you never ever ever have to worry about subnet size again.
  • IPV6 Track Interface

    14
    0 Votes
    14 Posts
    9k Views
    JKnottJ
    @router_wang: @JKnott: …is there some reason why you don't want your WiFi on the same network as your local LAN?  The last time I did that was back in the 802.11b days, when only the insecure WEP encryption was available.  Then I had the WiFi on the outside of my firewall and used a VPN to access my network.  Currently, I just have an access point, not router, connected directly to my LAN, using WPA2 for encryption. Guest WiFi access. Also "facebook" syndrome. Why let rogue cellphone apps inventory and probe your network. I don't think a guest Wifi was the intent of the OP.  There's no reason why you can't have both LAN and guests on their own prefix.  Regardless, my point was there isn't much need to keep WiFi devices off of the local LAN, as WPA2 is quite secure.  That was not the case with WEP.
  • Centurylink IPv6 issues

    4
    0 Votes
    4 Posts
    4k Views
    G
    For anyone else reading this thread, I also had to configure my WAN interface for VLAN 201, set my WAN MTU to 1472 and MSS to 1448 then set my LAN interface MSS to 1448.
  • DHCPv6 with PD - WAN not allocated address

    6
    0 Votes
    6 Posts
    863 Views
    B
    It works now. :) I didn't change anything however so my ISP must've done something.
  • IPV6 Out range

    6
    0 Votes
    6 Posts
    875 Views
    JKnottJ
    Why do you think the WAN address should be within your /60?  With that /60, you can have up to 16 LANs with a /64 prefix within 2600:8801:1d00:DE50 - 2600:8801:1d00:DE5E.  Normally, with IPv6, the ISP will assign a WAN address that is outside of your prefix.  That is certainly the case here.  Also, you don't actually need a routable address on the WAN port, as routing, in IPv6, is normally done over the link local addresses.  The routable address on the WAN interface would only be used for management and diagnostics.
  • NDP proxy where are you

    50
    0 Votes
    50 Posts
    21k Views
    jimpJ
    Then lobby your ISP to get it fixed. If we add workarounds for broken designs, then ISPs will have no incentive to fix their broken designs.
  • TLS handshake fails for some sites over IPv6?

    3
    0 Votes
    3 Posts
    2k Views
    X
    No, the problem disappeared by itself… Probably an issue with my ISP?
  • PfSense 2.4.2, dual WAN IPv4 and HE IPv6 trouble…

    2
    0 Votes
    2 Posts
    705 Views
    P
    I can add that I use a Windows 2016 IPv6 DHCP server for address leasing. My pfSense is set up for Unmanaged Router Advertisement. And I attach my LAN interface config. Thanks in advance for any help. ///Peter! [image: IPv6_RA.PNG] [image: LAN_Interface.PNG]
  • Netgate SG-4860 crashing when changing WAN IPv6 parameters?

    5
    0 Votes
    5 Posts
    880 Views
    R
    I think something might have been locking me out with the firewall rules when making interface changes. In my case, I basically have a DMZ router hop to an internal network.  In order to rule this out, I connected my laptop directly to the LAN port of the Netgate. I'm now able to make changes to the interfaces and not get locked out. I'm also on Comcast, I set a prefix delegation hint of /60 and they happily handed me back that prefix.  Something to keep in mind if you need more subnets :)
  • Logged, but not formatted

    5
    0 Votes
    5 Posts
    776 Views
    H
    @JKnott: The only LL packets that pfSense can see are those that pass through a pfSense interface.  I know about the multicast packets for things such as router advertisements etc..  However, MLD is used to discover which devices on a local LAN want to receive specific multicasts from elsewhere, not those originating on the local LAN.  For example, if your computer wants to listen to some multicast out on the net, the routers (and possibly switches) listen for the request and then arrange to get that multicast from the source and pass it on to the requesting device(s).
    Agreed; all the packets logged are from potential LAN clients of a multicast stream that the pfsense router has access to. If you execute "netstat -s -s" you can see that under icmp6: it has a reference to "MLDv2 listener report", which I am guessing means the number of listeners observed since boot.
    @JKnott: There is no need to do this on the local network.  Also, multicasts are not received by every node on the network.  They are filtered by multicast MAC address in the NIC, so that if a node is not interested in a particular multicast, it doesn't hear it.
    Yes, I understand and agree that multicasts are not received by every node. My understanding is that the higher level IP protocols configure the Ethernet interface according to their needs to take advantage of the NIC's ability to ignore Ethernet multicast traffic in hardware. The packets coming from various LL addresses on my LAN are sending to an IPv6 multicast address (ff02::16) that must be enabled by the pfsense router based upon a reserved Ethernet multicast address for MLDv2. I know how the old mapping of IPv4 multicast addresses was handled, but have not come across the equivalent method that supports IPv6 multicast addresses. IPv6 has many multicast addresses defined for LL traffic (https://www.iana.org/assignments/ipv6-multicast-addresses/link-local.csv)
    @JKnott: This differs from IPv4 broadcasts that all devices receive.  The only thing that's comparable in IPv6 is the all nodes multicast, which is received by all nodes and used for things like router advertisements.  Also, that "2" in ff02 refers to the scope, in this case link local.  That means a router will ignore it, as it doesn't have anything to do.
    Both IPv4 and IPv6 use Ethernet multicast. IPv4 also uses Ethernet broadcast, which is not supported in IPv6, but, as you pointed out, if every IPv6 node enables the same Ethernet multicast address on a specific interface, then there is an effective link broadcast address. Routers will NOT repeat that traffic onto other links.
    @JKnott: BTW, RFC 3810 has been superseded by RFC 4604.
    RFC4604 is an update to RFCs 3376 and 3810 and clarifies how IGMPv3 is related to MLDv2. And, I still am waiting to hear why there is selective filtering of logged traffic. I wonder what else is unformatted besides MLDv2 listener reports…
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.