What he said [image: screenshot-2018-04-30-11-16-05.png] [image: screenshot-2018-04-30-11-16-05.png_thumb]

Thanks.  That gave me the information I needed.  A few more searches later and I was able to adjust my configuration to resolve the issue.  I had been using IPv6 with Unique Local Addresses but didn't want to switch my configuration around until I was able to confirm everything was working.  Because none of my interfaces had "Track Interface" set, it wasn't actually requesting an address.  Once I set my LAN to track the WAN, I received an address and prefix.  Thanks!

Well a followup to let others know the final outcome. First, many thanks to all who helped me.  I truly appreciate spending your time on my problems! As it turns out, all I could get from my ISP was 1. A (pseudo) static IPv4 which I get by PPPoE (same address guaranteed but always assigned through PPPoE negotiation. 2. A dynamic /128 assigned by DHCPv6 over the PPPoE connection 3. A (pseudo) static /56 assigned by DHCPv6-PD over the PPPoE connection Note that the IPv6 communication between the router and the ISP uses a link local address, NOT the /128.  In fact, the /128 is not needed at all (as you will see)! Here is how I configured: 1. Per the requirements of my ISP, I configured the WAN IPv4 as PPPoE and the WAN IPv6 as DHCP over the IP4 link with a /56 prefix.  From this I found out my /56. 2. I then chose a prefix ID of ff for WAN addresses, 00 for LAN and 01 for VoIP (another inside LAN). 3. I created a WAN virtual IP/IP alias from the WAN /64 I chose and the mac address of the WAN adapter. 4. I made the LAN and VoIP interface IPv6 assignment to be Track Interface tracking the WAN /56 using prefix IDs 00 and 01 respectively 5. I enabled DHCPv6 and RA on LAN and VoIP 6. "normal" firewall rules (especially adding ICMPv6 req on WAN) Kinda simple. The amazing thing is that the IPv6 "WAN address" as known by pfSense (e.g. for binding OpenVPN etc) IS THE ALIAS!!!  This, it turns out, is ideal for me.  The ONLY dynamic address (the DHCPv6 assigned global WAN address) is totally irrelevant as I now have a static IPv6 global address!!  In fact the dynamic WAN address doesn't even show up in the GUI Status|Interfaces though it does show in command line ifconfig. The only place I have hardcoded an address (which I don't particularly like to do) is the alias.  One place. Just one. Finally, I added other things I use such as OpenVPN servers, OpenVPN clients etc. etc. All told, I'm very happy with what you people helped me set up and I'm testing it extensively.

Ah going for your HE cert nice!!!  Love the T-Shirt… Been Sage Since Jan of 2011 ;) [image: create_badge.php?pass_name=johnpoz&badge=3]

I enabled the setting. The prefix no longer changes when I reboot the pfsense box, but a power cycle of the cable modem still changes the prefix. I am considering sending the fe80:: address of the pihole as DNS ip since that won't change. Still does not solve the problem, but it is a possible workaround. Thanks for the input.

What I figured out, is that after adding a static ipv6 entry, until you restart the unbound service, it will not show in DNS Lookup. You can verify that the client got the lease, but no sign of it in DNS. So after adding entries, then I restarted unbound, then DNS lookup works. Seems to me like you shouldn't have to do that, but that is only thing that I could find that works.

You do that by creating entries for both addresses, using the same host name.

I enabled these settings in OpenWRT's LAN interface and it seems to work. The LAN interface in pfsense gets an ipv6 address and the computers on LAN get an ipv6 address. [image: TYCU8Nz.png]

Normally, IPv6 addresses are assigned via SLAAC, where the router provides the network prefix and the client device creates the suffix, using either the MAC address or a random number.  Those addresses will not change unless the prefix does.  You can filter on those addresses for incoming traffic.  However, you usually can't filter on the address for outgoing traffic, as something called privacy addresses are used, which will change daily. https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_.28SLAAC.29

it doesn't use mac for dhcp statics.  But sure still using mac to talk on the wire.

There is NO default allow rules in the wan gui out of the box… Out of the box on the wan would be block rfc1918 and bogon.  There would no other rules there unless created by the user. There are hidden rules say for dhcp when you enable dhcp on the wan.  And there will be ipv6 rules for your wan link local if you have ipv6 enabled. You can always view the full rule set here. https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset If your box is using teredo then all bets are off on the firewall rules since you just tunneled through it..

So I am guessing something firewall related I screwed up on somewhere. One thing I've often found is it's better to start from scratch, as something might have been set that shouldn't have been.  Also, as I mentioned, keep things simple at first, to get it going, then go from there.

UPDATE: The same exact steps were taking again this afternoon. This time I observed the CPU level and waited until it leveled from near a 100% spike, post save/applying the interface changes, then rebooted the box. All is good!!

It was very good for me to have a chance to read this great content. It is very useful.

I updated yesterday and it appears to be working OK, including IPv6.

It was an upgrade. I'm still getting the same global address from my ISP, and the isp is still routing replies to traffic fro both /64s that I'm sending request from, to pf. pf is just not routing the replies to /64 tha it delegates downstream to the google wifi, on to it. They arrive at the WAN port, and go no further. No firewall logs of them being blocked. Its as if after the upgrade, it cant see the route back to the lan for that prefix. IPv6 Trafffic for th /64 that is directly trcked by the LAN interface is still working fine, its just replies to the delegated /64 that are not getting back to the LAN