  • IPv6 dhcpd/slaac

    0 Votes
    8 Posts
    1k Views
    @Ofloo: never mind spoke too soon :/ The port has vlan tags of several vlans enabled so not quite sure what you're referring to when you're talking about retagging the traffic, .. but i think what you're saying i already did.
    What is connected to that port? Is the connected device VLAN aware? Is it set up for multiple VLANs? Is this happening on more than one port with more than one device/client? Best bet is to use wireshark on a port that has this issue and look at the RA packets, confirm they are tagged at all and correctly for the VLAN for the subnet being advertised, if they are then set your sights on the client/s.
  • Pfsense won't issue

    0 Votes
    7 Posts
    1k Views
    would there be any issues due to the built-in ethernet switch? –jason
  • IPV6, IPV4, traffic shaping, and pfblockerng

    0 Votes
    2 Posts
    760 Views
    Gertjan
    @m3nt0r123: I have a simple home network. Just a handful of devices with an AP providing WiFi. I realized that a number of devices are using IPV6 instead of static IPV4 addresses I assigned. I read through the documentation and am thoroughly confused and need some guidance.
    Pure IPv6 devices exist when you force them to use only IPv6. I guess you didn't, so they all ask (DHCP) for an IPv4 and, if they can handle it, an IPv6.
    @m3nt0r123: I want to ensure my traffic shaping (PRIQ) works as intended and that my packages function as intended as well. I have floating rules for traffic shaping to prioritize traffic but imagine those rules are not applied since an IPV6 lease is assigned to the device rather than the static IPV4.
    Can't tell, never shaped anything in my life.
    @m3nt0r123: Should I disable IPV6?
    Maybe, for the time being. But guidance isn't what you need. IPv6 is a huge subject. As "IPv4", you'll have to go through the "learning phase".
    @m3nt0r123: Am I able to apply PRIQ to IPV6? Is it already applied?
    Never heard that shaping, or "PRIQ" is IPv4-only.
    @m3nt0r123: Should my other packages work as expected (pfblockerng, suricata)?
    pfblockerng will work well - check up with their support. But you should know that the concept of "lists with bad IPv6" will never work out in the future, it's simply too big. Using DNSBL still works. suricata is more a packet inspection tool. These are still the same. The "IPv4" or "IPv6" is just the envelope that transports the packet.
    The thing is: as a firewall operator you do not have a choice, you should become friends with IPv6. Remember: a firewall handles IP packets. And IP means: IPv4 or IPv6, knowing that IPv4 will fade out (in the next decade so you have some time ;))
  • Comcast business head-scratcher…

    0 Votes
    7 Posts
    1k Views
    Agree, you are right, all the services that depended upon a static IP long ago moved to AWS, so I should just ditch it, good thought. Esp since Route53 works beautifully with pF's dynDNS updater.. Is there nothing that pF won't do (better) ?
  • Delegation and NPt

    0 Votes
    1 Posts
    519 Views
    No one has replied
  • Noob question - ipv6 only on wan side

    0 Votes
    7 Posts
    3k Views
    Thx for all answers.
  • IPv6 DHCPv6 Lease Giving Bad Route to Gateway

    0 Votes
    8 Posts
    1k Views
    @JKnott: You could also use Packet Capture or Wireshark to see if pfSense is actually sending out RAs with the wrong gateway, or if they're coming from elsewhere. You have to filter on ICMP6 to capture them. If you use Packet Capture, you may want to download the capture file and use Wireshark to examine it, as Wireshark provides more info than the list shown in Packet Capture.
    You were right. I wiresharked it and found out that my old EdgeMax router was sending out router advertisements. Factory reset the darn thing and all is right on the network. At least, it wasn't DNS. Thank you for your help.
  • Monitoring IPv6 WAN logs

    0 Votes
    1 Posts
    461 Views
    No one has replied
  • IPv6 with HE Tunnel: ping works, but TCP fails to establish

    0 Votes
    17 Posts
    7k Views
    Some updates: I recently switched to a new ISP (BT Infinity) so decided to give this another go. Unfortunately the exact same ACK dropping issue still happens with BT's Smart Hub (Home Hub 6A). This time I come across this post https://ttlexpired.co.uk/2016/02/12/ipv6-tunnel-and-failing-tcp-sessions/ describing a very similar issue from an engineer working for SKY and he concluded this is a bug with Broadcom SoC's "flow cache" mechanism, and by disabling flow cache the issue can be mitigated. Both my old SKY router SR102 and BT's new hub use Broadcom's SoC, so I have a strong suspicion that this is indeed the root cause. I'm no longer with SKY so can't experiment with it, but for anyone stumbling across this post via Google, you might be able to play with it by compiling your own SR102 firmware from SKY's GPL tarball and try to disable flow cache. Unfortunately BT has yet to release the source code for its Smart Hub, so I'm still stuck.
  • Weird behavior with 6rd, radvd, wan interface

    0 Votes
    5 Posts
    880 Views
    Wan is not static,  when this happens 6rd appears to be up and the Lan hands out valid v6 addresses just no routes are assigned. I've also been noticing issues with other things.  I got the kids a switch for Xmas and had to set up a hybrid outbound NAT rule but it only works for awhile and then I have to go back in and edit/save to get the switch connectivity working again.
  • Which v6 interface to bind HAProxy to?

    0 Votes
    3 Posts
    1k Views
    I could do that, but my ISP allocates me a dynamic address - is there a way of allocating a /64 prefixed space to a virtual IP block? I can't work it out, nor can I find any documentation on how to do so.
  • Comcast xfinity (residential) non-responsive

    0 Votes
    1 Posts
    552 Views
    No one has replied
  • Disable ipv6 for some LAN clients

    0 Votes
    5 Posts
    1k Views
    johnpoz
    If you're wanting to use ipv6 for some clients and not others you have 2 ways to go about it if you ask me..
    1. Complete static, do not run RA, do not run dhcpipv6.. Any clients that want to use ipv6 will have to be set up with static ipv6 to be able to talk to pfsense, and get outbound on it, etc. This allows you to easily firewall and only allow specific IPs that you set on clients. You're going to want to turn off privacy ipv6 on the client as well or they will just use some random ipv6 in the prefix you set up as their outgoing source IPv6..
    2. You can set up RA and or dhcpv6, etc.. But disable ipv6 on the client completely.. This might not be available on some clients, refer to option 1
    I use option 1… It allows me to use ipv6 on the devices I want to use ipv6 on while not having to worry about it on other devices.. Actually sort of a hybrid of 1 and 2 - since I also disable ipv6 on any device I can that I am not going to be using it on..
  • IPv6 Alias Stacked with CARP Interface.

    0 Votes
    4 Posts
    977 Views
    Hi Derelict,
    Thanks a lot for your reply. As I mentioned, we announce this subnet and I have full control over the routes. I also do have a static route to route the whole /32 prefix to the WAN CARP VIP. The idea is that I don't want to use DHCP6; when a customer needs an IPv6 subnet what I do is just add the first IP of that subnet as an IP Alias stacked with the V1050 CARP VIP, and that IP will also be the gateway for the customer who will use this subnet.
    After digging more, it seems it's not a routing or setup problem, it's actually a firewall rules issue. It seems that pfsense doesn't add the IPv6 IP Aliases to the auto-created Aliases. I'm not sure if anyone had this issue, but if no one has opened a bug report about it then I will do it.
    Here is what happens. I do have IN and OUT rules configured on WAN:
    Protocol: IPv4+6
    Source: any
    Destination: V1050 net ---> this is supposed to include any IP that is assigned to the V1050 interface including IP Aliases, and it's an Auto Alias created by pfsense.
    On V1050 I have firewall rules to allow all traffic.
    So basically whatever IPv6 IP Alias you add to the V1050 interface you should reach it, but this doesn't work cause the V1050 net Alias doesn't include that new IP Alias. I added a new firewall rule on WAN to allow traffic to that new IP Alias and I was able to reach it.
    Best Regards
  • [Solved] Comcast Residential ipv6 doesnt work

    0 Votes
    3 Posts
    912 Views
    MikeV7896
    In your WAN settings, you want to request a different prefix size. With residential service, you can request as low as /60, which will give you 16 /64's to use on various networks. You will want to delete your DUID after changing the setting (you'll need to shell to the router and rm /var/db/dhcp6c_duid) then release/renew the WAN connection so it creates a new DUID and requests a new lease and prefix from Comcast's DHCPv6 server. Then you should be able to set up multiple networks using Track Interface and select a different prefix ID for each network.
  • PfSense as HE Tunnel Router

    0 Votes
    3 Posts
    1k Views
    Hi pmisch,
    thanks a lot for your reply!
    Only ping is (was) working, nothing else. I did not dig into routing issues because ping was working. If ICMP packages are routed correctly, I assume correct routing tables. I was already looking into the tcpdump on the firewall, I'm not an expert in reading this traffic but I did not see any problems here.
    Over the xmas days I had some time to review my whole network, and I found a really embarrassing fault. I've had an additional network interface active on my server I've never used and used the same IPv4 address for pfSense. After disabling this interface pfSense is now working as expected.
    Still testing everything, but this post goes already over the pfSense VM.
    Nevertheless thank you again for replying!
    Btw: What sounds German? My English or my problem? ;-) But yes, you nailed it…
  • What is the one true way of using or configuring a single /64 IPv6 prefix?

    0 Votes
    21 Posts
    9k Views
    JKnott
    Shouldn't it be possible to use SLAAC for a link-local WAN connection with the ISP router
    If you take a peek with Wireshark or packet capture, you'll find routers normally use the link local address. It doesn't need a public address to be able to route traffic.
  • Australian FTTP NBN

    0 Votes
    8 Posts
    2k Views
    i'm in the same boat (on FTTP NBN) using pfsense and unable to get ipv6 working
    just for the purposes of testing i spun up a sophos utm instance and got an ipv6 lease immediately (could ping6 from WAN but PD did not work due to current version only supporting /64 PD)
    next i tested a ubiquiti edgerouter lite and can get full ipv6 working (correct settings are /56 PD with prefix-only, wan interface keeps a link-local address and each internal/lan interface gets a PD and all clients get an ipv6 lease inside the prefix).
    pfsense is my preferred platform however i am unable to get any ipv6 traffic flowing at all
    running a tcpdump i can see neighbour solicitations from my provider (telstra)
    would appreciate some assistance if anyone has any further insights
  • IPv6 prefix delegation to OVPN interfaces

    0 Votes
    6 Posts
    1k Views
    Derelict
    Depends on the delegation. For :00e4: and :00ff: to be in the same delegation it would have to be a /56. :00ef: and :00e4: are in the same /60.
  • How to release/renew DHCP6 IPv6 (to move from /64 -> /60)?

    0 Votes
    11 Posts
    8k Views
    @razzfazz: You can do it from the command line by deleting the DUID file and killing & restarting dhcp6c manually.
    Thanks for that tidbit… I renamed the file and (since it said service dhcp6c wasn't running?) I restarted the router, and it did acquire an IPv6 block for the LAN as desired.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.