• IPv6 with HE Tunnel: ping works, but TCP fails to establish

    17
    0 Votes
    17 Posts
    7k Views
    X
    Some updates: I recently switched to a new ISP (BT Infinity) so decided to give this another go. Unfortunately the exact same ACK dropping issue still happens with BT's Smart Hub (Home Hub 6A). This time I came across this post https://ttlexpired.co.uk/2016/02/12/ipv6-tunnel-and-failing-tcp-sessions/ describing a very similar issue from an engineer working for SKY and he concluded this is a bug with Broadcom SoC's "flow cache" mechanism, and by disabling flow cache the issue can be mitigated. Both my old SKY router SR102 and BT's new hub use Broadcom's SoC, so I have a strong suspicion that this is indeed the root cause. I'm no longer with SKY so can't experiment with it, but for anyone stumbling across this post via Google, you might be able to play with it by compiling your own SR102 firmware from SKY's GPL tarball and try to disable flow cache. Unfortunately BT has yet to release the source code for its Smart Hub, so I'm still stuck.
  • Weird behavior with 6rd, radvd, wan interface

    5
    0 Votes
    5 Posts
    956 Views
    B
    Wan is not static, when this happens 6rd appears to be up and the Lan hands out valid v6 addresses just no routes are assigned. I've also been noticing issues with other things. I got the kids a switch for Xmas and had to set up a hybrid outbound NAT rule but it only works for a while and then I have to go back in and edit/save to get the switch connectivity working again.
  • Which v6 interface to bind HAProxy to?

    3
    0 Votes
    3 Posts
    1k Views
    L
    I could do that, but my ISP allocates me a dynamic address - is there a way of allocating a /64 prefixed space to a virtual IP block? I can't work it out, nor can I find any documentation on how to do so.
  • Comcast xfinity (residential) non-responsive

    1
    0 Votes
    1 Posts
    578 Views
    No one has replied
  • Disable ipv6 for some LAN clients

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    If you're wanting to use ipv6 for some clients and not others you have 2 ways to go about it if you ask me..
    1. Complete static: do not run RA, do not run dhcpv6.. Any clients that want to use ipv6 will have to be setup static ipv6 to be able to talk to pfsense, and get outbound on it, etc.  This allows you to easily firewall and only allow specific IPs that you set on clients.  You're going to want to turn off privacy ipv6 on the client as well or they will just use some random ipv6 in the prefix you setup as their outgoing source IPv6..
    2. You can setup RA and or dhcpv6, etc..  But disable ipv6 on the client completely..  This might not be available on some clients, refer to option 1
    I use option 1… It allows me to use ipv6 on the devices I want to use ipv6 on while not having to worry about it on other devices..  Actually sort of a hybrid of 1 and 2 - since I also disable ipv6 on any device I can that I am not going to be using it on..
  • IPv6 Alias Stacked with CARP Interface.

    4
    0 Votes
    4 Posts
    1k Views
    T
    Hi Derelict, Thanks a lot for your reply, as I mentioned we announce this subnet and I have full control over the routes, I also do have a static route to route the whole /32 prefix to the WAN CARP VIP, the idea is that I don't want to use DHCP6, when a customer needs an IPv6 Subnet what I do is just add the first IP of that subnet as an IP Alias Stacked with the V1050 CARP VIP, and that IP will also be the Gateway for the customer who will use this subnet. After digging more it seems it's not a routing or setup problem, it's actually a firewall rules issue, it seems that pfsense doesn't add the IPv6 IP Aliases to the auto created Aliases, I'm not sure if anyone had this issue but if no one has opened a bug report about it then I will do it. Here is what happens, I do have IN and OUT rules configured on WAN: Protocol: IPv4+6 Source: any Destination: V1050 net --> this is supposed to include any IP that is assigned to V1050 interface including IP Aliases, and it's an Auto Alias created by pfsense. On V1050 I have a firewall rule to allow all traffic. So basically whatever IPv6 IP Alias you add to V1050 interface you should reach it, but this doesn't work cause the V1050 net Alias doesn't include that new IP Alias, I added a new firewall rule on WAN to allow traffic to that new IP Alias and I was able to reach it. Best Regards
  • [Solved] Comcast Residential ipv6 doesnt work

    3
    0 Votes
    3 Posts
    979 Views
    MikeV7896
    In your WAN settings, you want to request a different prefix size. With residential service, you can request as low as /60, which will give you 16 /64's to use on various networks. You will want to delete your DUID after changing the setting (you'll need to shell to the router and rm /var/db/dhcp6c_duid) then release/renew the WAN connection so it creates a new DUID and requests a new lease and prefix from Comcast's DHCPv6 server. Then you should be able to set up multiple networks using Track Interface and select a different prefix ID for each network.
  • PfSense as HE Tunnel Router

    3
    0 Votes
    3 Posts
    1k Views
    T
    Hi pmisch, thanks a lot for your reply! Only ping is (was) working, nothing else. I did not dig into routing issues because ping was working. If ICMP packages are routed correctly, I assume correct routing tables. I was already looking into the tcpdump on the firewall, I'm not an expert in reading this traffic but I did not see any problems here. Over the xmas days I had some time to review my whole network, and I found a really embarrassing fault. I've had an additional network interface active on my server I've never used and used the same IPv4 address for pfSense. After disabling this interface pfSense is now working as expected. Still testing everything, but this post goes already over the pfSense VM. Nevertheless thank you again for replying! Btw: What sounds German? My English or my problem? ;-) But yes, you nailed it…
  • What is the one true way of using or configuring a single /64 IPv6 prefix?

    21
    0 Votes
    21 Posts
    10k Views
    JKnott
    Shouldn't it be possible to use SLAAC for a link-local WAN connection with the ISP router? If you take a peek with Wireshark or packet capture, you'll find routers normally use the link local address.  It doesn't need a public address to be able to route traffic.
  • Australian FTTP NBN

    8
    0 Votes
    8 Posts
    2k Views
    T
    i'm in the same boat (on FTTP NBN) using pfsense and unable to get ipv6 working just for the purposes of testing i spun up a sophos utm instance and got an ipv6 lease immediately (could ping6 from WAN but PD did not work due to current version only supporting /64 PD) next i tested a ubiquiti edgerouter lite and can get full ipv6 working (correct settings are /56 PD with prefix-only, wan interface keeps a link-local address and each internal/lan interface gets a PD and all clients get an ipv6 lease inside the prefix). pfsense is my preferred platform however i am unable to get any ipv6 traffic flowing at all running a tcpdump i can see neighbour solicitations from my provider (telstra) would appreciate some assistance if anyone has any further insights
  • IPv6 prefix delegation to OVPN interfaces

    6
    0 Votes
    6 Posts
    1k Views
    Derelict
    Depends on the delegation. For :00e4: and :00ff: to be in the same delegation it would have to be a /56. :00ef: and :00e4: are in the same /60.
  • How to release/renew DHCP6 IPv6 (to move from /64 -> /60)?

    11
    0 Votes
    11 Posts
    8k Views
    S
    @razzfazz: You can do it from the command line by deleting the DUID file and killing & restarting dhcp6c manually. Thanks for that tidbit…I renamed the file and (since it said service dhcp6c wasn't running?) I restarted the router, and it did acquire an IPv6 block for the LAN as desired.
  • Windows 10 and RDNSS

    4
    0 Votes
    4 Posts
    2k Views
    Com DACC
    Thank you scott83. I've tested and that setting was already enabled on my computer. I ran the enable command again and rebooted and still no DNS via RA. I'm wondering if I've set something somewhere else in pfSense that is stopping it from sending the DNS via RA?
  • Odd IPv6 Issue

    11
    0 Votes
    11 Posts
    2k Views
    J
    Thanks for the replies.  The issue ended up being a bug with IGMP snooping on my Ubiquiti Edgeswitch.  Disabling IGMP snooping on the specific VLAN with unmanaged RAs set allowed the RAs to be broadcasted to the clients.
  • 2.4.2 update broke DHCPv6 lease list and/or reservations?

    4
    0 Votes
    4 Posts
    848 Views
    MikeV7896
    There's a known issue with the DHCPv6 lease list not working right… Bug 7413 It's been kicked down the road a couple of versions now, since at least 2.4.0… hopefully it gets fixed soon.
  • WAN and LAN IPv6

    36
    0 Votes
    36 Posts
    8k Views
    P
    @marjohn56: :) Yes, well - Kaspersky… Hmm Not allowed near any of my machines. Apart from the fact they may or may not be in leagues with the Kremlin I have always found it slows my machines down. I use Webroot, never have an issue. Well either way, thanks for your help man - wouldn't have been able to do it without you.  I think the issue is pretty much sorted now.
  • IPv6-test.com

    13
    0 Votes
    13 Posts
    4k Views
    Gertjan
    @bimmerdriver: Just to provide an update on this. I did try reporting it to OVH. Their support organization support@ovh.ca did not reply to my emails so I phoned them. Hard as it is to believe, they told me to try reporting it to their abuse website. They said there might be better response. I did get a response, but as is plain to see, they still have not fixed the problem. I guess the lesson here is if you are looking for a company to host your website, don't use OVH. Their network is broken and their service sucks. .. Their (OVH) transit router replied to the ping, some routers before, and some afterwards (not OVH) didn't. Not very related, but : I don't know if OVH is a good host for a web site - I can't tell. I have some 10 web sites with them and several dedicated servers - never used comparable services elsewhere for the last 10 years, so I can't compare  ;) Never contacted their commercial or technical support (ok, maybe once or twice in 10 years).  Of course, my sites are up with a pretty 99,999 % uptime for the mentioned time span. Btw : replying to ICMP (ping) is important when IPv6 comes into play, for IPv4 it was less important. It's said that OVH isn't following all 'official' guidelines concerning IPv6 implementation - this is probably true when we talk about them as an ISP, but on my dedicated servers, IPv6 (a classic /64 each) works great for the last several years. Same thing for the basic site hosting services. True is that OVH is investing like no other company in networking, except for Google probably. See http://weathermap.ovh.net/#europe for Europe, USA and the rest. When they have an issue like two weeks ago : 2 independent high tension lines went down (in theory, in France, not possible  ;D) AND a main backup diesel power supply  didn't start, all their boarding routers went down (my servers stayed up btw) and most of their data centers became unreachable. It created a huge hole on the Internet map …. BIG == vulnerable.
    edit : OVH is one of the companies that offered a "host a WordPress or commercial site yourself" for a couple of € a year. So, even my grandmother thought it was time to build her own site ... She neither wasn't aware that some knowledge was needed to actually 'run' a site and 'send that mail'  (and OVH wasn't and isn't selling knowledge ...). edit2 : as johnpoz : ( I don't know why my navigators prefer IPv4 now, before switching to IPv6. Normally, they do it the other way around (I use he.net for IPv6). Whatever ...)
  • Split up IPv6 /36 using VLAN

    17
    0 Votes
    17 Posts
    2k Views
    Derelict
    (I don't think OP (who vanished) got a /36)
  • ACME with standalone HTTP on IPv6 for HAPROXY

    2
    0 Votes
    2 Posts
    759 Views
    junicast
    I managed to get port 80 free so way to go for requesting my cert. Well, no, nc just listens on port 80 tcp4 instead of also tcp6? That's just mean. :- I wasn't able to figure out exactly why that is. It's in /usr/local/pkg/acme/acme.sh while the _startserver() function seems to be the part where the http server is being invoked. I set ncaddr manually to my desired IPv6 address. Now it's listening and my cert is being issued. First try with acme testserver it still showed timeout. Gotta report a bug I guess. Edit: Here's the bug report. https://redmine.pfsense.org/issues/8126
  • Pfsense not responding to ISP's Neighbor Solicitation

    2
    0 Votes
    2 Posts
    627 Views
    junicast
    What does your provider say how to configure your WAN port? What are your actual settings of the WAN interface?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.