Thank you scott83. I've tested and that setting was already enabled on my computer. I ran the enable command again and rebooted and still no DNS via RA. I'm wondering if I've set something somewhere else in pfSense that is stopping it from sending the DNS via RA?

Thanks for the replies.  The issue ended up being a bug with IGMP snooping on my Ubiquiti Edgeswitch.  Disabling IGMP snooping on the specific VLAN with unmanaged RAs set allowed the RAs to be broadcasted to the clients.

There's a known issue with the DHCPv6 lease list not working right… Bug 7413 It's been kicked down the road a couple of versions now, since at least 2.4.0… hopefully it gets fixed soon.

@marjohn56: :) Yes, well - Kaspersky… Hmm Not allowed near any of my machines. Apart from the fact they may or may not be in leagues with the Kremlin I have always found it slows my machines down. I use Webroot, never have an issue. Well either way, thanks for your help man - wouldn't have been able to do it without you.  I think the issue is pretty much sorted now.

@bimmerdriver: Just to provide an update on this. I did try reporting it to OVH. Their support organization support@ovh.ca did not reply to my emails so I phoned them. Hard as it is to believe, they told me to try reporting it to their abuse website. They said there might be better response. I did get a response, but as is plain to see, they still have not fixed the problem. I guess the lesson here is if you are looking for a company to host your website, don't use OVH. Their network is broken and their service sucks. .. Their (OVH) transit router replied to the ping, some routers before, and some afterwards (not OVH) didn't. Not very related, but : I don't know if OVH is a good host for a web site - I can't tell. I have some 10 web sites with them and several dedicated servers - never used comparable services else where for the last 10 years, so,. So, I can't compare  ;) Never contacted their commercial or technical support (ok, may once or twice in 10 years).  Of course, my sites are up with a pretty 99,999 % uptime for the mentioned time span. Btw : replying to ICMP (ping) is important when IPv6 comes into play, for IPv4 it was less important. It's said that OVH isn't following all 'official' guidelines concerning IPv6 implementation - this is probably true when we talk about them as an ISP, but on my dedicated servers, IPv6 (a classic /64 each) works great for the last several years. Same thing for the basic site hosting services. True is that OVH is investing like no other company in networking, except for Google probably. See http://weathermap.ovh.net/#europe for Europe, USA and the rest. When they have an issue like two weeks ago : 2 independent high tension lines went down (in theory, in France, not possible  ;D) AND a main backup diesel power supply  didn't start, all their boarding routers went down (my servers stayed up btw) and most of their data centers became unreachable. It create a huge hole on the Internet map …. BIG == vulnerable. edit : OVH is one of the companies that offered a "host a WordPress or commercial site yourself" for a coupe of € a year. So, even my grandmother thought its was time to build her own site ... She neither wasn't aware that some knowledge was needed to actually 'run' a site and 'send that mail'  (and OVH wasn't and isn't selling knowledge ...). edit2 : as johnpoz : ( I don't know why my navigators prefer IPv4 now, before switching to IPv6. Normally, they do it the other way around (I use he.net for IPv6). Whatever ...) [image: Capture1.PNG] [image: Capture1.PNG_thumb] [image: Capture2.PNG] [image: Capture2.PNG_thumb]

(I don't think OP (who vanished) got a /36)

I managed to get port 80 free so way to go for requesting my cert. Well, no, nc just listens on port 80 tcp4 instead of also tcp6? That's just mean. :- I wasn't able to figure out exactly why that is. It's in /usr/local/pkg/acme/acme.sh while the _startserver() function seems to be the part where the http server is being invoked. I set ncaddr manually to my desired IPv6 address. Now it's listening and my cert is being issued. First try with acme testserver it still showed timeout. Gotta report a bug I guess. Edit: Here's the bug report. https://redmine.pfsense.org/issues/8126

What does your provider say how to configure your WAN port? What are your actual settings of the WAN interface?

"Presumably, i need to set up routing on each interface to the gateway for the tunnel?" No.. Why would you think that?  Your just attaching a network to pfsense, just like a ipv4 network..  Pfsense will be the gateway to the clients on that network. Pfsense knows what its default gateway is for wan, and it knows what it is for ipv6 via your tunnel you setup - you would not setup a gateway on an interface unless it was a wan connection.

Normally the other router would announce itself. If it's possible to use it from that subnet it must already be there.

@bigtfromaz: It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free. Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.

Phew… After a long battle with the DC... I obtained a second /64 routed and carried over the existing WAN address. I assigned it to the LAN and to devices. All is good! Thanks!!

@thehammer86: Just looking for clarification on the optimical MTU for the HE 6in4 tunnel interface in pfSense.  I have a DSL connection so I would think that I would need to drop the MTU at the HE side config from 1480 to 1472.  Would I also set the HENETv6 interface in pfSense to 1472 as well? If your IPv4 MTU is 1492, then your 6in4 is 1472, You can set it on the interface in pfSense and then also set it on https://tunnelbroker.net/ under the advanced tab of the affected tunnel.

This is a known issue with radvd.  The bug is fixed in the next release of pfSense (2.4.2).  It only happens on ARM hardware like the SG-3100.  Here is the bug report and documentation of the upcoming fix from the pfSense Redmine bug site:  https://redmine.pfsense.org/issues/8022#change-35066. Bill

@virgiliomi: @marjohn56: You might be able to get away with trying managed only on dhcpv6, set up a static assignment for his device, then add a firewall rule to block that address from the internet… Worth a try... This is probably the best solution… and should work as long as the prefix from your ISP doesn't change. One slight issue, pretty sure some or all Android devices won't play though as they rely on on SLAC, but that's not a showstopper, they will still run on v4.

I have multi-WAN and HE.net tunnels on 2.4 here and it all works fine. Perhaps you missed a step, such as assigning/enabling the GIF interface?

Like I said its bad design to not use a transit. Perhaps I used the wrong expression.  I took your description as requiring public IPv6 addresses on the WAN side of the firewall.  I do have one that's completely different from what my /56 contains.  However, that public address is not used in routing my /56 to me.  It also has a /128 prefix.  Netstat -r shows a link local address that's not on my firewall for the default route.  With IPv6, routing is normally done using the link local address, so not having a public IPv6 address on my WAN interface would not break anything.  All that IPv6 address does is allow connection to my firewall from elsewhere.  This contrasts with IPv4, where a routed IP address is necessary, except with point to point links.

Thank you.

@Derelict: No idea. NATs are bad. Yeah, I know.  But when you're using someone else's network, you have no choice.

Hi, Yes, I did. It was even the one that made me access via ssh in pfsense and look at the squid conf and process. From what I saw in sockstat -6l squid is not even listening on ipv6. Maybe it has not even been compiled for IPv6 support. In the squid conf the listen is also only in IPv4. The squid in transparent mode is not redirecting the IPv6 traffic to it. From what I realized only IPv4 traffic is working.