I've checked disabling completely IPv6 on the br1 and br2 interfaces and still teh same problem, so I'm not sure what else to do.

If you disable dhcp6 server and disable dhcp6 on wan/LAN interfaces it stops the flood. In pfsense 2.4

One ping that is a little higher than the others should not interest you. No problem. pfadmin

Can pfSense assign the full /48, up to FFFF?  On my system, the prefix IDs only go up to FF.  But I only have a /56 prefix. If you get a /48 PD you can set the track interface prefix ID from 0 to ffff. What is displayed and accepted as input there is dynamic and is dependent on the size of the PD. (A /60 shows 0 - f) pfSense running with thousands of defined interfaces is another matter.

Thanks everyone for your answers!

Yeah you are right. Here is similiar situation. https://forum.pfsense.org/index.php?topic=80472.0 I am out of luck. Thanks everybody for their time.

If you grabbed a /48 right?  But the /64 you get from them is not going to do you any good for internal use between multiple segments..  You would not subnet the /64 you can get from HE..  If you need more than 1 local segment you need to get the /48 and that you can break up in to your /64s you need.

I do the following on all windows hosts on my network: netsh interface ipv6 isatap set state disabled netsh interface ipv6 6to4 set state disabled netsh interface teredo set state disabled

That's for a host, not a network. I would like to give one host 65536 addresses via dhcp (or any other centrally managed way would be ok too). Or am I missing something obvious here? Yes.  While IPv6 supports multiple IPs on an interface (mine currently has 17) I suspect 65K is a bit much.  If you're running virtual machines for those servers, they will get there own individual addresses, if configured to bridge.

For people having MTU issues or questions, I was looking into this a while ago, trying to troubleshoot some connectivity problems. I found some useful info. There is "MTU Path Maximum network path size scan utility", which can be downloaded here: https://www.iea-software.com/products/mtupath/. It supports both ipv4 and ipv6. It uses both icmp and udp. You can sort of do this manually using ping, but this runs more quickly. There are some more powerful but less flexible utilities available from wand.net.nz. There are two utilities and you can download them at https://wand.net.nz/pmtud/. They are based on open-source software. The outgoing test could probably be built-into pfsense. It would make a good addition to the diagnostics. The incoming test requires an external host to run the query on.

OK I got my system working with IPv6 disabled. I turned off the DNS Forwarder and DNS Resolver. Now the LAN clients are working. But without the Forwarder or Resolver, I can't individually assign DNS to LAN clients. For example, the kids LAN clients need to be operating on one DNS policy (forcing Google safe search) and the parents using another DNS policy (such as allowing youtube and netflix). So now my problem is DNS configuration, not belonging in this thread anymore. In summary, 2.4.0-RC (amd64) seemed to fix my IPv6 problem. Disabling the DCHPv6, RA, and LAN IPv6 worked once I updated to 2.4.0-RC (amd64).

@omnidan: Alright, let me try again by describing the highlevel problem :) For various devices on my network (AppleTV, ipad, notebook etc.) I want to unblock georestictions of video streaming by routing the traffic of netflix, youtube etc. through an IPv6-HE-tunnel. The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the appletv or ipad. All devices get their ipv6 configuration and route ipv6 traffic properly to the tunnel gateway. Some apps however still prefer ipv4 (25ms advantage of ipv6 or not). That's why I want to force ipv6 for certain domains like youtube.com, netflix.com etc. Netflix over IPv6 using he.net ? That's would be a huge no-go. Netflix WILL block you. Running IPv6 via he.net (tunnel broker) is ok, but all netflix.com traffic should be forced to chose IPv4. @reinderien : Very nice. Gona try your solution.

I don't want to disable RAs.  They're used to assign the prefix.  Also, ULAs are routeable, just not over the Internet. Here's how it looks on a Linux system: vlan3    Link encap:Ethernet  HWaddr 74:D4:35:5A:F5:FB            inet addr:172.16.3.10  Bcast:172.16.3.255  Mask:255.255.255.0           inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global           inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link           inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global           UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1           RX packets:1478 errors:0 dropped:0 overruns:0 frame:0           TX packets:1204 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1000           RX bytes:307424 (300.2 Kb)  TX bytes:247592 (241.7 Kb)

How do you change the MSS on an interface? Did you mean MTU? I'd suggest trying again with all ICMP for IPv6 allowed to/from LAN & WAN in the firewall. If you have a Linux machine, try the tracepath6 command to a hostname that's giving you trouble. Usually it will tell you where the MTU on the link changes. Ideally run the command from the otherside to you as well for even more information on the PMTU. And maybe increase the MTU of wan_stf to 1480 (but only if you're not using PPPoE). FreeBSD also seems to have MTUs per route. For example, these commands can help you see what routes there are along with the diagnostics->routes page: netstat -r -n route -6 get default BTW the 1232 I think comes from the (1280B MTU - 20B IPv4 6rd header - 28B tcp header)?

i have same problem… I have to set dhcp6 on wan to none... then apply then wait 5 mins then set again.. works like a champ... my isp is comcast

@riceri: @JKnott: Do you now have multiple /64s available? Yes, they route the whole /48 to my router and i can split it to multiple /64 and my router takes care of that routing. Good, that's the way it's supposed to work.  Now all you have to do is figure out what to do with the other 65,535 /64s.  ;) BTW, I only get a /56 from my ISP.  :(

Thanks! That did it. Once I changed the routing setting for the LAN interface, the radvd service is gone from the list of services in the web interface now. Thanks for the help!

Personally? I hope it never gets "solved". It's a ridiculous design choice that OVH and their ilk need to be forced to fix properly. As to whether pfSense ever gains an NDP proxy, who knows. Maybe eventually. I am not fond of how the one that just showed up in ports is implemented, though.

You'll need to provide a lot more detail about the specifics of how you set everything up, including DHCPv6 and RA tab settings for each interface/VLAN I have a similar setup (HE.net /64 and routed /48) and I use subnets from the /48 on VLANs and they work perfectly. Something about your interface/DHCP/RA setup or even your switch/L2 must be not quite right.