@vc6SfV8: I finally gave up and contacted Time Warner.  They had disabled IPv6 for everyone and were enabling it at the customer's request only going forward.  It sounds like it was causing too many headaches for them.  They enabled it again for me and it works now…. It would have been nice to know that before spending 10 hours troubleshooting. Good for you, calling them! Sends a good message.

For what it's worth, I opened a redmine ticket for it: https://redmine.pfsense.org/issues/7734 @marjohn56, OK, there are a lot of changes around dhcp6c in version 2.4b I think you where referring to your https://github.com/pfsense/pfsense/pull/3515; and this got merged in 2.4b?

It's not a dhcp6c problem per say, you are correct that the Bridge interface does not exist when dhcp6c fires up, so it's a start up issue. Until a full fix is found can I suggest a shell command is run at startup with a delay and then start dhcp6c from there. Not ideal I know, but it will get around the problem you have.

I 100% agree with you and applied your observations but my problem still remains, at this point I have given up and just disabled IPv6

Was just about to post the same problem. I have a Vigor 130 + pfSense here, with the Vigor doing the VLAN 7 tagging OOTB.

"This is epic trolling, even for you." Even for me?  Wow.. You do understand you started this whole thing. JKnott post a RFC fro some info and you I assume in your complete understanding of ipv6 and how vpn services work disagree with that RFC??  Did you even read it?  I guess that is a no from your comments. You understand its a Request for Comment, the authors addresses are listed - if you disagree with them, why don't you contact them directly and point out to them how Nat is still needed for vpns ;) "It works FFS. Get over it." Which has ZERO to do with the the info that was posted - who is trolling?

"Basically, I have received a /64 static block from my "isp" 2a01y:z" If all they gave you was /64, then they do not want you putting anything behind a router, ie pfsense.  The only way to use a firewall in such a case would be bridged so your devices behind the firewall are on that /64 hetzner is online host, so this is in the cloud somewhere?  Or a DC and your trying to run your own router/firewall - pfsense?  If you want to use IPv6 behind pfsense then they should route more networks to you, or should use delegation to allow your router to request a prefix, /60, /56, /48 etc.. That would then be routed to you. I have quite a few vps that have ipv6 address space, and yeah you get a /64.  But these vps are meant to be directly connected to the hosting network, and not behind some firewall/router.  So your trying to run pfsense on some virtual esxi box or something and put your other vms you create behind pfsense in the cloud?

That worked for me thanks for the help :)

Just wanted to say that I implemented Gertjan's suggestion, and it works great! Btw : I know, this isn't the 'best' solution (I'm locking out many IPv6 that might not be owned by netflix but had not any troubles yet). Actually, those prefixes appear to be sub-allocated to Netflix from AWS (but they aren't maintaining rwhois), and appear to only belong to Netflix, so I don't think it will impact much else at the present time.

@753951: I had exact same setting (I don't remember ever changing it). LAN off, WAN on. But turning it off for a moment on WAN made IPv6 working again. It's back to default value (on now) on WAN and everything still works even after reboot. I made other changes (LAN tracks WAN) and it's all working now. The only thing I can't get to work is VM interface in pfSense (Hyper-V virtual switch). It's set up to track WAN interface, exactly same as LAN, but that entire segment (one Debian, one Windows 10, one Windows 8.1 and one Windows Server 2016, which is domain controller, DHCP server and DNS server) can't get public IPv6. Can you have more than one interface in pfSense set to track another one for DHCPv6? That's really strange. For a typical dual-stack configuration with one WAN and one LAN it's a pretty simple setup. You should have the following WAN settings: IPV4: dhcp IPV6: dhcp6 request prefix only /56 prefix do not wait for ra do not allow pd release You should have the following LAN settings: ipv4: static ipv6: track interface upstream gateway: none track ipv6 interface: WAN Except for do not allow pd release, it will not work without the settings. I recommend do not allow pd release. It works quite well at preventing the prefix from changing. However, Telus engineering told me that as long as the DUID does not change, the prefix should not change. I have found that if I clear do not allow release, it will release the lease and there will be a new prefix. If I do that a few times, occasionally the same prefix will be allocated again. If you plan to use pfsense for dhcpv6, I also recommend assisted RA. Not sure what you're trying to accomplish with the VM interface. Please elaborate. I have my hyper-v configured so the hyper-v management interface is on the LAN. I also have an extra NIC that's only connected to the hyper-v (not to any guests) and is connected to an unbridged LAN port on the modem. I use this only to log into the modem. I bumped up the routing metric so if any address other than the modem lan is accessed, it will go through the LAN interface on pfsense.

You don't have to do anything with DHCPv6 Relay unless the DHCPv6 server is on another subnet.

In a static IPv6 WAN configuration, if the provider is expecting /56 and you set /64 on the WAN interface (others have said setting /56 on the WAN interface is ridiculous; they are correct), the ISP assumes that 2001:xxxx:xxxx:6901:: is on the same L2 subnet, but it isn't because the subnets sizes don't match. Think of the /56 as 256 /64s.  PfSense can pick select /64 for each LAN or VLAN interface.

@fastisp: The physical interface is a Realtek PCIe GBE network Controller (onboard ethernet controller). That might be the cause of your problems. Otherwise, I have no idea. :(

^ that clearly is not needed derelict, I already posted the RA coming out of pfsense with the vlan tag on it..  See my tcpdump. "Try with it set to unimagaged on the vlans and managed on the native interface with DHCPv6 enabled." Has ZERO to do with anything!! And as a side note - how do you know I don't have that currently setup that way ;) Simple enough for you to show that pfsense is not putting tags on traffic.. simple tcpdump is all that is needed you will either see the tags or you wont.. Per what Derelict stated about the conf and the interfaces in it.. You can see clearly that assigned to the vlan interface or not. [image: conf.png] [image: conf.png_thumb]

Unfortunately yes this is a production system. I have enabled Reject Leases From: 192.168.100.1 as my modem (surfboard) apparently does that when it loses connection. I haven't seen it happen in a couple days, but we're still in the 4 day window.

HOLY JEBUS! After whacking my head against this and doubting my networking skills… I got it running. Turns out: A rogue IPMI from (older) testing times was also using the same IP used for the transfer net. This resulted in some kind of wierdness. Deactivated ipv6 on said ipmi, everything is working. Thanks all you rock! I can rest easy tonight. \o/ -Chris.

As to visiting the site only twice - I find myself using their looking glass interface now and then https://lg.he.net/ very handy… And if your leveraging their FREE dns you will need to go there, or if you want to edit any of your IPv6 PTR records. So prob a bit more than twice for some of us ;) BTW they also make a handy app for your iphone/android http://networktools.he.net/