@bimmerdriver: If you use pfsense 2.4 beta, the DUID is displayed in System / Advanced / Networking / IPv6 Options / DHCP6 DUID. It's a DUID-LLT format. As Bimmnerdriver says. Use version 2.4B. The DUID is then stored in the config file and will never change. Earlier pfSense versions can lose the DUID, especially if you are using a RAM disk. Goto System / Advanced / Networking / IPv6 Options / DHCP6 DUID and click SAVE. If you use an earlier version then the DUID is created by the dhcp6c client, and is created in /var/db, it goes by the name pf dhcp6c_duid. It's a binary file so you would need to read it in a hex editor. However, as I have said, if you use and earlier version than 2.4B you run the risk of the DUID changing.

I am pretty sure there is an issue with the latsest version of pfSense (2.3.4). I cannot put my finger on it. At least not yet. On my production firewall, I received the IPv6 from my provider using DHCPv6. I also got 128 subnet preventing anything to work. As I also owned a /48 from HE. I installed a second pfsense where I can play with at will using my production firewall to provide DHCPV6 and subnet delegation. During all my test, I always got a 128 subnet on my test firewall (sniffing the network shows the correct /64 announcement). I try many different configuration without success. Sometimes if I used SLAAC on my test firewall it works fine (reconfiguring the main firewall accordingly) , switching to DHCPv6 seems to provide the correct result… It is inconsistent and so far I could not create a test that provide each time the same results that would allow a good basis to fill a bug report... I am still searching but this 128 subnet appears after I installed the latest release. My next step will be to install an older realease on my test firewall....I'll let you know the outcome.

@moscato359: They were both set to 0. Would that cause the issue? Yes, that is what selects which /64 is used.  With both set to 0, they're trying to use the same prefix.  Change one to another number up to 255.

@mjgtall: @johnpoz: Glad to hear.. So they just forgot to give you that info before or did they have to fix it? Thanks. No, they had to fix it. Just out of curiosity, is your ISP Comcast?

Thanks for all help. I think I finally found the last problem. I had a IP alias for ::1 so I could have a easy to remember static gateway.. it had a /128 per how I'm used to setup ip aliases. Apparently the dhcp server were using this as base for it's range6 statement and it also messed things up somehow so it didn't reply to that anymore. After removing the ip alias and also disabling ipv6 completely on the lan interface and re-enabling everything including the ip alias but now as a /64.. everything seems fine again. Not sure if some check was changed between the releases.. because this issue started after the upgrade.

After a reboot of everything involved (computers, pfsense boxes, etc) everything is now working

That makes it look much easier I have now fixed it. I am very pleased,the kids not so much! Thank you so much for the help!

I just set up OpenVPN between my psSense firewall and a computer running Windows.  Initially, it provided the Windows computer an IPv6 address on my network prefix.  However, that will cause problems with routing etc., so I changed it to another prefix.  I'll have to see what happens with this.  At the moment, I can't ping the firewall or Windows computer, using the OpenVPN endpoint addresses.

Yes, I know every interface has a link local address.  No doubt about it.  My point is that it's not used for most things.  Routers advertise the link local address and other devices use that link local address for the default route.  But you can't use browsers with a link local address and you have to specify the interface for everything else, as a given link local address could be on any interface, as there is nothing in the link local address to indicate which interface is used.  For example, I just pinged my firewall.  When I used the global unicast address, I could just ping it.  But to ping the link local address, I had to specify the interface that connected to the firewall, even though there is only one network interface in this computer. i.e. ping6 -I eth0… So, yes, you could do something like use ssh to connect to a link local address, but why bother, if you have another unicast address, where you don't have to specify the interface? Regardless, this has gone beyond the original question, where the OP confused link local addresses with unique local addresses. https://en.wikipedia.org/wiki/Unique_local_address https://en.wikipedia.org/wiki/Link-local_address#IPv6

Thanks. Right my bad. I'm so used to IPV4 :\ Ok I'll try a any any rule. but how do you test that to see if it works.

There is an issue with the leases being displayed as well: https://redmine.pfsense.org/issues/7413

Hey, thanks for your replies, I'm solving another priority right know, so I'll take a little more time to try it again! Pretty soon I'll be back here!!! Thanks

@bimmerdriver: It could also be that your ISP only gives /56 prefix, regardless of what you request. It obviously does. As I said I got DIFFERENT PDs each try, but they all were /56. At least now I know what caused the issue.

Good stuff.

I suspected CP early on and unchecked the "Enable Captive Portal" box in the config, clicked save, it didn't fix it. Rebooted, still didn't fix… it wasn't until much later that I realized that the checkbox doesn't seem to do anything. Once I clicked save and left the page assuming it accepted the setting, coming back to that page showed it was checked as enabled again. I tried a few times to just disable it and every time the box was left checked. Finally I just deleted the captive portal and everything IPv6 lit up as expected.

me too.  NPT not nornal work now.. 2.3.3-RELEASE-p1 (amd64) built on Thu Mar 09 07:17:41 CST 2017 FreeBSD 10.3-RELEASE-p17

Unless you want to test how devices behave (better said, how much broken they are) on an IPv6-only network, then no, absolutely NOT.

My original issue is resolved.  But if you really wanted to know: WAN: DHCPv4 and DHCPv6 client LAN: Static IPv4, Tracking WAN IPv6 You've seen the DHCPv6 configuration in the screenshots above (I changed the From to :0001).