That's helpful, thanks. I guess I was confused between what an interface gets assigned and the prefix delegation I would be getting. Definitely makes sense that interfaces get /64s. But it would be nice if there was somewhere that showed that I was getting the prefix I was asking for.

I figured that's what the prefix ID meant, but it wasn't entirely clear, so thanks for clarifying that.

Now to send /64s to my Cisco router for my VLAN's via a /61. But that's a separate question.

^^^^
Yep, that why I said "Every address currently available is within a /3, with 1/8 of all IPv6 addresses allocated to GUAs".

Of the entire 2^128 IPv6 addresses, only 2^125 are used for GUAs.

Since /3 represents all currently available GUAs, a /4 would be half of them.

Thank you, you are probably right. I am overcomplicating things and the configuration I want can be done just using resolver, without involving Bind. I have reconfigured my pfSense box to use the resolver and I see that it is pushing the IPv6 address of the box to the client machines with DHCP, exactly what I was trying to do with Bind. I think I'll stick with this configuration for now.

Thanks again for your help, JKnott!

@virgiliomi:

What you're looking for is an option in the ISP router to do prefix delegation. Hopefully the ISP router can delegate an IPv6 prefix to each of your pfSense systems via DHCPv6-PD. You'd receive the /64 delegated from the ISP router, then apply it to one of your networks. If you want, you could probably even delegate /60's so you each get 16 /64's to use as you wish.

Ok, that's what I was thinking. I wasn't sure if the pfSense could request a /64 and the modem would keep track of things; I guess I'll just wait until I get the modem set up and play around. Thanks for all the feedback everyone!

@DLW67:

I'm still learning IPv6 myself, but I've found that with DHCP configured as "managed," only my Linux hosts will receive a global IP address  from the DHCP pool, with the desired prefix. With this config, my W10 hosts only show local addresses.

With DHCP configured as "assisted," both Linux and W10 clients will receive a global address. The Linux host will take an address from the DHCP pool, but the W10 host will use the network prefix and generate its own address.

I'm still exploring the other config options.

There is a problem with the latest version of windows 10 with DHCP6. Try ipconfig /release6 and ipconfig /renew6 to see if that will cause a lease to be allocated. As was already said, android phones use SLAAC, not DHCP6 due to a design decision by google and you should use assisted, not managed.

OK.  Lets just ignore all the internal vs external routing for a minute and focus on one problem for right now, since things are getting muddied up in a general (although informative) IPv6 routing discussion.  My core issue is IPv6 doesn't work on the WAN interface.

I cant ping6 the external IPv6 address assigned to pfSense (with proper FW rules in place to allow) WAN interface when the gateway is not on the same network.  I also can't ping6 from the box to ipv6.google.com in shell or web interface.  I do have use non-local gateway checked on the gateway config.  Please help me solve this issue, since this at the very least should work but doesn't.

Not having any problems connecting to them.. But they don't have any AAAA records..

dig @2607:f0db:5001:8000::2 test-ipv6.com AAAA

; <<>> DiG 9.10.4-P3 <<>> @2607:f0db:5001:8000::2 test-ipv6.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57326
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test-ipv6.com.                IN      AAAA

;; AUTHORITY SECTION:
test-ipv6.com.          300    IN      SOA    ns1.test-ipv6.com. jfesler.test-ipv6.com. 2016030401 10800 3600 604800 86400

;; Query time: 64 msec
;; SERVER: 2607:f0db:5001:8000::2#53(2607:f0db:5001:8000::2)
;; WHEN: Sun Oct 16 09:51:34 Central Daylight Time 2016
;; MSG SIZE  rcvd: 79

@virgiliomi:

Gertjan's got it most likely… Hurricane Electric offers free DNS service as well, and that's what the HE.net and HE.net (v6) are for... HE.net Tunnelbroker is what you want to pick to update the IPv4 address for your IPv6 tunnel.

As you suspected, Gertjan spotted my error.

Thanks; I appreciate the clarification of the purpose for those other, various options.

Cheers!

Thanks.  Using lower case for the alphabetic hex characters in the interface address works.

It's a bit inconsistent though, as the interface allows upper-case characters when adding the IPv6 gateway.

For Windows, you can run ipconfig /release6 and ipconfig /renew6. Not sure about other operating systems.

Your DHCPv6 is not working, you get link local addresses (staring with fe08).

Perhaps you need to set your router advertisement mode to managed?

This is a known bug in Windows.  If is not a PFSense bug - and there is nothing you can do in PFSense to fix it.

The windows NIC driver will deliver layer-2 broadcast traffic (which includes RAs) from any VLAN, tagged or untagged, to the untagged VLAN.  So the IPv6 driver sees the RAs and sets up the routes.  Stupid.

MS, foolishly, refuses to recognize that this is a bug.  They claim working by design, partly because they use it in some configuration for SMB (aks Samba) file sharing.

Best advice: don't ever mix tagged and untagged traffic on a link terminating to a MS Windows or MS Server box.  If you don't need the tagged traffic in the Windows box you may be able to block the tagged VLANs in your Switch.

Linux systems used to have this fault too - but the Linux community recognized and fixed the bug in their NIC handling.  Your phone (whether Android or iPhone) never suffered from this bug.

Setting it to "track" automatically sets up RA and DHCP for the segment being tracked.

Thank you.  I'll give that a try this evening.  Appreciate the help.

and here the pfSense ifconfig -a, netstat -rn and pfctl -sa (sans STATE)

[2.3.2-RELEASE][admin@fw.home]/root: ifconfig -a re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate>ether 00:e0:4c:68:27:db inet6 fe80::2e0:4cff:fe68:27db%re0 prefixlen 64 scopeid 0x1 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>) status: active re1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate>ether 00:e0:4c:68:27:dc inet 192.168.178.1 netmask 0xffffff00 broadcast 192.168.178.255 inet6 2001:981:41db:0:2e0:4cff:fe68:27dc prefixlen 64 inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active iwn0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 2290 ether 00:1e:65:41:11:d1 nd6 options=21 <performnud,auto_linklocal>media: IEEE 802.11 Wireless Ethernet autoselect (autoselect) status: no carrier pflog0: flags=100 <promisc>metric 0 mtu 33160 pfsync0: flags=0<> metric 0 mtu 1500 syncpeer: 224.0.0.240 maxupd: 128 defer: on syncok: 1 enc0: flags=0<> metric 0 mtu 1536 nd6 options=21 <performnud,auto_linklocal>lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 nd6 options=21 <performnud,auto_linklocal>re0_vlan6: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:e0:4c:68:27:db inet6 fe80::2e0:4cff:fe68:27db%re0_vlan6 prefixlen 64 scopeid 0x8 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>) status: active vlan: 6 vlanpcp: 1 parent interface: re0 pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492 inet 82.161.239.242 --> 194.109.5.175 netmask 0xffffffff inet6 fe80::2e0:4cff:fe68:27db%pppoe0 prefixlen 64 scopeid 0x9 inet6 fe80::2e0:4cff:fe68:27dc%pppoe0 prefixlen 64 scopeid 0x9 nd6 options=23 <performnud,accept_rtadv,auto_linklocal>[2.3.2-RELEASE][admin@fw.home]/root: netstat -rn Routing tables Internet: Destination        Gateway            Flags      Netif Expire default            194.109.5.175      UGS      pppoe0 82.161.239.242    link#9            UHS        lo0 127.0.0.1          link#7            UH          lo0 192.168.178.0/24  link#2            U          re1 192.168.178.1      link#2            UHS        lo0 194.109.5.175      link#9            UH      pppoe0 194.109.6.66      194.109.5.175      UGHS    pppoe0 194.109.9.99      194.109.5.175      UGHS    pppoe0 Internet6: Destination                      Gateway                      Flags      Netif Expire default                          fe80::2a0:a50f:fc78:5530%pppoe0 UGS      pppoe0 ::1                              link#7                        UH          lo0 2001:981:41db::/64                link#2                        U          re1 2001:981:41db:0:2e0:4cff:fe68:27dc link#2                        UHS        lo0 fe80::2a0:a50f:fc78:5530          pppoe0                        UHS      pppoe0 fe80::%re0/64                    link#1                        U          re0 fe80::2e0:4cff:fe68:27db%re0      link#1                        UHS        lo0 fe80::%re1/64                    link#2                        U          re1 fe80::1:1%re1                    link#2                        UHS        lo0 fe80::%lo0/64                    link#7                        U          lo0 fe80::1%lo0                      link#7                        UHS        lo0 fe80::%re0_vlan6/64              link#8                        U      re0_vlan fe80::2e0:4cff:fe68:27db%re0_vlan6 link#8                        UHS        lo0 fe80::%pppoe0/64                  link#9                        U        pppoe0 fe80::2e0:4cff:fe68:27db%pppoe0  link#9                        UHS        lo0 fe80::2e0:4cff:fe68:27dc%pppoe0  link#9                        UHS        lo0 ff01::%re0/32                    fe80::2e0:4cff:fe68:27db%re0  U          re0 ff01::%re1/32                    2001:981:41db:0:2e0:4cff:fe68:27dc U          re1 ff01::%lo0/32                    ::1                          U          lo0 ff01::%re0_vlan6/32              fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan ff01::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0 ff02::%re0/32                    fe80::2e0:4cff:fe68:27db%re0  U          re0 ff02::%re1/32                    2001:981:41db:0:2e0:4cff:fe68:27dc U          re1 ff02::%lo0/32                    ::1                          U          lo0 ff02::%re0_vlan6/32              fe80::2e0:4cff:fe68:27db%re0_vlan6 U      re0_vlan ff02::%pppoe0/32                  fe80::2e0:4cff:fe68:27db%pppoe0 U        pppoe0 [2.3.2-RELEASE][admin@fw.home]/root: pfctl -sa TRANSLATION RULES: no nat proto carp all nat-anchor "natearly/*" all nat-anchor "natrules/*" all nat on pppoe0 inet from 127.0.0.0/8 to any port = isakmp -> 82.161.239.242 static-port nat on pppoe0 inet from 192.168.178.0/24 to any port = isakmp -> 82.161.239.242 static-port nat on pppoe0 inet from 127.0.0.0/8 to any -> 82.161.239.242 port 1024:65535 nat on pppoe0 inet from 192.168.178.0/24 to any -> 82.161.239.242 port 1024:65535 no rdr proto carp all rdr-anchor "relayd/*" all rdr-anchor "tftp-proxy/*" all rdr-anchor "miniupnpd" all FILTER RULES: scrub on pppoe0 all fragment reassemble scrub on re1 all fragment reassemble anchor "relayd/*" all anchor "openvpn/*" all anchor "ipsec/*" all block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" block drop in log inet all label "Default deny rule IPv4" block drop out log inet all label "Default deny rule IPv4" block drop in log inet6 all label "Default deny rule IPv6" block drop out log inet6 all label "Default deny rule IPv6" pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" block drop log quick from <snort2c>to any label "Block snort2c hosts" block drop log quick from any to <snort2c>label "Block snort2c hosts" block drop in log quick proto tcp from <sshlockout>to (self) port = ssh label "sshlockout" block drop in log quick proto tcp from <webconfiguratorlockout>to (self) port = https label "webConfiguratorlockout" block drop in log quick from <virusprot>to any label "virusprot overload table" pass in quick on pppoe0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" pass in quick on pppoe0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" pass out quick on pppoe0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" block drop in log quick on pppoe0 from <bogons>to any label "block bogon IPv4 networks from WAN" block drop in log quick on pppoe0 from <bogonsv6>to any label "block bogon IPv6 networks from WAN" block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27db to any block drop in log on pppoe0 inet6 from fe80::2e0:4cff:fe68:27dc to any block drop in log on ! pppoe0 inet from 82.161.239.242 to any block drop in log inet from 82.161.239.242 to any block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7" block drop in log on ! re1 inet6 from 2001:981:41db::/64 to any block drop in log inet6 from 2001:981:41db:0:2e0:4cff:fe68:27dc to any block drop in log on re1 inet6 from fe80::1:1 to any block drop in log on ! re1 inet from 192.168.178.0/24 to any block drop in log inet from 192.168.178.1 to any pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" pass in quick on re1 inet proto udp from any port = bootpc to 192.168.178.1 port = bootps keep state label "allow access to DHCP server" pass out quick on re1 inet proto udp from 192.168.178.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" pass quick on re1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" pass quick on re1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" pass in quick on re1 inet6 proto udp from fe80::/10 to 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass out quick on re1 inet6 proto udp from 2001:981:41db:0:2e0:4cff:fe68:27dc port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server" pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" pass out route-to (pppoe0 194.109.5.175) inet from 82.161.239.242 to ! 82.161.239.242 flags S/SA keep state allow-opts label "let out anything from firewall host itself" pass out on pppoe0 route-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 from fe80::2e0:4cff:fe68:27dc to ! fe80::/48 flags S/SA keep state allow-opts label "let out anything from firewall host itself" pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule" pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule" pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule" anchor "userrules/*" all pass quick inet6 proto ipv6-icmp all keep state label "USER_RULE" pass in quick on pppoe0 reply-to (pppoe0 194.109.5.175) inet proto icmp all keep state label "USER_RULE" pass in quick on pppoe0 reply-to (pppoe0 fe80::2a0:a50f:fc78:5530) inet6 proto ipv6-icmp all keep state label "USER_RULE" pass in quick on re1 inet from 192.168.178.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" pass in quick on re1 inet6 from 2001:981:41db::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule" anchor "tftp-proxy/*" all No queue in use STATES: ---8<--- SNIP ---8<--- ---8<--- SNIP ---8<--- INFO: Status: Enabled for 0 days 23:20:46          Debug: Urgent Interface Stats for re1              IPv4            IPv6   Bytes In                      212632837        283813782   Bytes Out                    1492315433      5846016430   Packets In     Passed                        1142930          2278495     Blocked                          2744            5972   Packets Out     Passed                        1257149          4286970     Blocked                              0                0 State Table                          Total            Rate   current entries                      436   searches                        18603154          221.3/s   inserts                          182085            2.2/s   removals                          181649            2.2/s Counters   match                            216006            2.6/s   bad-offset                            0            0.0/s   fragment                              0            0.0/s   short                                11            0.0/s   normalize                            18            0.0/s   memory                                0            0.0/s   bad-timestamp                          0            0.0/s   congestion                            0            0.0/s   ip-option                            17            0.0/s   proto-cksum                            0            0.0/s   state-mismatch                      1114            0.0/s   state-insert                          0            0.0/s   state-limit                            0            0.0/s   src-limit                              0            0.0/s   synproxy                              0            0.0/s   divert                                0            0.0/s LABEL COUNTERS: Block IPv4 link-local 212229 0 0 0 0 0 0 0 Block IPv4 link-local 125632 0 0 0 0 0 0 0 Default deny rule IPv4 125632 26832 7404811 26832 7404811 0 0 0 Default deny rule IPv4 193922 0 0 0 0 0 0 0 Default deny rule IPv6 212231 5978 952881 5978 952881 0 0 0 Default deny rule IPv6 86600 15 996 0 0 15 996 0 Block traffic from port 0 199428 0 0 0 0 0 0 0 Block traffic from port 0 197965 0 0 0 0 0 0 0 Block traffic to port 0 171550 0 0 0 0 0 0 0 Block traffic to port 0 170884 0 0 0 0 0 0 0 Block traffic from port 0 199431 0 0 0 0 0 0 0 Block traffic from port 0 197345 0 0 0 0 0 0 0 Block traffic to port 0 27884 0 0 0 0 0 0 0 Block traffic to port 0 27758 0 0 0 0 0 0 0 Block snort2c hosts 199430 0 0 0 0 0 0 0 Block snort2c hosts 199428 0 0 0 0 0 0 0 sshlockout 199434 0 0 0 0 0 0 0 webConfiguratorlockout 34150 0 0 0 0 0 0 0 virusprot overload table 139234 0 0 0 0 0 0 0 allow dhcpv6 client in WAN 136973 0 0 0 0 0 0 0 allow dhcpv6 client in WAN 24831 21 3801 21 3801 0 0 0 allow dhcpv6 client out WAN 84300 24 3696 0 0 24 3696 0 block bogon IPv4 networks from WAN 89023 0 0 0 0 0 0 0 block bogon IPv6 networks from WAN 87735 0 0 0 0 0 0 0 Block private networks from WAN block 10/8 127716 0 0 0 0 0 0 0 Block private networks from WAN block 127/8 126622 0 0 0 0 0 0 0 Block private networks from WAN block 172.16/12 126622 0 0 0 0 0 0 0 Block private networks from WAN block 192.168/16 126622 0 0 0 0 0 0 0 Block ULA networks from WAN block fc00::/7 126926 0 0 0 0 0 0 0 allow access to DHCP server 124287 98 33136 98 33136 0 0 1 allow access to DHCP server 217 434 165597 217 94421 217 71176 2 allow access to DHCP server 139832 0 0 0 0 0 0 0 allow access to DHCPv6 server 88724 0 0 0 0 0 0 0 allow access to DHCPv6 server 0 0 0 0 0 0 0 0 allow access to DHCPv6 server 0 0 0 0 0 0 0 0 allow access to DHCPv6 server 3220 0 0 0 0 0 0 0 allow access to DHCPv6 server 2633 0 0 0 0 0 0 0 allow access to DHCPv6 server 2633 0 0 0 0 0 0 0 pass IPv4 loopback 199120 40 3768 20 1268 20 2500 0 pass IPv4 loopback 40 0 0 0 0 0 0 0 pass IPv6 loopback 62 24 3696 24 3696 0 0 0 pass IPv6 loopback 42 0 0 0 0 0 0 0 let out anything IPv4 from firewall host itself 199096 96 8338 47 4807 49 3531 1 let out anything IPv6 from firewall host itself 62436 6537294 6113385103 4265755 5831145973 2271539 282239130 493 let out anything from firewall host itself 62427 2199794 1645496455 1183552 1451981118 1016242 193515337 796 let out anything from firewall host itself 62437 0 0 0 0 0 0 0 anti-lockout rule 202715 3175 2203691 1421 117700 1754 2085991 0 anti-lockout rule 199961 3175 2203691 1421 117700 1754 2085991 0 anti-lockout rule 199961 4734 2329089 2187 164329 2547 2164760 1 USER_RULE 202669 295 16008 116 5584 179 10424 0 USER_RULE 202605 36 1853 23 1351 13 502 0 USER_RULE 199922 36 1853 23 1351 13 502 0 USER_RULE: Default allow LAN to any rule 138935 2291258 1659445059 1087388 204607559 1203870 1454837500 1090 USER_RULE: Default allow LAN IPv6 to any rule 6767 6516204 6109716448 2260226 281068737 4255978 5828647711 304 TIMEOUTS: tcp.first                  120s tcp.opening                  30s tcp.established          86400s tcp.closing                900s tcp.finwait                  45s tcp.closed                  90s tcp.tsdiff                  30s udp.first                    60s udp.single                  30s udp.multiple                60s icmp.first                  20s icmp.error                  10s other.first                  60s other.single                30s other.multiple              60s frag                        30s interval                    10s adaptive.start          115800 states adaptive.end            231600 states src.track                    0s LIMITS: states        hard limit  193000 src-nodes    hard limit  193000 frags        hard limit    5000 table-entries hard limit  200000 TABLES: bogons bogonsv6 snort2c sshlockout virusprot webConfiguratorlockout OS FINGERPRINTS: 710 fingerprints loaded</bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></performnud,accept_rtadv,auto_linklocal></up,pointopoint,running,noarp,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></performnud,auto_linklocal></promisc></performnud,auto_linklocal></broadcast,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,linkstate></up,broadcast,running,simplex,multicast>