"I'm an ipv6 novice" Doesn't sounds like you should be running a email server on ipv6 then ;)

"but experimenting with IPv6 to be prepared for the eventual change." And I commend that fully.. I dabble with ipv6 myself to keep my hands in it for when might actually use it at work..  Which is truly lagging, I will most likely be retired before ipv6 is fully mainstream to be honest..  I would suggest go take certs tests from HE, you can get a free tshirt when you pass sage level. I by no means am a dhcpv6 expert, but what dok mentions is going to be where you get started.. The DUID is going to be per machine, and this is normally how a dhcpv6 would give you your IP.. Its not going to give you multiple because you have multiple interfaces in the same network.. Now this could be tied with the IAID I assume to allow you to have each interface get an IP in the same prefix. You would have to read the rfc's to be sure.. And then again would depend on if pfsense supports that, and if your isp support that.. I don't really see when this would be useful though.  Such a setup shouldn't really exist.. Why would you put 2 interfaces from the same machine into the same network?  Especially on a ROUTER!! You might do it on some host I guess serving up websites or something on different IPs.. But on a router - no. Simple solutions to your problem.. Use different isps ;)  So each interface would get its own IP in its own prefix..  Use HE for ipv6, you could for sure setup tunnels on each interface. Even if pfsense supports having each interface get an ipv6 in the prefix, doesn't mean your ISP does.. You could contact them - good luck with that ;)

I guess the WAN 'tracks' something for a list of LAN's - this list will be setup explicitly when the WAN is set - this list will be populated when all the LAN's exists AND when WAN is saved. Something like that ^^

I can understand why ISPs might not want to statically assign non-business customer prefixes, as the customers may come and go.  However, through the use of the DUID, the assigned address should not change, at least not for the lifetime of the DUID.

Hurm. definitely related to RA. ip -6 neigh (from a linux system) doesn't show any routers prior to pinging the router ip. after pinging the interface's ipv6 address on the router everything works and ip -6 neigh shows the router as reachable

Are you using the same prefix ID as on your LAN interface? If so that would be an issue. I have a 6rd configuration as well and can get a separate ipv6 subnet allocation on my other internal interface, but I can't get it to pass any ipv6 traffic.

@timmiet: here is my full setup. comcast modem/router (DNS and DHCP on)-> pfsense 2.2.4 (DNS and DHCP off) -> Server 2012r2 (DNS and DHCP on) server has a static IPV4 but IP6 is Obtain automatically. from pfsense I can ping tcpip6 from server I can not. comcast router IP 192.168.107.1 PFSense IP 192.168.7.1 Windows Server 192.168.7.10 I'm very very very very TCPIPV6 stupid please help. :) To start, I would test with a computer connected directly to the Comcast modem. If that doesn't work, you will never be able to get a Comcast to Pfsense to (same) computer to work…

@doktornotor: Uhm… instead of trying random prefixes, you should find out HOW does your ISP deliver IPv6. Yes, the first place one should look.  I was not able to find that info.  Info I did find was generic and had no date.  It apparently referred to the rollout from several years ago.  Other posts showed different values so I tried some. One suggestion I read was to plug a win machine into the modem.  I don't have a win machine.  I've been thinking of trying that on my wife's macbook but only as a final option to confirm if an IPv6 addr is obtained. I'll keep searching for more info. thanks

@doktornotor: Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088. @jtl: As I test I used``` nc -6 -l 8088 I created another rule for port 8088 and that works. Here's a bit of a cluttered screenshot showing it. Left window is remote server, and right is netcat. https://i.imgur.com/xGUavMh.png Need to read up more on IPv6 sometime.

@pixeltofu: Cool thanks! Got it working by disabling the DHCPv6 server and changing the Router advertisements to unmanaged! The Androids also work now! Why should I change the internal IP's to /24? What's the advantage of it? It's just my internal network? You'll almost never need the full /16 for one network segment and even if you try to do that you'll run into serious performance problems with that many clients on the same broadcast domain. A /24 is the best compromise in a single broadcast domain for number available addresses, performance and manageability.

You have to qualify which interface you mean with a link-local address, as an example this is  from the FreeBSD ping6 manual page: The following will probe hostnames for all nodes on the network link     attached to wi0 interface.  The address ff02::1 is named the link-local     all-node multicast address, and the packet would reach every node on the     network link.           ping6 -w ff02::1%wi0

Interesting… O.K. well I've finished off most of the changes to dhcp6c now and that's all sorted apart from removing rubbish from the log like ctrl crud on startup, but that can wait. I'll see if I can find out why dpinger is not closing.

From my point of view, telekom don´t use DS-List ?!? ( see IP 79.XX in the dokument ).

What directions?  These https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

"but i found it weird that i couldnt unless going through my lan ip. " So you were hitting your public IPv4 1.2.3.4 address from a box on your network, lets call it 192.168.1.100..  That would be NAT reflection.  And unless you set it up in pfsense then no its not going to work.  Unlike many consumer routers that have it on by default. Here is the thing testing nat reflection is not a valid test that your port forward is going to work, be it with consumer router or pfsense.

@JKnott: So why the difference with sending a renew on some occasions and not on others, when in both cases I just pulled the cable? If you want, I can send you a PM to provide links to the captures, on Google Drive.  Then you'll be able to compare the 2 situations. I'm not talking about renew I'm talking about release, two different things.

Under Services > DHCPv6 Server/RA, you can change the DHCPv6 range to be different - like ::2000 to ::3000 - then at the bottom of the page is where you can set up a static DHCPv6 entry for the host you want. However, you'll need to know the DUID of the host, so it might be easier to have it pick up a lease first, then add a static DHCPv6 entry from the Status > DHCPv6 Leases page by clicking the white and blue + button on the right side of the table.

Solved. This turned out to be an ISP side routing issue. Like in https://forum.pfsense.org/index.php?topic=104583.0 , I was trying to advertise the /48 to the ISP gateway through SA, which is apparently not how it's supposed to work. Testing with netcat6, I listened at a remote server for UDP packets and sent one from the LAN. It went through. So in fact LAN->Internet was working, but replies (Internet->LAN) never came through. This was resolved by the ISP setting up a separate link network {linkprefix}::/64, and then routing {prefix}::/48 <-> {linkprefix}::1/64 (ISP GW) <-> {linkprefix}::2/64 (Pfsense) <-> LAN. (No route daemon running on pfsense, only static configs at ISP side.) Unfortunately, I never found out why/how Internet<->Pfsense traffic worked before (regardless of Pfsense box's address), if there were no routes set up at ISP's before. Maybe their gateway added my Pfsense box as a single host to their routing tables through IPv6 Neighbor discovery or something.