• IPV6 Only IP I can use to RDP.

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz

    "but I found it weird that I couldn't unless going through my lan ip. "

    So you were hitting your public IPv4 1.2.3.4 address from a box on your network, let's call it 192.168.1.100. That would be NAT reflection. And unless you set it up in pfsense then no, it's not going to work. Unlike many consumer routers that have it on by default.

    Here is the thing: testing NAT reflection is not a valid test that your port forward is going to work, be it with a consumer router or pfsense.

  • IPV6 Renew WAN interface

    21
    0 Votes
    21 Posts
    4k Views
    ?

    @JKnott:

    So why the difference with sending a renew on some occasions and not on others, when in both cases I just pulled the cable?

    If you want, I can send you a PM to provide links to the captures, on Google Drive.  Then you'll be able to compare the 2 situations.

    I'm not talking about renew I'm talking about release, two different things.

  • 0 Votes
    2 Posts
    828 Views
    MikeV7896

    Under Services > DHCPv6 Server/RA, you can change the DHCPv6 range to be different - like ::2000 to ::3000 - then at the bottom of the page is where you can set up a static DHCPv6 entry for the host you want.

    However, you'll need to know the DUID of the host, so it might be easier to have it pick up a lease first, then add a static DHCPv6 entry from the Status > DHCPv6 Leases page by clicking the white and blue + button on the right side of the table.

  • IPv6 rd (track WAN interface)

    2
    0 Votes
    2 Posts
    1k Views
    No one has replied
  • Static setup, LAN->WAN forwarding not working [SOLVED]

    2
    0 Votes
    2 Posts
    3k Views
    E

    Solved. This turned out to be an ISP side routing issue. Like in https://forum.pfsense.org/index.php?topic=104583.0 , I was trying to advertise the /48 to the ISP gateway through SA, which is apparently not how it's supposed to work.

    Testing with netcat6, I listened at a remote server for UDP packets and sent one from the LAN. It went through. So in fact LAN->Internet was working, but replies (Internet->LAN) never came through.

    This was resolved by the ISP setting up a separate link network {linkprefix}::/64, and then routing {prefix}::/48 <-> {linkprefix}::1/64 (ISP GW) <-> {linkprefix}::2/64 (Pfsense) <-> LAN. (No route daemon running on pfsense, only static configs at ISP side.)

    Unfortunately, I never found out why/how Internet<->Pfsense traffic worked before (regardless of Pfsense box's address), if there were no routes set up at ISP's before. Maybe their gateway added my Pfsense box as a single host to their routing tables through IPv6 Neighbor discovery or something.

  • DHCPv6 across VLANs

    6
    0 Votes
    6 Posts
    2k Views
    JKnott

    Another good source of info is "IPv6 Essentials".
    http://shop.oreilly.com/product/0636920023432.do

  • Ubuntu Server 16.04 not getting dhcpv6 leases

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • HE Tunnel Problem

    27
    0 Votes
    27 Posts
    7k Views
    B

    @Derelict:

    FWIW mail.yahoo.com hangs for me too on HE tunnel but not on centurylink native. Haven't had time to look at it further and, after all, who needs ANOTHER reason not to use yahoo mail?

    Haha, I hear you. I have several yahoo mail users complaining about this. Unfortunately, this is one of those examples of "old habits die hard."

  • Prefix Delegation to a router

    8
    0 Votes
    8 Posts
    7k Views
    B

    @apple4ever:

    @bimmerdriver:

    It's definitely worth looking at a tunnel. If there's a server close to your location the throughput may be quite close to the throughput of your link. However, recently, I've been unable to access mail.yahoo.com through the tunnel, although I have no way to determine whether the problem is caused by the tunnel, yahoo's network or possibly even pfsense. Aside from that issue, the tunnel has been rock solid since I started using it, which was several years ago.

    I decided you are right, so I set one up. Love getting a /48, and having a static IP. Makes things so much easier. Hopefully I won't run into issues like you did (luckily I don't use yahoo mail).

    Have you done anything with delegated prefix? I'm trying to add the range, but it's giving me an error that doesn't make sense:

    I'm trying to delegate a /52 using the range of 2001:470:1234:1000:: to 2001:470:1234:1fff:ffff:ffff:ffff:ffff but it gives me an error:

    "Prefix Delegation To address is not a valid IPv6 Netmask for 2001:470:1234:1000::/52"

    Except all the subnet calculators tell me it should be valid.

    Help?

    Don't forget to set up the dynamic dns if you don't have a static ipv4 address.

    Sorry, haven't delegated a prefix. I'm only using a /64. Not sure why it's not happy with that.

  • Comcast and Prefix Request

    4
    0 Votes
    4 Posts
    2k Views
    A

    That's helpful, thanks. I guess I was confused between what an interface gets assigned and the prefix delegation I would be getting. Definitely makes sense that interfaces get /64s. But it would be nice if there was somewhere that showed that I was getting the prefix I was asking for.

    I figured that's what the prefix ID meant, but it wasn't entirely clear, so thanks for clarifying that.

    Now to send /64s to my Cisco router for my VLAN's via a /61. But that's a separate question.

  • Advanced DHCP6 Client Configuration doesn't allow IPv6 prefix

    1
    0 Votes
    1 Posts
    740 Views
    No one has replied
  • Setup IPv6 provided by ARIN

    10
    0 Votes
    10 Posts
    2k Views
    JKnott

    ^^^^
    Yep, that's why I said "Every address currently available is within a /3, with 1/8 of all IPv6 addresses allocated to GUAs".

    Of the entire 2^128 IPv6 addresses, only 2^125 are used for GUAs.

    Since /3 represents all currently available GUAs, a /4 would be half of them.

  • PfSense and DNS over IPv6

    7
    0 Votes
    7 Posts
    5k Views
    R

    Thank you, you are probably right. I am overcomplicating things and the configuration I want can be done just using resolver, without involving Bind. I have reconfigured my pfSense box to use the resolver and I see that it is pushing the IPv6 address of the box to the client machines with DHCP, exactly what I was trying to do with Bind. I think I'll stick with this configuration for now.

    Thanks again for your help, JKnott!

  • Sharing IPv6 subnet

    10
    0 Votes
    10 Posts
    2k Views
    M

    @virgiliomi:

    What you're looking for is an option in the ISP router to do prefix delegation. Hopefully the ISP router can delegate an IPv6 prefix to each of your pfSense systems via DHCPv6-PD. You'd receive the /64 delegated from the ISP router, then apply it to one of your networks. If you want, you could probably even delegate /60's so you each get 16 /64's to use as you wish.

    Ok, that's what I was thinking. I wasn't sure if the pfSense could request a /64 and the modem would keep track of things; I guess I'll just wait until I get the modem set up and play around. Thanks for all the feedback everyone!

  • Master/Backup Routing Setup and issues with Windows Clients

    1
    0 Votes
    1 Posts
    699 Views
    No one has replied
  • DHCP6 IP's not handed out.

    5
    0 Votes
    5 Posts
    2k Views
    B

    @DLW67:

    I'm still learning IPv6 myself, but I've found that with DHCP configured as "managed," only my Linux hosts will receive a global IP address from the DHCP pool, with the desired prefix. With this config, my W10 hosts only show local addresses.

    With DHCP configured as "assisted," both Linux and W10 clients will receive a global address. The Linux host will take an address from the DHCP pool, but the W10 host will use the network prefix and generate its own address.

    I'm still exploring the other config options.

    There is a problem with the latest version of Windows 10 with DHCP6. Try ipconfig /release6 and ipconfig /renew6 to see if that will cause a lease to be allocated. As was already said, Android phones use SLAAC, not DHCP6, due to a design decision by Google, and you should use assisted, not managed.

  • DMZ Bridge with IPv6

    1
    0 Votes
    1 Posts
    899 Views
    No one has replied
  • IPv6 with Gateway on a different network

    12
    0 Votes
    12 Posts
    3k Views
    E

    OK. Let's just ignore all the internal vs external routing for a minute and focus on one problem for right now, since things are getting muddied up in a general (although informative) IPv6 routing discussion. My core issue is IPv6 doesn't work on the WAN interface.

    I can't ping6 the external IPv6 address assigned to pfSense (with proper FW rules in place to allow) WAN interface when the gateway is not on the same network. I also can't ping6 from the box to ipv6.google.com in shell or web interface. I do have use non-local gateway checked on the gateway config. Please help me solve this issue, since this at the very least should work but doesn't.

  • Hide IPv4 WAN address while using Hurricane Electric IPv6 tunnel

    25
    0 Votes
    25 Posts
    5k Views
    johnpoz

    Not having any problems connecting to them. But they don't have any AAAA records.

    dig @2607:f0db:5001:8000::2 test-ipv6.com AAAA

    ; <<>> DiG 9.10.4-P3 <<>> @2607:f0db:5001:8000::2 test-ipv6.com AAAA
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57326
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;test-ipv6.com.                IN      AAAA

    ;; AUTHORITY SECTION:
    test-ipv6.com.          300    IN      SOA    ns1.test-ipv6.com. jfesler.test-ipv6.com. 2016030401 10800 3600 604800 86400

    ;; Query time: 64 msec
    ;; SERVER: 2607:f0db:5001:8000::2#53(2607:f0db:5001:8000::2)
    ;; WHEN: Sun Oct 16 09:51:34 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 79

  • Dynamic Address & HE.net

    5
    0 Votes
    5 Posts
    3k Views
    D

    @virgiliomi:

    Gertjan's got it most likely… Hurricane Electric offers free DNS service as well, and that's what the HE.net and HE.net (v6) are for... HE.net Tunnelbroker is what you want to pick to update the IPv4 address for your IPv6 tunnel.

    As you suspected, Gertjan spotted my error.

    Thanks; I appreciate the clarification of the purpose for those other, various options.

    Cheers!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.