Another good source of info is "IPv6 Essentials". http://shop.oreilly.com/product/0636920023432.do

@Derelict: FWIW mail.yahoo.com hangs for me too on HE tunnel but not on centurylink native. Haven't has time to look at it further and, after all, who needs ANOTHER reason not to use yahoo mail? Haha, I hear you. I have several yahoo mail users complaining about this. Unfortunately, this is one of those examples of "old habits die hard."

@apple4ever: @bimmerdriver: It's definitely worth looking at a tunnel. If there's a server close to your location the throughput may be quite close to the throughput of your link. However, recently, I've been unable to access mail.yahoo.com through the tunnel, although I have no way to determine whether the problem is caused by the tunnel, yahoo's network or possibly even pfsense. Aside from that issue, the tunnel has been rock solid since I started using it, which was several years ago. I decided you are right, so I set one up. Love getting a /48, and having a static IP. Makes things so much easier. Hopefully I won't run into issues like you did (luckily I don't use yahoo mail). Have you done anything with delegated prefix? I'm trying to add the range, but its giving me an error that doesn't make sense: I'm trying to delegate a /52 using the range of 2001:470:1234:1000:: to 2001:470:1234:1fff:ffff:ffff:ffff:ffff but it give me an error: "Prefix Delegation To address is not a valid IPv6 Netmask for 2001:470:1234:1000::/52" Except all the subnet calculators tell me it should be valid. Help? Don't forget to set up the dynamic dns if you don't have a static ipv4 address. Sorry, haven't delegated a prefix. I'm only using a /64. Not sure why it's not happy with that.

That's helpful, thanks. I guess I was confused between what an interface gets assigned and the prefix delegation I would be getting. Definitely makes sense that interfaces get /64s. But it would be nice if there was somewhere that showed that I was getting the prefix I was asking for. I figured that's what the prefix ID meant, but it wasn't entirely clear, so thanks for clarifying that. Now to send /64s to my Cisco router for my VLAN's via a /61. But that's a separate question.

^^^^ Yep, that why I said "Every address currently available is within a /3, with 1/8 of all IPv6 addresses allocated to GUAs". Of the entire 2^128 IPv6 addresses, only 2^125 are used for GUAs. Since /3 represents all currently available GUAs, a /4 would be half of them.

Thank you, you are probably right. I am overcomplicating things and the configuration I want can be done just using resolver, without involving Bind. I have reconfigured my pfSense box to use the resolver and I see that it is pushing the IPv6 address of the box to the client machines with DHCP, exactly what I was trying to do with Bind. I think I'll stick with this configuration for now. Thanks again for your help, JKnott!

@virgiliomi: What you're looking for is an option in the ISP router to do prefix delegation. Hopefully the ISP router can delegate an IPv6 prefix to each of your pfSense systems via DHCPv6-PD. You'd receive the /64 delegated from the ISP router, then apply it to one of your networks. If you want, you could probably even delegate /60's so you each get 16 /64's to use as you wish. Ok, that's what I was thinking. I wasn't sure if the pfSense could request a /64 and the modem would keep track of things; I guess I'll just wait until I get the modem set up and play around. Thanks for all the feedback everyone!

@DLW67: I'm still learning IPv6 myself, but I've found that with DHCP configured as "managed," only my Linux hosts will receive a global IP address  from the DHCP pool, with the desired prefix. With this config, my W10 hosts only show local addresses. With DHCP configured as "assisted," both Linux and W10 clients will receive a global address. The Linux host will take an address from the DHCP pool, but the W10 host will use the network prefix and generate its own address. I'm still exploring the other config options. There is a problem with the latest version of windows 10 with DHCP6. Try ipconfig /release6 and ipconfig /renew6 to see if that will cause a lease to be allocated. As was already said, android phones use SLAAC, not DHCP6 due to a design decision by google and you should use assisted, not managed.

OK.  Lets just ignore all the internal vs external routing for a minute and focus on one problem for right now, since things are getting muddied up in a general (although informative) IPv6 routing discussion.  My core issue is IPv6 doesn't work on the WAN interface. I cant ping6 the external IPv6 address assigned to pfSense (with proper FW rules in place to allow) WAN interface when the gateway is not on the same network.  I also can't ping6 from the box to ipv6.google.com in shell or web interface.  I do have use non-local gateway checked on the gateway config.  Please help me solve this issue, since this at the very least should work but doesn't.

Not having any problems connecting to them.. But they don't have any AAAA records.. dig @2607:f0db:5001:8000::2 test-ipv6.com AAAA ; <<>> DiG 9.10.4-P3 <<>> @2607:f0db:5001:8000::2 test-ipv6.com AAAA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57326 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;test-ipv6.com.                IN      AAAA ;; AUTHORITY SECTION: test-ipv6.com.          300    IN      SOA    ns1.test-ipv6.com. jfesler.test-ipv6.com. 2016030401 10800 3600 604800 86400 ;; Query time: 64 msec ;; SERVER: 2607:f0db:5001:8000::2#53(2607:f0db:5001:8000::2) ;; WHEN: Sun Oct 16 09:51:34 Central Daylight Time 2016 ;; MSG SIZE  rcvd: 79

@virgiliomi: Gertjan's got it most likely… Hurricane Electric offers free DNS service as well, and that's what the HE.net and HE.net (v6) are for... HE.net Tunnelbroker is what you want to pick to update the IPv4 address for your IPv6 tunnel. As you suspected, Gertjan spotted my error. Thanks; I appreciate the clarification of the purpose for those other, various options. Cheers!

Thanks.  Using lower case for the alphabetic hex characters in the interface address works. It's a bit inconsistent though, as the interface allows upper-case characters when adding the IPv6 gateway.

For Windows, you can run ipconfig /release6 and ipconfig /renew6. Not sure about other operating systems.

Your DHCPv6 is not working, you get link local addresses (staring with fe08). Perhaps you need to set your router advertisement mode to managed?