Ok turns out this is an actual bug! https://redmine.pfsense.org/issues/5258 If you suffer from this, System -> Advanced > Firewall/NAT and Disable reply-to rules (tick the box). Not sure what multi WAN ipv6 users can do to fix it.

I'm less convinced that the problem is on the comcast configuratoin part if anymore. I noticed from the firewall logs that most of my ipv6 traffic is simply being blocked when this occurs, and if i attempt to reload the filter rules a handful of times, it eventually starts working. I did run into a problem with there appeared to be some race condition where my ipv6 rules wren't being applied so maybe it's related to that. I'm getting centurylink fiber pulled next tuesday, and they use 6rd, so I'm not going to bother digging into the current problem and see what happens when the centurylink connection is up.

May be @ hutnik. However, thanks!

I will add a little followup to this. After some experimentation, I've determined that the DHCP leases file in /var/dhcpd/var/db has to be manually edited or deleted if you decide to make the prefix delegation mask shorter at any point, for instance if you go from a /64 prefix delegation size to a /60. This is because the leases file contains previously allocated leases, and despite the fact that the client is asking for shorter mask (/60 for instance), continues to hand out the same subnet (/64) as it had previously. Thanks, –Andrew

So this is where your doing it?  See pic On your CLIENT do an ipconfig /all.. what does it show for dns for the openvpn connection? So for example I connect to one of my vps running openvpn..  Now can you do a query via vpn, do a traceroute do you go down the tunnel to get to the dns you provided? [image: vpndns.png] [image: vpndns.png_thumb] [image: dnsonvpnclient.png] [image: dnsonvpnclient.png_thumb] [image: dnsqueryandtrace.png] [image: dnsqueryandtrace.png_thumb]

Ok, little follow-up. It looks like it's not possible (at all) to actually specify which address is advertised in a RA. I assume the host directly uses the source address of the RA To speed up failover, one can hack the pfSense code which generates the actual radvd config and set MinRtrAdvInterval 3, MaxRtrAdvInterval 5 and, for the ::/0 route add AdvRouteLifetime 5. This reduces failover time to around 10 seconds - but I'm not sure if it is generally a good idea to mess with these values. The fastest option (in terms of failover) seems to be actually not to use SLAAC in the first place, but to manually configure IPv6 on each host - to be able to specify the desired CARP IP as default gateway… Does this make sense? PS: Oh, just found this read: https://www.isc.org/blogs/routing-configuration-over-dhcpv6-2/

Yes, I already worked around the multiple P2 issue with a config edit and both come up successfully. Tomorrow I'm going to try setting the network on the ASA side of the IPv6 P2 to ::/0 instead of the LAN address…

Doesn't revert anywhere here, as already noted. And no need to be clicking Save either.

Indeed it is. It comes enabled by default these days I thought. I never had to turn it on.

You can't use overlapping prefixes on the WAN and LAN side of your pfSense box ([PREFIX]:a300::/64 is a subset of [PREFIX]:a300::/56).

I am running ipv6 on 2.2.4 without any issues.  But I use a tunnel from Hurricane Electric, FREE, STABLE, FAST - WORKS!! Easy to setup and you get a /48 from them.  If you ask me most of the isp are not quite ready for ipv6.. This way doesn't matter! And you can even setup PTR for your ipv6 addresses..  Does your isp let you do that ;)

OK, you need a MoDem transparent (pass-tru/bridged to PPPoE) -OR- a MoDem-Router that can act as a DHCP6-Server (like the Fritz!Box 7360).

@ancker: I take full advantage of the 'register static DHCP entries in DNS' feature for IPv4. I would like to do something similar for IPv6. … Is there a way to do this? I'd like for my internal hosts to start talking via IPv6 where possible. Hopefully the ability to use DHCPv6 server with interfaces that are tracking another for IPv6 will be coming in version 2.3… that's likely still a ways off though. There will be lots of big changes in that version. This won't help for EUI-64 addresses, but if you opt to run IPv6 in a "Managed" way (no SLAAC), then anything that supports DHCPv6 will go that route, while anything else won't use IPv6 (i.e. Android). This is an option that would (hopefully) also be available for interfaces that are tracking IPv6. ref: post by cmb

@pra: Perhaps you need to use a NDP proxy (same as arp proxy but for IPv6) But i don t find it It does not and should not exist. You don't need nor want to proxy NDP. WAN and LAN(s) must have distinct subnets with proper routing. The ISP must supply you with a /64 or larger routed to your WAN address.

@hda: A prefix /60 gives you a collection of 2^4-1 subnets for your site. Each LAN, WAN node has its own unique subnet value, and such address has mask /64 … Thanks for confirming that.  That's what i had guessed was occurring.  But how would something like this work of the ISP does'nt provide you a /56.  For example, if their router only requested a /60, how would one allocate IPv6 addresses to WAN/LAN? Also, why is this occurring when I try to request a /64: And the LAN interface is tracking the WAn interface and it gets:   inet6 xxx prefixlen 60 Where is the LAN interface getting this /60? Thanks.

The firewall should hand out its own address for DNS in that case. There isn't a way to control it otherwise at the moment.

You realize that it allows anyone to completely bypass your firewall by simply sending fragmented IPv6 packets, right?