You can't use overlapping prefixes on the WAN and LAN side of your pfSense box ([PREFIX]:a300::/64 is a subset of [PREFIX]:a300::/56).

I am running ipv6 on 2.2.4 without any issues.  But I use a tunnel from Hurricane Electric, FREE, STABLE, FAST - WORKS!! Easy to setup and you get a /48 from them.  If you ask me most of the isp are not quite ready for ipv6.. This way doesn't matter! And you can even setup PTR for your ipv6 addresses..  Does your isp let you do that ;)

OK, you need a MoDem transparent (pass-tru/bridged to PPPoE) -OR- a MoDem-Router that can act as a DHCP6-Server (like the Fritz!Box 7360).

@ancker: I take full advantage of the 'register static DHCP entries in DNS' feature for IPv4. I would like to do something similar for IPv6. … Is there a way to do this? I'd like for my internal hosts to start talking via IPv6 where possible. Hopefully the ability to use DHCPv6 server with interfaces that are tracking another for IPv6 will be coming in version 2.3… that's likely still a ways off though. There will be lots of big changes in that version. This won't help for EUI-64 addresses, but if you opt to run IPv6 in a "Managed" way (no SLAAC), then anything that supports DHCPv6 will go that route, while anything else won't use IPv6 (i.e. Android). This is an option that would (hopefully) also be available for interfaces that are tracking IPv6. ref: post by cmb

@pra: Perhaps you need to use a NDP proxy (same as arp proxy but for IPv6) But i don t find it It does not and should not exist. You don't need nor want to proxy NDP. WAN and LAN(s) must have distinct subnets with proper routing. The ISP must supply you with a /64 or larger routed to your WAN address.

@hda: A prefix /60 gives you a collection of 2^4-1 subnets for your site. Each LAN, WAN node has its own unique subnet value, and such address has mask /64 … Thanks for confirming that.  That's what i had guessed was occurring.  But how would something like this work of the ISP does'nt provide you a /56.  For example, if their router only requested a /60, how would one allocate IPv6 addresses to WAN/LAN? Also, why is this occurring when I try to request a /64: And the LAN interface is tracking the WAn interface and it gets:   inet6 xxx prefixlen 60 Where is the LAN interface getting this /60? Thanks.

The firewall should hand out its own address for DNS in that case. There isn't a way to control it otherwise at the moment.

You realize that it allows anyone to completely bypass your firewall by simply sending fragmented IPv6 packets, right?

IIRC from last time I touched this damned thing - there are tabs to separately disable the IPv6 stuff only. Might be distro, NM version and init specific though. Probably better asked elsewhere.

Hello, @Nick2253: Can you set NPt destination prefix to track the WAN IP? @jimp: 1. No, not yet (though it's a feature we'd like to see eventually) Such a feature would be very nice. I need it for IPv6 load balancing (2xDSL with dynamic IPv6). Please add this!

Yeah, I'm definitely butted out of your "I have invented a /48 to use that noone routed to me and it doesn't work" "issue"…

Yes /48 on the WAN was definitely wrong. I had again contact with my ISP. They gave me now a transfernet /126 for my WAN. They routed the /48 to my WAN IP. But still not working, I believe or better sure this is not a pfsense or my config error. I don't have confidence in my provider now. I'm able to ping from LAN side, even from a host (computer) to they're router - my gateway. Asked them now to send there "show running-config ipv6", which they won't give me…. caputre: no NDP request found. No response seen to ICMPv6 request in frame 38. That's all about I see. Keep you posted.

Native IPv6 which does not use a prefix provided by my ISP.

One thing you should double check is that you have followed the part in the directions labeled "Pitfalls" about making sure that System > Advanced, Networking tab has "Allow IPv6" checked. That's the only way I know of that will stop the v6 auto gateway from showing up. I plan on making some updates to the wiki doc after the hangout. I ran through the whole process a couple times this week and had no problems. The gateways showed up automatically as expected and everything worked. There were a few minor differences to the wiki doc but nothing earth shattering.

Ok, figured out what was wrong on my configuration! The Captive Portal is not working with ipv6 and prevent the RA daemon to work properly. Thread can be closed Thanks

@Satras: …. I'm currently talking (again) to my ISP and try to convince him.. but I guess he won't listen. Normally, an ISP is considered as a BIG company (several millions of clients) so implementing IPv6 "for you" would be pure fiction. I'm using a big (biggest) French ISP "Orange" (+16 000 000 clients, mostly ADSL and some fiber links). They still think about "IPv6", because they have to switch the entire country to mixture of IPv6 and IPv4 in one go. Nice aspect: this is France so, first, they 'talk' about it (for the last 5 years already)  ;) I'm using https://tunnelbroker.net/ services for years now. This means that all my PC's and other devices  have an native IPv4 and IPv6 access. Works great !!

Looks like policy based routing is the answer

to bring up a tunnel with HE you have to allow ping to your public IP on your wan..  I have set this up so many times, it really is like 20 seconds tops to get a tunnel going. Btw I noticed you have a ipv4 icmp rule on your lan - but your notes say ipv6?  And its kind pointless since you have a any any rule from your lan that would allow icmp anyway.