This is working for me: https://moerbst.wordpress.com/2016/07/31/ipv6mit-pfsense-an-dsl-der-telekom/ It's in german language but with screenshots for every step, so it should be no problem :-)

That is not the default setting.. So clearly at some point you said, I only want tcp/udp outbound – so that would break ping/traceroute, etc..

How have you configured your WAN and your LAN?
At least in my area, Comcast will hand out a /64 prefix or a /60.
If you want the simplest config,

your WAN interface should be set up to use DHCP6

leave "DHCPv6 Prefix Delegation size" at 64

check the "Send IPv6 prefix hint" checkbox

then for IPv6 on your LAN interface set it up to "track interface" pointing to the WAN interface with the "IPv6 Prefix ID" set to 0 (you can't change it if you requested a /64 on the WAN).

That should be enough to get legitimate IPv6 addresses on your LAN.

Tim

When they don't support it, they should at least stop breaking it.

Frankly, time to find a new ISP. This thing just works (pretty much everywhere when you drop the MTU to 1280) unless some lame ISP screws that intentionally or just by some clueless misconfiguration of their equipment.

@richardd:

What I'm missing in pfSense DHCP6 is the option to use the MAC address for identification

No such thing exists for DHCP6.

YOu had to reboot your ISP equipment Im almost sure about that. If you use PPPoE sometimes when pppoe session is not disconnected properly it simply doesnt work until you reboot things :)

Glad you made it working.

So your double natting to this pfsense box 192.168.1.1 which is in front of your pfsense box that also nats.  Does that pfsense have a public on its wan?

You mention your at school - is this the schools network?  Or do you have your own private internet connection.  Many schools lock down their networks, where they don't even want you running nat that would allow you to put non registered devices on their network.  It would be quite possible that they are blocking protocol 41 which is required for a HE tunnel.

From the HE faq

*Two important notes:

Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
    If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.

What is IP Protocol 41?
    IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.

Even if they do allow it.. Not sure it would work through a double nat?  Do you have access to this pfsense in front of yours - is it allowing protocol 41?  Is it sending it to your 2nd pfsense wan IP?  See attached.

protocol41.png
protocol41.png_thumb

It appears this may still be a bug in 2.2.2  My PPPoE sessions being renewed seem to completely break DHCP6 prefix delegation with my ISP.  The WAN link comes up and can be used to communicate but routing for the delegated subnet is completely broken.

I was able to confirm that killing the processes and re-saving the wan config as suggested on the documentation page here https://doc.pfsense.org/index.php/DHCPv6_Client_XID_Mismatch resolved the issue.

@doktornotor:

Can people here retest this with latest 2.2.3 snapshots? Seems working for me.

Ditto, seems fine for me as well, but more widespread testing would be appreciated.

Thank You Johnpoz & Gertjan. … :D learningg  ....  :-*

@doktornotor:

…
Also note that the IPv6 display for PPPoE has never worked properly -- neither in the GUI dashboard, nor in the console menu.

+1, that is, the WAN IPv6 prefix + MACderivative parallel to the WAN IPv4 entry.
Luckily I know my steady /48 on beforehand, so I can issue the different subnets for the SLAAC, Static or DHCPv6 LAN's ;)

For those still encountering issues with Comcast's odd DHCPv6 setup
FYI, another trick to doing this if you don't want to have to change the MAC address and aren't willing to wait a week:

Modify the WAN dhcp settings to request a /60 as previously detailed
Download http://www.ipv6.mtu.edu/wide_mkduid.pl which is a simple perl script to create a dhcp6c_duid file.
Run it on a Linux box (or something with Perl installed) like so
$ ./wide_mkduid.pl -t now -m <pfsense wan="" mac="" address="">successfully created /home/timw/dhcp6c_duid
DUID is 00:01:00:06:55:77:0a:34:XX:XX:XX:XX:XX:XX (MAC redacted)

copy over the generated dhcp6c_duid to the pfsense box (I scp'd it into /tmp)
Save a copy of /var/db/dhcp6c_duid (just in case anything goes wrong)
cp /tmp/dhcp6c_duid /var/db/dhcp6c_duid
Go into the WAN settings in the Web UI and just resave them.

Immediately after doing this I was received my shiny new /60 prefix delegation.</pfsense>

The gif tunnel being /128 is fine.

@furgussen:

kernel: cannot forward src fe80:2::20c:29ff:fe2a:fba2, dst 2001:0:9d38:6abd:307a:377a:a785:7ba6, nxt 6, rcvif vmx1, outif gif0

Which is bizarre.  I don't know why pfSense is trying to foward link-local out to the internet.

Because something is sourcing traffic from its link-local IP destined to its LAN MAC. This looks like what'd happen if you didn't configure your routed /64 on your LAN interface, or didn't configure RAs or DHCPv6 to assign IPv6 IPs to clients.

@jayjanssen:

Thanks, but that seems unsatisfying…

But that's how it works… Feel free to experiment with DHCPv6-Server to learn about address routing mask /64. One should reserve the last 64 bits for addressing LAN hosts. SLAAC fits right in, but you can make what you want with static or dhcpv6.

but I had use PF2.1.X version , ipv6 work in andriod.  only PF2.2.X IPV6 not work.

I don't need that binding on that interface for sure.. So just removed it..

@Rhongomiant:

I am being told by an ISP that has multiple gateways for redundancy that my pfSense devices should be able to get the gateway IP from Router Advertisements after sending a Router Solicitation. I realize that this will work if I use SLAAC
…

No, you use RA in combination with SLAAC, DHCPv6-server or Static IPv6 assignment. And your pfSense devices are on the LAN.
Configure your LAN IPv6 as static first with another unique subnet value than WAN,  mask /64, not some other value there.

Seems that DHCPv6 server has no problem. Problem is the default settings of Windows

I've installed the following Microsoft fixes from https://support.microsoft.com/en-us/kb/929852
Microsoft Fix it 50440
Microsoft Fix it 50443

Update - General System Logs also states:
Note- my logs are latest first.

php-fpm[60244]: /interfaces.php: Creating rrd update script
snmpd[78479]: disk_OS_get_disks: adding device 'ada0' to device list
check_reload_status: Reloading filter
check_reload_status: updating dyndns lan
php-fpm[60244]: /interfaces.php: Shutting down Router Advertisment daemon cleanly
check_reload_status: Restarting ipsec tunnels
check_reload_status: Syncing firewall

Just an update. I got an Intel 350-T4 adapter (igb) and am using one of the ports for my wan (untagged) IPv6 is now working properly. Is this an issue with tagged interfaces on em cards?