"Enabling the adapter, even with no clients connecting, leads to very long DNS lookup times, or faiilure to resolve, and much slower page loads for browsers behind the firewall." Huh??  What is having a hard time to resolve?  You do understand even if you query via IPv4 for a fqdn if there is AAAA record you most likely get that returned as well since many dns clients default to query both.. If you get back a AAAA (ipv6 address for a fqdn) and your client prefers and has ipv6 it will try to use that..  But what does this have to do with pfsense having a link local address?  I use ipv6 on some interfaces in pfsense and none on other interfaces that I am not using IPv6 in that network.. Yes those interfaces still get link local as shown above.. Your posting of this inet6 2001:5<foo>9:4125:5501 prefixlen 128 and inet6 2601:248:<foo>:44c6 prefixlen 64 This is NOT a none setting on the interface.. Where are you saying this is coming from??  If you have an interface set to NONE for ipv6 it sure and the hell is not going to get a global ipv6 address on it.. 2000::/3 So you bring up openvpn..  I route ipv6 over one of my vpn servers connections, and then on another one I do not - so as you can see from attached one has a global ipv6 address, the other does not but both of them have link local addresses on them for ipv6.. If you are not ready to use ipv6, then make sure all your interfaces in pfsense have none set for ipv6 this is all that should have to be done.. [image: openvpnipv6.png] [image: openvpnipv6.png_thumb]</foo></foo>

Block DNS over IPv6. Follow the wiki for the rest. End of story. Not going to explain for the zillionth time that System - General is NOT for clients.

This is working for me: https://moerbst.wordpress.com/2016/07/31/ipv6mit-pfsense-an-dsl-der-telekom/ It's in german language but with screenshots for every step, so it should be no problem :-)

That is not the default setting.. So clearly at some point you said, I only want tcp/udp outbound – so that would break ping/traceroute, etc..

How have you configured your WAN and your LAN? At least in my area, Comcast will hand out a /64 prefix or a /60. If you want the simplest config, your WAN interface should be set up to use DHCP6 leave "DHCPv6 Prefix Delegation size" at 64 check the "Send IPv6 prefix hint" checkbox then for IPv6 on your LAN interface set it up to "track interface" pointing to the WAN interface with the "IPv6 Prefix ID" set to 0 (you can't change it if you requested a /64 on the WAN). That should be enough to get legitimate IPv6 addresses on your LAN. Tim

When they don't support it, they should at least stop breaking it. Frankly, time to find a new ISP. This thing just works (pretty much everywhere when you drop the MTU to 1280) unless some lame ISP screws that intentionally or just by some clueless misconfiguration of their equipment.

@richardd: What I'm missing in pfSense DHCP6 is the option to use the MAC address for identification No such thing exists for DHCP6.

YOu had to reboot your ISP equipment Im almost sure about that. If you use PPPoE sometimes when pppoe session is not disconnected properly it simply doesnt work until you reboot things :) Glad you made it working.

So your double natting to this pfsense box 192.168.1.1 which is in front of your pfsense box that also nats.  Does that pfsense have a public on its wan? You mention your at school - is this the schools network?  Or do you have your own private internet connection.  Many schools lock down their networks, where they don't even want you running nat that would allow you to put non registered devices on their network.  It would be quite possible that they are blocking protocol 41 which is required for a HE tunnel. From the HE faq *Two important notes: Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).     If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41. What is IP Protocol 41?     IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet. Even if they do allow it.. Not sure it would work through a double nat?  Do you have access to this pfsense in front of yours - is it allowing protocol 41?  Is it sending it to your 2nd pfsense wan IP?  See attached. [image: protocol41.png] [image: protocol41.png_thumb]

It appears this may still be a bug in 2.2.2  My PPPoE sessions being renewed seem to completely break DHCP6 prefix delegation with my ISP.  The WAN link comes up and can be used to communicate but routing for the delegated subnet is completely broken. I was able to confirm that killing the processes and re-saving the wan config as suggested on the documentation page here https://doc.pfsense.org/index.php/DHCPv6_Client_XID_Mismatch resolved the issue.

@doktornotor: Can people here retest this with latest 2.2.3 snapshots? Seems working for me. Ditto, seems fine for me as well, but more widespread testing would be appreciated.

Thank You Johnpoz & Gertjan. … :D learningg  ....  :-*

@doktornotor: … Also note that the IPv6 display for PPPoE has never worked properly -- neither in the GUI dashboard, nor in the console menu. +1, that is, the WAN IPv6 prefix + MACderivative parallel to the WAN IPv4 entry. Luckily I know my steady /48 on beforehand, so I can issue the different subnets for the SLAAC, Static or DHCPv6 LAN's ;)

For those still encountering issues with Comcast's odd DHCPv6 setup FYI, another trick to doing this if you don't want to have to change the MAC address and aren't willing to wait a week: Modify the WAN dhcp settings to request a /60 as previously detailed Download http://www.ipv6.mtu.edu/wide_mkduid.pl which is a simple perl script to create a dhcp6c_duid file. Run it on a Linux box (or something with Perl installed) like so $ ./wide_mkduid.pl -t now -m <pfsense wan="" mac="" address="">successfully created /home/timw/dhcp6c_duid DUID is 00:01:00:06:55:77:0a:34:XX:XX:XX:XX:XX:XX (MAC redacted) copy over the generated dhcp6c_duid to the pfsense box (I scp'd it into /tmp) Save a copy of /var/db/dhcp6c_duid (just in case anything goes wrong) cp /tmp/dhcp6c_duid /var/db/dhcp6c_duid Go into the WAN settings in the Web UI and just resave them. Immediately after doing this I was received my shiny new /60 prefix delegation.</pfsense>

The gif tunnel being /128 is fine. @furgussen: kernel: cannot forward src fe80:2::20c:29ff:fe2a:fba2, dst 2001:0:9d38:6abd:307a:377a:a785:7ba6, nxt 6, rcvif vmx1, outif gif0 Which is bizarre.  I don't know why pfSense is trying to foward link-local out to the internet. Because something is sourcing traffic from its link-local IP destined to its LAN MAC. This looks like what'd happen if you didn't configure your routed /64 on your LAN interface, or didn't configure RAs or DHCPv6 to assign IPv6 IPs to clients.

@jayjanssen: Thanks, but that seems unsatisfying… But that's how it works… Feel free to experiment with DHCPv6-Server to learn about address routing mask /64. One should reserve the last 64 bits for addressing LAN hosts. SLAAC fits right in, but you can make what you want with static or dhcpv6.

but I had use PF2.1.X version , ipv6 work in andriod.  only PF2.2.X IPV6 not work.

I don't need that binding on that interface for sure.. So just removed it..

@Rhongomiant: I am being told by an ISP that has multiple gateways for redundancy that my pfSense devices should be able to get the gateway IP from Router Advertisements after sending a Router Solicitation. I realize that this will work if I use SLAAC … No, you use RA in combination with SLAAC, DHCPv6-server or Static IPv6 assignment. And your pfSense devices are on the LAN. Configure your LAN IPv6 as static first with another unique subnet value than WAN,  mask /64, not some other value there.

Seems that DHCPv6 server has no problem. Problem is the default settings of Windows I've installed the following Microsoft fixes from https://support.microsoft.com/en-us/kb/929852 Microsoft Fix it 50440 Microsoft Fix it 50443