• 0 Votes
    11 Posts
    4k Views
    @JasonTracy: That said, I'm interested to hear more about how you're doing this! What ?  :D  I will outline the principle for non-tracking setups. Comcast, I am not with them. But they supply a /60, I understood from elsewhere. Try [Interfaces: WAN] (Advanced(Send Options=ia-pd 0)) and (prefix delegation: checked). If you get the /60 on the WAN, then you can know your prefixnumber as the first 64 bits. Let's assume you get a prefixnumber like 2015:911:abcd:ff80(::1) on your WAN. The last placeholder (0) in :ff80: is actually the supplied space, your 4-bits equals 15 LANs possibly. Now in webgui pfSense you can make a LAN-1 static as 2015:911:abcd:ff81::1/64 or a LAN-2 static as 2015:911:abcd:ff82::1/64. (The space available is :ff81: thru :ff8f: ). A (PC) serverhost on LAN-1 (:ff81:) could get a number issued by you, (not by DHCPv6), say 2015:911:abcd:ff81::1001. Or you could config a DHCPv6-Server/RA with a pool like [2015:911:abcd:ff81::1051 up to 2015:911:abcd:ff81::1100]. You make your WAN firewall rules on a well-known server fixed IPv6 address. So when ISP pulls/changes your 2015:911:abcd:ff8::/60, then your IPv6 LANs and public server are securely off-line.
  • Tunnelbroker.net always needed for IPv6?

    0 Votes
    5 Posts
    1k Views
    Ditto for Comcast. EDIT: Sorry, it's actually just a /60 for Comcast.
  • Comcast IPv6 PD + PFSense Changing IPv6 Prefixes

    0 Votes
    3 Posts
    1k Views
    @antillie: If Comcast wants to change your IPv6 prefix there is nothing you can do to stop them. It wouldn't surprise me if they change your prefix now and then just to make it hard for you to run a server. Maybe they can sell you a business class account with a static prefix assignment? Yeah I'm hoping it's not nefarious. :) Issue is getting the speed/bandwidth on the business accounts. A 100MB line on Business isn't cheap… Or, if this enhancement gets applied to PFSense then it may resolve my issue. https://redmine.pfsense.org/issues/3029
  • IPV6 Problem

    0 Votes
    4 Posts
    1k Views
    Yes, your edge firewall is a master holding the /48. Request by slave DHCP(PD). Stop the /52-ing internal. Peel off /64-ers from your Comcast /48. Stick to /64 routing.
  • IPV6 static

    0 Votes
    7 Posts
    1k Views
    the guy from my ISP
  • IPv6 dynamic NAT

    0 Votes
    8 Posts
    2k Views
    @pii77: … Anyone with best practices on how to solve this?... Why does an/your ISP issue a prefix /48 and not keep it the same number for you, despite you get it with DHCP6c(PD) (and they reserve the right to change/pull it of course)? Why not just assume that your /48 is a permanent number (quasi-static)? Because then next assign your LAN a subnet static or with DHCP6-server…
  • [SOLVED] IPv6 PPPoe and track interface

    0 Votes
    13 Posts
    6k Views
    @snowyrain: I don't know why… As a pfSense manager yourself, that is not a very satisfying position.  :P
  • 6in4 on pfSense?

    0 Votes
    4 Posts
    2k Views
    No, not 6to4. That 6to4 wannabe magic anycast thing is officially dead.
  • IPV6 possible to route internally in server?

    0 Votes
    11 Posts
    2k Views
    Yeah, this is a pfSense forum. Configuring firewalls requires you understand at least basic concepts of networking. You are totally stuck with IPv4 mentality, which just does not apply to IPv6. Everyone has a public IPv6, every box can be reached directly unless you block the traffic by firewall. There is no NAT to hide behind.
  • SixXS with Heartbeat Script for Dynamic IPv4 Connections

    0 Votes
    2 Posts
    1k Views
    So, well… here's a couple of suggestions: 1/ Install the Filer package and use that to upload whatever custom scripts you have (Diagnostics - Filer) 2/ Install the Cron package and use that to maintain your custom cronjobs (Services = Cron). This way, the mods will actually survive upgrades.
  • IPv6 Performance Hit Following Update

    0 Votes
    11 Posts
    2k Views
    Attenuating the default. For me will do: [System: Gateways: Edit gateway] WAN_DHCP6; Probe Interval=8; Down=32;
  • Local DNS servers overridden by prefix delegation on WAN

    0 Votes
    1 Posts
    874 Views
    No one has replied
  • IPv6 config rule expands to no valid combination ?

    0 Votes
    2 Posts
    827 Views
    Dude, you do NOT 1:1 NAT IPv6 like this. WTF. There's NPt for IPv6. P.S. Filed a bug: https://redmine.pfsense.org/issues/4536 (Note @OP: Fixing that bug will prevent you from configuring similar BS. Meanwhile, kindly remove that nonsense yourself.)
  • Ipv6 with Charter's 6RD service

    0 Votes
    7 Posts
    5k Views
    6RD + Charter is confirmed working in 2.2.1-Release! Thanks to Ermal, Chris & Will for following through with this. Feel free to read about the process: https://redmine.pfsense.org/issues/2882
  • IPv6 lost on 2.2-RELEASE (Comcast)

    0 Votes
    23 Posts
    7k Views
    rohrej
    @virgiliomi: There's a bug regarding IPv6 not returning after modem reset… I added some comments back in February about it, even with the "Use IPv4 connectivity as parent interface" option enabled. https://redmine.pfsense.org/issues/3290 Thanks for the pointer, I'm now watching this issue.  It sounds like your experience is the same as mine.
  • IPv6 connection unstable

    0 Votes
    6 Posts
    2k Views
    @jvangent100: Well, mine always comes up after reboot, but it disconnects frequently. … Will watch relevant logs and hope to find out why I am getting frequent disconnects (sometimes twice a day). Could periodically killing and starting DCHPc6 help? Some past experience. Assure a MAC-derived fe80 link-local on the WAN, do not rely on one compounded from privacy-extensions. If the other side pulls the line (too long for apinger), then IPv4 will recover but IPv6 may not. But then a (re)fresh PPPoE disconnect/connect will solve. [Status: Interfaces] If a disconnect is (IPv4 & IPv6), then test relaxation (factor 4 to 8 (Probe Interval, Down)) for apinger [System: Gateways: Edit gateway]. Periodically restarting, like frequent config changes, can introduce instance problems for dhcp6c like new PID is established and old is not flushed.
  • How to Turn off IPv6 in System Logs > Firewall?

    0 Votes
    6 Posts
    5k Views
    jimp
    The thinking is: If you have IPv6 disabled, you'd want to be notified that people are attempting to use IPv6 when you told the firewall you do not want IPv6 to be used. It's a security measure. If you want to ignore IPv6, enable it and add some floating rules to block w/o logging.
  • [SOLVED] IPv6 'routing' issue (WAN <-> LAN)

    0 Votes
    28 Posts
    15k Views
    @hda: OK, sounds plausible. Would you be willing to show us the final settings of the DTv130 for this case ? I've added a few screenshots, they're a bit messy, I didn't clean up the config yet.
  • IPv6 setup

    0 Votes
    8 Posts
    3k Views
    jimp
    If you can use link-local, you should. It won't change like some can. Imagine you have a local IPv6 network where the prefix changes periodically (DHCP6-PD, etc). There is no benefit to using the actual interface IP over the link-local at a network level except in cases when it may be easier for a person to remember. It's just an odd concept for those familiar with IPv4 to grasp. All clients will always have a link-local address, even if they don't yet have an actual routable IPv6 address, so it's always more reliable to talk to a link-local address if you can.
  • Routed subnet

    0 Votes
    7 Posts
    2k Views
    @koos147: … is it correct that the router advertisement is on the LAN tab? ... Of course. The LAN has its own unique public IPv6 and can have a switch with, for instance, 8 computing devices on it. Then this LAN could have its own RA settings like allow Static and (SLAAC or not). Then another LAN could only have RA for DHCP6-server.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.