I know this is an old thread – but I had a similar problem.  I am using DHCPv6;  Windows 7 would obtain an address from DHCPv6 and the default route from the router.  The default route would be there (as seen via "route print") for 30 minutes.  Then it would disappear. I found that the default Windows Firewall allows ICMPv6 ONLY from fe80::/64.  Normally, this is fine, however, in our infinite wisdom, we set the router's link-local address to be fe80:42::1  (which isnt part of the fe80::/64 subnet).  If we let it pick its own link-local, (the default) it would have been OK. Thus, the initial default gateway appeared because Windows requested it via Router Solicitation.  But it was unable to hear the periodic Router Advertisement messages after that in order to keep that default route alive.  It timed out after 30 minutes and disappeared. We've since changed our router's link-local address to be fe80::42:1 (which IS part of fe80::/64).

Well - If you have a default ipv6 gateway, all the IPV6 traffic on the lan will try to go there. So, I think if you put a pass-all firewall rule on the lan for anything originating from a 2002 ip and then at the bottom in the advanced section of that rule change the gateway from default top the correct gateway, your traffic will go out over the correct gateway. I have not tried this with IPV6 but seems it should work.

So i was playing with MikroTik RotuerOS and it picks up and distributes ip6 address right away, only config needed is enabling ip6. What is different about how RouterOS is requesting the address vs. pfsense?

Having your ipv6 subnet and IPs become dynamic doesn't make it useless - Just much less useful as a server. Which is probably the intent. Dump the native IPV6 if it becomes annoying and grab a hurricane electric /48 that never changes.

Can you just put them on different LANs or VLANs? Comcast will give you up to 16 /64 prefixes, so you could just put the "open" hosts in one (basically, a DMZ) and the locked down ones in another.

Some more info. I enabled DHCP6 on my WAN side, then went to check the interface status. Turns out the IPv6 of fe80::213:5fff:fe05:bde2 is actually my Gateway IPv6. Should I allow this traffic to go through from my Gateway IPv6? Thanks!

I finally get my IPv6 connexion working with pfSense 2.1.4-RELEASE (i386) . Here are the steps I followed : checked "Allow IPv6" in "System: Advanced: Networking" enabled "Static IPv6" on the WAN interface and set IPV6_ADDR with /128 prefix let "IPv6 Upstream Gateway" to "none" run "route change -inet6 default IPV6_ADDR" (without %pppoe) enabled "Static IPv6" on LAN interface and set IP with /64 prefix checked "Enable DHCPv6 server on LANX interface" in "Services: DHCPv6 server" let "Router Advertisement" to "Disabled" added some IPv6 rules for LANX traffic

Right.. seemingly working when i did the following: Put a notch on "Only request a IPv6 prefix, do not request a IPv6 address " on my WAN dhcp6 setting. Also followed the other advice around and put LAN on "Track interface", added a WAN firewall rule to allow inbound source UDP 547, destination UDP 546 Internal clients get ipv6 address, and get 10/10 on the test-ipv6.com page. Well.. guess every ISP is different perhaps? C

@avink: This very much resembles the thing I have. I always have to start the DHCPv6 by hand. In my opinion it is because the PPPoE isn't stable when the DHCPv6 is starting. I actually got the dhcp6c command from your bugreport on redmine, thanks for that  ;) Running dhcp6c in a tmux by hand now, seems stable so far.

If i set the WAN interface to DHCP6 and delegation size to 48 (according to my ISP), and LAN interface to "Track Interface:WAN", my WAN gets a address like this: IPv6 Link Local fe80::202:1eff:fef2:8981%xl0  IPv6 address 2001:4610:a:b::xxx  Subnet mask IPv6 128 Gateway IPv6 fe80::2a0:a50f:fc7a:8b00 And my LAN gets: IPv6 Link Local fe80::1:1%bge0  IPv6 address 2001:4641:7766:0:21a:a0ff:xxxx:xxxx  Subnet mask IPv6 64 And internal clients also gets a IPV6 address.. However, im unable to ping anything related to IPV6. ping6 ipv6.google.com PING6(56=40+8+8 bytes) 2001:4641:7766::34cf:6c49:85df:9bb8 --> 2a00:1450:400f:803::1001 ^C --- ipv6.l.google.com ping6 statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss Ive added a WAN firewall rule to allow IPV6 UDP Source Port:547 Destination Port: 546. I also added WAN rule to allow IPV6 ICMP. What am i doing wrong? :) C

I am really looking forward to have a dynamic NPt that tracks my DHCP PD assignment

@razzfazz: Pass-through as in VT-d? Yes, Intel VT-d aka DirectPath I/O in VMware ESXi. The parent interface's name is "igb0". In contrast, the other two WAN interfaces were called "vmx3f1"/"vmx3f2" on pfSense 2.1 and are now called "vmx1"/"vmx2" on 2.2. By the way, I've switched from 2.1.3 to 2.2 since my last message in this thread. @razzfazz: The point is, the WAN interface that's the parent for your tunnel cannot be behind a NAT (including the NAT that many desktop virtualization solutions use for their virtualized interfaces by default) unless you set up the correct forwarding (proto 41 – note, not port 41! – needs to be forwarded to your tunnel endpoint). There's no NATing going on anymore (for the tunnel's parent interface at least). After your post I've set the upstream DSL modem to operate in transparent bridge mode and let pfSense do all the PPPoE magic. pfSense displays the exact same IPv4 address on that interface that various "What's my IP address?"-websites show me (like this one). Now that I figured I needed to use the "Update Key" instead of my password, pfSense's DynDNS client seems to work just fine, too. HE is constantly aware of any IP address changes. The tunnel is still not up however. :-X Edit: It's working! Well, after deleting my old tunnel and creating a new one and updating all the settings in pfSense accordingly I was finally able to ping servers via IPv6, but unfortunately most of the requests simply timed out. I stumbled across this video on youtube suggesting to set the MTU to the lowest possible value. So after setting the MTU to 1280 in pfSense and the HE control panel I got rid of that odd timeout problem. Still, I noticed some minor flaws: 1.) Gateway monitoring is stuck on "pending", no matter what I set the monitor IP to. (I just disabled monitoring for now.) 2.) A second/bogus GW popped up that I simply can't remove. It doesn't show up in exported settings, but as soon as I import the settings it's there again. 3.) The box on the right side of the tunnel interface on the first page of pfSense is blank where it should show the IPv6 address I assume. This behavior doesn't change whether or not I set "IPv6 Configuration Type" to none or static, providing the IPv6 address myself. Fixed as per 2.2-ALPHA (amd64) built on Fri May 23 08:08:31 CDT 2014! However, thank you for your time razzfazz!

Am I alone with this ? I played with the Pool and the Router advisement but no luck so far… any help ? Please

I set the MSS to 1000, and then it started working. No idea why it has to be so low, and it could probably be a bit higher, but I haven't been bothered to check.

@priller: 1e100.net is Google. Correct. See: https://support.google.com/faqs/answer/174717?hl=en

Yeah, for android devices is a must, they only use SLAAC.

Hey, thanks for the replies. I'll look into setting it up as a transparent firewall.