@IonutIT

I re edit my post above.
kea2unbound is innocent 👍
The issue is deep in the GUI, and identical to my initial pfBlockerng issue.

I'll have a patch some where next week.

@NickyDoes yeah a /56 is lot of /64s for testing and playing with ;)

Best practice is /64 for any segment you want to break out.. Even if it only has a couple of devices on it.. It seems insane when you first start playing with Ipv6 to be honest.. Since a /64 is so freaking huge when it comes to how many IPs..

Thanks @jimp for the fix. I've re-tested with 23.01.b.20221221.1946 snapshot and the issue seems to be resolved.

@bob-dig Yes, what you say is true. Luckily my prefix(es) are not dynamic and I'd need to do quite a few changes to flip to what you suggest. I'll probably think about that as a longer-term project but for now this solution works for my specific use case.

@jarrodsfarrell Did fix the DNS IPv4+6. Post filter is getting tripped so I can't edit my post.

@joe90

If it is assigning an address from with your prefix, then that address will start with your /56 prefix.

I don't have any experience with IPv6 on PPPoE or with OpenWRT, so I don't know what else to check.

However, you don't need a WAN GUA. If you want to access pfSense from elsewhere, you can use the LAN interface address.

@andicniko

EDIT: After a factory reset and trying again, it seems it will work if 1) I state the DHCPv6 range in full (including the prefix), and 2) I state the subnet in the router advertisements settings.

For anyone else struggling to make this work, the specific settings are:

Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
Range = [your desired IPv6 range in full, e.g. 1000:1000:1000:1000::2000 to 1000:1000:1000:1000::3000]

Note: DO NOT omit the prefix when stating the range. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default, the range is stated excluding the prefix, e.g. ::2000 to ::3000. I'm not sure why this should matter, if the subnet field is already populated and aware of 1000:1000:1000:1000::, and omitting the prefix does no harm when the LAN interface is set to IPv6 Configuration Type = Track interface. Also note: I also had some trouble keeping the "Provide DNS servers to DHCPv6 clients" checkbox ticked. It is ticked by default, but seemed to untick by itself when changing and saving settings on this page. When ticking it again and saving, it would just disappear. However, it was ticked after navigating to another page and coming back. So I didn't have an issue in the end.

Services / DHCPv6 Server & RA / LAN / Router Advertisements
Subnets = [your IPv6 prefix 1000:1000:1000:1000::/64]

Note: DO NOT leave this blank. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default this is blank, and it does no harm leaving it blank when the LAN interface is set to IPv6 Configuration Type = Track interface. I'm not sure why this should matter.

I don't know if the above are supposed to be necessary or not - apologies if I'm posting something that should be obvious. But I hope that helps someone!

@mickman99 Sorry mal wieder die späte Rückmeldung. Habe jetzt Urlaub und kann mich dem Thema wieder expliziter widmen.

Tatsächlich wird der Präfix einwandfrei auf die Interfaces verteilt und stimmen auch mit dem Präfix mit dem der FRITZ!Box überein. Laut Log der FRITZ!Box wird das verteilte Netz an das LAN Interface auch erkannt und als Exposed Host freigegeben.

Ich vertraue allerdings der Firewall der FRITZ!Box nicht so ganz. Ich richte parallel bei einem Nachbar einen OpenVPN Server über IPv6 ein. Auch dort wird der eingehender Verkehr trotz Exposed Host (natürlich nur zum Test so freigegeben) rejected. Sinn macht das nicht.

Zusätzlich ist bei meiner pfsense das Problem aufgetreten, wenn viele Daten auf einmal verarbeitet werden müssen, dass der interne DNS Server abschmiert. Da habe ich auch die Vermutung, dass es an der FRITZ!Box liegt. Der Log der Fritte verrät da allerdings nicht so viel...

@bob-dig

All the addresses appear automagically. One of each type is consistent, based on the MAC address. The privacy addresses are based on random numbers. The only thing I configure is the DNS entries, which I point to the consistent addresses. I do not ever use a privacy address for DNS, as it would only last for a week. It is also possible to have consistent addresses based on a random number, for those who are worried about someone tracking their MAC address.

So what does the config on pfSense look like vs your external server config? There must be some difference in the formatting or naming of the option to explain what is happening.

Look in /var/dhcpd/etc/dhcpdv6.conf