part 2 1000356; rev:1;) alert icmp any any -> <FW_TUNNEL_v6> any (msg:"Suspicious ICMPv6 Packet Too Big (WANv6)"; itype:2; threshold:type threshold, track by_src, count 20, seconds 60; classtype:attempted-dos; sid:1000357; rev:1;) if there is anything else please let me know this has some adaptations to it for udp flood issues with false positives etc part one and two are because of the 32762 char limit on my posts

@SteveITS It looks like it is detecting ipv6 better already is showing alerts [image: 1752342154032-screenshot-2025-07-12-at-10.39.56-resized.png] It sees some ipv6 going to my interface. Again snort also would spot stuff every once a a while. My son got a bad bug on his tablet and it had a Russian email server running I checked it on virus total and it was spot on as malware known abuses so I reported it

@Gertjan Fixed it. I had on the interface address both an IPv6 address and an "IPv4 address embedded in the IPv6 address (this is known as IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses)" before that is normally not for interfaces only the static device assignments so that is corrected my Pv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses are now only on the Lan devices and not on the firewall interfaces. [image: 1752100262620-screenshot-2025-07-09-at-15.29.37-resized.png]

@JonathanLee said in IPv6 HE tunnel broker and Netflix quick fix idea: This fixed my issues 100% anyone else parse AAAA and A dns records like this? That issue is very old. Hit the search button - its just above : [image: 1721814205482-979fea0f-8b0a-4338-afa4-9be21a3aeefa-image.png] The issue has even a pfBlockerng solution made for it : [image: 1721814277228-99d7ab85-cb14-44e3-958e-e48648d7256f-image.png] Check the check box. Add all the host names that should not be resolved to AAAA. Done.

@steveits OK, thanks. If I can ever get registered on Redmine, I'll file a bug report.

@Jxck Well, it certainly won't work, without it being configured on the VPN.