@Gertjan Fixed it. I had on the interface address both an IPv6 address and an "IPv4 address embedded in the IPv6 address (this is known as IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses)" before that is normally not for interfaces only the static device assignments so that is corrected my Pv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses are now only on the Lan devices and not on the firewall interfaces. [image: 1752100262620-screenshot-2025-07-09-at-15.29.37-resized.png]

@jimp thank you for the clarification. Yes, I think it must have been very late at night when that got added...

@JonathanLee said in IPv6 HE tunnel broker and Netflix quick fix idea: This fixed my issues 100% anyone else parse AAAA and A dns records like this? That issue is very old. Hit the search button - its just above : [image: 1721814205482-979fea0f-8b0a-4338-afa4-9be21a3aeefa-image.png] The issue has even a pfBlockerng solution made for it : [image: 1721814277228-99d7ab85-cb14-44e3-958e-e48648d7256f-image.png] Check the check box. Add all the host names that should not be resolved to AAAA. Done.

@jbannister SLAAC .... NPT .... Never used these, as they are 'not needed' ( ? ) I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years. I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT. This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices. I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing. And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@steveits OK, thanks. If I can ever get registered on Redmine, I'll file a bug report.

@Jxck Well, it certainly won't work, without it being configured on the VPN.

@jimp If states are not to be preserved, then a disable/enable (via a heartbeat mechanism or otherwise) might do the trick.. of course with a disruption of the IPv6 connectivity while the tunnel is re-establishing itself.