@johnpoz said in Netflix and HE tunnel broker: No gua, no ula - not even a link-local, so why and the F would it ask for AAAA for?? Lazy freaking programing if you ask me. Good question. If there are no local IPv6 interfaces to talk to, I'm curious what the advantage is knowing that an AAAA exists for a host that will be contacted over A anyway. I've a possible reason in front of me, the one and only Firefix plugin I use : [image: 1773127237304-4cc14808-f093-4491-9b04-2d62263ab906-image.png] edit : the plugin is he.net powered. It shows me for every web site I visit what I'm using : A or AAAA, and it also shows what other sites are visited when the page was retrieved. [image: 1773127312570-36fdb069-8ff7-4888-a2ce-c2c8e65d6013-image.png] I can image that when this Firefox plugin is used, these AAAA requests are made. But if it isn't used ? @SteveITS said in Netflix and HE tunnel broker: Edit: also FWIW we found HE tunnels were rate limited. I mean they are free, so hard to complain, but bandwidth was about 1/3 of our IPv4 connection speed. Because the POPs have cost involved Some of them are marked as "can't add any new clients anymore" == they are 'full'. If they would throw hardware on it, tunnel.he.net would become a real, free VPN alternative **, which would need even more hardware. ** he.net uses a tunnel = IPv6 packets are encapsulated into a IPv4 packets = the GIF protocol, which is, afaik, not encrypted. Not a big deal as all traffic is TLS already anyway.

@Gertjan Fixed it. I had on the interface address both an IPv6 address and an "IPv4 address embedded in the IPv6 address (this is known as IPv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses)" before that is normally not for interfaces only the static device assignments so that is corrected my Pv6-mapped IPv4 addresses or IPv6 embedded IPv4 addresses are now only on the Lan devices and not on the firewall interfaces. [image: 1752100262620-screenshot-2025-07-09-at-15.29.37-resized.png]

@jimp thank you for the clarification. Yes, I think it must have been very late at night when that got added...

@JonathanLee said in IPv6 HE tunnel broker and Netflix quick fix idea: This fixed my issues 100% anyone else parse AAAA and A dns records like this? That issue is very old. Hit the search button - its just above : [image: 1721814205482-979fea0f-8b0a-4338-afa4-9be21a3aeefa-image.png] The issue has even a pfBlockerng solution made for it : [image: 1721814277228-99d7ab85-cb14-44e3-958e-e48648d7256f-image.png] Check the check box. Add all the host names that should not be resolved to AAAA. Done.

@jbannister SLAAC .... NPT .... Never used these, as they are 'not needed' ( ? ) I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years. I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT. This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices. I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing. And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@steveits OK, thanks. If I can ever get registered on Redmine, I'll file a bug report.

@Jxck Well, it certainly won't work, without it being configured on the VPN.

@jimp If states are not to be preserved, then a disable/enable (via a heartbeat mechanism or otherwise) might do the trick.. of course with a disruption of the IPv6 connectivity while the tunnel is re-establishing itself.