Odd iOS / Mac OS issue with IPV6 and new SG-4860

  • I can't get pfSense to allow external IPV6-based communication for MacOS and iOS devices.  Other devices work with external IPV6 devices, inclusive of Windows-based machines, linux-based machines, virtual machines inclusive of virtual PC on a MacOS laptop that can't access external IPV6 sites itself.

    Delving into it a bit further on the Mac laptop, I have 3 good global IPV6 addresses, which are:
    1. autoconf secured = a preferred global IPV6 address, that no longer uses EUI64 encoding in MacOS Sierra (hides MAC address)
    2. autoconf temporary = a SLAAC address with privacy extensions to prevent identification of a specific machine.
    3. a DHCPV6 served address from pfSense within the designated ::1000 to ::2000 range.

    None of these addresses can ping the global address beyond the WAN interface (e.g. www.v6.facebook.com).
    None of these addresses can ping the global address on the WAN interface itself.

    Only addresses 1 & 3 can ping the global IPV6 address on the LAN interface, which is odd given the relative constancy of address for 1 & 3. Typically, most IPV6 configurations, when working with an external address, select the privacy address (#2) in order to protect the user.

    I can ping any other internal machine using its global IPV6 address. However, for addresses 1 & 3, there is ~70% packet loss, while address #2 is tolerated without any losses.

    Essentially, ping6 -S [address #] [LAN or WAN address] provides these results.

    I would think this is a firewall problem, but I have only the 3 default rules in there, and I can't find anything that causes this problem.

    I would note that the Mac is using Sierra, which introduced the privacy change (see: http://arstechnica.com/apple/2016/09/macos-10-12-sierra-the-ars-technica-review/6/) and is also affecting iOS devices.

    Thoughts would be greatly appreciated as this appears to be affecting communication for IPV6. All of these devices were initially easily and quickly seen by the Ubiquiti AP when it was installed, and I cannot determine how they would be singled out for this given the different device types.
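An added example, not from the original post: a small Python script that runs the `ping6 -S [source] [destination]` probes described above for every source/destination pair and tabulates the loss, so that one address behaving differently (as #2 does here) stands out at a glance. It relies on the macOS/BSD `ping6` flags the poster used, and every address in it is a constructed 2001:db8:: placeholder.

```python
"""Source x destination IPv6 reachability matrix (added example, not from the post).

Automates the `ping6 -S <source> <destination>` probes described above so the
loss seen from each source address can be compared in one table. Addresses in
SRC/DST are constructed placeholders from the 2001:db8::/32 documentation range.
"""
import re
import subprocess

# Summary line of macOS/BSD ping6 ("3 packets received") and Linux ping ("3 received").
LOSS_RE = re.compile(
    r"(\d+) packets transmitted, (\d+) (?:packets )?received, ([\d.]+)% packet loss")

def parse_loss(output: str):
    """Return (sent, received, loss_percent) from ping output, or None without a summary line."""
    m = LOSS_RE.search(output)
    return None if m is None else (int(m.group(1)), int(m.group(2)), float(m.group(3)))

def ping6_from(source: str, dest: str, count: int = 10) -> str:
    """Probe dest with the macOS/BSD ping6 flags the post uses; -S binds the source address."""
    proc = subprocess.run(["ping6", "-c", str(count), "-S", source, dest],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr

def loss_matrix(sources: dict, destinations: dict, probe=ping6_from) -> dict:
    """Map (source_label, dest_label) -> loss percent; None when ping printed no summary."""
    matrix = {}
    for s_label, s_addr in sources.items():
        for d_label, d_addr in destinations.items():
            parsed = parse_loss(probe(s_addr, d_addr))
            matrix[(s_label, d_label)] = None if parsed is None else parsed[2]
    return matrix

def format_matrix(matrix: dict, sources: dict, destinations: dict) -> str:
    """Render one row per source address; 100% on a single row isolates that address."""
    rows = ["source".ljust(14) + "".join(d.ljust(10) for d in destinations)]
    for s in sources:
        cells = ["n/a" if matrix[(s, d)] is None else f"{matrix[(s, d)]:.0f}%" for d in destinations]
        rows.append(s.ljust(14) + "".join(c.ljust(10) for c in cells))
    return "\n".join(rows)

if __name__ == "__main__":
    # Constructed placeholders: substitute the host's three addresses and the pfSense targets.
    SRC = {"1 secured": "2001:db8:1::a1", "2 temporary": "2001:db8:1::a2", "3 dhcpv6": "2001:db8:1::1000"}
    DST = {"lan": "2001:db8:1::1", "wan": "2001:db8:ffff::2", "external": "2001:db8:dead::beef"}
    print(format_matrix(loss_matrix(SRC, DST), SRC, DST))
```

A row that shows loss only towards the LAN gateway while the other rows are clean points at source-address handling (firewall rules, neighbor discovery, or address selection) rather than at upstream routing.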