  • Here's a small issue I noticed. I'm running the July 7th 2.1 Snapshot with DHCP6-PD.

    When pfsense starts up, the LAN interface gets a modified EUI-64 style global address. The one with FF:FE stuffed in the middle of the MAC address. The LAN interface only has that address and the link-local FE80 address. Then after a few days the LAN picks up a 2601:xyz::1 style address. At this point it has these three addresses shown in ifconfig.

    The problem with this is that firewall rules that are set to do something for the LAN address on IPv6 will only apply to the 2601:xyz::1 address and not the modified EUI-64 one. I have a rule set to block access to the LAN address from the WAN interface and it only applies to the 2601:xyz::1 style address. Rebooting pfsense will bring it back to the initial stage with just the one EUI-64 global address.

  • I started another thread about a seemingly unrelated issue here:,50815.0.html
    In that thread, pfsense wasn't setting the IPv6 DNS servers from my ISP. It still does this but today I noticed that when the 2601:xyz::1 address got picked up, the DNS entries become correct. Previously I had been manually adding my ISP's IPv6 DNS servers to resolv.conf so I didn't notice until now.

  • There might be a race condition here where it has not yet set the LAN address to ::1.

    I'm still considering switching out the wide dhcp6 client since others have reported it going away without any logs. It's been on the roadmap for a while, looks like it needs to happen.

    The intention is to always configure <prefix>::1 on the router for the sake of simplicity.
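
An added example, not part of the thread and not pfSense code: a small audit that lists the global IPv6 addresses on the LAN interface and flags any that a rule matching only `<prefix>::1` would miss, such as the modified EUI-64 address described in the first post. The `ifconfig` sample, interface name, MAC and documentation prefix are constructed, and the "rule matches only `<prefix>::1`" behaviour is taken from the posts above as an assumption.

```python
import ipaddress
import re

# Constructed sample of `ifconfig` output for a LAN interface (not from the thread).
# 2001:db8::/32 is the documentation prefix; the MAC address is made up.
SAMPLE_IFCONFIG = (
    "em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tether 00:0c:29:ab:cd:ef\n"
    "\tinet6 fe80::20c:29ff:feab:cdef%em1 prefixlen 64 scopeid 0x2\n"
    "\tinet6 2001:db8:1:2:20c:29ff:feab:cdef prefixlen 64\n"
    "\tinet6 2001:db8:1:2::1 prefixlen 64\n"
)

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): insert FF:FE, flip the U/L bit."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # universal/local bit of the first octet
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def audit_lan_addresses(ifconfig_text: str):
    """Return (address, kind, covered) for each non-link-local inet6 address.

    Assumption taken from the thread: a "LAN address" rule matches only
    <prefix>::1, so any other global address on the interface is uncovered.
    """
    mac = re.search(r"ether\s+([0-9a-f:]{17})", ifconfig_text, re.I).group(1)
    iid_eui64 = eui64_interface_id(mac)
    results = []
    pattern = r"inet6\s+([0-9a-f:]+)(?:%\S+)?\s+prefixlen\s+(\d+)"
    for m in re.finditer(pattern, ifconfig_text, re.I):
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.is_link_local:
            continue  # fe80::/10 is not reachable from the WAN side
        iid = int(addr) & ((1 << 64) - 1)  # low 64 bits = interface identifier
        if iid == 1:
            kind = "prefix::1"
        elif iid == iid_eui64:
            kind = "eui-64"
        else:
            kind = "other"
        results.append((str(addr), kind, iid == 1))
    return results

if __name__ == "__main__":
    for addr, kind, covered in audit_lan_addresses(SAMPLE_IFCONFIG):
        status = "covered" if covered else "NOT covered by LAN-address rule"
        print(f"{addr:40} {kind:10} {status}")
```

Any address reported as not covered needs its own explicit rule, or an alias that contains every global address on the interface, until the interface carries only `<prefix>::1`.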

