

plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to whfsdude

Re: [IPv6] Troubleshooting Comcast IPv6 (Start Here)

Ok, I'll use the one you referenced. Probably will do the install tomorrow.

Thanks!

--Brian



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to mojo1

said by mojo1:

So far, so good. The only issue I am experiencing right now is on the Netalyzr test. Everything passes except the IPv6 MTU. I get a warning that my system cannot process fragmented packets. The test indicates that the MTU should be 1496. But, when I change MTU in my router from 1500 to 1496, I still get the same error. It appears changing the value in the router has no effect on IPv6 traffic.

I see that same warning in the current Netalyzr test whether I go through my Netgear WNR1000v2, my D-Link DIR655, or a test PC directly connected to my cable modem. That is something that has only recently started happening with the Netalyzr test. At this point I don't know if Comcast has recently done something with their IPv6 implementation, or if the Netalyzr test has changed some parameter.

I also have set the IPv6 MTU on a Windows PC on the NIC doing the IPv6 to 1496 (as shown below), and that did not change the Netalyzr test results.


netsh interface ipv6>set interface "Local Area Connection 2" mtu=1496
Ok.
 
netsh interface ipv6>show int
Querying active state...
 
Idx  Met   MTU    State         Name
---  ----  -----  ------------  -----
  8     0   1496  Connected     Local Area Connection 2
  5     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
  3     1   1280  Connected     6to4 Pseudo-Interface
  2     1   1280  Connected     Automatic Tunneling Pseudo-Interface
  1     0   1500  Connected     Loopback Pseudo-Interface
 


FWIW, I have not had any problems accessing sites that use IPv6 (and many mainstream sites these days do use IPv6), and test-ipv6.com indicates that my connection is able to do "large packet" transfers using IPv6.




Unless I see some actual real-world problems, I am not really too concerned about this recent development in the Netalyzr test.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

mojo1

join:2006-12-05
Atlanta, GA

Thanks for the reassurance. I was taking the same position of wait and see. Everything seems to be working fine. My pings on speedtest.net went to 15ms from my usual 5ms to a local server, but that isn't a huge deal to me.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by mojo1:

Thanks for the reassurance. I was taking the same position of wait and see. Everything seems to be working fine. My pings on speedtest.net went to 15ms from my usual 5ms to a local server, but that isn't a huge deal to me.

The Netalyzr test tells me that outbound ftp is blocked on most of my PCs, yet I have absolutely no problems accessing any ftp servers. I tend to not take Netalyzr warnings very seriously unless I can verify their results independently.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

34764170

join:2007-09-06
Etobicoke, ON
reply to AVonGauss

said by AVonGauss:

Well, since we're jibbing Cisco, I think it's ironic the ones who often indirectly claim to be the leaders in networking are the ones slackin' on IPv6...

With Cisco and pretty much every other vendor the level of support for IPv6 very much varies from product to product and model to model. They have good if not great support for most of their routers and switches but other products are still very much hit or miss. Cisco is the Microsoft of networking. The 800 lb gorilla. It doesn't mean they're perfect or that every product is the best.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to NetDog

Well this morning I went ahead and installed pfsense 2.1 beta. Once installed, I verified the items that whfsdude pointed out, and then rebooted both my pfsense box, and my cable modem.

Below is the status information on my WAN side

 
Status up
DHCP up  
MAC address 00:40:05:7e:91:5b
IPv4 address 24.13.17.39  
Subnet mask IPv4 255.255.248.0
Gateway IPv4 24.13.16.1
IPv6 Link Local fe80::240:5ff:fe7e:915b  
IPv6 address 2001:558:6033:ad:25e7:534c:e450:d625  
Subnet mask IPv6 64
Gateway IPv6 fe80::201:5cff:fe3d:4e41
ISP DNS servers 127.0.0.1
75.75.75.75
75.75.76.76
2001:558:feed::1
2001:558:feed::2
Media 100baseTX <full-duplex>
In/out packets 4300/3388 (1.59 MB/349 KB)
In/out packets (pass) 4300/3388 (1.59 MB/349 KB)
In/out packets (block) 0/0 (0 bytes/0 bytes)
In/out errors 0/0
Collisions 0 
 
 

However, when I test for ipv6, the test site does not show my ipv6 ip (only shows my ipv4 one), and the test fails with a result of 0/10. Also, when I try to do the tracert test to google, I cannot get past the first hop.

So, I know the problem is what NetDog mentions below

quote:
If you don't see the first hop check your default route on your desktop, make sure you're seeing the RA's.

Don't block all ICMPv6 (for the adv users)
I am a big fan of blocking everything and opening only what I really want. But v6 uses ICMPv6 messages to talk ND's, RA's. If you block all ICMPv6 traffic you will block the important communication to get your DHCPv6 address and PD.


However, I'm not sure where in pfsense I need to go to modify this setting, or how I can verify if I am seeing my RA's.

Thanks!

--Brian

--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


whfsdude
Premium
join:2003-04-05
Washington, DC

You might have to add an IPv6 firewall rule under Firewall > Rules. Then click the LAN tab.

Also make sure your LAN interface has an IPv6 address (verify PD is working).



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

1 edit

As far as I can tell, IPv6 to the LAN side is working.

ipconfig
 
Windows IP Configuration
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : 2601:d:4c00:5d:34c8:339c:31d4:729b
   Temporary IPv6 Address. . . . . . : 2601:d:4c00:5d:bdf2:69ed:b924:805b
   Link-local IPv6 Address . . . . . : fe80::34c8:339c:31d4:729b%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:4ff:fe21:713d%11
                                       192.168.1.1
 
Tunnel adapter isatap.localdomain:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:884:3172:3f57:fe9b
   Link-local IPv6 Address . . . . . : fe80::884:3172:3f57:fe9b%19
   Default Gateway . . . . . . . . . :
 
Tunnel adapter 6TO4 Adapter:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
 

I've attached a picture of the Firewall rules on the LAN side for further review.

--Brian

--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


whfsdude
Premium
join:2003-04-05
Washington, DC
reply to NetDog

Whoops - just looked at my config. You also need to allow v6 on the "WAN" firewall rule.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to plencnerb

I opened a couple of command prompt windows on an XP workstation and a Windows server so that I could provide examples for your dual IPv6 address question, but I see that when I got back to your post, you had edited the ipconfig display and removed your question. I guess that means that you found out why you were getting the same IP addresses repeated twice.

However, I can still provide some insight on the "Temporary" and "Permanent" IPv6 addresses (and one way to dispense with the "Temporary" IPv6 address if you wish to do it).

Shown below is ipconfig and netsh information from one of my Windows XP workstations that uses DHCP. It has "Temporary" and "Public" IPv6 addresses which correspond to your "Temporary" and "Permanent" entries. Note that the IP address to the right of the prefix is the same for both the "Public" and "Link-local" entries.


C:\>ipconfig
 
Windows IP Configuration
 
Ethernet adapter Local Area Connection 2:
 
        Connection-specific DNS Suffix  . : dcs-net
        IP Address. . . . . . . . . . . . : 192.168.9.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2601:5:c80:91:900c:4383:6312:b26b
        IP Address. . . . . . . . . . . . : 2601:5:c80:91:e291:f5ff:fe95:b69d
        IP Address. . . . . . . . . . . . : fe80::e291:f5ff:fe95:b69d%8
        Default Gateway . . . . . . . . . : 192.168.9.254
                                            fe80::1e7e:e5ff:fe4c:e6ff%8
 
C:\>netsh int ipv6 show addr
Querying active state...
 
Interface 8: Local Area Connection 2
 
Addr Type  DAD State  Valid Life   Pref. Life   Address
---------  ---------- ------------ ------------ -----------------------------
Temporary  Preferred   3d19h54m27s    12h26m25s 2601:5:c80:91:900c:4383:6312:b26b
Public     Preferred   3d19h54m27s  3d19h54m27s 2601:5:c80:91:e291:f5ff:fe95:b69d
Link       Preferred      infinite     infinite fe80::e291:f5ff:fe95:b69d
 
 


Shown below is the same information from my Windows 2003 server which has an IPv4 static IP address on its LAN interface, and IPv4 DHCP on its WAN interface


C:\>ipconfig
 
Windows IP Configuration
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : dcs-net
   IP Address. . . . . . . . . . . . : 192.168.9.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 2601:5:c80:91:e291:f5ff:fe95:beac
   IP Address. . . . . . . . . . . . : fe80::e291:f5ff:fe95:beac%4
   Default Gateway . . . . . . . . . : fe80::1e7e:e5ff:fe4c:e6ff%4
 
Ethernet adapter Local Area Connection 2:
 
   Connection-specific DNS Suffix  . : hsd1.tn.comcast.net.
   IP Address. . . . . . . . . . . . : 174.49.12.155
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 174.49.8.1
 
C:\>netsh int ipv6 show addr
Querying active state...
 
Interface 4: Local Area Connection
 
Addr Type  DAD State  Valid Life   Pref. Life   Address
---------  ---------- ------------ ------------ -----------------------------
Public     Preferred   3d19h52m57s  3d19h52m57s 2601:5:c80:91:e291:f5ff:fe95:beac
Link       Preferred      infinite     infinite fe80::e291:f5ff:fe95:beac
 
 


Using a static IPv4 assignment eliminates the "Temporary" IPv6 address from being assigned. That means that as long as the PD prefix does not change, the server's public IPv6 address will not change. My experience has been that (at least with Windows XP) the "Temporary" IPv6 address can and will change for PCs that use DHCP (and the "Temporary" IPv6 address is used as the preferred IP address). That is possibly due to the fact that Windows XP and Windows Server 2003 do not have a native DHCP6 client, so if you are using Windows 7 or 8, you may not see the frequently changing IPv6 addresses that I see on my DHCP PCs.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
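
Added example (not part of any post in this thread): the matching suffix on the XP host's "Public" and "Link" addresses is a modified EUI-64 interface ID (note the ff:fe in the middle), which encodes the NIC's MAC address, while the Windows 7 host's stable addresses do not. The Python below parses `netsh int ipv6 show addr` rows copied from the thread and reports which addresses expose a hardware address; the function names and the report wording are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "netsh int ipv6 show addr" rows copied from the posts in
# this thread (the XP workstation first, then the Windows 7 desktop).
SAMPLE = """\
Addr Type  DAD State  Valid Life   Pref. Life   Address
---------  ---------- ------------ ------------ -----------------------------
Temporary  Preferred   3d19h54m27s    12h26m25s 2601:5:c80:91:900c:4383:6312:b26b
Public     Preferred   3d19h54m27s  3d19h54m27s 2601:5:c80:91:e291:f5ff:fe95:b69d
Link       Preferred      infinite     infinite fe80::e291:f5ff:fe95:b69d
Public     Preferred    23h59m59s   3h59m59s 2601:d:4c00:5d:34c8:339c:31d4:729b
Temporary  Preferred    23h59m59s   3h59m59s 2601:d:4c00:5d:bdf2:69ed:b924:805b
Other      Preferred     infinite   infinite fe80::34c8:339c:31d4:729b%11
"""

ROW = re.compile(r"^(Temporary|Public|Link|Other)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = addr.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe between the MAC halves
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def parse_rows(text):
    """Parse address rows; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr_type, dad_state, _valid, _pref, raw = m.groups()
        addr = ipaddress.IPv6Address(raw.split("%")[0])  # drop the zone index (%11)
        rows.append({
            "type": addr_type,
            "dad": dad_state,
            "address": addr,
            "link_local": addr.is_link_local,
            "iid": addr.packed[8:].hex(),
            "mac": eui64_mac(addr),
        })
    return rows


def stable_identifiers(rows):
    """Interface IDs shared by more than one non-temporary address, e.g. the
    public and link-local address of the same NIC."""
    by_iid = defaultdict(list)
    for r in rows:
        if r["type"] != "Temporary":
            by_iid[r["iid"]].append(str(r["address"]))
    return {iid: addrs for iid, addrs in by_iid.items() if len(addrs) > 1}


def report(rows):
    """One human-readable line per address."""
    lines = []
    for r in rows:
        if r["mac"]:
            note = f"EUI-64, embeds MAC {r['mac']}"
        elif r["type"] == "Temporary":
            note = "temporary (rotating) interface ID"
        else:
            note = "interface ID not derived from the MAC"
        scope = "link-local" if r["link_local"] else "global"
        lines.append(f"{r['type']:<9} {scope:<10} {r['address']}  -> {note}")
    return lines


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    print("\n".join(report(parsed)))
    for iid, addrs in stable_identifiers(parsed).items():
        print(f"stable interface ID {iid}: {', '.join(addrs)}")
```
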


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

1 edit
reply to whfsdude

I went ahead and created a rule on the WAN side for IPv6. I used the information from the IPv6 default rule on the LAN side as a guide.

Picture is what my WAN side firewall rules now look like.

I have not done so, but should I reboot pfsense and / or cable modem now that I have the change in place?

In reply to NetFixer, yes I did edit my post to remove the double IPv6 IP's. (Did a reboot and they went away).

However, thanks for the detailed explanation on the different types of IPv6 addresses (Temporary, Permanent, and so on).

I have also gone and disabled the following three Network Adapters (had to turn on hidden devices to have them show up)
• Microsoft 6to4 Adapter
• Microsoft ISATAP Adapter
• Teredo Tunneling Pseudo-Interface

My thought was that since I'm getting both an IPv4 and IPv6 IP from pfsense, (and they are "true" IP's), and that Comcast is using native IPv6, I would not need to use these.

In doing so, my updated "ipconfig" and "int ipv6 show addr" information is below for review

 
ipconfig
 
Windows IP Configuration
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : 2601:d:4c00:5d:34c8:339c:31d4:729b
   Temporary IPv6 Address. . . . . . : 2601:d:4c00:5d:bdf2:69ed:b924:805b
   Link-local IPv6 Address . . . . . : fe80::34c8:339c:31d4:729b%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:4ff:fe21:713d%11
                                       192.168.1.1
 
netsh int ipv6 show addr
 
Interface 1: Loopback Pseudo-Interface 1
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Preferred     infinite   infinite ::1
 
Interface 11: Local Area Connection
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred    23h59m59s   3h59m59s 2601:d:4c00:5d:34c8:339c:31d4:729b
Temporary  Preferred    23h59m59s   3h59m59s 2601:d:4c00:5d:bdf2:69ed:b924:805b
Other      Preferred     infinite   infinite fe80::34c8:339c:31d4:729b%11
 
 

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to NetDog

Remove the source as LAN on the WAN firewall rule. If you still want to block incoming traffic we can go through that after we get this working.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Done.

Do I need to reboot anything? I did a tracert to www.google.com, and that works now, however it shows the IPv4 IP's and not IPv6 ones.
Comcast's IPv6 test also only shows my IPv4 IP.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

1 recommendation

reply to NetDog

I think you're good now, I can ping you.

Depending on the happy eyeballs implementation, you might have to restart your browser.

If you do want to block incoming connections:
1. Create an allow all ICMP rule under LAN. This way you don't break Path MTU Discovery.
2. Create your block rule under the LAN section, not the WAN. Otherwise you'll have to poke holes for things like DHCP. It's also a better security practice to have the ACLs as close to the segment as possible.

FWIW, I don't run a firewall on v6. Firewalls break too much stuff (eg. SCTP) and I'd rather just implement security on my hosts since 99% of the stuff nowadays doesn't come over the network.
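
Added example (not from any poster, and not pfSense configuration syntax): a small first-match rule evaluator that reports which of the ICMPv6 messages named in this thread (Packet Too Big for Path MTU Discovery, and the Neighbor Discovery / Router Advertisement messages) a rule list would drop. The rule dictionaries, the default-block behaviour and the function names are assumptions made for illustration; the type numbers are those of RFC 4443 and RFC 4861.

```python
# ICMPv6 message types behind the functions named in this thread.
ESSENTIAL_ICMP6 = {
    2: "Packet Too Big (Path MTU Discovery)",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}


def rule_matches(rule, proto, icmp6_type):
    """True when a rule applies to a packet of this protocol / ICMPv6 type."""
    if rule["proto"] not in ("any", proto):
        return False
    types = rule.get("icmp6_types")        # None means "every ICMPv6 type"
    return types is None or icmp6_type in types


def verdict(rules, proto, icmp6_type=None, default="block"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule_matches(rule, proto, icmp6_type):
            return rule["action"]
    return default


def blocked_essentials(rules):
    """ICMPv6 types from ESSENTIAL_ICMP6 that the rule list would drop."""
    return [t for t in sorted(ESSENTIAL_ICMP6)
            if verdict(rules, "icmp6", t) == "block"]


# Constructed rule lists (hypothetical format).
BLOCK_ALL_ICMP = [                          # "block everything ICMP" habit carried over from IPv4
    {"action": "block", "proto": "icmp6"},
    {"action": "pass", "proto": "any"},
]
ECHO_ONLY = [                               # ping works, so the gap is easy to miss
    {"action": "pass", "proto": "icmp6", "icmp6_types": {128, 129}},
    {"action": "pass", "proto": "tcp"},
    {"action": "pass", "proto": "udp"},
]
PARTIAL = [                                 # ND and PMTUD allowed, RS/RA forgotten
    {"action": "pass", "proto": "icmp6", "icmp6_types": {2, 135, 136}},
    {"action": "block", "proto": "any"},
]
ICMP_FIRST = [                              # allow-all-ICMP rule placed above the block rule
    {"action": "pass", "proto": "icmp6"},
    {"action": "block", "proto": "any"},
]

if __name__ == "__main__":
    for name, rules in [("BLOCK_ALL_ICMP", BLOCK_ALL_ICMP), ("ECHO_ONLY", ECHO_ONLY),
                        ("PARTIAL", PARTIAL), ("ICMP_FIRST", ICMP_FIRST)]:
        dropped = blocked_essentials(rules)
        detail = ", ".join(f"{t} {ESSENTIAL_ICMP6[t]}" for t in dropped) or "none"
        print(f"{name}: drops {detail}")
```
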



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

I have not made these last two changes yet, but I will go ahead and do so.

While you can ping me, and that's a good thing, I think I still have some issues.

The above picture is when I go do a test at test-ipv6.com.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

Maybe try a different browser? Are you using alternative DNS servers that could be stripping the AAAA records?

Seeing as your machine has connectivity now, I don't think it's a network problem.

Edit: Was this screenshot before or after you locked down the firewall?



Mike Wolf

join:2009-05-24
Beachwood, NJ
kudos:3
reply to NetFixer

I'd be more interested in forcing the use of a consumer router on the MetroEthernet service in the same manner one can use a consumer router when attached to a cable modem.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to whfsdude


[Attached screenshots: WAN Interface status from pfsense; WAN Firewall Rules; LAN Firewall Rules; IPv6 Test from Waterfox]

Figured I would put everything into one post in this thread.

I did a reboot on my desktop, and tested again.

Below is what I see on my desktop from both the "ipconfig" command as well as the "netsh int ipv6 show addr" command.

 
C:\Users\Brian A. Plencner>ipconfig
 
Windows IP Configuration
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : 2601:d:4c00:68:34c8:339c:31d4:729b
   Temporary IPv6 Address. . . . . . : 2601:d:4c00:68:a87f:4530:6b2f:2036
   Link-local IPv6 Address . . . . . : fe80::34c8:339c:31d4:729b%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:4ff:fe21:713d%11
                                       192.168.1.1
 
Tunnel adapter isatap.localdomain:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:24d2:3553:3f57:fe9b
   Link-local IPv6 Address . . . . . : fe80::24d2:3553:3f57:fe9b%18
   Default Gateway . . . . . . . . . :
 
C:\Users\Brian A. Plencner>netsh int ipv6 show addr
 
Interface 1: Loopback Pseudo-Interface 1
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Preferred     infinite   infinite ::1
 
Interface 17: isatap.localdomain
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Deprecated    infinite   infinite fe80::5efe:192.168.1.100%17
 
Interface 18: Teredo Tunneling Pseudo-Interface
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred     infinite   infinite 2001:0:9d38:6ab8:24d2:3553:3f57:fe9b
Other      Preferred     infinite   infinite fe80::24d2:3553:3f57:fe9b%18
 
Interface 11: Local Area Connection
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred    23h59m55s   3h59m55s 2601:d:4c00:68:34c8:339c:31d4:729b
Temporary  Preferred    23h59m55s   3h59m55s 2601:d:4c00:68:a87f:4530:6b2f:2036
Other      Preferred     infinite   infinite fe80::34c8:339c:31d4:729b%11
 
C:\Users\Brian A. Plencner>
 
 

While it looks like everything should be working, I cannot get to IPv6 only sites either. I tried in both IE 9 x64 and Waterfox. The sites I tested (and could not get to) are below

• ipv6.google.com/
• ipv6.speedtest.comcast.net/

Finally, I did some specific tests with google. It appears I'm getting a mix of both IPv4 and IPv6.

 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\Brian A. Plencner>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:68::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>ping www.google.com
 
Pinging www.google.com [74.125.225.210] with 32 bytes of data:
Reply from 74.125.225.210: bytes=32 time=34ms TTL=51
Reply from 74.125.225.210: bytes=32 time=33ms TTL=51
Reply from 74.125.225.210: bytes=32 time=34ms TTL=51
Reply from 74.125.225.210: bytes=32 time=65ms TTL=51
 
Ping statistics for 74.125.225.210:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 33ms, Maximum = 65ms, Average = 41ms
 
C:\Users\Brian A. Plencner>tracert www.google.com
 
Tracing route to www.google.com [74.125.225.210]
over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  pfSense.localdomain [192.168.1.1]
  2    24 ms    11 ms    27 ms  24.13.16.1
  3    10 ms     9 ms    11 ms  te-9-1-ur04.algonquin.il.chicago.comcast.net [68.87.229.189]
  4    15 ms    15 ms    15 ms  te-0-3-0-2-ar01.area4.il.chicago.comcast.net [68.86.189.229]
  5    25 ms    22 ms    24 ms  he-3-10-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.93.181]
  6    13 ms    15 ms    13 ms  pos-1-8-0-0-pe01.350ecermak.il.ibone.comcast.net [68.86.87.166]
  7    14 ms    13 ms    14 ms  66.208.228.202
  8    13 ms    13 ms    29 ms  209.85.254.120
  9    13 ms    14 ms    12 ms  72.14.237.108
 10    22 ms    24 ms    24 ms  209.85.241.22
 11    50 ms    34 ms    45 ms  72.14.239.49
 12    36 ms    33 ms    64 ms  216.239.46.149
 13    34 ms    34 ms    33 ms  209.85.251.111
 14    36 ms    34 ms    35 ms  den03s06-in-f18.1e100.net [74.125.225.210]
 
Trace complete.
 
C:\Users\Brian A. Plencner>
 
 

Could this maybe point to a bad DNS server?

--Brian

--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by plencnerb:

Could this maybe point to a bad DNS server?

--Brian

Try doing the nslookup commands shown below from your PC to see if you have a DNS problem on the LAN side of your pfSense box.


C:\>nslookup www.comcast.net
Server:  dcs-srv.dcs-net
Address:  192.168.9.2
 
Non-authoritative answer:
Name:    a1526.dscg.akamai.net
Addresses:  23.67.61.57, 23.67.61.59
Aliases:  www.comcast.net, www.comcast.net.edgesuite.net
 
C:\>nslookup -type=AAAA www.comcast.net
Server:  dcs-srv.dcs-net
Address:  192.168.9.2
 
Non-authoritative answer:
www.comcast.net canonical name = www.comcast.net.edgesuite.net
www.comcast.net.edgesuite.net   canonical name = a1526.dscg.akamai.net
a1526.dscg.akamai.net   AAAA IPv6 address = 2001:559:0:5d::1743:3d39
a1526.dscg.akamai.net   AAAA IPv6 address = 2001:559:0:5d::1743:3d3b
 
C:\>nslookup www.google.com
Server:  dcs-srv.dcs-net
Address:  192.168.9.2
 
Non-authoritative answer:
Name:    www.google.com
Addresses:  74.125.130.104, 74.125.130.147, 74.125.130.106, 74.125.130.105
          74.125.130.103, 74.125.130.99
 
C:\>nslookup -type=AAAA www.google.com
Server:  dcs-srv.dcs-net
Address:  192.168.9.2
 
Non-authoritative answer:
www.google.com  AAAA IPv6 address = 2607:f8b0:4002:c05::63
 


FWIW, once your PC(s) are able to use the native dual stack, IPv6 should automatically be used instead of IPv4 for hostnames that have AAAA DNS records as shown by the ping tests below.


C:\>ping www.comcast.net
 
Pinging a1526.dscg.akamai.net [2001:559:0:501::48f6:2d41] with 32 bytes of data:
 
Reply from 2001:559:0:501::48f6:2d41: time=22ms
Reply from 2001:559:0:501::48f6:2d41: time=21ms
Reply from 2001:559:0:501::48f6:2d41: time=20ms
Reply from 2001:559:0:501::48f6:2d41: time=20ms
 
Ping statistics for 2001:559:0:501::48f6:2d41:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 22ms, Average = 20ms
 
C:\>ping www.google.com
 
Pinging www.google.com [2607:f8b0:4002:c01::93] with 32 bytes of data:
 
Reply from 2607:f8b0:4002:c01::93: time=21ms
Reply from 2607:f8b0:4002:c01::93: time=19ms
Reply from 2607:f8b0:4002:c01::93: time=20ms
Reply from 2607:f8b0:4002:c01::93: time=19ms
 
Ping statistics for 2607:f8b0:4002:c01::93:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 21ms, Average = 19ms
 
C:\>ping -4 www.comcast.net
 
Pinging a1526.dscg.akamai.net [23.67.61.57] with 32 bytes of data:
 
Reply from 23.67.61.57: bytes=32 time=20ms TTL=58
Reply from 23.67.61.57: bytes=32 time=20ms TTL=58
Reply from 23.67.61.57: bytes=32 time=19ms TTL=58
Reply from 23.67.61.57: bytes=32 time=17ms TTL=58
 
Ping statistics for 23.67.61.57:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 20ms, Average = 19ms
 
C:\>ping -4 www.google.com
 
Pinging www.google.com [74.125.140.104] with 32 bytes of data:
 
Reply from 74.125.140.104: bytes=32 time=19ms TTL=48
Reply from 74.125.140.104: bytes=32 time=18ms TTL=48
Reply from 74.125.140.104: bytes=32 time=23ms TTL=48
Reply from 74.125.140.104: bytes=32 time=18ms TTL=48
 
Ping statistics for 74.125.140.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 23ms, Average = 19ms
 



--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Well, I don't get the same thing you do, so this appears to be a DNS issue on the LAN side.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\Brian A. Plencner>nslookup www.comcast.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:68::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>nslookup -type=AAAA www.comcast.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:68::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:68::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>nslookup -type=AAAA www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:68::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>
 
 

--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

From the above results, it appears that you are using your pfSense box as your DNS server, and that is what is not working.

Try going into the TCPIP properties for the NIC in your PC, and try manually setting your DNS servers for 75.75.75.75 and 75.75.76.76 and see if that helps.

Your NIC setup won't look exactly like what you see below, but it should point you to where to look to change it.




If changing the DNS servers in the PC to point to Comcast fixes the issue, perhaps whfsdude will be able to reply with advice on how to fix your pfSense setup.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

This is what pfsense is reporting for my DNS servers

75.75.75.75
75.75.76.76
2001:558:feed::1
2001:558:feed::2
 

I went and modified my NIC so that IPv4 had a hard-coded DNS of the first two, and IPv6 had a hard-coded DNS of the second two.

Did an ipconfig/release and then ipconfig/renew, and re-tested. Got the same results, except that the address of the DNS server is the primary one that I put on the NIC for IPv6.

C:\Users\Brian A. Plencner>nslookup www.comcast.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2001:558:feed::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>
 

I think at this point, I wonder if I should start a new thread for this, as it is more a pfsense issue, than a comcast issue. I would hate to "muddy the waters" so to speak as I know that IPv6 is working in my area, and does work when I plug my desktop directly into the cable modem.

--Brian

--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by plencnerb:

I think at this point, I wonder if I should start a new thread for this, as it is more a pfsense issue, than a comcast issue. I would hate to "muddy the waters" so to speak as I know that IPv6 is working in my area, and does work when I plug my desktop directly into the cable modem.

--Brian

Personally, a new thread just for my problem would be my choice; simultaneous sub threads with different sub topics are always somewhat difficult to navigate.

While having a known starting place to discuss Comcast IPv6 problems is a good idea, at some point there is going to be a problem when multiple users are trying to resolve multiple unrelated problems. Perhaps NetDog will post some guidelines/rules for this new semi-sticky thread.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to NetDog

I can still reach your PC.

traceroute6 to 2601:d:4c00:68:34c8:339c:31d4:729b (2601:d:4c00:68:34c8:339c:31d4:729b) from 2001:559::85:d07f:b7d1:7f6c:8da9, 64 hops max, 12 byte packets
 1  2001:559:0:85::1  0.948 ms  0.850 ms  0.866 ms
 2  2001:559:0:84::1  1.397 ms  1.349 ms  1.179 ms
 3  ae-19-0-ar04.capitolhghts.md.bad.comcast.net  1.754 ms  1.617 ms  1.545 ms
 4  pos-5-7-0-0-cr01.ashburn.va.ibone.comcast.net  4.705 ms
    pos-5-4-0-0-cr01.ashburn.va.ibone.comcast.net  5.994 ms
    pos-5-1-0-0-cr01.ashburn.va.ibone.comcast.net  5.257 ms
 5  he-0-15-0-0-cr01.newyork.ny.ibone.comcast.net  18.379 ms  11.905 ms  11.755 ms
 6  he-0-3-0-0-cr01.350ecermak.il.ibone.comcast.net  30.388 ms  38.303 ms  33.282 ms
 7  he-2-11-0-0-ar01.area4.il.chicago.comcast.net  41.233 ms  40.682 ms  35.917 ms
 8  te-3-3-ur04.algonquin.il.chicago.comcast.net  33.539 ms  32.581 ms  32.167 ms
 9  2001:558:322:265::2  44.274 ms  36.339 ms  42.821 ms
10  2001:558:6033:ad:3449:6c62:49bb:d73e  41.354 ms  55.599 ms  41.589 ms
11  2601:d:4c00:68:34c8:339c:31d4:729b  41.038 ms  41.742 ms  41.942 ms
 

I can still reach you. So I'm still thinking DNS but it could be something else I guess. Do you have any weird proxy software on the box?


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:77
Reviews:
·Comcast
reply to NetFixer

said by NetFixer:

said by plencnerb:

I think at this point, I wonder if I should start a new thread for this, as it is more a pfsense issue than a Comcast issue. I would hate to "muddy the waters" so to speak as I know that IPv6 is working in my area, and does work when I plug my desktop directly into the cable modem.

--Brian

Personally, a new thread just for my problem would be my choice; simultaneous sub threads with different sub topics are always somewhat difficult to navigate.

While having a known starting place to discuss Comcast IPv6 problems is a good idea, at some point there is going to be a problem when multiple users are trying to resolve multiple unrelated problems. Perhaps NetDog will post some guidelines/rules for this new semi-sticky thread.

Maybe we do a troubleshooting post for each device? I am up for whatever, I was just looking for a way that new users could get an idea of where to start.


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit

said by NetDog:

Maybe we do a troubleshooting post for each device? I am up for whatever, I was just looking for a way that new users could get an idea of where to start.

I don't know what the solution will be (and I do think that a common starting place for Comcast IPv6 related problems is a good idea). However, already in plencnerb's sub thread (in which I have been participating) in this thread, there have been replies that were meant for plencnerb, but were actually addressed to you. Imagine the confusion factor if there were a half dozen totally unrelated active sub threads.

A forum moderator can be asked to separate sub thread elements into a new thread, but when posters reply to the thread instead of to individual posts (or posters), that complicates the job of extracting and collating those sub thread posts, and it could be a PITA if a moderator needed to do that on a regular basis (I know because I have had to do it for other forums/message boards).

EDIT:
While on the subject of multiple sub threads I have a curiosity question regarding IPv6 support for the Comcast/Netgear WNR1000v2-VC. That router was originally on Comcast's IPv6 approved gateway device list, but was subsequently withdrawn. Was that because it snags a /64 for its WAN interface, and also randomly changes its LAN PD prefix? And are Comcast/Netgear planning a firmware upgrade to address that?
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to NetDog

I do agree it can get confusing. Right now, it's just my issue with pfsense, so it is fairly easy to follow. But, what if there were 3 or 4 different users posting different questions with different hardware? It would then be hard to follow, and to make sure that a reply was directed to the right post.

The idea that Netdog came up with is a good one. He has a LOT of wonderful information in that first post. The difficult part, I feel, comes down to where we are with my issues: Troubleshooting what is wrong, and working the problem to resolution. At that point, it does become router specific, as far as getting the right settings / configuration in place. Of course, you add in the complexity of differences in OS, and potential changes that we, as end users make to the OS to fit our environment.

I don't know how one would manage it, but if there was a way to have a separate post in this thread for a given router, and its settings. For example, whfsdude has it working currently on his pfsense box. He could document the changes he had to make to get it working, and add the steps he went through. The same could be done for a given Netgear router, Linksys router, etc. Then, as people read this thread, they see the first post, and then future posts for a specific hardware type.

Then, if there are questions, a new thread could be started.

In my case, I would have started a new thread after performing the steps I read here (connect pc directly to cable modem, verify I got the proper IPv6 info, and so on), then look at the post for pfsense, make the modifications, and see if I get the results posted. Since I did not, I could then open a new thread for the discussion, troubleshooting, and resolution.

If a given hardware type was not listed....not sure if it would be best to add to this existing thread, or start a new one, and then put the end results in this thread. In that case, maybe the first person to use that given hardware could "step up" so to speak to put together the post to be added here, showing the settings that had to be modified to get IPv6 to work for a given hardware device.

Regardless of how it's done, I do see a lot of manual monitoring and work for a forum moderator to keep things in order. Almost like building a FAQ for IPv6.

So, not sure what the best answer is on this.

To answer whfsdude's question:

said by whfsdude:

I can still reach you. So I'm still thinking DNS but it could be something else I guess. Do you have any weird proxy software on the box?

As far as I know, I don't have any odd proxy software installed on my system. To verify it's not me, I did switch hard drives and boot into Windows 8 Pro, and I get the same results.

I do think it's a DNS issue, but I'm not sure if it is something to do with DNS in pfsense, or if it has to do with DNS from Comcast.

To rule out DNS on Comcast's side, I could go back to having my desktop plugged directly into the cable modem, and run a few quick tests and see what comes back (full ipconfig info, tracerts, pings, and ipv6 tests), and then post those results, so we can compare them to when I am behind pfsense, and try to figure out what may be different.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

2 edits

said by plencnerb:

I do think it's a DNS issue, but I'm not sure if it is something to do with DNS in pfsense, or if it has to do with DNS from Comcast.

To rule out DNS on Comcast's side, I could go back to having my desktop plugged directly into the cable modem, and run a few quick tests and see what comes back (full ipconfig info, tracerts, pings, and ipv6 tests), and then post those results, so we can compare them to when I am behind pfsense, and try to figure out what may be different.

Another way to rule out DNS is to not use DNS. Try pings and traceroutes to my Windows and Linux server IPv6 hostnames and IPv6 addresses as shown below.


C:\>ping ipv6.dcsenterprises.net
 
Pinging ipv6-dcs-srv.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:beac] with 32 bytes of data:
 
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=20ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=17ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=19ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=18ms
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 20ms, Average = 18ms
 
C:\>ping ipv6.dcs-net.net
 
Pinging ipv6-webhost.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:a879] with 32 bytes of data:
 
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=21ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=18ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=21ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=19ms
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:a879:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 21ms, Average = 19ms
 
C:\>ping 2601:5:c80:91:e291:f5ff:fe95:beac
 
Pinging 2601:5:c80:91:e291:f5ff:fe95:beac with 32 bytes of data:
 
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=36ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=35ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=20ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=18ms
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 36ms, Average = 27ms
 
C:\>ping 2601:5:c80:91:e291:f5ff:fe95:a879
 
Pinging 2601:5:c80:91:e291:f5ff:fe95:a879 with 32 bytes of data:
 
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=19ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=18ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=23ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:a879: time=17ms
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:a879:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 23ms, Average = 19ms
 
C:\>tracert 2601:5:c80:91:e291:f5ff:fe95:beac
 
Tracing route to 2601:5:c80:91:e291:f5ff:fe95:beac over a maximum of 30 hops
 
  1    <1 ms    <1 ms    <1 ms  2601:5:c80:6b:a221:b7ff:fe9c:602
  2    31 ms    28 ms    29 ms  2001:558:4013:19::1
  3    20 ms    17 ms    19 ms  2001:558:6016:19:39d6:46d1:4004:e738
  4    21 ms    18 ms    18 ms  2601:5:c80:91:e291:f5ff:fe95:beac
 
Trace complete.
 
C:\>tracert 2601:5:c80:91:e291:f5ff:fe95:a879
 
Tracing route to 2601:5:c80:91:e291:f5ff:fe95:a879 over a maximum of 30 hops
 
  1    <1 ms    <1 ms    <1 ms  2601:5:c80:6b:a221:b7ff:fe9c:602
  2    24 ms    66 ms    32 ms  2001:558:4013:19::1
  3    22 ms    18 ms    18 ms  2001:558:6016:19:39d6:46d1:4004:e738
  4    29 ms    18 ms    19 ms  2601:5:c80:91:e291:f5ff:fe95:a879
 
Trace complete.
 


FWIW, the above example was done from a Windows XP notebook attached to my guest Netgear router. It has no connectivity to my local network, so there is no possibility that the results shown above are actually some backdoor local connection (as would be the case if I had done this test from a PC connected to my LAN). The Netgear router does share a common physical connection through my cable modem with my other two routers and the WAN interfaces for my two servers, but being on different IPv4 and IPv6 subnets prevents any direct local communication. A graphic diagram of my network can be viewed here: »www.dcs-net.net/image/DCS-networ···gram.gif if that might help in understanding the conditions of the above test.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Good suggestion.

However, things don't appear to be working, per my results below.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\Brian A. Plencner>ping 2601:5:c80:91:e291:f5ff:fe95:beac
 
Pinging 2601:5:c80:91:e291:f5ff:fe95:beac with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Users\Brian A. Plencner>ping 2601:5:c80:91:e291:f5ff:fe95:a879
 
Pinging 2601:5:c80:91:e291:f5ff:fe95:a879 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:a879:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Users\Brian A. Plencner>ping ipv6.dcsenterprises.net
 
Pinging ipv6-dcs-srv.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:beac] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Users\Brian A. Plencner>ping ipv6.dcs-net.net
 
Pinging ipv6-webhost.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:a879] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:a879:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Users\Brian A. Plencner>tracert 2601:5:c80:91:e291:f5ff:fe95:beac
 
Tracing route to 2601:5:c80:91:e291:f5ff:fe95:beac over a maximum of 30 hops
 
  1     *        *        *     Request timed out.
  2  ^C
C:\Users\Brian A. Plencner>
 
 

What I will do at some point tomorrow is put together a series of tests that I want to run while connected directly to my cable modem (avoiding my pfsense box). Not sure on that full list yet, but it will of course include doing a similar test to what I did above, along with a few other things (running a test at both comcast's and the standard ipv6 web site tests, trace routes to google's IPv6 site, and so on).

Something tells me that I have something not configured correctly with pfsense. However, before I make that call, I want to test without it, to make sure everything is as it should be on my end.

Thanks again to everyone who has helped so far.

--Brian

--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

FWIW, just in case you don't already know it, the fact that the pings to my IPv6 hostnames returned the correct IP addresses (and the CNAME DynDNS aliases) indicates that your DNS is working. It would seem that the problem is with the IPv6 transport (and as you said, probably in the pfSense box).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
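
The check NetFixer describes in the posts above (a bracketed address in the `Pinging ...` line means the name resolved, so 100% loss points at the IPv6 path rather than DNS), as an added example that is not part of the thread: a Python parser that classifies Windows `ping` output. The function names and the `nohost.example.invalid` hostname are assumptions for illustration, and the sample output is constructed in the thread's format.

```python
import re

PING_RE = re.compile(
    r"^Pinging (\S+)(?: \[([0-9A-Fa-f:.%]+)\])? with \d+ bytes of data:", re.M)
STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")
NOHOST_RE = re.compile(r"^Ping request could not find host (\S+?)\.? Please", re.M)

def parse_ping_runs(text):
    """Return one dict per ping run found in Windows ping output."""
    # Names the resolver could not answer never produce a "Pinging" line.
    runs = [{"target": m.group(1), "address": None, "via_dns": True, "received": 0}
            for m in NOHOST_RE.finditer(text)]
    heads = list(PING_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        stats = STATS_RE.search(text, m.end(), end)
        if stats is None:
            continue  # run interrupted before the statistics block
        # A bracketed address means the target was a name and it resolved.
        runs.append({"target": m.group(1),
                     "address": m.group(2) or m.group(1),
                     "via_dns": m.group(2) is not None,
                     "received": int(stats.group(2))})
    return runs

def classify(run):
    if run["address"] is None:
        return "dns-failure"            # name never resolved
    if run["received"] > 0:
        return "reachable"
    # No replies: DNS either worked or was bypassed, so the path is at fault.
    return "dns-ok-transport-fail" if run["via_dns"] else "transport-fail"

# Constructed sample in the thread's output format (timeout lines abbreviated).
SAMPLE = r"""
Pinging ipv6-dcs-srv.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:beac] with 32 bytes of data:
Request timed out.
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Pinging 2601:5:c80:91:e291:f5ff:fe95:beac with 32 bytes of data:
Request timed out.
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Ping request could not find host nohost.example.invalid. Please check the name and try again.
"""

if __name__ == "__main__":
    for run in parse_ping_runs(SAMPLE):
        print(f'{run["target"]:42} {classify(run)}')
```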