[magicalhippo]

Please don't put words in my mouth. I did not say "Because pfSense, does really bad things."

How pfSense works is fairly reasonable if every IPv6 deployment had been as the original designers intended, ie you have a static prefix.

It's just that the way IPv6 ended up getting deployed in practice was often not aligned with that original vision. And that has been a large source of IPv6 frustration.

[gertrunde]

There's a few things here that are a bit iffy tbh!

I can't see why an ISP is dynamically changing the IPv6 addressing for a client, but if that's what is going on, then v6 NPT is your friend (RFC6296 - https://datatracker.ietf.org/doc/html/rfc6296).

But pfsense's behaviour is a bit iffy too, unless when you say 'public IP', you mean the IPv6 address being used on the pfsense facing the clients? (I'm assuming it's using DHCPv6 prefix delegation, and the delegation is being changed? And potentially the uplink subnet as well).

[direwolf20]

It's a legal requirement in Europe for privacy. A long term static address is a personal identifier.

[illiac786]

How could this be a legal requirement and at the same time you can purchase static IPs as a paid option from ISPs, like I did?

[direwolf20]

You're allowed to consensually waive your own privacy rights.

[anikom15]

Does the mailman come around and change house numbers and street names every month, too?

[pmezard]

Any vague source for that?

Asking as a European who did not have his IPv4 address changed for months or even years. Or is it IPv6 specific? But I cannot see why.

[illiac786]

opnsense can use the delegated prefix for DHCPv6, it then automatically becomes the “LAN net” firewall alias and you can refer to it in a firewall rule I believe. I assume it’s the same for pfsense and I suspect they are not the only ones.

[magicalhippo]

> v6 NPT is your friend

So NAT is the one true solution after all.. /s

> unless when you say 'public IP', you mean the IPv6 address being used on the pfsense facing the clients?

Well, that's kinda the thing, pfSense seems to assume global means it's also the IP facing the local clients. I couldn't get pfSense to advertise its ULA as the DNS server for example. But if you have a static prefix, that's not a bad assumption. And a static prefix is what the IPv6 designers envisioned.

> I'm assuming it's using DHCPv6 prefix delegation, and the delegation is being changed?

ISP indeed uses DHCPv6 prefix delegation. The prefix I get can change "randomly". It always changes when my router or modem reboots, but other times too (perhaps when their equipment reboots).

I should note that after getting very frustrated with pfSense, I threw it away a few years ago and switched to OpenWRT which has worked much, much better when it comes to IPv6.