This breakage affects pfSense users, i.e. those who use pfSense on their gateway router that connects to the Internet.
Since the last weekend, my pfSense router failed to get a new DHCP lease for an IPv6 address. Interestingly, tcpdump on the WAN interface shows DHCPv6 Solicit messages leaving pfSense, and DHCPv6 Advertise messages returning. But pfSense did not go through to the next phase of acquiring a IPv6 address lease.
I was originally suspecting something amiss with the Advertise that led pfSense to ignore it. However, I could not tell what was wrong with it, even after dissecting the contents with tshark.
Eventually, I discovered that pfSense was dropping the DHCPv6 Advertise replies. Yup, the firewall was blocking the traffic. This is matched by a default rule that drops traffic from bogon networks. This happens when the WAN interface configuration has the “Drop bogon networks” option checked.
pfSense’s bogon list currently contains an entry for 8000::/1. StarHub’s DHCP server is sourcing from an fe80::/16 address, which matches. Now, pfSense’s bogon list is updated monthly by default. I don’t know if 8000::/1 is a new entry just introduced, or StarHub just changed their DHCP server to use an fe80::/16 address.
A quick search on the Internet does find mention of the 8000::/1 entry in the bogon list in 2013. So it appears to have been in there for quite long.
The fix for this is really quite simple. In your WAN interface configuration, under the “Private networks” section at the bottom, uncheck “Block bogon networks.” DHCPv6 should just work fine after this.