Thanks for your help @VygrNetworkMonkey -- I appreciate you do this for free and have no obligation to help me here, it means a lot! I'm gonna paste here what I posted on reddit just now to see if anyone in r/pfSense knows what the deal is, but maybe you could provide some insight.

I managed to get an extra subnet going last night but it's not quite working how I would expect. For privacy's sake let's say that prefix is 1234:5678:9ABCD:EF00::/56. I set my pfSense WAN to DHCPv6, where they assign me a /64 outside of that range, then I set my pfSense LAN interface to Track Interface on WAN. pfSense then automatically subnets that /56 into a /64, which is fine (pfSense doesn't appear to have the ability to adjust that /64 to anything else??). That /64 is 1234:5678:9ABCD:EF00::/64 (the subnet ID I have in pfSense is 0, so it uses the first subnet available from that /56). To be clear, this works perfectly. Clients on my network get IPv6 addresses within that /64 and everything works fine.

The confusion I'm having is if I want an additional subnet, and how routing works. On my pfSense I set up an additional OPT1 interface that's just on VLAN1. I don't have any other VLANs anywhere on my network. On the OPT1 interface I set the interface ID to "1". That seemed to work and I got a subnet of 1234:5678:9ABCD:EF01::/64, and the OPT1 interface has an IP address that friends of mine are able to ping from outside the internet. However, despite firewall rules being in place, I cannot ping that IP from anywhere inside my LAN, from any machine. Whenever I do, I just get destination host unreachable.

If I check my Windows route table, I can actually see that new OPT1 subnet 1234:5678:9ABCD:EF01::/64 but it says "on-link". Is this normal for IPv6? How does the routing actually work? I understand that outside of my network, my ISP throws anything destined for my /56 at my router, but internally? How do I make this work?

Sorry for the wall of text. Hope someone is able to give me a hand.

"On-link" means that the Windows PC can send directly to that address block without going through a router. It should have an IPv6 address from that address block on one of its network ports, so if you run ipconfig you should see that address.

Windows should have your pfSense router as its default route. In IPv6, the default route is "::0". This is from the top of my "route print" output on my main Windows box:

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     25 ::/0                     pppp:pppp:pppp:pp01::251
  7     25 ::/0                     pppp:pppp:pppp:pp02::251
  7    281 ::/0                     fe80::1ae8:29ff:febe:e296
 12    281 ::/0                     fe80::1ae8:29ff:febe:e295

I have replaced my delegated /56 prefix with pppp:pppp:pppp:pp. This box has two Ethernet cards, interface 12 connected to my "Outer" subnet (01) and interface 7 connected to my "Inner" subnet (02). The Outer subnet is a DMZ, where guests and untrusted devices are connected. The "Inner" subnet is where all my trusted devices connect.

My ER4 router has one Ethernet port connected to Outer and one to Inner, and its device ID on both subnets is ::251, and both of those addresses are in the routing table as default routes. The router's link-local addresses (fe80::) are also in the routing table as default routes, as IPv6 often routes packets using the link-local addresses as the next hop address and does not actually need to have a global unicast IPv6 address to route packets to.

With these routing table entries, any packet sent to an address that is not elsewhere in the routing table will be sent via the default route with the lowest metric, so it will be sent to pppp:pppp:pppp:pp01::251, my ER4's Outer IPv6 address. The ER4 will then look up its routing table to send the packet on.
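The host-side lookup the reply describes (longest prefix first, then lowest metric, with "On-link" meaning the next hop is the destination itself rather than a gateway) can be traced with a small script. This is an added example, not code from either poster: it parses a constructed IPv6 route table written in the layout of Windows `route print`, using the 2001:db8::/32 documentation prefix in place of a real delegated /56, with 2001:db8:0:1::/64 as the "Outer" subnet on interface 12 and 2001:db8:0:2::/64 as the "Inner" subnet on interface 7. The tie-break between two default routes of equal metric (keep the earlier entry) is an assumption made to keep the result deterministic; the real stack's choice in that case is not shown on this page.

```python
"""Walk an IPv6 route table in Windows `route print` layout and report the next hop."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    ifindex: int
    metric: int
    prefix: ipaddress.IPv6Network
    gateway: Optional[ipaddress.IPv6Address]  # None means the entry read "On-link"

# Constructed sample (not captured from a real machine). Two default routes
# point at the router's global addresses, two at its link-local addresses,
# and each connected /64 plus the host's own /128 addresses are On-link.
SAMPLE_ROUTE_PRINT = """\
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     25 ::/0                     2001:db8:0:1::251
  7     25 ::/0                     2001:db8:0:2::251
  7    281 ::/0                     fe80::1ae8:29ff:febe:e296
 12    281 ::/0                     fe80::1ae8:29ff:febe:e295
  1    331 ::1/128                  On-link
 12    281 2001:db8:0:1::/64        On-link
 12    281 2001:db8:0:1::1234/128   On-link
  7    281 2001:db8:0:2::/64        On-link
  7    281 2001:db8:0:2::abcd/128   On-link
 12    281 fe80::/64                On-link
  7    281 fe80::/64                On-link
===========================================================================
"""

def parse_route_print(text: str) -> list[Route]:
    """Keep only the four-column route lines; skip headers, separators and blanks."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ifindex, metric, dest, gw = parts
        gateway = None if gw.lower() == "on-link" else ipaddress.IPv6Address(gw)
        routes.append(Route(int(ifindex), int(metric), ipaddress.IPv6Network(dest), gateway))
    return routes

def lookup(routes: list[Route], dest: str) -> Optional[Route]:
    """Longest matching prefix wins; among equal lengths the lowest metric wins;
    on an exact tie the earlier table entry is kept (assumed tie-break)."""
    addr = ipaddress.IPv6Address(dest)
    candidates = [(i, r) for i, r in enumerate(routes) if addr in r.prefix]
    if not candidates:
        return None
    _, best = min(candidates, key=lambda ir: (-ir[1].prefix.prefixlen, ir[1].metric, ir[0]))
    return best

def next_hop(routes: list[Route], dest: str) -> Optional[dict]:
    """Resolve where the host would hand the packet: the destination itself for an
    On-link route (neighbour discovery on that interface), else the gateway."""
    r = lookup(routes, dest)
    if r is None:
        return None
    hop = ipaddress.IPv6Address(dest) if r.gateway is None else r.gateway
    return {"ifindex": r.ifindex, "matched": str(r.prefix),
            "on_link": r.gateway is None, "next_hop": str(hop)}

if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for d in ("2001:db8:0:2::10", "2001:db8:0:2::abcd", "2606:4700::1111"):
        print(d, "->", next_hop(table, d))
```

Running it shows the three cases the thread is about: a destination inside a connected /64 is delivered directly on that interface (no gateway involved), a host's own /128 entry beats the covering /64, and anything else falls through to the ::/0 entry with metric 25 and is handed to the router's address on interface 12.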