Hi PacketTracer
Once again - thank you for your help!
Regarding DMZ there are different definitions on what it is, but the definition here http://en.wikipedia.org/wiki/DMZ_(computing) goes fine hand in hand with your description. And yes I agree.
(Regarding /127: Yes, you are right. I was at the time trying to experiment to see if it was possible to bind a virtual IPv6 address to the ISP router and connect that to the WAN side of the 860L/CPE to get in compliance with RFC 6164. Besides the /127 problem in pfSense, it seems only possible if I had an extra NIC (which I do not have) or, better, a virtual interface in the ISP router (a feature it does not have, to my knowledge).)
Regarding "communication relationships": Yes, that is what I want. :-)
Reachability test CPE LAN --> WAN (ISP LAN):
Precondition:
1) CPE fw off & no simple security.
2) IPv6 connectivity to the Internet
Test:
I did ping6 (ICMPv6 echoes) and rltraceroute6 (UDP), tcptraceroute6 (TCP) and tracert6 (ICMPv6 Echo) from my desktop machine behind the LAN of my CPE/860L towards 2a02:188:4401::6.
Result:
I only reach 2a02:188:4401:8100::1 with the *traceroute6 programs - never the actual target. ping6: no success.
Reachability test WAN (ISP LAN) --> CPE LAN/my desktop computer (2a02:188:4401:8100:1337:1337:1337:1337)
Precondition:
1) CPE fw off & no simple security.
2) IPv6 connectivity to the Internet
Test:
I did ping6 (ICMPv6 echoes) and traceroute6 (UDP/ICMP <-- http://www.freebsd.org/cgi/man.cgi?query=traceroute6&apropos=0&sektion=0&manpath=FreeBSD+8.3-RELEASE&arch=i386&format=html ) from the ISP router (2a02:188:4401::1) towards the LAN of my CPE/860L with target my desktop machine (2a02:188:4401:8100:1337:1337:1337:1337).
Result:
ping6 succeeds
traceroute6 UDP succeeds
traceroute6 ICMP succeeds
Reachability test DMZ Server (2a02:188:4401::6) --> CPE LAN/my desktop computer (2a02:188:4401:8100:1337:1337:1337:1337):
Precondition:
1) CPE fw off & no simple security.
2) IPv6 connectivity to the Internet
3) DMZ server has gateway set to 2a02:188:4401::1.
Test:
I did ping6 (ICMPv6 echoes) and rltraceroute6 (UDP), tcptraceroute6 (TCP) and tracert6 (ICMPv6 Echo) from the ISP DMZ server towards the LAN of my CPE/860L.
Result:
ping6 (ICMPv6) fails. 2a02:188:4401:8100:1337:1337:1337:1337(2a02:188:4401:8100:1337:1337:1337:1337) 56 data bytes
tracert6 (ICMPv6) fails. Never reaches anything.
rltraceroute6 (UDP) fails. -"-
tcptraceroute6 (TCP) fails. -"-
Clients of the WAN can ping each other and the ISP router without a problem.
From within the DIR-860L I can ping e.g. 2a02:188:4401::6. I have added an image of this to this post.
Some selected IPv6 routes from the ISP router:
Destination                Gateway                Flags   Refs   Use     Mtu     Netif   Expire
default                    2a02:188:130:2::1      UGS     0      3012    1500    rl0
::1                        ::1                    UH      0      0       16384   lo0
2a02:188:130:2::/64        link#4                 U       0      96855   1500    rl0
2a02:188:130:2::2          link#4                 UHS     0      0       16384   lo0
2a02:188:4401::/64         link#1                 U       0      89921   1500    fxp0
2a02:188:4401::1           link#1                 UHS     0      174     16384   lo0
2a02:188:4401:8100::/56    2a02:188:4401::8100    UGS     0      8525    1500    fxp0
Regarding the DIR-860L firewall: Protocol now has ALL instead of ANY.
The source start address has to differ from the destination start address, else a JavaScript popup window popped up. I circumvented this by choosing a destination start address that was within the range of LAN, WAN, INTERNET (seen from the CPE), meaning 1000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
Regarding activating firewall rules, I had some strange experiences.
It seemed that every time I switched to "Turn IPv6 Filtering ON and ALLOW rules listed" (and the check boxes are selected ;-) ), and regardless of whether Simple Security is on or not, the result is that Status - Logs - Router Status (radio button) gets filled with the firewall dropping my traffic. E.g. it drops if I go to ANY address that needs to pass either WAN or INTERNET, e.g. http://[2a02:188:4401::6]/ (yeah, a webserver as well) :-) or http://test-ipv6.com/
If I however choose "Turn IPv6 Filtering ON and DENY rules listed", then (also regardless of whether Simple Security is on or not) suddenly I have access to http://test-ipv6.com/ but still not to e.g. http://[2a02:188:4401::6]/
I did try your settings (less network scope for AllowISPIn), but that did not make a change in the outcome.
I have added an image to this post about my fw settings. It has DENY rules listed set, but the address ranges, interfaces and protocol apply to my test situation with "ALLOW rules listed".
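As an added example (not part of the original post, the D-Link firmware or the ISP router), the ISP-router routes quoted above are fed through a small longest-prefix-match lookup in Python, so one can see which next hop and interface the router would pick for the desktop address, the DMZ server address and the CPE WAN address before running the ping6/traceroute6 tests. The route table text is copied from the post; parse_routes and lookup are my own helpers.

```python
import ipaddress

# Constructed sample: the ISP-router routes quoted in the post (netstat -rn style).
ROUTE_TABLE = """\
Destination Gateway Flags Refs Use Mtu Netif Expire
default 2a02:188:130:2::1 UGS 0 3012 1500 rl0
::1 ::1 UH 0 0 16384 lo0
2a02:188:130:2::/64 link#4 U 0 96855 1500 rl0
2a02:188:130:2::2 link#4 UHS 0 0 16384 lo0
2a02:188:4401::/64 link#1 U 0 89921 1500 fxp0
2a02:188:4401::1 link#1 UHS 0 174 16384 lo0
2a02:188:4401:8100::/56 2a02:188:4401::8100 UGS 0 8525 1500 fxp0
"""

def parse_routes(text):
    """Turn the whitespace-separated table into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 7:                     # Expire column is empty in every row
            continue
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[6]
        if dest == "default":
            dest = "::/0"
        elif "/" not in dest:                   # host route: a single /128 address
            dest += "/128"
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes

def lookup(routes, address):
    """Longest-prefix match, as the kernel does: the most specific route wins.

    Returns (gateway, netif, on_link). on_link is True when the gateway is a
    'link#N' entry, i.e. the destination is delivered directly with no next hop.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for net, gateway, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    if best is None:
        return None
    net, gateway, flags, netif = best
    return gateway, netif, gateway.startswith("link#")

if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for target in ("2a02:188:4401:8100:1337:1337:1337:1337",   # desktop behind the CPE
                   "2a02:188:4401::6",                          # DMZ server
                   "2a02:188:4401::8100",                       # CPE WAN address
                   "2001:db8::1"):                              # anything else: default
        print(target, "->", lookup(routes, target))
```

The output shows the CPE LAN /56 reached via 2a02:188:4401::8100, and that address itself on-link on fxp0 next to the DMZ server, which is the path the DMZ --> CPE LAN test exercises.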