As a Telus customer, I have native IPv6 available as long as I play within their rules. I finally got around to building a system to accommodate this setup. I am still determining how sticky the IPv6 lease from Telus is. It turns out that Telus offers a /56 prefix as long as your router requests only an IA-PD and not an IA-NA.
Quite some time ago I was able to use this address space with my Ubiquiti router by following [this guide](https://heald.ca/configuring-telus-optik-ipv6-ubiquiti-edgerouter/). Only recently did I look into my EdgeRouter’s IPv6 firewall rules. Although it lacks NETv6_interface address groups, the following rule works as a dynamic-prefix destination rule for an EUI-64 address. The mask is modified to limit it to the 5th Prefix or hex
```
set firewall ipv6-name IPv6-In rule 4 destination address ::5:224:2FFF:FE85:6E10/::00ff:ffff:ffff:ffff:ffff
```
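To see why this rule keeps matching when the delegated prefix changes, here is the masked comparison worked through in Python. This is an added example, not part of the original post: the /56 prefixes are constructed from the 2001:db8::/32 documentation range, and the MAC address is the one implied by the rule's EUI-64 interface ID.

```python
import ipaddress

# Address and mask copied from the firewall rule above.
RULE_ADDR = int(ipaddress.IPv6Address("::5:224:2FFF:FE85:6E10"))
RULE_MASK = int(ipaddress.IPv6Address("::00ff:ffff:ffff:ffff:ffff"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def host_address(delegated: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host gets in /64 number `subnet_id` of a delegated /56."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen != 56 or not 0 <= subnet_id <= 0xFF:
        raise ValueError("need a /56 and a subnet ID of 0x00-0xff")
    return ipaddress.IPv6Address(
        int(net.network_address) | (subnet_id << 64) | eui64_interface_id(mac)
    )


def rule_matches(destination) -> bool:
    """Masked comparison: only the bits set in RULE_MASK take part in the match."""
    dest = int(ipaddress.IPv6Address(destination))
    return (dest & RULE_MASK) == (RULE_ADDR & RULE_MASK)


if __name__ == "__main__":
    mac = "00:24:2f:85:6e:10"  # MAC implied by the rule's interface ID
    # Constructed /56 prefixes standing in for two different leases.
    for prefix in ("2001:db8:aa:1100::/56", "2001:db8:bb:4200::/56"):
        for subnet in (0x05, 0x06):
            addr = host_address(prefix, subnet, mac)
            print(f"{str(addr):<40} match={rule_matches(addr)}")
```

The mask covers the low 72 bits only, so the rule is pinned to subnet 5 and this one interface ID while ignoring the 56 delegated bits. It stops matching if the host switches to temporary (privacy) or otherwise non-EUI-64 addresses, or moves to another /64.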
Once I had figured out that the rule would work with a changing address, the next problem was updating DNS. Using Cloudflare, it was easy enough to find scripts to update the entries using their API. Updating my own on-premises BIND DNS took a little longer. The following scripts were added to my crontab and can be used as needed.
One of the main benefits of moving from my static Hurricane Electric /48 was that I was now able to use Cloudflare’s Proxy service and take advantage of their NAT64 service. While I had implemented my own NAT64/SIIT-DC, Cloudflare was easier. I had come across an issue that was little known: Cloudflare will provide DNS to free Hurricane Electric addresses, but when you try to proxy them or use the NAT64, it will result in a generic error.
```
*/5 * * * * /root/Cloudflare.sh HOSTNAME.FQDN
*/5 * * * * /root/Bind.sh HOSTNAME.FQDN
```
[Inbound Firewall rules with DHCPv6-PD](https://community.ui.com/questions/Inbound-Firewall-rules-with-DHCPv6-PD/31aac051-4565-451c-89b2-8146a36724e8#comment/36880eb8-b3ef-4431-9e87-6049d2e720bb).