Netgate Discussion Forum

    [RESOLVED] Problem with Cox cable-modem and pfSense with IPv6 routing on pfSense LAN side

    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      Interesting. Public address from a private-addressed server on WAN.

      You wouldn't happen to have the firewall filter logs from when you have the RFC1918 block enabled, would you?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        In that unique case you can make an RFC1918 alias and:

        Pass the DHCP traffic in on WAN
        Block the RFC1918 in on WAN
        Rest of your WAN rules

        Disable the checkbox for RFC1918 on WAN.

        The ISP should not be expecting you to accept that traffic into WAN. I would open a ticket with them.

        1 Reply Last reply Reply Quote 0
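
The rule order described in the post above, modelled as an added example (not part of the original thread, and not pfSense code). It assumes top-down, first-match evaluation of WAN rules, DHCPv4 server replies on UDP 67 to 68, and a hypothetical HTTPS pass rule standing in for "rest of your WAN rules"; all packets are constructed samples.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 private IPv4 ranges: the contents of the alias the post describes.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "src proto sport dport")
Rule = namedtuple("Rule", "action name match")

def from_rfc1918(pkt):
    """True when the packet's source address is inside any RFC 1918 range."""
    return any(ipaddress.ip_address(pkt.src) in net for net in RFC1918)

def is_dhcp_reply(pkt):
    """DHCPv4 server-to-client traffic: UDP source port 67, destination 68."""
    return pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68

PASS_DHCP = Rule("pass", "pass DHCP in on WAN", is_dhcp_reply)
BLOCK_PRIVATE = Rule("block", "block RFC1918 in on WAN", from_rfc1918)
# Hypothetical stand-in for "rest of your WAN rules" (assumption).
PASS_HTTPS = Rule("pass", "pass HTTPS (hypothetical)",
                  lambda p: p.proto == "tcp" and p.dport == 443)

ORDER_FROM_POST = [PASS_DHCP, BLOCK_PRIVATE, PASS_HTTPS]
# Same rules with the block moved to the top, for comparison.
BLOCK_FIRST = [BLOCK_PRIVATE, PASS_DHCP, PASS_HTTPS]

def evaluate(pkt, rules):
    """First matching rule wins; unmatched inbound traffic is dropped."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return "block", "default deny"

# Constructed sample packets (addresses are illustrative only).
SAMPLES = {
    "dhcp_from_private_server": Packet("10.32.0.1", "udp", 67, 68),
    "other_private_source": Packet("192.168.100.1", "tcp", 40000, 443),
    "public_https": Packet("198.51.100.7", "tcp", 51000, 443),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, evaluate(pkt, ORDER_FROM_POST), evaluate(pkt, BLOCK_FIRST))
```

With the block rule first, the lease renewal from the private-addressed server is dropped, which is why the DHCP pass has to sit above the RFC1918 block.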
        • stan-qazS
          stan-qaz
          last edited by

          The firewall logs always show as empty with the private block enabled or disabled.

          I've talked to Cox tech support by phone and via their DSL Reports rep and no information is public about their use of the private network space within the Cox system. Not even a simple list of "we use these ranges, pick something else for your use" which has bitten folks for some time now when they have duplicates.

          I'll skip trying to create firewall rules, want to keep the pfSense setup as basic as possible.

          • obitoriO
            obitori @stan-qaz
            last edited by

            @stan-qaz @Derelict

            I believe the problem was my rental ASSUS cable-modem/router-wifi. It was not passing the prefix subnet information, only individual IPv6 addresses for the one /64 subnet that it was using for direct connections to its LAN side. It was not sharing the rest of the /60 block that was showing up on the WAN side.

            When I swapped it out for a NETGEAR CM700 and plugged the pfSense firewall into the NETGEAR CM700 Ethernet out, the pfSense firewall picked up the proper IPv6 information to distribute IPv6 addresses on the LAN side. That's what I wanted. I am going to mark this as resolved.

            • martywiseM
              martywise @obitori
              last edited by

              @obitori, I know this is pretty old at this point, but I'm also a Cox customer, battling my way through a similar setup with pfSense and a Netgear CM1000 cable modem. Any chance you could provide some details on your pfSense config to get it to use the ISP-provided block of addresses?
              Thanks for any info you can provide.

              • stan-qazS
                stan-qaz @martywise
                last edited by

                @martywise Nothing fancy, my WAN page has these set:

                Use DHCP6 to configure
                use /56 prefix and send a hint to the ISP
                reject leases from your modem's internal IP address
                don't block private networks (once working you can try blocking)

                • martywiseM
                  martywise @stan-qaz
                  last edited by

                  @stan-qaz -- Thanks for the info. Going through my settings again I see what I'm missing. I am currently only asking for a /64 and that's what I'm getting... And, it changes each router reboot.

                  With your config, do you get a static block? Have you seen the prefix change over time? If so, how frequently?

                  Thanks again.

                  • stan-qazS
                    stan-qaz @martywise
                    last edited by

                    @martywise No reason to only ask for a /64 but it should work if you have only one internal LAN.

                    Try checking: "Do not allow PD/Address release" to see if it helps stabilize the prefix.

                    You do not get a static block, you get whatever Cox wants to hand out. Some times and some areas you'll be on the same prefix for a long time, other times and areas (like Phoenix last year) you'll get a different prefix every couple months. As long as you avoid hard coding the prefix into some rule or DNS entry you will never notice it changing.

                    martywiseM 1 Reply Last reply Reply Quote 1
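
How the delegated prefix sizes discussed in this thread (/64, /60, /56) map to LAN /64s, and what a prefix change does to a hard-coded address, as an added example that is not part of the original thread. The function names and the `2001:db8::` documentation-range addresses are assumptions made for illustration; "prefix ID" here means the index of a /64 inside the delegation.

```python
import ipaddress

def available_lans(delegated):
    """Number of /64 LAN subnets a delegated prefix can supply."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a LAN")
    return 1 << (64 - pd.prefixlen)

def lan_subnet(delegated, prefix_id):
    """Derive the /64 for a LAN from the delegation plus a prefix ID."""
    pd = ipaddress.IPv6Network(delegated)
    if not 0 <= prefix_id < available_lans(delegated):
        raise ValueError(f"prefix ID {prefix_id} does not fit in {pd}")
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def rebase(address, old_pd, new_pd):
    """Where a host lands after the ISP swaps the delegation: the prefix ID
    and interface ID are kept, only the delegated bits change."""
    old, new = ipaddress.IPv6Network(old_pd), ipaddress.IPv6Network(new_pd)
    addr = ipaddress.IPv6Address(address)
    if addr not in old or old.prefixlen != new.prefixlen:
        raise ValueError("address must be in old_pd; prefix lengths must match")
    offset = int(addr) - int(old.network_address)
    return ipaddress.IPv6Address(int(new.network_address) + offset)

def stale_entries(entries, old_pd, new_pd):
    """Hard-coded addresses (rules, DNS) that still point into the old prefix."""
    old, new = ipaddress.IPv6Network(old_pd), ipaddress.IPv6Network(new_pd)
    return [e for e in entries
            if ipaddress.IPv6Address(e) in old
            and ipaddress.IPv6Address(e) not in new]

if __name__ == "__main__":
    # Constructed values: old and new /56 delegations and a hard-coded host.
    old_pd, new_pd = "2001:db8:ab00::/56", "2001:db8:cd00::/56"
    host = "2001:db8:ab00:3::25"
    print(available_lans(old_pd), lan_subnet(old_pd, 3))
    print(rebase(host, old_pd, new_pd))
    print(stale_entries([host, "2001:db8:cd00:3::25"], old_pd, new_pd))
```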
                    • JKnottJ
                      JKnott @martywise
                      last edited by JKnott

                      @martywise said in [RESOLVED] Problem with Cox cable-modem and pfSense with IPv6 routing on pfSense LAN side:

                      And, it changes each router reboot.

                      Check Do not allow PD/Address release on the WAN page. Also, no harm in requesting more /64s than you need. The IPv6 address space is huge, with gazillions of addresses. I get a /56 from my ISP and currently use 4 /64s.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • martywiseM
                        martywise @stan-qaz
                        last edited by

                        @stan-qaz Fabulous! Thanks. This is definitely working. Now, I get a LAN IPv6 address and a /56 prefix that does not change each reboot. As you say, it will likely change periodically. I've had Cox for over 20 years. In that time, my IPv4 has changed only infrequently... I expect this will probably be similar.
                        Thanks again for your help!

                        • martywiseM
                          martywise @JKnott
                          last edited by

                          @jknott I now have the "Do not allow PD/Address release" option checked and overall, things seem to be working.
                          As for address space -- that's about what I'm after too... I only want to create a few subnets, with at most a few dozen nodes on each.
                          Thanks for the assistance.

                          • JKnottJ
                            JKnott @martywise
                            last edited by

                            @martywise

                            My IPv4 address is virtually static, but my host name is based on modem and router MAC addresses. If I change hardware, the host name will change. If I change my router or its NIC, my address will change. On IPv6, my prefix has survived modem and complete replacement of the box I run pfSense on. I suspect it might take a nuke or two to change it. 😉

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.