Netgate Discussion Forum

    How To: Setup IPv6 with Comcast - Full Internet connectivity

    • P
      pfSense2User
      last edited by

      In this tutorial: if you have Comcast/Xfinity High Speed Internet and a new cable modem, you have IPv6 support.

      Go to www.comcast6.net; it will display your IPv4 address and will tell you if your modem is supported to have IPv6.
      Go to http://mydeviceinfo.comcast.net/ for a list of modems with IPv6 support. If there's no check mark under IPv6, your modem is not supported, and therefore, an upgrade to a new one is a must.

      To get the full support for your pfSense 2.1+ network, follow these steps:

      1. Log in to the web interface and go to Interfaces > WAN
      2. Select DHCP6 in IPv6 Configuration type
      3. Set the prefix to 64 and leave everything else unchecked.
      4. Save and Apply the changes
      5. Go to Interfaces > LAN
      6. Select Track Interface in the IPv6 Configuration type
      7. Select the Track Interface (WAN) and leave the Prefix ID set at 0
      8. Save and Apply the Changes
      9. Go to Firewall > Rules and create a new rule by clicking the + button to make a rule for the WAN interface

      The following must be entered:

      
      Proto     Source  Port  Destination  Port  Gateway  Queue
      IPv6/UDP  *       547   *            546   *        none
      
      

      Save and Apply the changes.

      Go to: test-ipv6.com to test your IPv6 connection.

      NOTE: There might be some error (!) in the test; that's normal.

      Sites with IPv6:

      ipv6.google.com
      www.v6.facebook.com

      • P
        priller
        last edited by

        @pfSense2User:

        9. Go to Firewall > Rules and create a new rule by clicking the + button to make a rule for the WAN interface

        The following must be entered:

        
        Proto     Source  Port  Destination  Port  Gateway  Queue
        IPv6/UDP  *       547   *            546   *        none
        
        

        No need to manually enter that rule, it's already a built-in default rule.

        /etc/inc/filter.inc

        pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
        

        pfctl -sr

        pass in quick on igb3 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
        pass out quick on igb3 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
        

        I've been running Comcast IPv6 for about a year now without any special fw rules defined.

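The check described in the reply above, as an added example that is not part of the original thread or pfSense's own code: this Python sketch parses `pfctl -sr` output, treats `547`/`dhcpv6-server` and `546`/`dhcpv6-client` as the same ports, and lists hand-added rules that duplicate the built-in DHCPv6 client rules. The first two sample lines are the output quoted in the reply; the other two, including the `USER_RULE` label, are constructed assumptions.

```python
import re

# pf prints service names for the numeric ports written in /etc/inc/filter.inc.
PORT_ALIASES = {"dhcpv6-server": 547, "dhcpv6-client": 546}
BUILTIN_LABEL = "allow dhcpv6 client"   # label prefix of the default rules quoted above

RULE_RE = re.compile(
    r'^pass\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<ifc>\S+)\s+.*?'
    r'proto\s+udp\s+from\s+any\s+port\s+=\s+(?P<sport>\S+)\s+'
    r'to\s+any\s+port\s+=\s+(?P<dport>\S+)(?:.*?label\s+"(?P<label>[^"]*)")?'
)

# Lines 1-2 are the pfctl -sr output from the post; lines 3-4 are constructed
# (a hand-added WAN rule with an assumed label, and an unrelated rule).
SAMPLE = '''\
pass in quick on igb3 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
pass out quick on igb3 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
pass in quick on igb3 inet6 proto udp from any port = 547 to any port = 546 keep state label "USER_RULE: dhcp6 (constructed)"
block drop in log inet6 all label "Default deny rule IPv6"
'''

def _port(token):
    """Map a pf port token (service name or number) to an int, or None if unknown."""
    if token in PORT_ALIASES:
        return PORT_ALIASES[token]
    return int(token) if token.isdigit() else None

def dhcpv6_client_rules(ruleset):
    """Return {(interface, direction): [labels]} for rules passing DHCPv6 client traffic."""
    wanted = {"in": (547, 546), "out": (546, 547)}  # server->client in, client->server out
    found = {}
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m and (_port(m["sport"]), _port(m["dport"])) == wanted[m["dir"]]:
            found.setdefault((m["ifc"], m["dir"]), []).append(m["label"] or "")
    return found

def redundant_rules(ruleset):
    """List (interface, direction, label) of rules that duplicate a built-in DHCPv6 rule."""
    out = []
    for (ifc, direction), labels in dhcpv6_client_rules(ruleset).items():
        if any(l.startswith(BUILTIN_LABEL) for l in labels):
            out += [(ifc, direction, l) for l in labels if not l.startswith(BUILTIN_LABEL)]
    return out

if __name__ == "__main__":
    for ifc, direction, label in redundant_rules(SAMPLE):
        print(f"{ifc} {direction}: '{label}' duplicates the built-in DHCPv6 client rule")
```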
        • D
          Doktor Jones
          last edited by

          Comcast apparently just rolled out IPv6 in my area, as I discovered that my pfSense box had picked up an IPv6 address on its WAN that it hadn't had last week. I followed the steps here to make sure everything was configured right; I see IPv6 addresses on my WAN and LAN interfaces, as well as on my laptop, yet my devices don't seem to have IPv6 connectivity.

          My WAN shows an address beginning with 2001:, my LAN and devices show addresses beginning with 2601:, and I have DNS servers of 2001:558:feed::1 and 2001:558:feed::2. From my laptop, an ifconfig en1 | grep inet6 yields the following:
          inet6 2601:AAAA:BBBB:CCCC:XXXX:XXXX:XXXX:XXXX prefixlen 64 autoconf
          inet6 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY prefixlen 64 autoconf temporary
          (in addition to the link-local address) where the "AAAA:BBBB:CCCC" parts are the same across the two (but not those literal hexadecimal digits) and the rest differs between them.

          When I try to ping the DNS servers (i.e. ping6 2001:558:feed::1) from my laptop it just times out. If I run the ping from pfsense I get replies. I also can't ping the WAN's 2001: address or the WLAN's 2601: address, so it seems the problem is that my laptop can't talk to the router over IPv6. Strangely, if I do "ping6 ipv6.google.com", it resolves:
          PING6(56=40+8+8 bytes) 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY --> 2607:f8b0:4006:802::1002
          (yes, it seems to be using the "temporary" address – is that normal?) but still times out.

          Here are screenshots of my configuration. I entirely disabled and re-enabled the WAN interface after making changes, as well as releasing/renewing in Status>Interfaces, but can't get my laptop to connect. I also made sure "Allow IPv6" was enabled under "System>Advanced>Networking". What am I missing?

          (P.S.: I'm running 2.1.2-RELEASE (amd64) / nanobsd (1g) if it makes a difference)

          • K
            kpa
            last edited by

            Sounds like you're only getting the stateless autoconfig (SLAAC) addresses for the pfSense WAN.  If you want IPv6 connectivity for your LAN you'll also need a routed /64 prefix from your ISP that is a distinct subnet from this 2601:AAAA:BBBB:CCCC::/64 subnet that is now on the WAN side of your pfSense system. You then use addresses from the routed /64 prefix on your LAN.

            • R
              razzfazz
              last edited by

              He was saying that he has a 2601:: address on the LAN side (both pfSense and devices), so clearly address assignment works.

              • R
                razzfazz
                last edited by

                @Doktor:

                My WAN shows an address beginning with 2001:, my LAN and devices show addresses beginning with 2601:, and I have DNS servers of 2001:558:feed::1 and 2001:558:feed::2. From my laptop, an ifconfig en1 | grep inet6 yields the following:
                inet6 2601:AAAA:BBBB:CCCC:XXXX:XXXX:XXXX:XXXX prefixlen 64 autoconf
                inet6 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY prefixlen 64 autoconf temporary
                (in addition to the link-local address) where the "AAAA:BBBB:CCCC" parts are the same across the two (but not those literal hexadecimal digits) and the rest differs between them.

                All of that looks correct. What do your LAN clients show as gateway? (Should be fe80::1:1 on the respective interface.) Anything in the firewall logs on the pfSense box?

                • K
                  kpa
                  last edited by

                  Ok I re-read the question and it should work with those addresses. However, how are your LAN rules for IPv6 traffic?

                  • D
                    Doktor Jones
                    last edited by

                    The only block activity I'm seeing w/r/t IPv6 is the following:

                    WLANINT / [fe80::5e96:9dff:fe95:8781]:5353 / [ff02::fb]:5353 / UDP

                    which appears to be multicast DNS, and this is right after attempting a ping6. Of note, that does seem to be my laptop's link-local IPv6 address, but I'm not seeing any other IPv6 traffic getting blocked.

                    As far as rules go, I have a "IPv6 from WLANINT to any" rule set up; do I need anything beyond this?

                    • P
                      priller
                      last edited by

                      For IPv6 connectivity with Comcast DHCP-PD, there is no need to add any rules whatsoever.  It will work "out of the box".

                      You do NOT need that udp 546/547 rule.  (see:  https://forum.pfsense.org/index.php?topic=75795.msg413493#msg413493 )

                      I would recommend getting rid of that rule and any other IPv6 rule you have configured and get back to a basic "plain vanilla" configuration.

                      • D
                        Doktor Jones
                        last edited by

                        Okay, I don't know if removing the UDP 546/547 rule fixed it, or if the problem is specifically with my wireless interface and/or Macbook; right now I'm at work and tunneled into my home network, and my Windows desktop (which is on a wired connection) has full IPv6 connectivity. I will report back tonight when I get home with more results. Specifically, I'll test with my Macbook on wireless, then on wired, and see if I get different results.

                        If it matters, my pfSense box has an Atheros ar9280 wireless card in it.

                        • D
                          Doktor Jones
                          last edited by

                          It looks like my Macbook has full IPv6 connectivity now :)

                          I've also changed my "DHCPv6 Prefix Delegation size" on the WAN interface to a /60 and enabled "Send IPv6 prefix hint", and set each of my three internal networks to a separate "IPv6 Prefix ID". Now my private WiFi systems are getting IPv6 addresses in one /64, LAN systems are getting IPv6 addresses in another, and my public WiFi systems are getting IPv6 addresses in a third.

                          Thanks!

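How a delegated prefix and a per-interface "IPv6 Prefix ID" map to distinct /64 networks, as an added example that is not part of the original thread: it shows why a /64 delegation only leaves Prefix ID 0 usable, while a /60 gives sixteen IDs for separate internal networks. The documentation prefix `2001:db8:0:10::/60`, the interface names and the ID assignments are assumptions made for illustration.

```python
import ipaddress

def lan_prefix(delegated, prefix_id):
    """Return the /64 a tracking interface with this Prefix ID gets from the delegation."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot supply a /64 LAN")
    id_bits = 64 - net.prefixlen            # /64 -> 0 bits (ID 0 only), /60 -> 4 bits (0..15)
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"Prefix ID {prefix_id:#x} does not fit in a /{net.prefixlen} delegation")
    # The Prefix ID fills the bits between the delegated length and bit 64.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def plan(delegated, interfaces):
    """Map {interface: prefix_id} to {interface: /64}, rejecting IDs used twice."""
    seen = {}
    result = {}
    for name, prefix_id in interfaces.items():
        if prefix_id in seen:
            raise ValueError(f"{name} and {seen[prefix_id]} share Prefix ID {prefix_id:#x}")
        seen[prefix_id] = name
        result[name] = lan_prefix(delegated, prefix_id)
    return result

if __name__ == "__main__":
    # Constructed values: three internal networks tracking a WAN that received a /60.
    nets = plan("2001:db8:0:10::/60", {"LAN": 0, "private WiFi": 1, "public WiFi": 2})
    for name, net in nets.items():
        print(f"{name:13} {net}")
    # With only a /64 delegated, any Prefix ID other than 0 is rejected.
    try:
        lan_prefix("2001:db8:0:10::/64", 1)
    except ValueError as exc:
        print("error:", exc)
```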