Comcast IPv6 address issue

Gertjan

This issue :
@hendersonmc:

My ISP was Earthlink who used Comcast to provide me with broadband via a cable modem. A couple of years ago, IPv6 started working with my pfsense router/firewall automatically based on the default configuration settings for WAN and LAN. This worked until my Comcast provided cable modem died. After replacing it, IPv6 was lost as the WAN quit getting an IPv6 address through DHCP6. I tried and failed to convince anyone to reconfigure, so, I went to tunnelbroker.net for an IPv6 tunnel, which worked OK until my IPv4 address changed (replacing another broken cable modem was the cause of this).A little digging allowed me to correct my tunnelbroker.net configuration to point to the new IPv4 addressed everything worked again. Until this month.

I got a letter at the beginning of the month from Comcast saying Earthlink was being bought out and my service would become exclusively provided by them by the end of the month. Naturally, they did not wait. Once again, my IPv4 address changed and IPv6 tunneling was broken. Hoping that I could get IPv6 support directly, I plugged my Mac directly into the cable modem and was pleased to see that I had a public IPv6 address. Testing the configuration http://ipv6-test.com gave me a score of 19/20 successful tests. I got a 10 out 10 from http://test-ipv6.com

You are aware of the fact that pfSense has a tool (some sort of DDNS checker) that updates automatically your IPv4 (WAN) used by the tunnelbroker "he.net" when it changes ?

I noticed that the IPv6 address has a prefix length of 128 bits.

If this "ComCast" deals out IPv6 addresses like IPv6 / 128 you should give them a call. Announce them that you stop all relations with them.

Derelict

It is OK to have a /128 on WAN. But there has to be a prefix delegation to go with it. That will probably be a /56 with Comcast.

MikeV7896

It'll actually be a /64 by default… it can be requested as small as /60 for residential or /56 for Business-class service.

Do note that since you've already received an address (and possibly a prefix has been assigned to you) you'll probably want to delete the /var/db/dhcp6.duid file so that the DHCPv6 client generates a new DUID for a new lease. That will ensure that you get the prefix size that you request. If you don't delete the DUID file, Comcast's servers will find the existing prefix delegation and continue to give that to you, even though you're requesting something different.

hendersonmc

@Gertjan:

This issue :
@hendersonmc:

I got a letter at the beginning of the month from Comcast saying Earthlink was being bought out and my service would become exclusively provided by them by the end of the month. Naturally, they did not wait. Once again, my IPv4 address changed and IPv6 tunneling was broken. Hoping that I could get IPv6 support directly, I plugged my Mac directly into the cable modem and was pleased to see that I had a public IPv6 address. Testing the configuration http://ipv6-test.com gave me a score of 19/20 successful tests. I got a 10 out 10 from http://test-ipv6.com

You are aware of the fact that pfSense has a tool (some sort of DDNS checker) that updates automatically your IPv4 (WAN) used by the tunnelbroker "he.net" when it changes ?

By DDNS checker tool, I assume you are referring to Dynamic DNS service, which I have a configuration for.  When I check this service, all I see is the cached IPv4 address… I guess this implies that IPv6 isn't supported by either the DDNS protocol, or the implementation of the DDNS protocol by pfsense or the cloud service provider I have chosen (No-IP).

By the way, how did you know that the one test I failed on http://ipv6-test.com was for no reverse DNS record?

hendersonmc

@Derelict:

It is OK to have a /128 on WAN. But there has to be a prefix delegation to go with it. That will probably be a /56 with Comcast.

I have two IPv6 gateways now; The Comcast gateway with a IPv6 Link Local address and the tunnelbroker gateway with a public IPv6 address. Both have 0.0% packet loss, and the geographically closer Comcast gateway has 38% the latency of the tunnelbroker gateway. But, the Diagnostics / Routes display says that the tunnelbroker gateway is the default route for all IPv6 traffic, and the Comcast gateway has only one entry in the route table that has never been used.

Is IPv6 traffic routing related to the fact that /64 IPv6 addresses I have configured for the LAN are the nearly the same as the /64 IPv6 addresses used by the tunnel (Both address ranges are in the same /47 CIDR, and except for bit 48, are identical in the first 64 bits)? All I know is that I have never defined any routes that pfsense uses, so the routes I see are either statically setup by related configuration settings, or setup dynamically based on traffic received.

hendersonmc

@virgiliomi:

Do note that since you've already received an address (and possibly a prefix has been assigned to you) you'll probably want to delete the /var/db/dhcp6.duid file so that the DHCPv6 client generates a new DUID for a new lease. That will ensure that you get the prefix size that you request. If you don't delete the DUID file, Comcast's servers will find the existing prefix delegation and continue to give that to you, even though you're requesting something different.

I tried that (p.s. the filename is**/var/db/dhcp6_duid**), but the gateway still shows up with a Link Local address

MikeV7896

Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

And sorry about the . vs _ in the filename. :)

hendersonmc

@virgiliomi:

Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

And sorry about the . vs _ in the filename. :)

Well, even after regenerating that file, I am getting no IPv6 traffic through the Comcast gateway. There are many advanced settings for IPv6… should I mess with them?

Gertjan

@hendersonmc:

By DDNS checker tool, I assume you are referring to Dynamic DNS service, which I have a configuration for.  When I check this service, all I see is the cached IPv4 address… I guess this implies that IPv6 isn't supported by either the DDNS protocol, or the implementation of the DDNS protocol by pfsense or the cloud service provider I have chosen (No-IP).

he.net uses an IPV4 "server" address on their side - on needs to know all the time what your WAN IPv4 is.
Their setup instructions are clear about that.
Added to that, your WAN IPv4 needs to be 'pingable'.
On the pfSense side, there exists a tool that does just that - if you set it up.
Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker " type service. The settings are taken from your "he.net IPv6 tunnel account" page.
This service, comparable to what No-IP offers btw, will assure that YOUR IPv4 is known all the time at he.net.
The end to end IPv4 connection will be used to open a "channel" that's used to encapsulate the IPv6 stream.
The GIF interface part will decode the IPv6 stream on "our" (= pfsense) side.

You can check if the correct IPv4 (your WAN IP) is present by visiting your he.net IPv6 tunnel account.

@hendersonmc:

By the way, how did you know that the one test I failed on http://ipv6-test.com was for no reverse DNS record?

Seems not important to me.

MikeV7896

@hendersonmc:

@virgiliomi:

Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

And sorry about the . vs _ in the filename. :)

Well, even after regenerating that file, I am getting no IPv6 traffic through the Comcast gateway. There are many advanced settings for IPv6… should I mess with them?

So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.

hendersonmc

@Gertjan:

he.net uses an IPV4 "server" address on their side - on needs to know all the time what your WAN IPv4 is.
Their setup instructions are clear about that.
Added to that, your WAN IPv4 needs to be 'pingable'.

This sounds to me like the instructions for setting up the tunnel… it is setup and works fine, other than having no AAAA record.

@Gertjan:

On the pfSense side, there exists a tool that does just that - if you set it up.
Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker " type service. The settings are taken from your "he.net IPv6 tunnel account" page.

Thanks for pointing out that pfSense allows more than one Dynamic DNS configuration!

@Gertjan:

he.net uses an IPV4 "server" address on their side - on needs to know all the time what your WAN IPv4 is.
Their setup instructions are clear about that.
Added to that, your WAN IPv4 needs to be 'pingable'.
On the pfSense side, there exists a tool that does just that - if you set it up.
Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker " type service. The settings are taken from your "he.net IPv6 tunnel account" page.
This service, comparable to what No-IP offers btw, will assure that YOUR IPv4 is known all the time at he.net.

Instructions for filling out the pfSense Dynamic DNS Client configuration for HE.net (aka tunnelbroker.net) are right on the configuration page, namely for Hostname you should for "he.net tunnelbroker: Enter the tunnel ID".

That said, I am failing with interesting entries in the system log; consider this…

Jan 3 16:19:22 php-fpm 37351 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
Jan 3 16:19:22 check_reload_status Syncing firewall
Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD: abuse
Jan 3 16:19:12 check_reload_status Syncing firewall
Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD:
Jan 3 16:18:56 check_reload_status Syncing firewall
Jan 3 16:18:40 php-fpm 79049 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
Jan 3 16:18:40 check_reload_status Syncing firewall

All I am changing to try to get something to work is which interface I am selecting, namely my WAN, IPV6 tunnel, or LAN.

hendersonmc

@virgiliomi:

So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.

Just a modem… by special request!

hendersonmc

I tracked down one issue; the dhcp6c process is being started twice for the same interface.

root    58549  0.0  0.1 10096  1832  -  Is    8:07PM    0:00.11 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root    91097  0.0  0.1 10096  1824  -  Is    8:07PM    0:00.10 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0

Does anyone know how the hidden startup files can be corrected? Just editing the interface through the pfSense Interface Configuration editor is not correcting the problem.

Guest

@hendersonmc:

I tracked down one issue; the dhcp6c process is being started twice for the same interface.

That one rears it's ugly head again, I've been working on a fix for that. What version of PFSense are you running?

hendersonmc

Here is the snapshots for the Interface Assignment and WAN Interface windows. All I change in the WAN Interface Configuration is the IPv6 Configuration Type to DHCPV6, then Save and Apply. While starting, I see this

root    15315  1.0  0.1 10096  1828  -  Ss  10:34AM    0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root    74226  1.0  0.1 10460  2072  -  S    10:34AM    0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh
root    81074  0.0  0.1 10460  2084  -  S    10:34AM    0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
root    81512  0.0  0.1 10264  1908  -  S    10:34AM    0:00.00 grep dhcp6c

And then I see this

root    15315  0.0  0.1 10096  1828  -  Is  10:34AM    0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root    80687  0.0  0.1 10460  2084  -  S    10:38AM    0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
root    81304  0.0  0.1 10264  1908  -  S    10:38AM    0:00.00 grep dhcp6c

The DHCP log looks like this

Jan 4 10:34:33 dhcp6c 15241 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jan 4 10:34:33 dhcp6c 15241 failed initialize control message authentication
Jan 4 10:34:33 dhcp6c 15241 skip opening control port
Jan 4 10:34:48 dhcp6c 15315 XID mismatch

And the system log show this
Jan 4 10:53:26 php-fpm 11639 /system_gateways.php: ROUTING: setting IPv6 default route to fe80::213:5fff:fe05:bfe2%em0
Jan 4 10:53:27 php-fpm 11639 /system_gateways.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 3 leases to leases file. Listening on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Sending on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you think you have received this mes
Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: The command '/sbin/route delete -host 2001:470:20::2 ' returned exit code '68', the output was 'route: bad address: 2001:470:20::2'
Jan 4 10:53:29 check_reload_status Reloading filter
Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: Removing static route for monitor fe80::213:5fff:fe05:bfe2 and adding a new route through fe80::213:5fff:fe05:bfe2%em0

The WAN Interface looks like this

WAN Interface (wan, em0)
Status                      up
DHCP                        up
MAC Address                  c4:2c:03:05:41:0d - Apple
IPv4 Address                98.195.72.200
Subnet mask IPv4            255.255.248.0
Gateway IPv4                98.195.72.1
IPv6 Link Local              fe80::c62c:3ff:fe05:410d%em0
IPv6 Address                2001:558:6022c40:ffa:c94:3324
Subnet mask IPv6            128
Gateway IPv6                fe80::213:5fff:fe05:bfe2
DNS servers
                            127.0.0.1
                            2001:470:20::2
                            74.82.42.42
                            68.87.85.102
                            208.67.220.220
MTU                          1500
Media                        1000baseT <full-duplex>In/out packets              29523479/11443436 (33.45 GiB/1.06 GiB)
In/out packets (pass)        29523479/11443436 (33.45 GiB/1.06 GiB)
In/out packets (block)        123447/3244    (18.98 MiB/374 KiB)
In/out errors                0/1
Collisions                  0

For my network, the IPv6 traffic is not forwarding. I am still using the public addresses that tunnelbroker gave me on the LAN, which might be a reason, although I can't understand what is wrong.

I am also now noting a strange behavior that the IPv6 traffic that is enabled for logging in the UI is not showing up in formatted logs. Is this because the IPv6 traffic can't be forwarded?</full-duplex>

hendersonmc

@marjohn56:

That one rears it's ugly head again, I've been working on a fix for that. What version of PFSense are you running?

Latest version.

However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but, I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clearing the Enabled flag, save, and then reboot.

Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…

Guest

@hendersonmc:

@marjohn56:

That one rears it's ugly head again, I've been working on a fix for that. What version of PFSense are you running?

Latest version.

However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but, I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clearing the Enabled flag, save, and then reboot.

Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…

I was able to replicate the issue, it's quite random but I did see it. If you are not running with dhcp6 before ra you may want to try this patch. I have put a lock inside the rtsold script where it runs dhcp6c, it means it can never run two copies of dhcp6c. If you want to try it then I would ask you to pm me as I will need feedback on your findings.

hendersonmc

Finally solved the dhcp6c process quitting.

Apparently, the tunnelbroker GIF tunnel that I had defined was interfering with the nominal IPv6, even though it was not assigned for any use on the Interfaces (assign) page, because when I deleted it, the WAN interface got an public IPv6 address.

Derelict

Hmm. I have an HE.NET tunnel and happily get DHCPv6 + /56 PD from Cox.

I have been watching it for a while. They are honoring the DUID and not changing my prefix despite new modems and WAN MACs. My IPv4 address with them as changed at least three times since I started getting delegated this prefix.