Netgate Discussion Forum

    Comcast IPv6 address issue

    20 Posts 5 Posters 5.5k Views
    • Gertjan

      This issue :
      @hendersonmc:

      My ISP was Earthlink, who used Comcast to provide me with broadband via a cable modem. A couple of years ago, IPv6 started working with my pfSense router/firewall automatically, based on the default configuration settings for WAN and LAN. This worked until my Comcast-provided cable modem died. After replacing it, IPv6 was lost, as the WAN quit getting an IPv6 address through DHCP6. I tried and failed to convince anyone to reconfigure, so I went to tunnelbroker.net for an IPv6 tunnel, which worked OK until my IPv4 address changed (replacing another broken cable modem was the cause of this). A little digging allowed me to correct my tunnelbroker.net configuration to point to the new IPv4 address, and everything worked again. Until this month.

      I got a letter at the beginning of the month from Comcast saying Earthlink was being bought out and my service would become exclusively provided by them by the end of the month. Naturally, they did not wait. Once again, my IPv4 address changed and IPv6 tunneling was broken. Hoping that I could get IPv6 support directly, I plugged my Mac directly into the cable modem and was pleased to see that I had a public IPv6 address. Testing the configuration at http://ipv6-test.com gave me a score of 19/20 successful tests. I got a 10 out of 10 from http://test-ipv6.com

      You are aware of the fact that pfSense has a tool (some sort of DDNS checker) that automatically updates the IPv4 (WAN) address used by the tunnelbroker "he.net" when it changes?

      I noticed that the IPv6 address has a prefix length of 128 bits.

      If this "ComCast" deals out IPv6 addresses like IPv6 /128, you should give them a call. Tell them that you are stopping all relations with them.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • Derelict LAYER 8 Netgate

        It is OK to have a /128 on WAN. But there has to be a prefix delegation to go with it. That will probably be a /56 with Comcast.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • MikeV7896

          It'll actually be a /64 by default… it can be requested as small as /60 for residential or /56 for Business-class service.

          Do note that since you've already received an address (and possibly a prefix has been assigned to you) you'll probably want to delete the /var/db/dhcp6.duid file so that the DHCPv6 client generates a new DUID for a new lease. That will ensure that you get the prefix size that you request. If you don't delete the DUID file, Comcast's servers will find the existing prefix delegation and continue to give that to you, even though you're requesting something different.

          The S in IOT stands for Security

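An added example, not part of the thread and not pfSense code: a POSIX sh decoder for the DUID file the post above says to delete (pfSense keeps it at /var/db/dhcp6_duid, as hendersonmc corrects later in the thread). It assumes the WIDE-DHCPv6 on-disk layout, a 2-byte length in host byte order followed by the raw DUID, and decodes the DUID-LLT and DUID-LL forms from RFC 8415, so you can see the identifier the ISP's DHCPv6 server has bound your existing prefix delegation to before you decide to throw it away. The sample file written by `duid_sample` is constructed; the MAC in it is the WAN MAC that appears later in this thread.

```shell
#!/bin/sh
# Decode a WIDE-DHCPv6 dhcp6c DUID file (pfSense: /var/db/dhcp6_duid).
# Added example. Assumed on-disk layout, from the dhcp6c source: a 2-byte
# length in host byte order (little-endian on amd64) followed by the raw DUID
# as defined in RFC 8415 section 11. Output is one key=value per line;
# returns 1 if the file is empty, truncated or inconsistent.
duid_decode() {
    # turn the file into one hex byte per positional parameter
    set -- $(od -An -v -tx1 "$1")
    [ $# -ge 4 ] || return 1
    len=$((0x$2$1))                  # little-endian length prefix
    shift 2
    [ $# -eq "$len" ] || return 1    # body must match the prefix exactly
    type=$((0x$1$2))
    case $type in
    1)  # DUID-LLT: hardware type, time (seconds since 2000-01-01 UTC), MAC
        [ $# -ge 9 ] || return 1
        hwtype=$((0x$3$4))
        secs=$((0x$5$6$7$8))
        shift 8
        mac=$(printf '%s:' "$@"); mac=${mac%:}
        echo "type=DUID-LLT"
        echo "hwtype=$hwtype"
        echo "time=$((secs + 946684800))"   # converted to Unix epoch seconds
        echo "lladdr=$mac"
        ;;
    3)  # DUID-LL: hardware type, MAC (no timestamp)
        [ $# -ge 5 ] || return 1
        hwtype=$((0x$3$4))
        shift 4
        mac=$(printf '%s:' "$@"); mac=${mac%:}
        echo "type=DUID-LL"
        echo "hwtype=$hwtype"
        echo "lladdr=$mac"
        ;;
    *)  # DUID-EN (2), DUID-UUID (4) or unknown: dump the identifier bytes
        shift 2
        echo "type=$type"
        echo "raw=$(printf '%s' "$@")"
        ;;
    esac
}

# Write a constructed sample file: DUID-LLT, Ethernet, a 2017 timestamp and
# the WAN MAC that appears later in this thread. Not a real lease identifier.
duid_sample() {
    printf '\016\000\000\001\000\001\041\172\073\034\304\054\003\005\101\015' > "$1"
}
```

On the firewall, `duid_decode /var/db/dhcp6_duid` shows what the server will match on: a DUID-LLT carries the MAC of the NIC dhcp6c first ran on plus the time it was generated, and it stays the same through modem and WAN MAC changes. That is why an existing delegation keeps coming back until the file is removed and dhcp6c mints a new identity.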
          • hendersonmc

            @Gertjan:

            This issue :
            @hendersonmc:

            I got a letter at the beginning of the month from Comcast saying Earthlink was being bought out and my service would become exclusively provided by them by the end of the month. Naturally, they did not wait. Once again, my IPv4 address changed and IPv6 tunneling was broken. Hoping that I could get IPv6 support directly, I plugged my Mac directly into the cable modem and was pleased to see that I had a public IPv6 address. Testing the configuration http://ipv6-test.com gave me a score of 19/20 successful tests. I got a 10 out 10 from http://test-ipv6.com

            You are aware of the fact that pfSense has a tool (some sort of DDNS checker) that updates automatically your IPv4 (WAN) used by the tunnelbroker "he.net" when it changes ?

            By DDNS checker tool, I assume you are referring to Dynamic DNS service, which I have a configuration for.  When I check this service, all I see is the cached IPv4 address… I guess this implies that IPv6 isn't supported by either the DDNS protocol, or the implementation of the DDNS protocol by pfsense or the cloud service provider I have chosen (No-IP).

            By the way, how did you know that the one test I failed on http://ipv6-test.com was for no reverse DNS record?

            • hendersonmc

              @Derelict:

              It is OK to have a /128 on WAN. But there has to be a prefix delegation to go with it. That will probably be a /56 with Comcast.

              I have two IPv6 gateways now: the Comcast gateway with an IPv6 Link Local address and the tunnelbroker gateway with a public IPv6 address. Both have 0.0% packet loss, and the geographically closer Comcast gateway has 38% the latency of the tunnelbroker gateway. But the Diagnostics / Routes display says that the tunnelbroker gateway is the default route for all IPv6 traffic, and the Comcast gateway has only one entry in the route table, which has never been used.

              Is IPv6 traffic routing related to the fact that the /64 IPv6 addresses I have configured for the LAN are nearly the same as the /64 IPv6 addresses used by the tunnel (both address ranges are in the same /47 CIDR and, except for bit 48, are identical in the first 64 bits)? All I know is that I have never defined any routes that pfSense uses, so the routes I see are either statically set up by related configuration settings, or set up dynamically based on traffic received.

              • hendersonmc

                @virgiliomi:

                Do note that since you've already received an address (and possibly a prefix has been assigned to you) you'll probably want to delete the /var/db/dhcp6.duid file so that the DHCPv6 client generates a new DUID for a new lease. That will ensure that you get the prefix size that you request. If you don't delete the DUID file, Comcast's servers will find the existing prefix delegation and continue to give that to you, even though you're requesting something different.

                I tried that (p.s. the filename is /var/db/dhcp6_duid), but the gateway still shows up with a Link Local address

                • MikeV7896

                  Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

                  And sorry about the . vs _ in the filename. :)

                  • hendersonmc

                    @virgiliomi:

                    Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

                    And sorry about the . vs _ in the filename. :)

                    Well, even after regenerating that file, I am getting no IPv6 traffic through the Comcast gateway. There are many advanced settings for IPv6… should I mess with them?

                    • Gertjan

                      @hendersonmc:

                      By DDNS checker tool, I assume you are referring to Dynamic DNS service, which I have a configuration for.  When I check this service, all I see is the cached IPv4 address… I guess this implies that IPv6 isn't supported by either the DDNS protocol, or the implementation of the DDNS protocol by pfsense or the cloud service provider I have chosen (No-IP).

                      he.net uses an IPv4 "server" address on their side - one needs to know all the time what your WAN IPv4 is.
                      Their setup instructions are clear about that.
                      Added to that, your WAN IPv4 needs to be 'pingable'.
                      On the pfSense side, there exists a tool that does just that - if you set it up.
                      Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker" type service. The settings are taken from your "he.net IPv6 tunnel account" page.
                      This service, comparable to what No-IP offers btw, will assure that YOUR IPv4 is known all the time at he.net.
                      The end to end IPv4 connection will be used to open a "channel" that's used to encapsulate the IPv6 stream.
                      The GIF interface part will decode the IPv6 stream on "our" (= pfsense) side.

                      You can check if the correct IPv4 (your WAN IP) is present by visiting your he.net IPv6 tunnel account.

                      @hendersonmc:

                      By the way, how did you know that the one test I failed on http://ipv6-test.com was for no reverse DNS record?

                      Seems not important to me.

                      • MikeV7896

                        @hendersonmc:

                        @virgiliomi:

                        Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

                        And sorry about the . vs _ in the filename. :)

                        Well, even after regenerating that file, I am getting no IPv6 traffic through the Comcast gateway. There are many advanced settings for IPv6… should I mess with them?

                        So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es)). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.

                        • hendersonmc

                          @Gertjan:

                          he.net uses an IPV4 "server" address on their side - on needs to know all the time what your WAN IPv4 is.
                          Their setup instructions are clear about that.
                          Added to that, your WAN IPv4 needs to be 'pingable'.

                          This sounds to me like the instructions for setting up the tunnel… it is setup and works fine, other than having no AAAA record.

                          @Gertjan:

                          On the pfSense side, there exists a tool that does just that - if you set it up.
                          Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker " type service. The settings are taken from your "he.net IPv6 tunnel account" page.

                          Thanks for pointing out that pfSense allows more than one Dynamic DNS configuration!

                          @Gertjan:

                          he.net uses an IPV4 "server" address on their side - on needs to know all the time what your WAN IPv4 is.
                          Their setup instructions are clear about that.
                          Added to that, your WAN IPv4 needs to be 'pingable'.
                          On the pfSense side, there exists a tool that does just that - if you set it up.
                          Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker " type service. The settings are taken from your "he.net IPv6 tunnel account" page.
                          This service, comparable to what No-IP offers btw, will assure that YOUR IPv4 is known all the time at he.net.

                          Instructions for filling out the pfSense Dynamic DNS Client configuration for HE.net (aka tunnelbroker.net) are right on the configuration page; namely, for Hostname it says "he.net tunnelbroker: Enter the tunnel ID".

                          That said, I am failing with interesting entries in the system log; consider this…

                          Jan 3 16:19:22 php-fpm 37351 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
                          Jan 3 16:19:22 check_reload_status Syncing firewall
                          Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
                          Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD: abuse
                          Jan 3 16:19:12 check_reload_status Syncing firewall
                          Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
                          Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD:
                          Jan 3 16:18:56 check_reload_status Syncing firewall
                          Jan 3 16:18:40 php-fpm 79049 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
                          Jan 3 16:18:40 check_reload_status Syncing firewall

                          All I am changing to try to get something to work is which interface I am selecting, namely my WAN, IPV6 tunnel, or LAN.

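An added example, not pfSense's dyndns code: the checks a pfSense-style HE.net tunnel updater should make, in POSIX sh. It assumes HE's dyndns-style update API (GET https://ipv4.tunnelbroker.net/nic/update?hostname=<tunnel id>&myip=<ipv4> with HTTP basic auth using the HE username and the tunnel's update key; confirm the endpoint against your tunnel's page on tunnelbroker.net) and the dyndns convention for reply bodies ("good <ip>", "nochg <ip>", "badauth", "nohost", "abuse"). Two failure modes visible in the log above are handled explicitly: an address that cannot be a tunnel endpoint (a LAN, tunnel or CGNAT address) is refused before anything is sent, and an "abuse" reply, which in that convention means the account or host has been blocked for update abuse, is treated as a stop signal rather than something to retry every few seconds. The tunnel ID and credentials used in the checks are placeholders.

```shell
#!/bin/sh
# Keep an HE.net (tunnelbroker.net) 6in4 tunnel's client endpoint in sync
# with the WAN IPv4 address, the job pfSense's "HE.net Tunnelbroker" Dynamic
# DNS client does. Added example, not pfSense code. Assumptions:
#  - HE's dyndns-style API: GET https://ipv4.tunnelbroker.net/nic/update
#    ?hostname=<tunnel id>&myip=<ipv4>, basic auth = HE username + update key.
#  - Reply bodies follow the dyndns convention: "good <ip>", "nochg <ip>",
#    "badauth", "nohost", "abuse".
HE_UPDATE_URL=${HE_UPDATE_URL:-https://ipv4.tunnelbroker.net/nic/update}

# is_public_ipv4 ADDR -> 0 if ADDR can be a tunnel endpoint, 1 otherwise.
# The endpoint must be globally routable: private, CGNAT (100.64/10),
# loopback, link-local, multicast and malformed addresses are rejected.
is_public_ipv4() {
    case $1 in
        0.*|10.*|127.*|169.254.*|192.168.*|22[4-9].*|2[3-5][0-9].*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
    esac
    # exactly four dotted-decimal octets, each 0-255
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# he_update_url TUNNEL_ID IPV4 -> prints the update URL
he_update_url() {
    printf '%s?hostname=%s&myip=%s\n' "$HE_UPDATE_URL" "$1" "$2"
}

# he_classify REPLY -> prints ok|unchanged|auth|blocked|error; returns 0
# only for ok/unchanged. "abuse" means HE has blocked further updates, so
# the caller must back off instead of looping.
he_classify() {
    case $1 in
        "good "*)  echo ok;        return 0 ;;
        "nochg "*) echo unchanged; return 0 ;;
        badauth)   echo auth;      return 1 ;;
        abuse)     echo blocked;   return 1 ;;
        *)         echo error;     return 1 ;;   # nohost, empty, anything else
    esac
}

# he_update USER KEY TUNNEL_ID IPV4 -> one update over HTTPS with curl.
# Refuses to send a non-public address at all (that is the wrong interface
# or an unbridged CPE, and no amount of retrying fixes it).
he_update() {
    is_public_ipv4 "$4" || { echo "refusing to send non-public endpoint $4" >&2; return 1; }
    reply=$(curl -fsS -u "$1:$2" "$(he_update_url "$3" "$4")")
    he_classify "$reply"
}
```

The pfSense client does the equivalent of `he_update` on a timer and when the WAN address changes; what matters operationally is that the interface it reads the address from is the WAN, and that an "abuse" answer is a reason to stop and check the account, not to resubmit.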
                          • hendersonmc

                            @virgiliomi:

                            So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es)). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.

                            Just a modem… by special request!

                            • hendersonmc

                              I tracked down one issue; the dhcp6c process is being started twice for the same interface.

                              root    58549  0.0  0.1 10096  1832  -  Is    8:07PM    0:00.11 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
                              root    91097  0.0  0.1 10096  1824  -  Is    8:07PM    0:00.10 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0

                              Does anyone know how the hidden startup files can be corrected? Just editing the interface through the pfSense Interface Configuration editor is not correcting the problem.

                              • Guest

                                @hendersonmc:

                                I tracked down one issue; the dhcp6c process is being started twice for the same interface.

                                That one rears its ugly head again; I've been working on a fix for that. What version of pfSense are you running?

                                • hendersonmc

                                  Here are the snapshots for the Interface Assignment and WAN Interface windows. All I change in the WAN Interface Configuration is the IPv6 Configuration Type to DHCPV6, then Save and Apply. While starting, I see this

                                  root    15315  1.0  0.1 10096  1828  -  Ss  10:34AM    0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
                                  root    74226  1.0  0.1 10460  2072  -  S    10:34AM    0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh
                                  root    81074  0.0  0.1 10460  2084  -  S    10:34AM    0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
                                  root    81512  0.0  0.1 10264  1908  -  S    10:34AM    0:00.00 grep dhcp6c

                                  And then I see this

                                  root    15315  0.0  0.1 10096  1828  -  Is  10:34AM    0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
                                  root    80687  0.0  0.1 10460  2084  -  S    10:38AM    0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
                                  root    81304  0.0  0.1 10264  1908  -  S    10:38AM    0:00.00 grep dhcp6c

                                  The DHCP log looks like this

                                  Jan 4 10:34:33 dhcp6c 15241 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
                                  Jan 4 10:34:33 dhcp6c 15241 failed initialize control message authentication
                                  Jan 4 10:34:33 dhcp6c 15241 skip opening control port
                                  Jan 4 10:34:48 dhcp6c 15315 XID mismatch

                                  And the system log show this
                                  Jan 4 10:53:26 php-fpm 11639 /system_gateways.php: ROUTING: setting IPv6 default route to fe80::213:5fff:fe05:bfe2%em0
                                  Jan 4 10:53:27 php-fpm 11639 /system_gateways.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 3 leases to leases file. Listening on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Sending on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you think you have received this mes
                                  Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: The command '/sbin/route delete -host 2001:470:20::2 ' returned exit code '68', the output was 'route: bad address: 2001:470:20::2'
                                  Jan 4 10:53:29 check_reload_status Reloading filter
                                  Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: Removing static route for monitor fe80::213:5fff:fe05:bfe2 and adding a new route through fe80::213:5fff:fe05:bfe2%em0

                                  The WAN Interface looks like this

                                  WAN Interface (wan, em0)
                                  Status                      up
                                  DHCP                        up
                                  MAC Address                  c4:2c:03:05:41:0d - Apple
                                  IPv4 Address                98.195.72.200
                                  Subnet mask IPv4            255.255.248.0
                                  Gateway IPv4                98.195.72.1
                                  IPv6 Link Local              fe80::c62c:3ff:fe05:410d%em0
                                  IPv6 Address                2001:558:6022:b:c40:ffa:c94:3324
                                  Subnet mask IPv6            128
                                  Gateway IPv6                fe80::213:5fff:fe05:bfe2
                                  DNS servers
                                                              127.0.0.1
                                                              2001:470:20::2
                                                              74.82.42.42
                                                              68.87.85.102
                                                              208.67.220.220
                                  MTU                          1500
                                  Media                        1000baseT <full-duplex>
                                  In/out packets              29523479/11443436 (33.45 GiB/1.06 GiB)
                                  In/out packets (pass)        29523479/11443436 (33.45 GiB/1.06 GiB)
                                  In/out packets (block)        123447/3244    (18.98 MiB/374 KiB)
                                  In/out errors                0/1
                                  Collisions                  0

                                  For my network, the IPv6 traffic is not forwarding. I am still using the public addresses that tunnelbroker gave me on the LAN, which might be a reason, although I can't understand what is wrong.

                                  I am also now noting a strange behavior that the IPv6 traffic that is enabled for logging in the UI is not showing up in formatted logs. Is this because the IPv6 traffic can't be forwarded?

                                  • hendersonmc

                                    @marjohn56:

                                    That one rears it's ugly head again, I've been working on a fix for that. What version of PFSense are you running?

                                    Latest version.

                                    However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clear the Enabled flag, save, and then reboot.

                                    Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…

                                    • Guest

                                      @hendersonmc:

                                      @marjohn56:

                                      That one rears it's ugly head again, I've been working on a fix for that. What version of PFSense are you running?

                                      Latest version.

                                      However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but, I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clearing the Enabled flag, save, and then reboot.

                                      Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…

                                      I was able to replicate the issue, it's quite random but I did see it. If you are not running with dhcp6 before ra you may want to try this patch. I have put a lock inside the rtsold script where it runs dhcp6c, it means it can never run two copies of dhcp6c. If you want to try it then I would ask you to pm me as I will need feedback on your findings.

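An added example of the idea marjohn56 describes, in POSIX sh; it is not his patch and not pfSense's rtsold script. A start-once guard keyed on the daemon's pidfile, with an atomic `mkdir` as the lock, means two overlapping runs of the trigger script cannot leave two copies of dhcp6c on em0 the way hendersonmc's ps output shows. The pidfile path and dhcp6c command line in the comment are the ones shown earlier in the thread; `dhcp6c -f` (stay in the foreground) is assumed from dhcp6c(8).

```shell
#!/bin/sh
# Start a daemon at most once per pidfile, so that two concurrent runs of a
# trigger script (here: the rtsold(8) hook that launches dhcp6c for the WAN)
# cannot end up with two dhcp6c processes on the same interface.
# Added example, not pfSense's rtsold script or marjohn56's patch.
#
# start_once PIDFILE CMD [ARGS...]
#   returns 0 if CMD was started, 1 if the recorded process is still alive,
#   2 if another starter currently holds the lock.
# CMD must stay in the foreground (dhcp6c -f) so that $! is the daemon's pid.
# If you let the daemon detach and write its own pidfile (dhcp6c -p), drop
# the "echo $!" line and the daemon's own file becomes the liveness record.
start_once() {
    pidfile=$1; shift
    lockdir=$pidfile.lock
    # mkdir(2) is atomic: of two racing callers exactly one wins the lock.
    # A lock left behind by a starter killed mid-way must be removed by hand.
    mkdir "$lockdir" 2>/dev/null || return 2
    if [ -s "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        rmdir "$lockdir"
        return 1
    fi
    "$@" &
    echo $! > "$pidfile"
    rmdir "$lockdir"
    return 0
}

# stop_once PIDFILE: terminate the recorded process and clear the pidfile.
stop_once() {
    if [ -s "$1" ]; then kill "$(cat "$1")" 2>/dev/null || :; fi
    rm -f "$1"
}

# How the WAN hook would call it, with the paths from the thread's ps output:
#   start_once /var/run/dhcp6c_em0.pid \
#       /usr/local/sbin/dhcp6c -f -d -c /var/etc/dhcp6c_wan.conf em0
```

Compared with `killall -9 dhcp6c` after the fact, the guard prevents the second instance rather than cleaning it up, and the return code tells the hook whether it started anything, so a second "interface up" event becomes a no-op instead of a second client fighting over the same lease.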
                                      • hendersonmc

                                        Finally solved the dhcp6c process quitting.

                                        Apparently, the tunnelbroker GIF tunnel that I had defined was interfering with the nominal IPv6, even though it was not assigned for any use on the Interfaces (assign) page, because when I deleted it, the WAN interface got a public IPv6 address.

                                        • Derelict LAYER 8 Netgate

                                          Hmm. I have an HE.NET tunnel and happily get DHCPv6 + /56 PD from Cox.

                                          I have been watching it for a while. They are honoring the DUID and not changing my prefix despite new modems and WAN MACs. My IPv4 address with them has changed at least three times since I started getting delegated this prefix.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.