Netgate Discussion Forum

    /60 on WAN, /63 on LAN

    26 Posts 5 Posters 2.8k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator

      Yeah that would be borked - just set up a HE tunnel and be done with all this ISP lack of understanding would be my suggestion..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • JKnottJ
        JKnott @Derelict

        @derelict said in /60 on WAN, /63 on LAN:

        You are probably actually getting a /59 from Comcast which is pretty much nonsensical.

        It may be unusual, but there's nothing wrong with it, as it will provide 32 /64s. With my ISP, I can select anything between a /64 and /56.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • johnpozJ
          johnpoz LAYER 8 Global Moderator

          I think the problem is asking for /60 and getting /59..

          If you ask for /59 do you get a /58?

          • D
            deet @johnpoz

            @johnpoz said in /60 on WAN, /63 on LAN:

            Yeah that would be borked - just set up a HE tunnel and be done with all this ISP lack of understanding would be my suggestion..

            Does Netflix still block He.net?

            • D
              deet @johnpoz

              @johnpoz said in /60 on WAN, /63 on LAN:

              I think the problem is asking for /60 and getting /59..

              If you ask for /59 do you get a /58?

              I don’t have /59 as an option in the drop-down. I suppose I could try configuring it manually.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator

                sure it's there..

                0_1529169977581_delgation.png

                Where are you not seeing that as an option?

                • D
                  deet @johnpoz

                  @johnpoz perhaps that’s not available on this 32-bit system running 2.3.4.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator

                    dude... If you're running old, you need to state that.. Why would you not be running current?

                    • JKnottJ
                      JKnott @johnpoz

                      @johnpoz said in /60 on WAN, /63 on LAN:

                      dude... If you're running old, you need to state that.. Why would you not be running current?

                      There's also a setting in newer versions that prevents pfSense from releasing the prefix for something as trivial as disconnecting/reconnecting the WAN Ethernet connection. Until that setting appeared, I had to occasionally update my DNS AAAA records with the new addresses.

                      • D
                        deet @johnpoz

                        @johnpoz 2.3 is current for 32-bit systems. It’s not a factor, except in the UI, which is a factor only because of the need for a workaround, which is just as feasible in a manual configuration. Forget I mentioned it.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator

                          No 2.3.5p2 is current for 32 bit.. not 2.3.4

                          Which not only all the pfsense changes that have happened in the 4 different releases you're behind

                          .4p1
                          .5
                          .5p1
                          .5p2

                          You're also behind on the base changes to FreeBSD, 2.3.4 is 10.3p17 while current on 2.3.5p2 is p26

                          I just do not get why anyone would be behind on updates to their freaking firewall.. If your hardware can only run 32bit - guess what, it's time for an upgrade!!!

                          • D
                            deet @johnpoz

                            @johnpoz for what it's worth, when I was asking the firewall to check for updates, it was telling me it was on the current version. If it puts your mind at ease, I have downloaded and installed the latest version separately. The issue persists.

                            The firewall otherwise meets the performance requirements and is stable. Unless this issue is addressed on a 64-bit system, I see no reason to replace the equipment.

                            In fact, none of this seems relevant to the thread.

                            Asking for a /59 delegation through the GUI has not helped. I've cleared the DUID. The messages in the logs are effectively the same. The consensus seems to be that this is errant behavior by the Cisco CPE from Comcast, and there seems to be no stable resolution, except to ask for different CPE from Comcast, which I can do next week.

                            Thanks to everyone for having a look.

                            • JKnottJ
                              JKnott @deet

                              @deet said in /60 on WAN, /63 on LAN:

                              The consensus seems to be that this is errant behavior by the Cisco CPE from Comcast, and there seems to be no stable resolution, except to ask for different CPE from Comcast, which I can do next week.

                              I wonder if this has anything to do with why my ISP (Rogers) won't configure IPv6 on a Cisco cable modem. I had to change modems from Cisco to Hitron, in order to get IPv6.

                              • M
                                macnerd

                                I've been banging my head the last week getting a Comcast to work.

                                Networking isn't my strong point but looking at the following capture the Prefix Length is :59 which pfsense shows as a /63 on LAN with Track Interface.

                                Deet, Netflix still blocks HE. I tried last night.

                                One of you mentioned there's another Comcast modem that doesn't have this issue?

                                IA Prefix
                                Option: IA Prefix (26)
                                Length: 25
                                Value: 00053b0d00053b0d3b260330000f000xxx00000000000000...
                                Preferred lifetime: 342797
                                Valid lifetime: 342797
                                Prefix length: 59
                                Prefix address: 2603:3000:f00:xxxx::
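
The IA Prefix option shown in the capture above, decoded by its RFC 8415 layout (two 32-bit lifetimes, a one-byte prefix length, a 16-byte prefix) and split into /64s. This is an added example, not part of any post in this thread and not pfSense code; the function names are hypothetical, the sample bytes are constructed with a documentation prefix in place of the redacted one, and it assumes a tracking interface takes the /64 at index Prefix ID.

```python
import ipaddress
import struct

OPTION_IAPREFIX = 26  # IA Prefix option code (RFC 8415)

# Constructed sample: lifetimes and prefix length as in the capture above,
# with a documentation prefix standing in for the redacted one.
SAMPLE = (struct.pack("!HHIIB", OPTION_IAPREFIX, 25, 342797, 342797, 59)
          + ipaddress.IPv6Address("2001:db8:f00:aae0::").packed)

def parse_ia_prefix(option: bytes) -> dict:
    """Decode one IA Prefix option: code, length, then the 25-byte value."""
    if len(option) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack_from("!HH", option, 0)
    if code != OPTION_IAPREFIX:
        raise ValueError(f"not an IA Prefix option (code {code})")
    if length < 25 or len(option) < 4 + length:
        raise ValueError("IA Prefix option truncated")
    preferred, valid, plen = struct.unpack_from("!IIB", option, 4)
    if plen > 128:
        raise ValueError(f"impossible prefix length {plen}")
    if preferred > valid:
        raise ValueError("preferred lifetime exceeds valid lifetime")
    # strict=False masks any stray bits below the prefix length.
    addr = ipaddress.IPv6Address(option[13:29])
    network = ipaddress.IPv6Network((addr, plen), strict=False)
    return {"preferred": preferred, "valid": valid, "network": network}

def subnet_count(delegated) -> int:
    """Number of /64s in the delegation: a /59 holds 2**(64-59) = 32."""
    if delegated.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    return 1 << (64 - delegated.prefixlen)

def lan_subnet(delegated, prefix_id: int):
    """The /64 at index prefix_id inside the delegated prefix."""
    if not 0 <= prefix_id < subnet_count(delegated):
        raise ValueError(f"prefix ID {prefix_id} outside {delegated}")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))

if __name__ == "__main__":
    pd = parse_ia_prefix(SAMPLE)["network"]
    print(pd, subnet_count(pd), lan_subnet(pd, 1))
```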

                                • M
                                  macnerd

                                  I have the same setup from Comcast at work and at home. Today I had success doing the following at both sites but I'm almost positive I've tried this before without luck...

                                  WAN:
                                  DHCP6
                                  PD Size is set to 59.
                                  Send prefix hint is not checked. I figured if they're sending something different than I'm requesting I'd try not sending a hint.

                                  LAN:
                                  Track WAN
                                  Prefix ID 1

                                  DHCP6 Server & RA:
                                  DHCP6 server is on with a range configured.
                                  RA is set to Managed. (so far this is the only way I've had success. Unmanaged seems to break my clients)

                                  The LAN is not picking up the next /64, i.e. 2603:3000:f00:xxe1:: but the WAN is 2603:3000:f00:xxx0::. It ends in my PD of 1 but a different number before it. Is this normal?

                                  DHCP6 is on for LAN. RA is set to Managed. This is the only way I can get my end clients to get to the internet via IPv6.

                                  The weird part is I can't ping an IPv6 address from pfsense when using the LAN interface as the source. But clients on that interface can.

                                  Also, I set the Cisco cable modem's DHCP lease to 1 hour, after about a half hour IPv6 quit working until I went back into the WAN interface and re-saved. I saw a post over on the Comcast forums that someone set DHCP to never expire which appeared to work for them so I've set that. So far IPv6 has remained up.

                                  • D
                                    deet

                                    I’ve had a suspicion that getting it wrong in pfsense can offend the Comcast equipment for a day or two. More than once, I’ve come back to something a few days later to find it unexpectedly working. All the DHCP lease fiddling I can think of never seems to help in the moment, but then days later, things are fine.

                                    The differing prefix seems normal. Comcast seems to use a different but similar subnet for the PDs.

                                    I’m going to take another shot at all this. If yours magically works then maybe it’s my lucky day too.

                                    • M
                                      macnerd @deet

                                      @deet Exactly what I've been through. :( In case I wasn't clear, my PD on LAN is now a /64. Before with WAN set to /59 and hinting I was getting the /63 on WAN.

                                      I also turned off the firewall on the cable modem. Under firewall for IPv4 and 6 select Custom then at the bottom the last check box is where you can disable it. It's kind of hidden.
