IPv6 on SoCal Spectrum

caskater4

I upgraded my spectrum internet to Gigabit today. The tech said I need IPv6 to get the most out of the connection so i've finally gone through the trouble of setting up IPv6 on my pfsense box. I'm running 2.4.4 on a Atom C3758 w/ 16GB RAM.

All of my internal LANs are now set up correctly and give out IPv6 addresses internally. The problem I have is I can't get an outbound IPv6 address from Spectrum. I've tried using DHCP6 and SLAAC with a variety of configurations but nothing seems to obtain an address. If I plug in my Windows 10 laptop directly to the modem I can get an IPv6 address without issue. What am I doing wrong?

Attached are the settings I'm currently using for DHCP6.

JKnott

@caskater4

Show your LAN page. There are some relevant settings there too. Also, I see you've selected a prefix size of 64. This means you'll only have a single /64 prefix available. Many ISPs provide a /56, for 256 /64s. Others may provide a /48 or /60. What does yours provide?

caskater4

Here's the top of that page.

And this is my internal LAN page.

I called Spectrum support to ask about the prefix. They were worthless, even after being escalated they had no idea what I was talking about and would just say "It should be automatic. We don't have any guidance for that." I'll try out some of those other values you mentioned.

caskater4

Is there a way to determine the prefix and any other relevant settings when connecting my laptop?

JKnott

@caskater4

On the LAN page, change IPv6 configuration to track interface and further down enter WAN for IPv6 interface. I am assuming they provide IPv6 via DHCPv6-PD.

JKnott

@caskater4 said in IPv6 on SoCal Spectrum:

Is there a way to determine the prefix and any other relevant settings when connecting my laptop?

On the LAN page, there's a box for prefix ID. Try different sizes. It might say the allowable range in the text below that box.

caskater4

@JKnott said in IPv6 on SoCal Spectrum:

@caskater4

On the LAN page, change IPv6 configuration to track interface and further down enter WAN for IPv6 interface. I am assuming they provide IPv6 via DHCPv6-PD.

When selecting Track Interface, the IPv6 Interface drop down is empty and won't allow me to select WAN for some reason.

chpalmer

@caskater4

LAN interface. Your looking at WAN.

caskater4

Okay that sort of seems to work. WAN is now on DHCP6 (64prefix) and LAN set to Track Interface. I now have an IPv6 address on the WAN and LAN interfaces as well as my internal machines.

Also, when I run test-ipv6.com I get failures still.

Also, if i'm running through Track Interface, isn't that assigning public IPs to all my internal machines? Does that not expose my devices directly to the Internet?

JKnott

@caskater4 said in IPv6 on SoCal Spectrum:

Also, if i'm running through Track Interface, isn't that assigning public IPs to all my internal machines? Does that not expose my devices directly to the Internet?

Yep, you should have 18.4 billion, billion addresses available, which makes it a tad difficult for attackers to find you. Also, that's why you're running a firewall. It will block unauthorized access. As for not getting to the Internet, I'd look at routing issues. You can use Packet Capture to see what's happening, though you'd probably want to download the captures and use Wireshark to analyze them.

Also, you can try different prefix delegation sizes to see what you can get.

caskater4

@JKnott Okay new problem. IPv6 works great but now IPv4 is broken somehow.

I can verify that I can ping/tracert external IPv6 addresses no problem. I can ping/tracert local IPv4 addresses but any external addresses fail to make contact.

Am I going to have to make IPv4 traffic track interface as well? Can I not have a IPv4 NAT and public IPv6 setup? Surely this is common.

Here are my LAN firewall rules. The last two are for opening traffic to the outside world and look correct to me.

And my outbound NAT rules

caskater4

The router can reach IPv4 external addresses no problem.

caskater4

Alright I figured it out. I had some bad rules defined in the WAN interface firewall. Everything is resolved now. Thanks for all your help!

JKnott

@caskater4

Were you able to determine what your available prefix size is?

Also, on the WAN page, there's a setting "Do not allow PD/Address release". Make sure that's checked.

caskater4

I don't see anything that would tell me the prefix size. The subnet mask on the router is 128.

I have a new problem unfortunately. I use AdvancedTomato on a Asus R7000 for WiFi. This is hooked up to the pfsense box and offers multiple SSID bridging to different VLANs.

The problem I am seeing now is that any device connected over WiFi cannot access the internet. None have an IPv6 address but have an IPv4 address. For some reason these devices are also getting an IPv6 DNS server. I assume they are unable to access the Internet because they are trying to use the IPv6 DNS address and can't because they don't have an IPv6 address itself.

I've tried enabling IPv6 support on the Tomato box but it doesn't seem to work. Do any of you have a similar setup with IPv6 working on WiFi?

caskater4

Correction, this appears to only affect IPv6 capable devices. Any device using WiFi that can only do IPv4 works fine without issue.

JKnott

@caskater4 said in IPv6 on SoCal Spectrum:

I don't see anything that would tell me the prefix size. The subnet mask on the router is 128.

As I mentioned earlier, if you look at the text below the prefix ID box on the LAN page, it may say. For example, mine says the available range is 0-ff, which is correct for my /56.

The /128 means that address is only to identify the WAN interface. It is not used for routing and has nothing to do with the prefix size.

BTW, custom on IPv6 is to call that a prefix, not subnet mask. Same function, different name.

JKnott

@caskater4 said in IPv6 on SoCal Spectrum:

I use AdvancedTomato on a Asus R7000 for WiFi.

Are you using that as a router or AP? If router, then it would have to be able to be configured for IPv6. If just as an AP, it would be transparent and any devices connected to it should behave as if directly on the LAN.

caskater4

It's setup as an AP, not a router.

The text below Prefix ID reads: "(hexadecimal from 0 to 0) The value in this field is the (Delegated) IPv6 prefix ID. This determines the configurable network ID based on the dynamic IPv6 connection. The default value is 0."

I also tried adding my guest network as a track interface with Prefix set to 1 and it wouldn't let me.

caskater4

So I enabled IPv6 DHCP6-PD on the Tomato AP and now most of my devices are getting IPv6 addresses. My laptops, tablets, TVs and alexa's are all connected now. However, for some reason our phones (Pixel 2XL and iPhone) are not getting internet access. They still don't show an IPv6 address. This is rather odd. I've tried restarting the phone and deleting the WiFi profile but nothing seems to fix it.