Getting upstream delegating router to create a route to pfSense gateway
-
I am having some difficulty getting my cablemodem to route to me, and I'd like someone to confirm my understanding of how DHCPv6-PD is meant to work.
Internet ---- Comcast ---- Cablemodem (DPC3941B) ---- pfSense ---- Host
I use DHCPv6 to get a /59 from the cablemodem, and that works great. It also assigns the pfSense box a WAN IP. (It's within the same /59, which I think is technically wrong, but no big deal).
The problem is that, while I can ping the pfSense box both from Host on a /64 subnet, and from the internet, I can't ping Host. When I try to ping Host, the cablemodem sends IPv6 ND "neighbor discovery" who-has requests, trying to figure out the MAC for the Host. This implies that the cablemodem thinks that Host is directly attached, and therefore, it implies that the cablemodem is not creating a route for the delegated prefix through the pfSense gateway.
Unfortunately, this cablemodem does not offer any way to configure IPv6 static routes (or if it does, I don't know it).
Can someone confirm my understanding that we'd normally expect the delegating router (the cablemodem in this case) to automatically create a route at the same time it gave out the delegation? Is there anything else that is necessary to tickle a delegating router to actually make the route? For downstream hosts, my understanding is RA is used to advertise the gateway; but I don't believe RA is meant to be sent upstream; but maybe I'm wrong about this and there's something missing to get the delegating router to create a route to my subnets?
Edited: By the way, here's another Comcast customer who has the same issue: https://forums.businesshelp.comcast.com/t5/IPV6/IPv6-routing-on-DPC3941B-in-pass-through-mode/td-p/39664. Evidently he was able to resolve the issue, although I'm not sure how. I've been talking to Comcast support folks, and they are currently not entirely sure what is missing either.
-
Is the modem in gateway or bridge mode? For pfSense to pass a prefix to the LAN, it has to use DHCPv6-PD, which you'll only get with the modem in bridge mode.
-
@JKnott Comcast Business modems with IPv4 static IPs have to be in something they call "pass-through" mode. I believe it basically behaves like a gateway. The modem runs its own DHCP server; it gets a prefix from Comcast ahead of time, and then delegates that when you ask for it with DHCPv6 PD.
There's supposedly a way you can ask Comcast support to put your modem into "true bridge" where it really is just like a switch. But due to the way they set up their provisioning, that causes you to lose your IPv4 static IPs, as well as other annoyances, like losing access to the web interface. But if you do opt into that, then you can do DHCPv6 with the source, which supposedly works way better.
But even in pass-through mode, which is what I'm trying to get to work, DHCPv6 PD itself works fine: it does the full 4-packet handshake, and I get a /59 prefix, and it gets renewed periodically. It's just that the route never gets created on the cablemodem. (But I believe the upstream routing is working fine, since I can ping the WAN IP, and I see the ND requests coming in.)
-
That is surprising, given that Comcast has long promoted IPv6. However, what you can do is capture the DHCPv6 packets. Set up Packet Capture to capture ICMPv6 on the WAN port. Then disconnect/reconnect the WAN cable. This should result in capturing the DHCPv6 packets. Download the capture and open it with Wireshark. The advertise and reply XID lines should show the assigned prefix.
-
@JKnott said in Getting upstream delegating router to create a route to pfSense gateway:
That is surprising, given that Comcast has long promoted IPv6. However, what you can do is capture the DHCPv6 packets. Set up Packet Capture to capture ICMPv6 on the WAN port. Then disconnect/reconnect the WAN cable. This should result in capturing the DHCPv6 packets. Download the capture and open it with Wireshark. The advertise and reply XID lines should show the assigned prefix.
Yeah, that is the first thing I did. The DHCPv6 conversation works great, and goes exactly how it should. (That's not entirely true; it gives out T1 and T2 values that dhcp6cd thinks are 'too short,' but as far as I can tell, that's not causing any actual trouble.)
The problem is that a route matching the assigned prefix doesn't seem to get added on the cablemodem, which I can also see clearly in Wireshark from the neighbor discovery packets.
Because Comcast has had a reputation for making an effort on IPv6, I want to push on this as hard as I can: this is really something that should be right, and from an engineering standpoint, is probably pretty straightforward to fix.
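An added example, not part of any post in this thread: a Python check that applies the reasoning from the first post to a list of Neighbor Solicitation targets seen on the WAN interface. It flags targets that lie inside the delegated prefix but are not the WAN address, which is the sign that the upstream device treats the delegation as on-link. All addresses, names and the target list are constructed for illustration (2001:db8::/32 documentation range).

```python
import ipaddress

# Constructed sample values (2001:db8::/32 is the documentation range).
DELEGATED = "2001:db8:1234:5660::/59"   # prefix handed out via DHCPv6-PD
WAN_ADDR = "2001:db8:1234:5660::1"      # address assigned to the pfSense WAN
# Targets of Neighbor Solicitations seen arriving on the WAN interface.
NS_TARGETS = [
    "2001:db8:1234:5660::1",     # the WAN address itself: expected
    "2001:db8:1234:5661::100",   # Host on a LAN /64 carved from the /59
    "fe80::1",                   # link-local: expected
]

def lan_subnets(delegated):
    """Return the /64 networks available inside the delegated prefix."""
    return list(ipaddress.ip_network(delegated).subnets(new_prefix=64))

def classify_ns_targets(delegated, wan_addr, targets):
    """Label each NS target seen on the WAN segment.

    'wan'       -> the router's own WAN address (normal on-link resolution)
    'delegated' -> inside the delegated prefix but not the WAN address; the
                   upstream device is treating a routed address as on-link
    'other'     -> unrelated to the delegation (e.g. link-local)
    """
    net = ipaddress.ip_network(delegated)
    wan = ipaddress.ip_address(wan_addr)
    labels = {}
    for t in targets:
        addr = ipaddress.ip_address(t)
        if addr == wan:
            labels[t] = "wan"
        elif addr in net:
            labels[t] = "delegated"
        else:
            labels[t] = "other"
    return labels

def missing_route_suspected(delegated, wan_addr, targets):
    """True if any NS target is a delegated address other than the WAN address."""
    return "delegated" in classify_ns_targets(delegated, wan_addr, targets).values()

if __name__ == "__main__":
    print(len(lan_subnets(DELEGATED)), "x /64 in", DELEGATED)
    for target, label in classify_ns_targets(DELEGATED, WAN_ADDR, NS_TARGETS).items():
        print(f"{label:9} {target}")
    print("missing route suspected:", missing_route_suspected(DELEGATED, WAN_ADDR, NS_TARGETS))
```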