IPv6 behind Xfinity gateway

ebsense

Alas, the new xfinity / comcast gateway does not appear to have an option for a bridge mode on a residential service. I've looked through every option I could find, bridge was nowhere to be found.

Found the option within "At a Glance" page, which I've skipped so many times I became blind to it. With it I can get a /60 network from ISP, too bad I have to choose between this and having a backup gateway in case pfsense goes down (during server maintenance usually).

On the positive note my pings went down by half!

It is frustrating that protocol 41 (IPv6 encapsulation) appears to be blocked / dropped somewhere upstream. Otherwise IPv6 tunnel would have already solved my issues.

rajeshh

@JKnott @ebsense

Hello - I am in a similar boat - have the XB7, pfsense and unable to get ip6 for my lan clients. I don't want to put XB7 in bridge mode because I read how the speeds have been going down once you put in bridge mode. I do see prefix delegation /64 in the Infinity gateway. My understanding of Ip6 is still new, but can the /64 be only used for one interface - and its now being used for WAN, and hence cannot be used for the LAN?

ebsense

I couldn't find a good way to reroute IPV6 from xfinity to local subnet(s), good news is that gateway has been working pretty well in a bridge mode. I have XB6, and so far have not experienced any slowdowns from my Gigabit service (900mbps+ whenever I check). I did observe reduction in pings (compared to double NAT).

IPv6 is designed from the ground up to route differently compared to IPv4. NAT is no longer needed as there is enough addresses to id as many devices as needed. Alas xfinity is expecting to directly service a number of individual devices over IPv6 while pfsense does not have software support to emulate all of those devices on the WAN side. I got as far as providing all the lan clients downstream of pfsense with local ipv6 addresses and having pfsense reroute the IPv6 traffic from LAN to WAN with a correct IPv6 prefix, but return (download) data was lost because pfsense would not respond to xfinity's attempt to find route information for a specific IPv6 address which "belongs" to the lan computer.

I was sad to loose backup connectivity / wifi which I was hoping to use the gateway for in case pfsense ever goes down (for maintenance as en example), but without additional IPv6 options from xfinity and/or pfsense, I got lost in the woods.

JKnott

@rajeshh said in IPv6 behind Xfinity gateway:

My understanding of Ip6 is still new

I first read about it in the April 1995 issue of Byte magazine. I've had it at home for over 10 years.

but can the /64 be only used for one interface - and its now being used for WAN, and hence cannot be used for the LAN?

Actually, you only need a link local address on the WAN, as that's what normally used for IPv6 routing. If you do have a WAN IPv6 address, it has nothing to do with the LAN prefix.

JKnott

@ebsense said in IPv6 behind Xfinity gateway:

IPv6 is designed from the ground up to route differently compared to IPv4. NAT is no longer needed as there is enough addresses to id as many devices as needed.

Actually, routing works exactly the same, other than link local addresses can be used in routing. NAT is a hack created to get around the IPv4 address shortage. Without it, routing is now working as originally intended.

rajeshh

OK, I have changed the modem to be in bridge modem and have gotten IPv6 addresses on the lan. Will do some playing around - Thanks

JKnott

@rajeshh

Did you get a WAN IPv6 address? If so, does it's prefix have anything to do with the LAN prefix?

rajeshh

@JKnott No, they are 2 different prefixes.

JKnott

@rajeshh

That's the way it usually is. That WAN address plays no part in routing. It is used as the target address for VPNs, SSH, etc.. As I mentioned, you don't need it. Even for something like this, you can use the interface. address on your LAN. Also, there's one setting you might not know about. On the WAN page, you probably want to have Do not allow PD/Address release selected. This will often prevent your prefix from changing.

rajeshh

@JKnott Yep, I have that selected [ Came across it in other posts]. I presume I have to live in a mixed mode of ipv4 and v6, correct? I was partly exploring Ipv6 to see if it makes any of the setup with gaming PCs and open/strict NAT easier.

JKnott

@rajeshh
That's called "dual stack" and will be needed for a while yet. If the games support IPv6, then it will work that way for you. The operating systems prefer IPv6, but will use IPv4 when necessary.

harmonmonic

This post is deleted!