Comcast business head-scratcher…
I am running
I have enabled ipv6 on my comcast connection at work. (this is a completely different setup from my residence).
I requested a /60, because it's the only setting that would get a response from Comcast.
On my WAN, I received a /64. However, on my LAN and OPT1, which are set to track the WAN (prefix IDs 0 and 1 respectively), I received /63 networks.
According to my comcast business login, the range is xxxx:yyyy::38:f600::/56.
The wan settings:
The lan settings:
The opt1 settings:
The astute observer would see that both the lan and opt1 ipv6 addresses are in the same subnet. If I change opt1's prefix to 2, the ip address assigned to opt1 is the same.
The problem is the /63 prefixes. They should be /64 and then lan and opt1 won't overlap.
Oh, I agree, but why were they issued as /63's in the first place? I told it to track the wan, not set them up as /63's.
Even still: apparently the prefix numbers default to /64 even if the network's a /63…
Given all of that, how do I force the lans to be /64?
BTW: this is 2.4.2-RELEASE-p1 (amd64).
There is some room for improvement, I think, in the way pfSense handles a received prefix that is different from that set in the dhcp6c client.
It sounds to me like you are receiving a /59 from the modem, which is nonsensical, even though you are asking for a /60 (59 + 4 = 63, 60 + 4 = 64).
This feels quite familiar to me and I think the answer is either new firmware or a different modem from Comcast.
On a business account you should be given a /56 at the bare minimum. I would demand a /48.
I would call Comcast and ask them how, in general terms (not pfSense-specific), you are supposed to configure their modem so your generic dhcp6c client gets a proper address and prefix delegation behind it.
Also, set "Debug - Start DHCP6 client in debug mode" in the interface's DHCPv6 settings. That will log things like what PD you are getting. It is safe to leave it that way: it doesn't generate that much more logging, and what it does log is pretty useful. In System > Logs > DHCP, just filter on process dhcp6c.
If confirmed to be a /59 you might try setting the interface to that and seeing if it kicks another bit onto your tracked interfaces.
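As an added illustration of the arithmetic in the reply above (this is not code from the thread or from pfSense itself), the script below reproduces how a tracked interface's prefix is built when the requested size is /60 but the modem actually hands back a /59. It assumes the dhcp6c construction described above: pfSense sets sla-len = 64 - requested prefix length, and dhcp6c appends the sla-id (the interface's prefix ID) as that many bits immediately after the delegated prefix, so a /59 plus 4 bits gives a /63. The 2001:db8: prefix is a constructed stand-in for the redacted xxxx:yyyy one in the original post.

```python
"""
Derived-prefix arithmetic for pfSense "track interface" setups.

Assumptions (not taken from the thread):
  * pfSense sets dhcp6c's sla-len to 64 - requested_prefix_len.
  * dhcp6c builds a tracked interface's prefix by appending sla-id
    (sla-len bits wide) right after the delegated prefix, so the
    derived length is received_len + sla_len: 59 + 4 = 63, 60 + 4 = 64.
"""
import ipaddress
from typing import Dict, List


def derive_prefix(delegated: str, requested_len: int,
                  sla_id: int) -> ipaddress.IPv6Network:
    """Return the prefix a tracked interface gets for a given prefix ID."""
    net = ipaddress.IPv6Network(delegated)
    sla_len = 64 - requested_len            # bits reserved for the prefix ID
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    derived_len = net.prefixlen + sla_len   # what actually arrived + sla-len
    if derived_len > 128:
        raise ValueError("derived prefix would exceed 128 bits")
    shift = 128 - derived_len               # position of the sla-id bits
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (sla_id << shift), derived_len))


def check_tracked(delegated: str, requested_len: int,
                  sla_ids: List[int]) -> Dict:
    """Derive one prefix per ID and flag the symptoms from the thread:
    derived prefixes that are not /64s, and any pair that overlaps."""
    if not sla_ids:
        raise ValueError("need at least one prefix ID")
    prefixes = [derive_prefix(delegated, requested_len, i) for i in sla_ids]
    not_64 = [str(p) for p in prefixes if p.prefixlen != 64]
    overlaps = [
        (str(a), str(b))
        for idx, a in enumerate(prefixes)
        for b in prefixes[idx + 1:]
        if a.overlaps(b)
    ]
    return {
        "received_len": ipaddress.IPv6Network(delegated).prefixlen,
        "derived_len": prefixes[0].prefixlen,
        "prefixes": [str(p) for p in prefixes],
        "not_64": not_64,
        "overlaps": overlaps,
        "ok": not not_64 and not overlaps,
    }


if __name__ == "__main__":
    # Constructed sample input using the documentation prefix; the real
    # prefix in the thread is redacted as xxxx:yyyy.
    for received in ("2001:db8:38:f600::/60", "2001:db8:38:f600::/59"):
        report = check_tracked(received, requested_len=60, sla_ids=[0, 1])
        print(received, "->", report)
```

Running it shows the difference in one line each: a received /60 yields 2001:db8:38:f600::/64 and 2001:db8:38:f601::/64 for IDs 0 and 1, while a received /59 yields 2001:db8:38:f600::/63 and 2001:db8:38:f602::/63, which is exactly the /63 the original poster saw on LAN and OPT1. Compare the prefix the dhcp6c debug log reports against the output here; if the log confirms a /59, the check reports `ok: False` with the offending prefixes listed.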
Well… it's worse than you think. The Cisco code is so busted in the Comcast business modem (static IPv4 version) that if you do make a DHCP PD request for a /64, it will never route anything through that assigned /64 block to the pF WAN side. Trust me, I have verified this many times.

If you let it PD-assign you a requested, say, /60, it says /60, but it's really N-1, which is a /59, which is also utter nonsense, but it's why you got a /63 inside. If you try manual address assignment on your WAN interface, nothing with a prefix > 60 gets routed through the modem downstream to you, so don't waste your time.

But I am writing this to you on a /63 (!) internal net via pF using "Them" (I like to think about the 1950s sci-fi movie with the giant ants after radiation… but I digress), before switching back to my reliable (and properly designed) Hurricane Electric /48. BTW, trying a /59 request results in no traffic being passed; to me, the only PD that results in traffic being passed is the phony /60. I'd be interested in hearing your results if you try /59 etc. and seeing what results. Not responsible for letting the blue smoke out!
Note, it's worse with the Netgear modem, don't switch (!), as it breaks SIP because the ALG is always on. So you either live with a /63 inside or go back to 6in4 to Hurricane Electric and simply fix your pF resolver to strip out AAAAs for Netflix's tunnel detectors so you can watch 'The Crown' in peace and quiet over v4, or you don't. Loads of docs on how to set that up.
Oh, and one more thing: since Comcast has never heard of in-addr delegation, even though they call it "Business Class", forget running any meaningful servers/services on them, v6-wise. Business? Ha! No way. We run our real production stuff on AWS/S3/Route53 and skip the Comcast headache(s). I tried a PD/address non-release on the WAN interface; it didn't hold, i.e. they did not respect it, so after a power cycle the assigned v6 address changed. Head-faking an AAAA on Route 53 to an internal address I control off the /56 works, but don't expect external DMZ addresses etc. to remain constant, is my conclusion.
This is strictly amateur hour networking from Comcast.
Rgds to all.
With Comcast Business, spending the extra for a static IP Address isn't worth it IMHO. The inflexibility you get by having to use their own gateway ends up causing more problems than it's worth.
Skip the static IP, get a nice D3.1 modem (even if you don't have a speed tier that requires it, having the extra RF spectrum available is never a bad thing) and connect pfSense right to the modem. Request your /56 and go to town. Get your IPv4 address and set up Dynamic DNS to automatically update a hostname in your domain (so many Dynamic DNS services available!). Anything on the internet that needs to connect in, use the hostname instead of a static IP address.
And this is even if your IP address ever changes. I don't think I've actually had my IP address and /60 prefix (I'm a consumer customer, not business) change for months. It'll probably be a year in a couple more months.
Agree, you are right. All the services that depended upon a static IP long ago moved to AWS, so I should just ditch it. Good thought.
Especially since Route53 works beautifully with pF's DynDNS updater. Is there nothing that pF won't do (better)?