Blocking Comcast router advertisements

  • In an effort to fix a problem they didn't understand, Comcast replaced my SMC router with a Cisco router.  IPv6 custom name server configuration worked in the SMC router, but not in the Cisco.  The router advertisements continue to show the Comcast IPv6 nameservers instead of my own, breaking a lot of things in my internal network.  Replacing the router didn't fix the problem, which was something else in their network, but they won't return my SMC router because it is past EOL.

    I implemented pfSense to block the Comcast router advertisements and function as the IPv6 gateway, but after spending a couple of days on it, I have not succeeded.  No matter what I do, Comcast router advertisement packets still make it through the pfSense firewall and onto my network.  Even if I block everything from the Comcast router, including ICMP6, I still see the RA packets.  I tried turning off IPv6 in the System/Advanced tab, but then IPv6 doesn't work at all, even with permissive firewall rules.

    I'm not even convinced that pfSense is functioning as an IPv6 router.  It sends out the RA packets advertising itself on the correct subnet, but I don't think it's actually functioning as a router.  Granted, it's a little hard to tell with the Comcast RA packets going out every 15 seconds.

    I am new to pfSense, but advanced in networking and IPv6 concepts, and I'm getting nowhere with this.  I would really appreciate any advice somebody could give me.  In the interest of brevity, I have not provided all of the configuration combinations I have tried, but I can if it would be helpful.  In short, they include almost all combinations of IPv6 configuration on my Comcast WAN and the 2 LAN subnets.

  • I have continued to experiment with this issue, still with no success.  I have gone so far as to create a general firewall rule to block Comcast's RA on all four interfaces plus a bridge, and still I see the RA packets on my LAN.

    It seems very strange to me that the Comcast router advertisements get into my LAN even though I have a firewall configured not to let them through.  If anybody has successfully implemented a configuration to have pfSense act as an IPv6 router, sending its own router advertisements and not passing those of the ISP, I would be really interested in how you did it.

  • LAYER 8 Global Moderator

    It would be impossible for the RA to get to your LAN, since your WAN and LAN would be on different layer 2.  If you're seeing RA on your LAN from Comcast, then your LAN is on your WAN's L2.

    Let's see how you have everything physically connected.

  • Thanks for your insightful comment.  It turns out you were right.  I had set up a bridge to get my 5 static IP addresses from Comcast onto a private VLAN.  Somewhere, and I'm still not sure where, the RA packets were leaking onto my LAN.  RA packets are IP6 packets, and I would think they could be filtered by pfSense even on a bridge, but apparently that is not the case.

    My work-around is to plug all of the interfaces that need a public IP directly into the Comcast router, and leave all of the others on my switch.  It's a little disappointing because I can't watch the traffic with pfSense, but it is working, and I'm not able to set my own nameservers.
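    The two questions in this thread (which router is actually advertising on the LAN, and what nameservers it pushes via RDNSS) are easiest to answer from a packet capture than from the firewall GUI.  The script below is an added example, not code from any poster in this thread or from pfSense: it parses raw Ethernet/IPv6/ICMPv6 Router Advertisement frames, pulls out the source MAC, source link-local address, Prefix Information options and RDNSS (DNS server) options, and flags every RA that does not come from the link-local address of the router you intend to run.  The sample frames and the `fe80::1` / `fe80::2` addresses, MACs and prefixes are constructed for the example; the ICMPv6 checksum in the constructed frames is left at zero and is not validated.

```python
"""
Audit IPv6 Router Advertisements seen on a LAN segment.

Added example for this thread; not pfSense code and not from any poster.
Frames are parsed from raw bytes so it runs offline; in practice you would
feed it frames from a pcap taken on the LAN interface.
"""
import struct
import ipaddress

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134   # RFC 4861 §4.2
ND_OPT_PREFIX_INFO = 3       # RFC 4861 §4.6.2
ND_OPT_RDNSS = 25            # RFC 8106 §5.1


def build_ra_frame(src_mac, src_ll, prefix, dns):
    """Construct a minimal Ethernet/IPv6/ICMPv6 RA to ff02::1.
    Only used to create sample input; the ICMPv6 checksum is left as 0."""
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type, len=4 (32 bytes), prefixlen, L|A flags,
    # valid lifetime, preferred lifetime, reserved, prefix
    opts = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen,
                       0xC0, 86400, 14400, 0) + net.network_address.packed
    if dns:
        # RDNSS option: type, len = 1 + 2*n, reserved, lifetime, n addresses
        opts += struct.pack("!BBHI", ND_OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        for a in dns:
            opts += ipaddress.IPv6Address(a).packed
    # RA header: type, code, checksum, cur hop limit, M/O flags,
    # router lifetime, reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0x00,
                       1800, 0, 0) + opts
    # IPv6 header: version 6, payload length, next header ICMPv6, hop limit 255
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ll).packed
           + ipaddress.IPv6Address("ff02::1").packed)
    eth = (bytes.fromhex("333300000001")                    # all-nodes mcast MAC
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip6 + icmp


def parse_ra(frame):
    """Return a dict describing the RA in a raw frame, or None if it is not one.
    Extension headers between IPv6 and ICMPv6 are not handled here."""
    if len(frame) < 14 + 40 + 16:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_hdr != IPPROTO_ICMPV6:
        return None
    src_ip = str(ipaddress.IPv6Address(ip6[8:24]))
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    _, _, _, _cur_hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", icmp[:16])
    ra = {"src_mac": src_mac, "src_ip": src_ip, "hop_limit": hop_limit,
          "router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                      # RFC 4861: zero length is invalid
            break
        body = icmp[off:off + olen * 8]
        if len(body) < olen * 8:           # truncated option
            break
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif otype == ND_OPT_RDNSS and olen >= 3:
            for i in range(8, olen * 8, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return ra


def audit_ras(frames, expected_router_ll):
    """Classify every RA: from the router we run -> 'expected'; any other source
    -> 'rogue' (the ISP gateway leaking across a bridge looks exactly like this).
    RFC 4861 §6.1.2 requires hop limit 255, so anything else is 'malformed'."""
    findings = []
    for f in frames:
        ra = parse_ra(f)
        if ra is None:
            continue
        if ra["hop_limit"] != 255:
            ra["status"] = "malformed"
        elif ra["src_ip"] == expected_router_ll:
            ra["status"] = "expected"
        else:
            ra["status"] = "rogue"
        findings.append(ra)
    return findings


# Constructed sample traffic (not a real capture): our own router on fe80::1
# advertising its prefix and itself as DNS, plus a second router standing in
# for the ISP gateway, advertising a different prefix and its own resolvers.
PFSENSE_LL = "fe80::1"
SAMPLE_FRAMES = [
    build_ra_frame("00:11:22:33:44:55", PFSENSE_LL, "2001:db8:1::/64", ["2001:db8:1::1"]),
    build_ra_frame("66:77:88:99:aa:bb", "fe80::2", "2001:db8:ffff::/64",
                   ["2001:db8::53", "2001:db8::54"]),
]

if __name__ == "__main__":
    for r in audit_ras(SAMPLE_FRAMES, PFSENSE_LL):
        print(r["status"], r["src_mac"], r["src_ip"], r["prefixes"], r["dns"])
```

    To apply this to the situation in the thread, capture on the LAN side with a filter that keeps only RAs (`tcpdump -i <lan> -w ra.pcap 'icmp6 and ip6[40] == 134'`), read the frames out of the pcap, and run `audit_ras` with the link-local address of the router you intend to be authoritative.  Every "rogue" entry tells you the MAC and link-local of the device whose RAs are reaching the segment, which is the quickest way to confirm the moderator's point that the LAN shares layer 2 with the WAN, and the RDNSS list shows exactly which nameservers hosts will pick up from it.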