pfsense IPV6 Issues with Comcast
I'm a pfsense newbie. Comcast is my ISP. Before starting with pfsense recently , I have typically run a dual ipv4+ipv6 stack without issue on other software (like Openwrt).
My pfsense box is set-up as follows:
- One WAN interface
- One LAN interface
- 2 OPT interfaces (OPT1 and OPT2)
I have no issues with ipv4, works just fine! I have DHCP client on WAN. On LAN, OPT1 and OPT2, I have a static RFC1918 IP and run a DHCP server on each of the interfaces. Each interface is a 192.168.x.x/24 subnet. Again, no issues here, works just fine!
I'm trying to do the following with ipv6
- DHCP6 client on WAN
- Prefix delegation of /60 on WAN
- Even though I have a /60 PD (more below), all I'm looking for is an ipv6 address for WAN and a /64 Prefix delegation from my ISP
- With the /64 Prefix Delegation (PD), I plan to configure LAN, OPT1 and OPT2 with a static v6 IP, and run a DHCP6 server on each of the interfaces. Goal is to have a v6 subnet on each interface
Below is my problem:
- I'm unable to get an ipv6 address from my ISP for the WAN
- I'm also unable to get the /64 prefix delegation
I have tried the following to address the problem:
- Changed the prefix delegation from /64 (original default) to /60 on my WAN interface page. I read on the net about folks having similar issues with comcast, and this was the supposed fix!
- Made sure the firewall is not blocking icmpv6 on WAN
- Rebooted my DOCSIS3 modem
- Rebooted my pfsense router
I'm still unable to get a WAN ipv6 address and a /64 PD from comcast!! What could be going on? What should I be doing different?
JKnott last edited by
You might try posting your config info, so we might have a clue about your configuration. For starters, have you enabled DHCPv6 on the WAN? Also, why do you want to use DHCPv6 on the LAN side. SLAAC works fine.
It may be they only give you the delegation, that's all you need really. You should be able to set the internal interfaces to track WAN and use /64s out of the /60 using different prefix IDs on each.
Check the dhcp logs.
Thanks for the responses!
I had a chance to play with this issue some more...
I now have the following config on WAN:
- dhcpv6 (I've always had this enabled, even during my previous post)
- PD of 64
Based on the responses I have set my WAN , OPT1 and OPT2 as follows:
- Set all 3 to track WAN, with a prefix ID of 1,2 and 3 for LAN, OPT1 and OPT2 respectively
There is some progress but still not fully configured for ipv6!
When I look at my dhcp logs, specifically at dhcp6c entries, I see the following:
- a /128 ipv6 address assigned to WAN
- a /64 assigned to LAN, OPT1 and OPT2
- However, my interfaces are still not configured with an ipv6 address!!
The last 2 lines of the dhcp6c logs are as follows:
- "failed initialize control message authentication"
- "failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory"
The last 2 lines appear to be error messages. Any ideas of what this could actually mean? Is it looking for a authentication key or a key file? What could be going on?
Appreciate your inputs- Thanks again!
JKnott last edited by
If you're assigning v6 subnets to the internal interfaces your PD from Commcast needs to be at least /60.
/64 is one subnet in v6 land.
/128 is fine for a single interface on WAN they can route your PD to but if that's only a /64 it can only be on one internal interface.
GregTheHun last edited by
To anyone else who might come across this post with Comcast. (or probably any ISP)
I went to the logs searching the logs as @stephenw10 suggested and noticed some funny "XID Mismatch" logs. So, looking up this article:
It said to basically do (arrow is for pointing out command):
# ps uxawww | grep dhcp6c root xxxxx 0.0 0.0 5780 1488 ?? INs Sat09PM 0:00.90 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_re1.pid re1 root xxxxy 0.0 0.0 5780 1524 ?? Is Tue07AM 0:00.30 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_re1.pid re1
Then, i saw multiple instances of it like the output do:
killall -9 dhcp6c
Solved my problem, maybe yours too.