IPv6 behind Xfinity gateway
Hello everyone, after many hours I'm left lost, tired and frustrated. I hope someone can link to information which could allow some progress in my quest to get IPv6 working behind my pfsense firewall. Here is my situation:
I've recently switched from using my own modem (IPv6 worked great) to using the Xfinity gateway (cheaper unlimited data plan). The issue is that the gateway does not request anything other than one /64 IPv6 block, which it uses for itself (seemingly no way to disable / redirect it).
First I tried the DHCP6 & track tunnel methods with a /64 prefix size: my WAN would get a single IPv6 address, but the LAN & subsequent computers would not.
Then I tried to get an IPv6 tunnel (from HE.net) working, but the gateway shows offline when the DNS server is set as the Monitor IP. I've done the process over and over looking for issues, but IPv6 seems to be intercepted at the Xfinity level, even though the WAN IP of the pfsense is set as the DMZ endpoint. Settings are as close to the guide (link) as I could make them, given that some interfaces were updated since then.
Lastly I've spent a ton of time trying to get NPt working, with the idea of creating a local /64 IPv6 block (fc00:#::) and remapping it to the existing /64 IPv6 block on the WAN side. Alas, I'm still new to the NPt concept and could not find a reasonable guide as to how to make full use of it.
I really do not want to drop pfsense for my LAN just to get access to IPv6.
Thank you for taking the time to share your experiences. I'm willing to try anything suggested; I'm up the creek without a paddle at this point.
Can you put that modem into bridge mode? With my ISP, if I have the modem in gateway mode, I get a single /64. But with it in bridge mode, I can get a /56.
Alas, the new Xfinity / Comcast gateway does not appear to have an option for bridge mode on a residential service. I've looked through every option I could find; bridge was nowhere to be found.
Found the option within the "At a Glance" page, which I've skipped so many times I became blind to it. With it I can get a /60 network from the ISP; too bad I have to choose between this and having a backup gateway in case pfsense goes down (during server maintenance usually).
On a positive note, my pings went down by half!
It is frustrating that protocol 41 (IPv6 encapsulation) appears to be blocked / dropped somewhere upstream. Otherwise the IPv6 tunnel would have already solved my issues.
Hello - I am in a similar boat: I have the XB7 and pfsense and am unable to get IPv6 for my LAN clients. I don't want to put the XB7 in bridge mode because I read how the speeds have been going down once you put it in bridge mode. I do see prefix delegation /64 in the Xfinity gateway. My understanding of IPv6 is still new, but can the /64 only be used for one interface - and it's now being used for WAN, and hence cannot be used for the LAN?
I couldn't find a good way to reroute IPv6 from Xfinity to local subnet(s); the good news is that the gateway has been working pretty well in bridge mode. I have the XB6, and so far have not experienced any slowdowns from my Gigabit service (900mbps+ whenever I check). I did observe a reduction in pings (compared to double NAT).
IPv6 is designed from the ground up to route differently compared to IPv4. NAT is no longer needed as there are enough addresses to identify as many devices as needed. Alas, Xfinity is expecting to directly service a number of individual devices over IPv6 while pfsense does not have software support to emulate all of those devices on the WAN side. I got as far as providing all the LAN clients downstream of pfsense with local IPv6 addresses and having pfsense reroute the IPv6 traffic from LAN to WAN with a correct IPv6 prefix, but return (download) data was lost because pfsense would not respond to Xfinity's attempt to find route information for a specific IPv6 address which "belongs" to the LAN computer.
I was sad to lose the backup connectivity / wifi which I was hoping to use the gateway for in case pfsense ever goes down (for maintenance, as an example), but without additional IPv6 options from Xfinity and/or pfsense, I got lost in the woods.
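Two things the thread keeps circling back to are why a single delegated /64 cannot be split across LAN interfaces while a /60 can (the "track interface" prefix ID picks one of the /64s), and what the NPt idea from the opening post actually does to an address (swap the network prefix, keep the 64-bit interface identifier). The script below is an added illustration, not part of the original thread or of pfSense; the prefixes 2001:db8:abcd:1230::/60 and fd00:1234:5678::/64 are constructed documentation values, and the NPt function is a simplified prefix rewrite that omits the checksum-neutral adjustment described in RFC 6296.

```python
import ipaddress

def lan_subnets_from_delegation(delegated: str) -> list:
    """Return every /64 a delegated prefix can be carved into.

    pfSense 'Track Interface' assigns one of these to a LAN by its hex
    prefix ID. A /60 yields 16 choices; a /64 yields only itself, which
    is why nothing is left for the LAN once the gateway keeps that /64.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is smaller than a /64 and cannot host a SLAAC LAN")
    return list(net.subnets(new_prefix=64))

def lan_subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 matching a 'Track Interface' prefix ID (0x0..0xf for a /60)."""
    subnets = lan_subnets_from_delegation(delegated)
    if not 0 <= prefix_id < len(subnets):
        raise ValueError(f"prefix ID {prefix_id:x} out of range for {delegated}")
    return subnets[prefix_id]

def npt_rewrite(addr: str, internal: str, external: str) -> str:
    """Rewrite the /64 network prefix of addr, keeping its 64-bit interface ID.

    This is the mapping NPt performs between a local (ULA) prefix and the
    prefix on the WAN side; the checksum-neutral tweak of RFC 6296 is omitted.
    """
    ip = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(internal)
    dst = ipaddress.IPv6Network(external)
    if src.prefixlen != 64 or dst.prefixlen != 64:
        raise ValueError("this simplified NPt assumes matching /64 prefixes")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    interface_id = int(ip) & ((1 << 64) - 1)   # low 64 bits survive the rewrite
    return str(ipaddress.IPv6Address(int(dst.network_address) | interface_id))

if __name__ == "__main__":
    # Constructed examples: a /60 delegation versus the single /64 the gateway keeps.
    for d in ("2001:db8:abcd:1230::/60", "2001:db8:abcd:1230::/64"):
        print(d, "->", len(lan_subnets_from_delegation(d)), "usable /64(s)")
    print("prefix ID f ->", lan_subnet_for_prefix_id("2001:db8:abcd:1230::/60", 0xf))
    # A ULA host translated onto the WAN-side /64, as the opening post intended with NPt.
    print(npt_rewrite("fd00:1234:5678::10", "fd00:1234:5678::/64", "2001:db8:abcd:1230::/64"))
```

Note that the address rewrite alone does not make the upstream router aware of the mapped hosts; the reply-path problem described above (no neighbour discovery answers for the translated addresses) is exactly what the prefix rewrite does not address.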
My understanding of IPv6 is still new
I first read about it in the April 1995 issue of Byte magazine. I've had it at home for over 10 years.
but can the /64 only be used for one interface - and it's now being used for WAN, and hence cannot be used for the LAN?
Actually, you only need a link local address on the WAN, as that's what's normally used for IPv6 routing. If you do have a WAN IPv6 address, it has nothing to do with the LAN prefix.
IPv6 is designed from the ground up to route differently compared to IPv4. NAT is no longer needed as there are enough addresses to identify as many devices as needed.
Actually, routing works exactly the same, other than link local addresses can be used in routing. NAT is a hack created to get around the IPv4 address shortage. Without it, routing is now working as originally intended.
OK, I have changed the modem to be in bridge mode and have gotten IPv6 addresses on the LAN. Will do some playing around - Thanks
Did you get a WAN IPv6 address? If so, does its prefix have anything to do with the LAN prefix?
@JKnott No, they are 2 different prefixes.
That's the way it usually is. That WAN address plays no part in routing. It is used as the target address for VPNs, SSH, etc. As I mentioned, you don't need it. Even for something like this, you can use the interface address on your LAN. Also, there's one setting you might not know about. On the WAN page, you probably want to have Do not allow PD/Address release selected. This will often prevent your prefix from changing.
@JKnott Yep, I have that selected [Came across it in other posts]. I presume I have to live in a mixed mode of IPv4 and v6, correct? I was partly exploring IPv6 to see if it makes any of the setup with gaming PCs and open/strict NAT easier.
That's called "dual stack" and will be needed for a while yet. If the games support IPv6, then it will work that way for you. The operating systems prefer IPv6, but will use IPv4 when necessary.