Comcast Residential /64 Delegation
-
I want to wade carefully into the granularity discussion with regards to IPv6.
Both of you are correct, but you are coming to your conclusions from what I think are different directions.
First, IPv6 has 128 in the exponent. That yields a huge, enormous, gigantic address space. It is IPv4 gone absolutely crazy. There are probably enough available IPv6 addresses to give every cell in your body its own address (perhaps many times more than enough, as I did not bother to Google how many cells are in our body).
But the standards that define IPv6 are not really any different than those governing IPv4 space. The various sections of the address get used to coordinate routing, just like the network parts of IPv4 addresses today. So @johnpoz is correct to say IPv6 does not currently offer any more "granularity". It just offers more of the same level of "granularity" as IPv4 does today. All I can really do is identify a network and a host with IPv4 or with IPv6. IPv6 just gives me a lot more hosts, but does not inherently tell me anything about the various hosts.
However, from @bearhntr's point of view, because IPv6 offers so many more available combinations of bits for an address, the potential is there for more "granularity". Notice I said "potential", though. The current standards do not use any of that potential.
Here's what I mean. Suppose I am a major nationwide ISP. Because I have so many bits available, I could start carving up the network portion of the IPv6 addresses into much finer pieces, say for geolocation (as one example). Today, with IPv4, the best you usually get is perhaps a city name based on the IPv4 subnet. That's because there aren't enough bits to start splitting that down to the individual neighborhood and street level and still leave enough bits to have unique hosts. But with IPv6, I could perhaps carve my network geolocation up down to the street level. And even up to individual buildings on that street (or apartments in a complex). So from this point of view, I can say IPv6 has more "granularity". Not that it inherently has more, but that I can give it more by purposefully using the additional address bits to help me segregate things more.
Here is another example. Because there are so many addresses, it would be feasible to create some standard that isolates some portion of the IPv6 address bits to specify maybe a device type such as toaster, refrigerator, oven, car, etc. This would require action at an international level to create and maintain, and that has not been done. But if it were, then you could say IPv6 offers additional "granularity" because you could identify what type of device you were talking to by noting some bit pattern in its address. Sort of like how MAC addresses today contain a prefix that identifies the manufacturer of the card.
So both of you are right, but you are coming at the problem from different points of view. At the moment, IPv6 does not automatically offer more granularity. That's because we are not taking advantage of some possibilities the additional number of address bits offers. However, if we did standardize on a method for sub-dividing the address bits and assigning some intelligence to those divisions, then you could argue IPv6 offers more granularity.
-
@jknott said in Comcast Residential /64 Delegation:
It would be easy enough if pfsense could filter on MACs, as some other firewalls do.
But there is no sign of doing that, am I right?
Would it be possible to assign every host according to the MAC-address one virtual IP that would act as an alias for the host, that then could be used for rules?
I hope one day they find a way, until then, every host its own vlan.
-
I thought the idea was filtering devices based on their IPv6 address. That's easy enough for incoming traffic, which normally uses the consistent address. However, outgoing, which uses random privacy addresses, cannot be filtered by a single IPv6 address. On the other hand, not only will MAC filtering do that, it will also block IPv4 (and even IPX) addresses at the same time.
-
@bmeeks Great post, but while such a thing might be possible, such assignment is already possible and done with IPv4. Companies do it all the time while assigning public and RFC 1918 space. It can even be done by floor of a building, or down to room level.
So while the much larger space of IPv6 would allow more freedom in doing something like that. Again, it's not something new to IPv6.
And to be honest I find it highly unlikely that an ISP would assign space per street or neighborhood on purpose or per specific plan, other than their normal IP plan.. But guess what - once the space is assigned that info becomes available - just like IPv4... A specific network is going to be used in a specific region. You don't use part of a network on one side of the city and the other part on the other side of the city. Just because some amount of space would need to be assigned to an area, once it is assigned - you now have the details of street/neighborhood anyway. No matter what size of network is used, the L2 that network is assigned to would be in a specific area - not like you stretch an L2 across the city, etc.
IPv6 being broken up network/host while the space is larger - it does not provide for any more granularity than IPv4. Also broken up network/host - the size of the overall amount of space, or the size of the networks, doesn't change anything from a detail point of view.
You could also - not even with firewall rules - make a point about loss of detail with IPv6. With IPv4, assignment is always DHCP; you don't let devices just assign some random IP. Well, there is 169.254 link local - but this doesn't route, and there is no way to assign a gateway automatically, etc. So with DHCP I have detail of a client that grabbed an address even if no other traffic was sent. I have the MAC of said device that gives detail about a client that connected to the network. With IPv6 SLAAC - I have no idea that some client connected to the network really. There is no "lease" that I could look up, say a hostname and MAC.. This is a loss of granularity ;)
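The distinction drawn in the two posts above (a host's stable, MAC-derived address versus its rotating privacy addresses, and what a filter rule can key on) as an added Python example that is not part of this thread; the /56 delegation, the MAC and both addresses are constructed sample values in documentation space, not anyone's real assignment:

```python
import ipaddress

# Constructed sample data: a /56 delegation in documentation space (RFC 3849)
# and two addresses on LAN 0x01 of one hypothetical host whose made-up MAC is
# 00:1a:2b:3c:4d:5e - one EUI-64 derived, one RFC 4941 privacy address.
DELEGATED = ipaddress.IPv6Network("2001:db8:abcd:1200::/56")
EUI64_ADDR = ipaddress.IPv6Address("2001:db8:abcd:1201:21a:2bff:fe3c:4d5e")
PRIVACY_ADDR = ipaddress.IPv6Address("2001:db8:abcd:1201:9c41:7d0e:3b8f:1a27")
IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier (IID)


def subnet_count(delegation, new_prefixlen=64):
    """How many /64 LANs fit in a delegation: 256 for a /56, 65536 for a /48."""
    return 2 ** (new_prefixlen - delegation.prefixlen)


def classify_iid(addr):
    """Guess how the IID was formed: modified EUI-64 (RFC 4291) carries 0xfffe
    in its middle two bytes and embeds the MAC; anything else is treated as a
    random/manual IID such as a rotating RFC 4941 privacy address."""
    iid = int(addr) & IID_MASK
    return "eui64" if (iid >> 24) & 0xFFFF == 0xFFFE else "random-or-manual"


def mac_from_eui64(addr):
    """Recover the MAC an EUI-64 IID leaks, or None for any other IID."""
    if classify_iid(addr) != "eui64":
        return None
    b = (int(addr) & IID_MASK).to_bytes(8, "big")
    # drop the ff:fe filler (bytes 3-4) and flip the universal/local bit back
    mac = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])
    return ":".join(f"{x:02x}" for x in mac)


def lan_of(addr, delegation):
    """The /64 inside the delegation that addr sits in, or None if outside.
    A host's stable and privacy addresses share this /64, so a rule keyed on
    the LAN prefix still matches when a rule keyed on one address does not."""
    if addr not in delegation:
        return None
    return ipaddress.IPv6Network(f"{addr}/64", strict=False)


if __name__ == "__main__":
    print(subnet_count(DELEGATED), "LANs,", DELEGATED.num_addresses, "addresses")
    for a in (EUI64_ADDR, PRIVACY_ADDR):
        print(a, classify_iid(a), mac_from_eui64(a), lan_of(a, DELEGATED))
```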
-
@bearhntr My ISP (Charter) assigns IPv6 hostnames, but not at first. The device has to be online for a while and there may be some additional trigger I'm not aware of (eg: reverse lookup).
-
How did you discover this? What were you looking at to see the hostname?
Are you meaning your pfSense box got a hostname from Charter - or your devices within your network? Is pfSense your DNS and DHCP or do you use something else?
Curtis
-
I have found the DUID of the LAN interface in pfSense. Is there a way to find the IAID?
It is easy in Windows (just command prompt "ipconfig /all")
I have run the shell in pfSense and issued ifconfig -- but it does not even show the DUID.
Curtis
-
@bearhntr said in Comcast Residential /64 Delegation:
but does not even show the DUID.
What exactly are you going to do with that - it has ZERO to do with Comcast setting up PTR for you..
-
@linuxtracker said in Comcast Residential /64 Delegation:
My ISP (Charter) assigns IPv6 hostnames, but not at first. The device has to be online for a while and there may be some additional trigger I'm not aware of (eg: reverse lookup).
Any device within your prefix gets a host name? Who assigns it? I'm on Rogers and they provide a host name for the WAN interface, but not for any of the 2^72 addresses within my /56 prefix.
-
I realize that - it was a simple inquiry. More for finding the IAID of the LAN port in my pfSense box. As I am reading, DHCPv6 uses both the IAID and DUID for assigning an address.
I know on my Windows servers when I make an RSVP for one of the devices in my network - I have to enter them both. I have some devices which I always want to be the same IPv4 and IPv6 address.
I have also posted a message to COMCAST to see if they have a document for setting up pfSense (or other product like it) to do IPv6. I keep losing my IPv6 connection (apparently) - as about every 3 days going to https://ipv6-test.com/ - the IPv6 fails. If I reboot my pfSense and my Domain Controller (where I am running the test) - it all comes back.
-
DAMMIT TO ALL BLOODY HELL!!!!!
I have rebooted the pfSense - 3 times now today and the DC 2x -- still not able to get IPv6 working.
I changed nothing!!!
This really should not be this difficult.
-
@bearhntr So nothing has changed from the years when I had Comcast and tried to play with their IPv6 ;)
Do yourself a favor and just set up an HE tunnel. It's static - you get your own /48 and you can set up PTRs
For what a couple of ms added latency maybe?
-
One cautionary note about using IPv6 via a Hurricane Electric tunnel. This is not a knock against HE at all, but just be aware that almost all of the streaming providers such as Netflix and others block access from HE subnets. There are many ways to work around that problem, but just be aware it exists and some amount of admin intervention will be required to work around it.
I had an HE tunnel set up myself for quite a while, but my cable ISP (the only one in town, and my best option unless I settle for 1.5 megabits/sec DSL or a congested local wireless ISP) recently moved me over to CGNAT. That killed my ability to use my HE tunnel as inbound traffic can't "find me" anymore behind the CGNAT IP. It also killed my VPN remote access.
-
What I don't get is why frustrate yourself at all with IPv6 at this point in time - if it doesn't work exactly how you want, and you fully understand all the differences that come with it - the simple solution is just turn it off.. There is ZERO actual "need" of it at this present time.
Unless you can name at least 1 resource you need/want to access that requires IPv6 - just turn it off.. Problem solved..
I have IPv6 enabled on a few devices because I "want" to - and I have been doing this for 30+ years.. It's fun for me, etc. etc.. And I get how it works and don't have to think about it or look up anything, etc. If I was a normal user - there is no freaking way in hell I would have IPv6 enabled at all.. Unless I was on a quest to understanding.. But there is zero reason to cause yourself grief with trying to get something to work that has currently zero value for your typical home user..
All the streaming resources sure and the F support IPv4, even IPv4 CGNAT.. No shit they prob block HE IPv6, because I could just create a tunnel to some POP in a different region of the world and access a library that is not meant for where I actually am.. There is zero reason or benefit to try and leverage streaming services over IPv6.. It's not going to make your movie play better or clearer or with better sound ;)
-
@johnpoz said in Comcast Residential /64 Delegation:
What I don't get is why frustrate yourself at all with IPv6 at this point in time - if it doesn't work exactly how you want, and you fully understand all the differences that come with it - the simple solution is just turn it off.. There is ZERO actual "need" of it at this present time.
Unless you can name at least 1 resource you need/want to access that requires IPv6 - just turn it off.. Problem solved..
I have IPv6 enabled on a few devices because I "want" to - and I have been doing this for 30+ years.. It's fun for me, etc. etc.. And I get how it works and don't have to think about it or look up anything, etc. If I was a normal user - there is no freaking way in hell I would have IPv6 enabled at all.. Unless I was on a quest to understanding.. But there is zero reason to cause yourself grief with trying to get something to work that has currently zero value for your typical home user..
All the streaming resources sure and the F support IPv4, even IPv4 CGNAT.. No shit they prob block HE IPv6, because I could just create a tunnel to some POP in a different region of the world and access a library that is not meant for where I actually am.. There is zero reason or benefit to try and leverage streaming services over IPv6.. It's not going to make your movie play better or clearer or with better sound ;)
Yes, totally agree. Did not mean to imply I needed IPv6. I was doing the same as you, just experimenting a bit to learn the ropes. But it started getting in the way of the grandkids streaming cartoons and Disney off their Apple devices whenever their devices grabbed a local IPv6 address from my HE allotment. So rather than work through the small hassle of modifying DNS to return the equivalent of null IPv6 results for those streamer domains, I just turned off IPv6.
Now that my cable ISP was purchased by Vyve, I got stuck behind CGNAT. So my HE tunnel is useless for now anyway.
I only offered up the caution about HE nets being on the "proxy/VPN" bad list of Netflix and others in case the OP or anyone else seeing this thread in the future ran into that issue.
-
I too was simply using it to learn. It has now been more than a week - and nothing on my network (outside) works with IPv6. COMCAST has confirmed that they support IPv6 in my area (Metro Atlanta) for residential - and they are of NO HELP AT ALL in setting it up. Frustrating as hell.
I have tried resetting everything - and nothing I do will bring it back.
I will simply never understand why folks (especially COMCAST) do not create a document on "how" to do this. I know it is not "fully" supported (as I was advised) - but given that it's there, why not build your support pool by helping those that want to learn it, with solutions?
Curtis
-
My ISP, Rogers, has a community forum, where various issues are discussed and there are Rogers employees in it. Funny thing, one of my posts here has been quoted in it. Apparently, they consider me an IPv6 expert.
Actually, that may not be far off the mark. In dealing with their tech support, I found I had to educate them on the finer details of IPv6 and DHCPv6-PD.
-
@bearhntr said in Comcast Residential /64 Delegation:
I too was simply using it to learn
Well all you're going to learn from Comcast IPv6 is how crappy an ISP can deploy something ;)
Fire up an HE tunnel - if it takes you more than 2 minutes you're doing something wrong. Now you can play with and learn IPv6 on your network how you want. You can get a /48 to do with what you wish; you can even play with delegation of a prefix downstream to another pfSense install, etc.. Or other router.
You can play with DHCPv6, you can play with SLAAC, etc. etc..
While you're at it run through the HE IPv6 cert and get yourself a t-shirt.. Way better than trying to get what Comcast calls IPv6 working ;)
-
@johnpoz said in Comcast Residential /64 Delegation:
if it takes you more than 2 minutes you're doing something wrong.
It took me way more than that but when it was running, there was nothing to complain about and I wouldn't need the daily reboots via cron if I still used it today.
But then, if you can have it "natively" it is kinda hard to use a tunnel (over IPv4) in my mind.
-
@bob-dig said in Comcast Residential /64 Delegation:
It took me way more than that but when it was running, there was nothing to complain about
Have had a tunnel up for like 10 years... Have never had to reboot, it's just up and works.. I serve NTP to the public pool via the IPv6 connection.. Have never had a scenario where it went down that my ISP wasn't down..
I get alerts from the ntp pool when my score falls below 10 on their monitoring system.
it is kinda hard to use a tunnel (over IPv4) in my mind.
Does your ISP allow you to have a /48 that never changes? Do they allow you to set the PTR on your IPv6? I really see no advantage to native vs maybe a couple of ms that the tunnel might add to latency... I have way more control and ability with IPv6 this way.. And my current ISP doesn't even have IPv6 as an option.