Comcast Residential /64 Delegation
-
@bob-dig said in Comcast Residential /64 Delegation:
But then, if you can have it "natively" it is kinda hard to use a tunnel (over IPv4) in my mind.
I was using a tunnel (not he.net) for almost 6 years before my ISP provided native IPv6. Worked fine for me.
-
BTW, I have a new problem with that ISP. They're also my cell carrier. I recently bought a Google Pixel 6 and noticed that the hotspot doesn't provide IPv6 to connected devices, though the phone has IPv6 itself. At least this time it wasn't much effort to get them to accept they have a problem. They're supposed to be providing IPv6 only to the phone and using 464XLAT to provide IPv4. They're clearly not doing that.
-
I do not understand what you mean "get an HE tunnel".
Comcast appears to be giving me an IPv6 address which starts - 2001:558:6011:
I found this site https://dnschecker.org/ipv6-whois-lookup.php
and put in my full address - and it gives me this info
NetRange: 2001:558:: - 2001:55F:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2001:558::/29
NetName: COMCAST6NET
NetHandle: NET6-2001-558-1
Parent: ARIN-001 (NET6-2001-400-0)
NetType: Direct Allocation
OriginAS: AS7922
Organization: Comcast Cable Communications, LLC (CCCS)
RegDate: 2003-01-06
Updated: 2021-06-07
Comment: CC1
When I configured the WAN - the first time I chose /64 for the prefix delegation size. Lots more reading, and it appears that Comcast allows residential users /60.
I had read some place else - cannot find the posting now, that if you change this value after an initial address is assigned -- there is a file you must modify or reset to allow for the new prefix delegation to take hold. Anyone know what I need to change?
I am looking to a way to get an IPv6 address range for myself, a valid one that I did not make up. Still researching this at the http://www.ipv6actnow.org/faq/
I really would like to get this working and learn more about this. The constant barrage of "why do you want to do this" messages is, how should I put this, 'disparaging' to say the least. I realize that everyone has an opinion and that not everyone here is on COMCAST or even in the USA - but I should be given some credit for trying to learn something on my own, rather than asking someone to do it for me. I have learned a lot already from these posts - and going to COMCAST to get information, I could probably get more out of the FBI (not that I am saying Comcast is secretive - they employ idiots who barely know how to answer the phone). I cannot change ISPs - as there are no others where I live, except AT&T - and I would not have them as an ISP if they paid me to be a customer.
I changed my LAN back to Track Interface and point to the WAN interface - it is not helping at all...and now the LAN interface shows no form of IPv6 address in the pfSense Status dashboard. So it appears that I am going backwards.
I started watching a couple of videos last night of just using the 2nd NIC in my Server 2019 DC to do all of this - and that is even more confusing than where I am now.
Once I finally get this all working - I plan on creating a document on every single setting in pfSense which must be set - and suggestions on someone repeating the procedure (of course after I can do the repeat process a few times myself). It just amazes me that when I was using the ORBI to be my Internet Gateway and Router - about 80% of this worked with no issues - I just wanted something more configurable and secure.
Ok - enough - back to working to figure more of this out.
-
@bearhntr What I mean is vs messing with your issues you're having with comcast - just get a tunnel from Hurricane Electric...
I had comcast for many years - and sorry while they might have a large portion of their network with ipv6 support.. It's far from a robust deployment..
I couldn't keep a prefix for the life of me - the wind would change and would get a new prefix was my major issue with them. Nor do they allow you to edit any of the PTRs etc.. And using track interface is difficult to run dhcpv6 on your lan side, etc.
So vs dealing with all of those sorts of issues - I just got a free /48 that I have kept with multiple ISP changes.. And allows me really to do anything I could want with IPv6 vs having to do with a problematic isp deployment of ipv6.
-
@bearhntr:
To add to what @johnpoz is saying ...Comcast and similar ISPs are not really wanting their residential users to have or utilize "static IP addresses" of any type (IPv4 or IPv6). While a select few may offer that as a premium-priced upgrade, most do not. They want to be able to change their network configurations on the fly. And they do not want, as a general rule, their residential customers hosting things for the Internet on their networks. So those two goals (the desire to be really flexible with network changes, and to discourage/disrupt service hosting by customers) lead to more advanced users having problems implementing something like you desire.
Comcast is likely to not always give you the same IPv6 prefix each time your cable modem reboots (or even if pfSense drops and then re-establishes its connection). A change in your IPv6 prefix leads to the problems you were describing (not able to have a consistent IPv6 address, and not able to create consistent IPv6 PTR records for LAN hosts). So while it is true Comcast and many other cable ISPs give you an IPv6 address, it really is not any more useful or beneficial than the IPv4 address they give you. You can't really treat it like a static IP block assignment that is just for you.
Tunnel service providers like Hurricane Electric are much more flexible and accommodating. They will permanently assign a /48 IPv6 netblock to just you personally. It is static and will never change so long as you have their service. They also allow you access to their DNS backend so that you can create any IPv6 PTR records you need. So that's why they may be the best choice for you.
The one small downside of a HE tunnel is the fact most of the major streaming networks block them. That means a device on your network using an IPv6 address that comes from a Hurricane Electric block is likely going to be blocked from using Netflix and similar services. There are ways to work around that which basically entail having your streaming devices use only your native IPv4 address for streaming.
Wanting to experiment with IPv6 is fine, and actually a good thing to get prepared for the future. Today, it is a technology that many ISPs seem to not fully understand. At least that is the impression you can get from looking at the hamfisted ways some of them deploy it to customers. But just understand that in pretty much every case for residential users, your ISP's implementation of IPv6 is going to be bumpy. A few folks get lucky with ISPs that are intelligent about how they deploy IPv6. But those are much more the exception than the rule. If you want some stability and predictability (along with the flexibility to fully utilize DNS records) for your IPv6 LAN, then a tunnel provider is probably the best solution. If you just want to play around with IPv6 and are not worried about stability of addresses on your LAN, then using your ISP's IPv6 offering works (usually ... ).
-
@bmeeks great post - and to add to what ISPs could do - if they actually cared.. Is what HE is doing and provide the users a way to get a specific sized prefix.. Doesn't have to be a /48
Many a colo or cloud hosts provide the ability to assign IPv6 networks to your machines or vms you host with them.
Your modem is registered with them - I should just be able to get a /X prefix assigned to me, and the ability to edit the PTR, etc. on that.. It's not freaking rocket science that is for sure - HE is doing it, and doing it for free!!
Comcast has one of the largest IPv6 delegation given - I believe a /9... They have enough space to freaking give their users some in a useable way if they so desired..
You are for sure going to hinder your actual learning experience of how and what IPv6 is and how it works dealing with how they have chosen to deploy it and roll it out.. Your overall learning experience would be way better with having a /48 of your own to play around with.. And use it in different ways on your local network.
You do understand you could actually use both the native IPv6 comcast gives you and the tunnel you create and then your /48
-
@bearhntr said in Comcast Residential /64 Delegation:
When I configured the WAN - the first time I chose /64 for the prefix delegation size. Lots more reading, and it appears that Comcast allows residential users /60.
I had read some place else - cannot find the posting now, that if you change this value after an initial address is assigned -- there is a file you must modify or reset to allow for the new prefix delegation to take hold. Anyone know what I need to change?
Use /60 for delegation size. No, you do not have to modify a file.
-
@johnpoz said in Comcast Residential /64 Delegation:
I couldn't keep a prefix for the life of me - the wind would change and would get a new prefix was my major issue with them.
Was that before pfsense added that Do not allow PD/Address release setting?
-
@bmeeks said in Comcast Residential /64 Delegation:
Comcast and similar ISPs are not really wanting their residential users to have or utilize "static IP addresses" of any type (IPv4 or IPv6). While a select few may offer that as a premium-priced upgrade, most do not. They want to be able to change their network configurations on the fly. And they do not want, as a general rule, their residential customers hosting things for the Internet on their networks. So those two goals (the desire to be really flexible with network changes, and to discourage/disrupt service hosting by customers) lead to more advanced users having problems implementing something like you desire.
Comcast is likely to not always give you the same IPv6 prefix each time your cable modem reboots (or even if pfSense drops and then re-establishes its connection).
I used to have that problem with Rogers, until pfsense added the Do not allow PD/Address release setting. Now, my prefix is rock solid.
-
I understand that COMCAST is not going to give a residential customer a rock-solid static Internet Address.
I cannot even get it working with the stuff internally (on my side the pfSense) - well, that part I can get working - but the fact that when I do have it working...and can get a 19/20 score at https://ipv6-test.com/ 3-5 days later it no longer works.
It honestly makes no sense to me why. I do not need 4 million addresses (LOL). I would be happy with a working /64 segment - which is reliable and "MINE".
Setting up the IPv4 was easy and always has been. But this IPv6 is giving me migraines.
I do not see what adding another layer of complexity by introducing HE would do. Seems like I would just be adding another door/window into what I am trying to secure.
Today I went to https://simpledns.plus/private-ipv6 -- and let it generate a Private IPv6 range for me. I then setup a new DHCP scope on my DC and that is not working either. So that I can have 'my' devices pull from that scope. But nothing is grabbing an address like it did when I had the scope of 2601:c9:200:491::/64 created there.
Everything on my network seems now to only be getting a link-local type address - like fe80::dcce: and no IPv6 address at all.
These are the settings - I am using....now, and still the GATEWAY in pfSense is only showing an IPv4 address - no longer showing any form of IPv6 address.
--- I wish I could find that posting which talked about something which has to be deleted or modified when you change the Prefix Delegation Length....unless there is something else in another setting some place which is not right.
I also just noticed this - strange. There used to be interfaces listed here.
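Added example, not part of any post in this thread: a small Python sketch of what a /60 delegation gives a LAN (one /64 per Track Interface prefix ID) and of how to read the symptom described above, where hosts hold only link-local or "private" (unique-local) addresses. The delegated prefix and host addresses are constructed from the documentation range 2001:db8::/32, the function names are hypothetical, and only 2001:558::/29 comes from the whois output quoted earlier.

```python
import ipaddress

# Constructed sample: a /60 taken from the documentation range 2001:db8::/32,
# standing in for whatever prefix the ISP really delegates.
DELEGATED = ipaddress.ip_network("2001:db8:0:490::/60")
ULA = ipaddress.ip_network("fc00::/7")            # unique-local ("private") space
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def lan_subnets(delegated):
    """Map each Track Interface prefix ID to the /64 it selects."""
    return dict(enumerate(delegated.subnets(new_prefix=64)))

def whois_range(cidr):
    """First and last address of a CIDR block, as a whois NetRange lists them."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])

def scope(addr):
    """Classify one address by the range it falls in."""
    a = ipaddress.ip_address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"

def diagnose(addrs, delegated):
    """Heuristic reading of one host's IPv6 addresses against the current PD."""
    routable = [ipaddress.ip_address(a) for a in addrs if scope(a) == "global"]
    if any(a in delegated for a in routable):
        return "ok"
    if routable:
        return "stale-prefix"     # global address from a prefix no longer delegated
    if any(scope(a) == "unique-local" for a in addrs):
        return "ula-only"         # usable on the LAN, not routed to the internet
    return "link-local-only"      # no prefix reached the host via RA or DHCPv6

if __name__ == "__main__":
    for pid, net in lan_subnets(DELEGATED).items():
        print(f"prefix ID {pid:x} -> {net}")
    print(whois_range("2001:558::/29"))
    print(diagnose(["fe80::1", "2001:db8:0:4a1::10"], DELEGATED))
```

A static DHCPv6 scope typed in by hand keeps handing out the old /64 after the delegated prefix changes, which is the case `diagnose` reports as `stale-prefix`.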
-
@bearhntr said in Comcast Residential /64 Delegation:
I would be happy with a working /64 segment - which is reliable and "MINE".
Well again - why dick with your isp when what you're asking for is a click away and 2 minutes of setup.. Yeah if you just want a /64 you can get that too, and your /48..
HE is one of the major players on the planet when it comes to IPv6 - they have pops all over the globe.. It's a no brainer to get IPv6 address space from them.. And not dick with some half assed IPv6 deployment from a company that could give 2 shits about users wanting to run their own hardware. Use the isp device - and your device will get IPv6 and work.. But wanting to do anything other than get an address - with your own router.. Why dick around..
-
While I appreciate your dislike for COMCAST - some of your comments border on demeaning towards end users such as myself. You say "Get HE" over and over and over - but you have not once provided any helpful information as to "how". Everything that I have clicked on their site - is talking about fees.
All good and glorious that you love and use them - but how about a small tutorial as to 'what' to ask for or use on their site to make this happen? It is kinda like giving your kids the keys to the car, telling them to get in and press the gas pedal.
I do not want to come across as aggressive or even a jerk. I am trying to learn, and well "papa - I am in the car and pressing the gas pedal - but I hear nothing and the car does not go anywhere".
-
@johnpoz != Comcast.
You might consider one of these options.
I was successful getting Comcast to expand their plant 1/2 mile to add my home, simply by writing letters to the CEO. This got me off 18/2 VDSL. They did not charge anything to do this. Maybe writing old fashioned letters you stamp and mail might get your issues escalated to corporate level support.
Not sure if these are options for you. I know it's not right to not get what you feel you are paying for.
Use Comcast support forums?
Get a Comcast Business account?
Get an HE account and play/learn.
Turn off IPv6 (that was how I handled this - move on with other things I need to be doing).
I know it is disappointing when a service you are paying for is not coming through. You should not have to settle for HE, but last I checked, there aren't any Comcast employees here to help.
If you are determined to get v6 working with Comcast, seriously consider writing that letter to corporate. Comcast could do a much better job of documenting and supporting v6. The problem is the number of residential customers who care is probably infinitesimal.
Good Luck.
COMCAST support forums are a huge Joke!!! You got all the COMCAST Staff in there telling you their favorite answer "that configuration is 'not supported'" Trust me - I have B.T.D.T (been there done that).
I think I got it working in another way - back to 19/20 - still cannot figure out why I cannot get Hostname for ipv6 to show on the test. I can ping the IPv4 and IPv6 address of the DC and pfSense with name resolution - and they come back with the name from the DC.
From other machines on my network I get this
It resolves the NAME - but get ping failure.
I checked the Firewall on that workstation and ICMP is on - otherwise it would not have resolved the name or pinged at all.