is your Prefix really static or is it not

Comcast labels the /56 "static" in a business account portal but how it is delivered to the router I don't know. The last router swap was all auto-configured, the guy just stood there for a few minutes waiting for it to pull its settings.

The problem is 1) what subnet block gets delegated to the inner router, and inner router's LAN, changes when redelegating happens (if the route inward is lost and I start over trying to fix it), and 2) if I set them up as static in the pfSenses, AFAICT the Comcast router doesn't know where to route the innermost subnet...and its GUI only allows IPv4 static routes, and 3) if delegated automatically sometimes the building pfSense still doesn't create a static route.

So ideally I could set it up automatically and only have our one "inner" router get IPv6, and my hope would be routing is auto-configured, but I don't seem to be able to do that without other "inner" routers getting IPv6.

And if I didn't say above, the reason we need to do that is to allow access only to paying tenants, and to set bandwidth limits accordingly.

One possibility (?) is that the building router reacquires IPv6 when the Comcast router boots, but the inner/office router doesn't request delegation because it was already configured and doesn't know it needs to?

I spent quite a bit of time yesterday trying to figure out how to find the DUID that will be used on pfSense. "od -h /var/db/dhcp6c_duid" will show it, with the bytes reversed ("8550" = "50:85").

System > Advanced > Networking has a "DHCP6 DUID" dropdown but on this router if I choose Raw and enter in a DUID, and save the page, it changes my choice to DUID-LLT. I can use DUID-LL and enter a MAC but the output of "od" above includes extra output when I do that, which was confusing. (eventually had to enable DHCP6 debug mode on that page, and restart, to see it in the logs)

And then after all that I still found another router had acquired an IPv6 IP+delegation so had to turn that off again.

All I need is for the static route on the building pfSense to not disappear and I think it should work.

</mini-rant>

I never did what you did, so only thoughts but is your Prefix really static or is it not? If it is static, why do you need to use Track Interface?

I've had my prefix for almost 6 years. However, it's still DHCPv6 so the possibility of it changing remains.

I never did what you did, so only thoughts but is your Prefix really static or is it not? If it is static, why do you need to use Track Interface? If it is not static, then forget all of this is my advice, it is such a hassle. pfSense and/or FreeBSD is really bad when it comes to dynamic Prefixes. When the change only occurs early in the morning, you could make a cron to reboot pfSense. And, I kid you not, rebooting every switch with a Smart-Plug afterwards. But then, who would do something like that in a commercial environment.

Another thought, if you made static routes, have you ever considered to use fe80::-addresses for the routes? Never did it myself though. ULA also could work I guess.

Currently it's working with:
building WAN: DHCP6
building LAN: Track Interface
office WAN: static IPv6
office LAN: static IPv6
building router: needs static route for office LAN
building router: DHCPv6 Server off
building router: RA off

Following up, when the Comcast router boots (3am so an ISP update I assume) our building pfSense router loses its static route. I tried restarting it this morning to try to recover, and, fun times, it decided to revert to a 23.09 boot environment, removing a bunch of settings. Super confusing but easily fixed once I figured it out. However after that it still didn't have the route. Re-saving the static route as-is didn't create it either.

Is there something in the code perhaps that doesn't/can't set up the route if the IP subnets are incorrect/inaccessible? Is there a good way to recover from that?

Per this post it sounds like maybe Kea is required for "deny unknown clients" to work correctly for IPv6, so that could be something I try down the road when it's stable/finished.

Currently it's working with:
building WAN: DHCP6
building LAN: Track Interface
office WAN: static IPv6
office LAN: static IPv6
building router: needs static route for office LAN
building router: DHCPv6 Server off
building router: RA off

I suspect when I was banging on it a month ago the Comcast router kept the route for the delegated prefix, until it booted. So having the building router Track Interface and request a /62 prefix hopefully will keep that route in the Comcast router. Guess I'll find out in the next few months if/when it restarts. And then the fix and that point is probably just to reacquire the building LAN IPv6.

Done automatically I expect it will all work just fine, the problem is we need control over how to hand out addresses.

There's also some sort of a bug I ran into again where if I add an IPv6 gateway on the WAN interface page, it flips the IPv4 gateway to Automatic and disconnects Internet (even though there's only one IPv4 gateway). But that's another story...

Edit: Seems like all the DHCPv6 Server settings are ignored?
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html

"The DHCPv6 daemon can only run and be configured on interfaces with a Static IP address, so if a tab for an interface is not present, check that it is enabled and set with a Static IP. It is not currently possible to adjust settings for tracked interface DHCP service."

I suppose one could read that as "shouldn't be visible" vs "we'll ignore everything". It does seem to be using the configured address pool though.

Unfortunately this was broken twice this morning.

• my static route was no longer in the routing table
• DHCPv6 started handing out IPs again despite being set to allow only known clients.

In limited testing it looks like the problems were:

• DHCPv6 Server does not add a route for delegated prefixes to reserved IPs
• if I restart DHCPv6 Server, my static route is removed from the routing table
• I had to edit and save the route, to get it to work again

I kept banging on it. I set Router Advertisement to Managed so clients couldn't get an IP. However RA is still advertising prefixes to other routers, they are just failing.

At some point I re-saved the office router WAN interface and now that Delegated Prefix shows on the DHCPv6 Leases page. So maybe it was in some weird limbo state from above? I didn't try deleting the static route yet since we're into the workday.

However DHCPv6 Leases still shows leases and prefixes for other routers. Does it just not honor the "Deny Unknown Clients" setting?

Confused about the path forward, do I need to turn off DHCPv6 Server on the building router, and use a static route?

Side note: the "Start DHCP6 client in debug mode"

Hidden here :

So I started all over, and set it up using Track Interface and prefix delegation, with the building router DHCPv6 Server set with "Deny Unknown Clients" to allow only known clients. I had to allow any temporarily just to find the DUID of our router.

By the time I got back to set it to allow only known clients again, the building router had allocated another IP and prefix. However, it added a route to this other prefix and would not add a route for our office router prefix. So eventually I gave up and added a static route in our building router, pointing the subnet that had been delegated to our office router, to our office router.

So overall it looks like it should have worked with "deny unknown clients" except there was no route created from the outer pfSense to the inner pfSense, like there was for other routers in the building. ٩(͡๏̯͡๏)۶

Side note: the "Start DHCP6 client in debug mode" option seen referenced on this forum several places does not seem to exist on either of these routers' WAN interface settings? I thought I'd enabled that before, was that removed? Is there a trick to displaying that?

#ComputersDoExactlyWhatYouTellThemNotWhatYouWant

I'm thinking this might work:

• set building router to hand out IPv6 blocks
• create firewall rule on LAN to only allow IPv6 from known MAC addresses (one rule per MAC)
• create a firewall rule on LAN to assign each subnet to the correct limiter

It's a bunch of extra steps though.

In pfSense how do I find out the subnet a given tenant router is using? Can I connect the Status/DHCPv6 Leases, Delegated Prefixes info to the known MAC?

Option 2 is we set it up for us and wait until someone asks for IPv6. :)

I am not sure we have a client with a dynamic WAN IP for which we also have the Comcast account credentials to log in and look directly, so unclear if this is only for accounts with static IPv4. But it doesn't say so.

https://business.comcast.com/support/article/internet/comcast-business-internet-learn-about-ipv6
"To date, Comcast has launched dynamic and static IPv6 support for all Business Internet customers. The static IPv6 addresses are included in any IPv4 lease and those addresses can all be found by logging in to My Account. Static IPv6 is also supported and available for Ethernet Dedicated Internet customers."

So our /56 is static per their page.

[edit: which I found out because I'm there because it went down ]

you can assign a device to a specific LAN/VLAN according to the MAC supplier

You could do this with freerad more than likely.. radius can be used to assign vlan related to auth.. But not sure how that would come into play in this scenario..

I believe with some switches, such as from Cisco, you can assign a device to a specific LAN/VLAN according to the MAC supplier, not individual MACs. This would be typically be used with VoIP phones and computers sharing a connection to the switch. I don't think pfSense can do that.

In a quick look we can allow/block IPv6 by MAC, so maybe. So that would be to allow everyone to get an IP, but only allow known MACs to pass IPv6 traffic.

So, on building router LAN, Track Interface, configure a Prefix Delegation Pool, and let it rip?

Or else the manual approach of configuring a static IPv6 for the "building LAN" and assigning a /64 to our LAN. Then we would have to manually config each tenant router, if they ever wanted IPv6.

I did discover a handful of things not working properly when we enabled IPv6 via Hurricane Electric so that would be nice to know that. Unfortunately at least here we found HE throttles the speed, I think it was to around 35 Mbps download. And there are sites that don't work because of video rights or whatever since they consider HE like a VPN and block access. I mean, it's free, so... We still have HE enabled but it's a better experience telling my browser to prefer IPv4.

We do get a /56 as noted. I just need to ensure someone can't plug in a router and get free Internet.

Is the answer to not try to do anything automatically, and just use two /64s from our /56 to set up IPv6 manually? (for the building router LAN, our office router LAN) That would work for us I suppose but the goal for the tenants was hands-off router config.

And no I don't know how often the /56 changes, it's been 1.5 days since they replaced their router.

In pfSense can I assign specific subnets to specific MAC addresses?

"IPv6" attribution has little to do with the MAC.
It's all DUID based, some magic number generated by the client based on the position of the moon, the date, maybe the MAC, and other hardware present, and some other numbers that can be static, or less static.

For pfSense you can actually set the DUID and this might be important so it gets it's own 'static' IPv6 and/or prefixes :

My leases :

My prefix is right now 'eb', one of the 256, out of a /56 range.
It's 'eb' for at least a year now, and so is the leading "2a01:cb19:xxxx:yy__ which means my allocated IPv6 for my LAN devices are rather static.
I've heard (seen) that other ISP change the leading part and /or the prefix very often. Like in the good old days where the WAN IPv4 changed every day or week.