Received delegated /64 prefix, ipv6 outgoing but no incoming?
-
I was curious and did a search for the prefix. Comcast home is a 60.
-
@Uglybrian Thanks for that information.
I have a plain vanilla LAN, only a few dozen hosts and no VLANs, so a single /64 should be, and IS, enough.
Can you help me understand @JKnott's statement that if I get a /64 prefix delegation that will not give my LAN hosts ipv6 addresses?
That's not what I see. My pfSense box gets a /64 delegation, PLUS its own IP (not in the delegated prefix) for its WAN adapter. Then pfSense's LAN-side DHCP server uses the /64 for all my LAN hosts. That part has always worked since I originally set up IPv6.
Is @JKnott assuming the /64 will be applied to the WAN adapter, leaving nothing for the LAN side?
(Why it doesn't work if I don't spoof the WAN MAC is an open question I'll have to troubleshoot in the future)
-
I’ll do my best to try to explain, but it will be coming from an experienced point of view not from a knowledge viewpoint like jknott.
I’m guessing it works with the spoofed MAC address because when you changed PFS to new equipment, you did not power cycle your modem. So your modem is looking for your old MAC address and not finding it. Sometimes with Comcast, I’ve heard you need to call it in and tell them that you have new equipment and they will reset the modem for you. I would try a power cycle first, with PFS disconnected.
Look at status->interfaces and see if your WAN is getting a 128 or 64 IPV6 address. Mine shows a 128 from my ISP.
Even though you did a restore from backup, I would still double check all IPv6 settings. Head over to your interfaces, then your WAN. Scroll down and take a look at DHCP6 Client configuration. What size prefix is showing in (prefix delegation size)? I don’t know if this is how it works, but if it’s 64, then I’m guessing Comcast will only give you IPv6 addresses for only one interface, your WAN. If the 64 is showing there, I would change it to a 60, reboot PFS and see what happens. Then triple check all your settings.
-
@Uglybrian I'm still having trouble understanding.
I have power-cycled the modem numerous times, especially after any pfSense configuration change.
My pfSense is now working correctly with a /64 delegated prefix (I now have a problem with DNS over an OpenVPN ptp connection but that's out of scope for this thread).
What I still don't understand is why a delegated /64 would ever be an issue unless I needed a set of prefixes (up to 16 for Comcast home). The pfSense WAN adapter received its own ipv6 address, and the delegated prefix is used by the LAN-side DHCP server. It all looks good at this point.
-
I’m sorry I couldn’t explain it better but your question is beyond my scope.
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
I have power-cycled the modem numerous times
You mean: using Diagnostics > Reboot and selecting Normal Reboot, right?
Power-cycling is one of the best ways to kill your device (file system).
-
@Gertjan power cycled the modem not the pfsense box.
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
the modem
Yeah, it was staring at me.
Coffee works now, thanks
-
@Gertjan I'm still having trouble getting IPV6 working after upgrading my hardware. It was working perfectly for a year. Here's what I see:
- I have captured the DHCP transaction with Comcast. They assign me a "non-temporary" address for the WAN adapter and also provide a delegated /64 prefix
- The DHCPv6 server (ISC) on the pfSense box uses the delegated prefix to provide IPv6 addresses to LAN clients.
- LAN clients can communicate with each other over IPv6.
- LAN clients can send IPv6 packets to remote hosts (i.e. Google), and those packets exit the firewall on the WAN interface, as shown by a packet capture.
- Replies to any outgoing IPv6 packets are not seen at the pfSense WAN interface.
Notes
1. To satisfy @JKnott's statement that I need to request a larger delegated prefix (which I don't understand) I changed to /60 in the Interfaces/WAN configuration screen. This had no effect, and AFAICT from the captured DHCP transaction, pfSense didn't send a delegated prefix length in the DHCP SOLICIT packet.
2. I have power-cycled the MODEM and rebooted pfSense. The results are always the same.
Questions:
- Do I have a configuration problem, or is Comcast somehow blocking IPv6 responses?
- There used to be a screen/tab in the Web Configurator that mentioned the delegated prefix, but I can no longer seem to find it. I believe it was in System/Advanced/Networking but it seems to have vanished. Where is the delegated prefix mentioned in the UI?
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
I need to request a larger delegated prefix (which I don't understand) I changed to /60
Me neither. My ISP fiber router tells me it has a /56 for me. But every ISP router's LAN device, like my pfSense, can get only a 00 prefix, and an IPv6 is chosen to be the WAN IPv6 - like any other router's IPv6 ISP LAN client (PC, printer etc.) and my pfSense can just ask one (1) /64, which is used on the pfSense LAN (IPv6 mode = tracking).
I've been getting the $eb prefix since day one:
Asking for a /65, or bigger: fail.
But ok, I know, this is a known behavior and we are waiting for this to get resolved.
Btw: your other question, posted elsewhere: when you "spoof mac" an interface, this is the MAC being used, the original NIC MAC won't be referenced anymore.
I never had to do MAC spoofing myself (modem days are over in France) but beware:
Me thinking out loud here.
When you power up the modem first, and have it settled in.
And then pfSense, what will the modem see initially? The original WAN NIC MAC before it gets spoofed? Or is a spoofed MAC power recycle resistant?
Without ever seeing it, the original MAC isn't used or known on the network when it is spoofed.
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
Do I have a configuration problem, or is Comcast somehow blocking IPv6 responses
Put pfSense aside.
Use any other device you have, like a PC. Can you get IPv6 now working?
-
I tried connecting my Windows 11 laptop directly to the modem.
In that case, the DHCP transaction did not request a delegated prefix, so the Comcast DHCP server assigned only one address. IPv6 connectivity came up immediately and based on monitoring with Wireshark was operating normally. dhcp6-windows.pcap
So I have to conclude there's a problem with pfSense, since I now have NO IPv6 connectivity at all, even from the pfSense command line.
Can someone more knowledgeable than me examine this pcap file and tell me if they see anything wrong with the transaction? dhcp6-4.pcap
Suggestions?
-
Solved, and it's not pretty.
A debug message pointed me to
/var/db/dhcp6c_duid
containing text. So I removed the file to give DHCP6 a chance to start fresh. Then I disabled and re-enabled the WAN interface, and now everything's working.
When I look at that file now, it's binary, not text. Somehow, that file was preventing IPv6 connectivity.
Now all I have to do is reboot a few LAN devices that are hanging on to their old delegated prefix :-)
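-
A check for the text-versus-binary DUID file described in the last post, added here as an example that is not part of the thread or of pfSense. It assumes the file holds a 2-byte length in host byte order followed by the DUID itself (an assumption about the dhcp6c file layout, not stated in the thread); the function name and sample bytes are constructed for illustration.

```python
import struct

# DUID type codes from RFC 8415, section 11.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def check_duid_file(raw, length_order="<"):
    """Classify the raw bytes of a dhcp6c DUID file; returns (ok, detail).

    Assumed layout (not stated in the thread): a uint16 length in host byte
    order ("<" on amd64), followed by exactly that many DUID bytes.
    """
    if not raw:
        return False, "empty file"
    # A text file (the failure described in the post) is all printable ASCII.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return False, "file is text, not a binary DUID"
    if len(raw) < 5:
        return False, "too short to hold a length and a DUID"
    (declared,) = struct.unpack(length_order + "H", raw[:2])
    duid = raw[2:]
    if declared != len(duid):
        return False, "length field %d does not match %d DUID bytes" % (
            declared, len(duid))
    if len(duid) > 130:  # 2-byte type code + at most 128 identifier bytes
        return False, "DUID longer than RFC 8415 allows"
    (duid_type,) = struct.unpack("!H", duid[:2])  # type code is network order
    if duid_type not in DUID_TYPES:
        return False, "unknown DUID type %d" % duid_type
    return True, "%s, %d bytes" % (DUID_TYPES[duid_type], len(duid))


# Constructed samples: a DUID-LLT (type 1, hardware type 1, 4-byte timestamp,
# 6-byte locally administered MAC) and the same value saved as hex text.
SAMPLE_DUID = bytes.fromhex("000100012b000000020000000001")
GOOD_FILE = struct.pack("<H", len(SAMPLE_DUID)) + SAMPLE_DUID
TEXT_FILE = b"00:01:00:01:2b:00:00:00:02:00:00:00:00:01\n"

if __name__ == "__main__":
    import sys
    # Pass the path of a copy of the DUID file, or run with no argument
    # to check the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_FILE
    print(check_duid_file(data))
```

Run it against a copy of the file taken before deleting it, so the original contents remain available if the cause needs to be tracked down later.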