Comcast IPv6 working on Linux clients, but not Windows clients
-
pfSense+ user here. IPv6 stopped working on all my Windows 10 & 11 clients. I'm not sure exactly when it stopped. It used to work fine. It might have been when I upgraded to 25.07.1, which I did maybe a month ago. I was on a 2024 release before.
test-ipv6.com shows the following on one host :

Adding details :

ipconfig shows :
Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : 2601:646:8200:reda::cted
   IPv6 Address. . . . . . . . . . . : 2601:646:8200:reda:cted:reda:cted:reda
   Temporary IPv6 Address. . . . . . : 2601:646:8200:reda:cted:reda:cted:reda
   Link-local IPv6 Address . . . . . : fe80::e280:2f0d:3e3f:a2%13
   IPv4 Address. . . . . . . . . . . : 192.168.100.109
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 192.168.100.1

I have not changed any IPv6 related settings in pfSense recently.
Everything is pretty straightforward, using DHCPv6.
Prefix delegation size is set to 64 .

On the LAN side,


ISC DHCPv6 server is enabled.

No unusual server options - just "Enable DNS".

RA configure is set to Assisted.


On a working Linux box (Raspberry Pi 4), here is what I see :
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.241  netmask 255.255.252.0  broadcast 192.168.103.255
        inet6 2601:646:8200:reda::cted  prefixlen 128  scopeid 0x0<global>
        inet6 2601:646:8200:reda:cted:red:acte:dreda  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::ca8b:5ab1:38d7:ed56  prefixlen 64  scopeid 0x20<link>
        ether re:da:ct:ed:re:da  txqueuelen 1000  (Ethernet)
        RX packets 5409  bytes 800557 (781.7 KiB)
        RX errors 0  dropped 876  overruns 0  frame 0
        TX packets 5974  bytes 3554242 (3.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

Any help would be appreciated.
-
You might try adding an IPv4 upstream gateway. Otherwise, there's no way to reach the Internet. When you click on the Add button, it will suggest your WAN gateway. Also, do you really have a static IPv4 address?
-
@JKnott
I am not sure which "Add" button you mean. On which screen ?
When I go to System / Routing / Gateways, I have 2 of them - one for IPv4, and one for IPv6.

As far as the static IP address, that is for the LAN interface only. The WAN interface (COMCAST) is using DHCP for both v4 and v6.
-
Another (probably not related) IPv4 question :

What is the not-shown mask ?
Not /24 ? You need more than 255 LAN devices ?
You use pppoe ? If not, check here.
The rest : all your IPv6 settings are identical to mine.
Not using Comcast though, but a French ISP.
-
@Gertjan sorry about the missing mask. It is /22 . And yes, I do have more than 255 LAN devices. About 350. 2/3 being smart light bulbs.
I am not aware that Comcast uses PPPoE.
-
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
I am not sure which "Add" button you mean.
Sorry, my mistake. I thought I was looking at your WAN config.
-
@Gertjan
Since you have a working IPv6 config with your ISP, could you tell me what the Status / Interfaces screen looks like ? In particular, is there any mention of a Prefix ?
Mine has no mention of it. I see that the WAN "Subnet mask IPv6" is 128 .
And LAN "Subnet mask IPv6" is 64 .
Thanks in advance.
-
Sure :

My WAN IPv6 sub net mask is (also) /64.
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
I see that the WAN "Subnet mask IPv6" is 128 .
That is, imho, problematic.
The WAN interface IP is (also) part of a prefix, a /64 network.
As my pfSense is the only device connected to my ISP router, it uses just one IPv6 out of the 2^64 available IPv6 addresses (what a waste ^^). My ISP box also uses an IPv6 in that same network - it's the gateway IPv6 of my pfSense : it could have been ;

but no, it's using

( ok why not)
A bit like assigning a LAN IPv4 on your WAN with a /32 : that won't work either.
-
@Gertjan said in Comcast IPv6 working on Linux clients, but not Windows clients:
I see that the WAN "Subnet mask IPv6" is 128 .
That is, imho, problematic.
The WAN interface IP is (also) part of a prefix, a /64 network.
As my pfSense is the only device connected to my ISP router, it uses just one IPv6 out of the 2^64 available IPv6 addresses (what a waste ^^). My ISP box also uses an IPv6 in that same network - it's the gateway IPv6 of my pfSense : it could have been ;
That's entirely normal. The /128 address is used only to provide an address for the interface. It is not used for traffic passing through pfSense. There's a /64 unique local address for that.
BTW, a LAN, any LAN, is normally a /64. Anything else would break things like SLAAC. This also applies to the WAN interface. The exception would be things like point to point links.
-
@Gertjan
Thank you !
Good to know what to expect when it's working. However, the fact that you only have a single device connected to pfSense may mean that it isn't a fully working configuration. Is that device a Windows machine using Prefix delegation, or Linux system using SLAAC ? Or something else ?
A /128 might work if you have a single client device connected, but not for multiple devices.
Could you please take a look at "Status / DHCP6 leases" ?
I have many "Address leases" under that screen. But nothing under "Prefix delegation leases".

-
Thanks. For some reason, after rebooting my equipment, the WAN subnet is now showing 128 today instead of 64 yesterday. I have no idea why this changed.
A couple even weirder things :
- After rebooting all network equipment, a couple of Windows systems did have working IPv6 initially, about 5 minutes after booting up. Then, subsequently, IPv6 stopped working for them, as reported in my OP.
Linux systems all have IPv6 working at all times, presumably due to using SLAAC.
- I spent some time bypassing pfSense altogether yesterday, switching the Comcast XB8 from bridge mode to router mode. I had to change the IPv4 subnet from a /24 to /16 - nothing offered in between by Comcast.
The Xfinity network information showed that there was a /60 assigned for IPv6.
Even then, I observed the same random behavior with Windows systems - some with working IPv6, some not. But it did not last.
I'm going to take another stab at bypassing pfSense. Maybe even factory reset the XB8.
I can also temporarily turn off my Wifi APs and reduce the client device count from 350 down to less than 50, to fit within a more standard IPv4 /24.
If none of this works consistently, it looks like I need to reach out to Comcast.
-
@madbrain Most cable modems use 192.168.100.1 with a subnet of /24. You are kinda asking for trouble if you use the same for your LAN... Although I know that Comcast uses 10.x.x.x for some of their commercial gateways..
just FYI
-
Most routers I have used before default to 192.168.1.1, not 192.168.100.1, which is what I have set for pfSense.
The XB8 gateway defaults to 10.0.0.1 with a /24. I confirmed that is the default after doing a factory reset. I was also able to change it to a /16, and my LAN functioned fine with IPv6 for all clients, both Windows and Linux. No inconsistent behavior.
When setting the XB8 to bridge mode, its web admin UI continues to be accessible at 10.0.0.1 . However, once I switched to using pfSense as router, the problem with Windows clients not having IPv6 occurred again. The weird thing is that it worked fine for one Windows client in the first few minutes after pfSense and router booted up. Then it stopped working shortly after when I repeated the test a few minutes later. While it worked, I looked at status / DHCPv6 leases, and there were no Prefix delegation leases.
So, the issue appears to be specific to pfSense. Not sure what setting it could be that's breaking it.
Here is what the XB8 admin UI shows for the "Xfinity network" page. It looks like it's using a /60 .

-
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
Most routers I have used before default to 192.168.1.1, not 192.168.100.1, which is what I have set for pfSense.
Yep.. Routers.. not cable modems.. The GUI for most stand alone cable modems (no included router) such as the Motorola MB8611 or Arris Surfboard line and others will use 192.168.100.1 as their log in and give your device behind it an address in the 192.168.100.0/24 subnet so you can log in while it is not online. Even after you are online that subnet can cause issues if you are using those modems.. But since you are using the dreaded Comcast gateway you should be safe... Just wanted to rule that out for you.
-
@chpalmer Thanks. I once had an MB8600, and SB8200. I don't remember what IP they used. I kept getting major but intermittent problems on my cable line - lots of packet loss and disconnects. Comcast always blamed my modem for the problems, and wouldn't fix it. They claim they couldn't monitor the line. It went on for many months, and I just couldn't get them to do anything. One day I gave up, sold my modems, and leased their gateway. Finally, they did fix it. My home is at the very end of the cable line on top of a hill. It is frequently affected by whatever Comcast does on their network. Comcast claims they cannot remotely monitor error statistics from 3rd party modems, but they can do so for their own modems/gateways. They also keep installing non-UV resistant cable on the front of my home in the hot California sun, which they have replaced at least 3 times in the last 15 years. SMH.
The other reason why I have the XB8 is for the unlimited data plan. I believe they charge an extra $30/month for unlimited data if you use a third party modem. That is a pretty big extra expense, on top of the purchase cost of the modem itself. But the overwhelming reason I keep their gateway is because I don't want them to be able to blame my equipment again for their line problems, which are likely to happen again.
-
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
A /128 might work if you have a single client device connected, but not for multiple devices.
No. You'd still need 2 addresses. The /128 can only be reached by routing through pfSense. As I mentioned, it's only for identifying the interface. It would be used for things like pinging the interface, connecting a VPN, etc..
-
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
top of a hill
Yeah, it's hard to get the bits up that hill!

-
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
However, the fact that you only have a single device connected to pfSense may mean that it isn't a fully working configuration
'behind pfSense' : I said Comcast IPv6 working on Linux clients, but not Windows clients:
As my pfSense is the only device connected to my ISP route
So my ISP 'fiber' router has only one (1) LAN client device : pfSense.
pfSense has loads of devices connected over using 3 LANs.
@JKnott said in Comcast IPv6 working on Linux clients, but not Windows clients:
The /128 address is used only to provide an address for the interface. It is not used for traffic passing through pfSense. There's a /64 unique local address for that.
The fe80.... I guess. Thanks for the info.
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
I have many "Address leases" under that screen. But nothing under "Prefix delegation leases".
pfSense would lease out 'entire' prefixes if you have a DHCPv6 capable router on a pfSense LAN.
This router would have a IPv6 address on it's WAN side.
And would typically ask for an /64 prefix for every LAN it has. Exactly like pfSense does.
The pfSense DHCPv6 would not only handle IPv6 leases, out of one prefix pool :
It also has to be set up to have a 'pool' of available prefixes, so it can give these /64 to any downstream 'sub routers' :

pfSense handling the delegation of prefixes is ... afaik, a very rare situation.
Are you sure you want to "Prefix delegation leases" with pfSense ?
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
After rebooting all network equipment, a couple of Windows systems did have working IPv6 initially, about 5 minutes after booting up. Then, subsequently, IPv6 stopped working for them, as reported in my OP.
No need to keep the 'not working' state.
Ask your system why ?!
Type
ipconfig /all
and you can see for yourself :
IPv6 Adress. . . . . . . . . . . . . .: 2a01:cb19:907:a6e2::c7(prefered)
How long does the DHCPv6 last ?
Answer :
netsh interface ipv6 show addresses
For example :
Dhcp Prefered 5h14m22s 2h25m37s 2a01:cbxx:xx7:a6e2::c7
so my lease stays valid for 314 minutes and 22 seconds. If all goes well, it (Windows) will renew this lease before this lease expires **.
On the pfSense side, the same lease :

Take note : I'm only using DHCPv6 for my network LAN network, as all these devices are 'known' to me, these are mostly all IPv6 capable devices. All devices have a 'static DUID DHCPv6' setup.
**
Something that annoys me for, not sure, months now, maybe a bit more than a year (since kea ?) :
It happens that Windows devices do not, for some reason, renew their IPv6 lease in time. The IPv6 becomes "deprecated" as the lease time expires.
Why the dhcpv6 client daemon doesn't renew in time, I can't tell.
A quick
ipconfig /renew6
on that Microsoft device will deal with it, but still, this is awkward.
The lease times on the pfSense side :

or 2 hours if the client didn't specify a lease duration.
and 24 hours or 1440 minutes maximum.
When I :
ipconfig /renew6
right now, I see :
Dhcp Prefered 7h29m56s 4h41m11s 2a01:cbxx:xx7:a6e2::c7
or 7h30 or 450 minutes or 27000 seconds.
@madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:
If none of this works consistently, it looks like I need to reach out to Comcast.
Who handles the DHCPv6 in front of pfSense ?
The ISP box at your place ?
Further above ?
Do you see this in the pfSense DHCP log :
which tells me the DHCPv6 pfSense WAN IP has a lease time of 10 minutes.
The pfSense DHCPv6 WAN client renews every 300 seconds or 5 minutes.
Afaik, the prefixes are also renewed at that time. And hopefully, they 'stay the same' ^^ - mine always stay the same, as I can see them allocated to pfSense in my ISP router.
-
Thank you very much for this. I had not checked the "Primary address pool" section. This is what it shows.

The UI is slightly different, possibly because I'm on pfSense+. But I believe the settings are the same.
I'm typing this on a Windows machine on which IPv6 is currently working. Your netsh command shows this :
Interface 12: Ethernet 4

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Dhcp       Preferred      1h26m7s      41m7s 2601:646:8200:xxxx::xxxx
Temporary  Preferred    23h56m33s   3h56m33s 2601:646:8200:xxxx:xxxx:xxxx:xxxx
Public     Preferred    23h56m33s   3h56m33s 2601:646:8200:xxxx:xxxx:xxxx:xxxx:xxxx
Other      Preferred     infinite   infinite fe80::xxxx:xxxx:xxxx:xx%xx

I don't have any static mapping for DHCPv6 clients. How did you add them ?
It seems like a ton of work to manually enter a DUID and IPv6 address for each of my devices. I wouldn't know the right value to enter. I'm not even certain how many of the 350 support IPv6 or not. Can this really not be made to work automatically ?
Simultaneously, on another Windows host on the same LAN, test-ipv6 is not working. The netsh command on that box shows :

Interface 18: Ethernet 3

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Dhcp       Preferred     1h30m55s     45m55s 2601:646:8200:xxxx::xxxx
Public     Preferred    23h53m23s   3h53m23s 2601:646:8200:xxxx:xxxx:xxxx:xxxx:xxxx
Temporary  Preferred    23h53m23s   3h53m23s 2601:646:8200:xxxx:xxxx:xxxx:xxxx:xxxx
Other      Preferred     infinite   infinite fe80::xxxx:xxxx:xxxx:xxx%xx

I'm not seeing a lot of difference in the format of those addresses between the 2 boxes. The non-working one has a longer "temporary" IPv6 address than the working one.
As far as I know, the interfaces are configured identically on both machines as far as protocol settings.
Working box :

Non-working box :

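Added example, not part of any post in this thread: a small Python parser for the `netsh interface ipv6 show addresses` output discussed above. It converts the lifetimes to seconds and flags addresses that are no longer Preferred or whose preferred lifetime is nearly used up, so a working and a non-working host can be compared over time. The sample output is constructed with the 2001:db8::/32 documentation prefix, and the function names and the 600-second default threshold are assumptions.

```python
import re

# Constructed sample in the layout of `netsh interface ipv6 show addresses`
# (documentation prefix 2001:db8::/32; not taken from any host in the thread).
SAMPLE = """\
Interface 12: Ethernet 4

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Dhcp       Preferred      1h26m7s      41m7s 2001:db8:1:2::c7
Temporary  Deprecated   23h56m33s         0s 2001:db8:1:2:aaaa:bbbb:cccc:dddd
Public     Preferred    23h56m33s   3h56m33s 2001:db8:1:2:1111:2222:3333:4444
Other      Preferred     infinite   infinite fe80::1111:2222:3333:4444%12
"""

# A data row has exactly five columns and the last one contains a colon;
# this skips the "Interface" line, the two-word column header and the dashes.
ROW = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S*:\S*)$")
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def lifetime_seconds(text):
    """Convert a netsh lifetime such as '5h14m22s' to seconds."""
    if text == "infinite":
        return float("inf")
    parts = re.findall(r"(\d+)([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_addresses(output):
    """Return one dict per address row of the netsh table."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind, state, valid, pref, addr = m.groups()
            rows.append({"type": kind, "state": state, "address": addr,
                         "valid": lifetime_seconds(valid),
                         "preferred": lifetime_seconds(pref)})
    return rows

def needs_attention(rows, min_preferred=600):
    """Rows that are not Preferred, or whose preferred lifetime is below the threshold."""
    return [r for r in rows
            if r["state"] != "Preferred" or r["preferred"] < min_preferred]

if __name__ == "__main__":
    for r in needs_attention(parse_addresses(SAMPLE)):
        print(r["type"], r["state"], r["preferred"], r["address"])
```

Feeding it the saved output of the command at intervals shows whether the Dhcp address on a Windows client is renewed before its preferred lifetime runs out.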