Netgate Discussion Forum

    Comcast IPv6 working on Linux clients, but not Windows clients

    • GertjanG Offline
      Gertjan @madbrain
      last edited by

      @madbrain

      Another (probably not related) IPv4 question :

      19a2b658-63f0-477e-9f72-a6defc689717-image.png

      What is the not-shown mask ?
      Not /24 ? You need more than 255 LAN devices ?

      ba123516-e500-4948-a9a9-7fd108876193-image.png

      You use PPPoE ? If not, check here.

      The rest : all your IPv6 settings are identical to mine.
      Not using Comcast though, but a French ISP.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      M 2 Replies Last reply Reply Quote 0
      • M Offline
        madbrain @Gertjan
        last edited by

        @Gertjan sorry about the missing mask. It is /22 . And yes, I do have more than 255 LAN devices. About 350. 2/3 being smart light bulbs.

        I am not aware that Comcast uses PPPoE.

        1 Reply Last reply Reply Quote 0
        • JKnottJ Offline
          JKnott @madbrain
          last edited by

          @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

          I am not sure which "Add" button you mean.

          Sorry, my mistake. I thought I was looking at your WAN config.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          1 Reply Last reply Reply Quote 0
          • M Offline
            madbrain @Gertjan
            last edited by

            @Gertjan
            Since you have a working IPv6 config with your ISP, could you tell me what the Status / Interfaces screen looks like ? In particular, is there any mention of a Prefix ?

            Mine has no mention of it. I see that the WAN "Subnet mask IPv6" is 128 .
            And LAN "Subnet mask IPv6" is 64 .

            96a4fd12-c110-4091-8edc-6417e73df8ab-image.png

            Thanks in advance.

            GertjanG 1 Reply Last reply Reply Quote 0
            • GertjanG Offline
              Gertjan @madbrain
              last edited by

              @madbrain

              Sure :

              98c6f1c4-2cd5-427a-bf91-424702393b3b-image.png

              My WAN IPv6 sub net mask is (also) /64.

              @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

              I see that the WAN "Subnet mask IPv6" is 128 .

              That is, imho, problematic.
              The WAN interface IP is (also) part of a prefix, a /64 network.
              As my pfSense is the only device connected to my ISP router, it uses just one IPv6 out of the 2^64 available IPv6 addresses (what a waste ^^). My ISP box also uses an IPv6 in that same network - it's the gateway IPv6 of my pfSense : it could have been ;
              d3e856ef-bd94-4f5d-acc4-a9516d3fff1a-image.png
              but no, it's using
              d46342b8-f939-4361-bf2b-7ac2d7f0a2c9-image.png
              ( ok why not)

              A bit like assigning a LAN IPv4 on your WAN with a /32 : that won't work either.


              JKnottJ M 2 Replies Last reply Reply Quote 0
              • JKnottJ Offline
                JKnott @Gertjan
                last edited by

                @Gertjan said in Comcast IPv6 working on Linux clients, but not Windows clients:

                I see that the WAN "Subnet mask IPv6" is 128 .

                That is, imho, problematic.
                The WAN interface IP is (also) part of a prefix, a /64 network.
                As my pfSense is the only device connected to my ISP router, it uses just one IPv6 out of the 2^64 available IPv6 addresses (what a waste ^^). My ISP box also uses an IPv6 in that same network - it's the gateway IPv6 of my pfSense : it could have been ;

                That's entirely normal. The /128 address is used only to provide an address for the interface. It is not used for traffic passing through pfSense. There's a /64 unique local address for that.

                BTW, a LAN, any LAN, is normally a /64. Anything else would break things like SLAAC. This also applies to the WAN interface. The exception would be things like point to point links.


                M 1 Reply Last reply Reply Quote 1
                • M Offline
                  madbrain @Gertjan
                  last edited by

                  @Gertjan
                  Thank you !

                  Good to know what to expect when it's working. However, the fact that you only have a single device connected to pfSense may mean that it isn't a fully working configuration. Is that device a Windows machine using Prefix delegation, or Linux system using SLAAC ? Or something else ?

                  A /128 might work if you have a single client device connected, but not for multiple devices.

                  Could you please take a look at "Status / DHCP6 leases" ?

                  I have many "Address leases" under that screen. But nothing under "Prefix delegation leases".

                  2fd6add6-481b-42ec-adff-e4793ecc576e-image.png

                  JKnottJ GertjanG 2 Replies Last reply Reply Quote 0
                  • M Offline
                    madbrain @JKnott
                    last edited by

                    @JKnott

                    Thanks. For some reason, after rebooting my equipment, the WAN subnet is now showing 128 today instead of 64 yesterday. I have no idea why this changed.

                    A couple even weirder things :

                    1. After rebooting all network equipment, a couple of Windows systems did have working IPv6 initially, about 5 minutes after booting up. Then, subsequently, IPv6 stopped working for them, as reported in my OP.

                    Linux systems all have IPv6 working at all times, presumably due to using SLAAC.

                    2. I spent some time bypassing pfSense altogether yesterday, switching the Comcast XB8 from bridge mode to router mode. I had to change the IPv4 subnet from a /24 to /16 - nothing offered in between by Comcast.

                    The Xfinity network information showed that there was a /60 assigned for IPv6.

                    Even then, I observed the same random behavior with Windows systems - some with working IPv6, some not. But it did not last.

                    I'm going to take another stab at bypassing pfSense. Maybe even factory reset the XB8.

                    I can also temporarily turn off my Wifi APs and reduce the client device count from 350 down to less than 50, to fit within a more standard IPv4 /24.

                    If none of this works consistently, it looks like I need to reach out to Comcast.

                    chpalmerC M 2 Replies Last reply Reply Quote 0
                    • chpalmerC Offline
                      chpalmer @madbrain
                      last edited by

                      @madbrain Most cable modems use 192.168.100.1 with a subnet of /24. You are kinda asking for trouble if you use the same for your LAN... Although I know that Comcast uses 10.x.x.x for some of their commercial gateways..

                      just FYI

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                      M 1 Reply Last reply Reply Quote 0
                      • M Offline
                        madbrain @madbrain
                        last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • M Offline
                          madbrain @chpalmer
                          last edited by

                          @chpalmer

                          Most routers I have used before default to 192.168.1.1, not 192.168.100.1, which is what I have set for pfSense.

                          The XB8 gateway defaults to 10.0.0.1 with a /24. I confirmed that is the default after doing a factory reset. I was also able to change it to a /16, and my LAN functioned fine with IPv6 for all clients, both Windows and Linux. No inconsistent behavior.

                          When setting the XB8 to bridge mode, its web admin UI continues to be accessible at 10.0.0.1 . However, once I switched to using pfSense as router, the problem with Windows clients not having IPv6 occurred again. The weird thing is that it worked fine for one Windows client in the first few minutes after pfSense and router booted up. Then it stopped working shortly after when I repeated the test a few minutes later. While it worked, I looked at status / DHCPv6 leases, and there were no Prefix delegation leases.

                          So, the issue appears to be specific to pfSense. Not sure what setting it could be that's breaking it.

                          Here is what the XB8 admin UI shows for the "Xfinity network" page. It looks like it's using a /60 .

                          181778d9-d89f-4e62-9010-29bab0a68a0b-image.png

                          chpalmerC 1 Reply Last reply Reply Quote 0
                          • chpalmerC Offline
                            chpalmer @madbrain
                            last edited by

                            @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                            @chpalmer

                            Most routers I have used before default to 192.168.1.1, not 192.168.100.1, which is what I have set for pfSense.

                            Yep.. Routers.. not cable modems.. The GUI for most stand alone cable modems (no included router) such as the Motorola MB8611 or Arris Surfboard line and others will use 192.168.100.1 as their log in and give your device behind it an address in the 192.168.100.0/24 subnet so you can log in while it is not online. Even after you are online that subnet can cause issues if you are using those modems.. But since you are using the dreaded Comcast gateway you should be safe... Just wanted to rule that out for you.


                            M 1 Reply Last reply Reply Quote 0
                            • M Offline
                              madbrain @chpalmer
                              last edited by madbrain

                              @chpalmer Thanks. I once had an MB8600, and SB8200. I don't remember what IP they used. I kept getting major but intermittent problems on my cable line - lots of packet loss and disconnects. Comcast always blamed my modem for the problems, and wouldn't fix it. They claim they couldn't monitor the line. It went on for many months, and I just couldn't get them to do anything. One day I gave up, sold my modems, and leased their gateway. Finally, they did fix it. My home is at the very end of the cable line on top of a hill. It is frequently affected by whatever Comcast does on their network. Comcast claims they cannot remotely monitor error statistics from 3rd party modems, but they can do so for their own modems/gateways. They also keep installing non-UV resistant cable on the front of my home in the hot California sun, which they have replaced at least 3 times in the last 15 years. SMH.

                              The other reason why I have the XB8 is for the unlimited data plan. I believe they charge an extra $30/month for unlimited data if you use a third party modem. That is a pretty big extra expense, on top of the purchase cost of the modem itself. But the overwhelming reason I keep their gateway is because I don't want them to be able to blame my equipment again for their line problems, which are likely to happen again.

                              JKnottJ 1 Reply Last reply Reply Quote 1
                              • JKnottJ Offline
                                JKnott @madbrain
                                last edited by

                                @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                A /128 might work if you have a single client device connected, but not for multiple devices.

                                No. You'd still need 2 addresses. The /128 can only be reached by routing through pfSense. As I mentioned, it's only for identifying the interface. It would be used for things like pinging the interface, connecting a VPN, etc..


                                1 Reply Last reply Reply Quote 0
                                • JKnottJ Offline
                                  JKnott @madbrain
                                  last edited by

                                  @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                  top of a hill

                                  Yeah, it's hard to get the bits up that hill! 😉


                                  1 Reply Last reply Reply Quote 0
                                  • GertjanG Offline
                                    Gertjan @madbrain
                                    last edited by

                                    @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                    However, the fact that you only have a single device connected to pfSense may mean that it isn't a fully working configuration

                                    'behind pfSense' : I said Comcast IPv6 working on Linux clients, but not Windows clients:

                                    As my pfSense is the only device connected to my ISP route

                                    So my ISP 'fiber' router has only one (1) LAN client device : pfSense.
                                    pfSense has loads of devices connected over using 3 LANs.

                                    @JKnott said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                    The /128 address is used only to provide an address for the interface. It is not used for traffic passing through pfSense. There's a /64 unique local address for that.

                                    The fe80.... I guess. Thanks for the info.

                                    @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                    I have many "Address leases" under that screen. But nothing under "Prefix delegation leases".

                                    pfSense would lease out 'entire' prefixes if you have a DHCPv6 capable router on a pfSense LAN.
                                    This router would have an IPv6 address on its WAN side.
                                    And would typically ask for a /64 prefix for every LAN it has. Exactly like pfSense does.
                                    The pfSense DHCPv6 would not only handle IPv6 leases, out of one prefix pool :

                                    2d672f8b-16f3-4c6b-a9b6-22a2000dcbe8-image.png

                                    It also has to be set up to have a 'pool' of available prefixes, so it can give these /64 to any downstream 'sub routers' :
                                    d5639f12-7997-42a6-a7a6-a40031bf6600-image.png

                                    pfSense handling the delegation of prefixes is ... afaik, a very rare situation.
                                    Are you sure you want to "Prefix delegation leases" with pfSense ?

                                    @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                    After rebooting all network equipment, a couple of Windows systems did have working IPv6 initially, about 5 minutes after booting up. Then, subsequently, IPv6 stopped working for them, as reported in my OP.

                                    No need to keep the 'not working' state.
                                    Ask your system why ?!
                                    Type

                                    ipconfig /all
                                    

                                    and you can see for yourself :

                                       IPv6 Adress. . . . . . . . . . . . . .: 2a01:cb19:907:a6e2::c7(prefered)
                                    

                                    How long does the DHCPv6 last ?
                                    Answer :

                                    netsh interface ipv6 show addresses
                                    

                                    For example :

                                    Dhcp       Prefered   5h14m22s   2h25m37s 2a01:cbxx:xx7:a6e2::c7
                                    

                                    so my lease stays valid for 314 minutes and 22 seconds. If all goes well, it (Windows) will renew this lease before this lease expires **.

                                    On the pfSense side, the same lease :

                                    eadd4688-9f79-4864-a392-927a344b16c6-image.png

                                    Take note : I'm only using DHCPv6 for my network LAN network, as all these devices are 'known' to me, these are mostly all IPv6 capable devices. All devices have a 'static DUID DHCPv6' setup.


                                    **
                                    Something that annoys me for, not sure, months now, maybe a bit more than a year (since kea ?) :
                                    It happens that Windows devices do not, for some reason, renew their IPv6 lease in time. The IPv6 becomes "deprecated" as the lease time expires.
                                    Why the dhcpv6 client daemon doesn't renew in time, I can't tell.
                                    A quick

                                    ipconfig /renew6
                                    

                                    on that Microsoft device will deal with it, but still, this is awkward.

                                    The lease times on the pfSense side :

                                    e097a1dc-fc06-47d3-a7e2-73ebcf44d044-image.png

                                    or 2 hours if the client didn't specify a lease duration.
                                    and 24 hours or 1440 minutes maximum.

                                    When I :

                                    ipconfig /renew6
                                    

                                    right now, I see :

                                    Dhcp       Prefered  7h29m56s   4h41m11s 2a01:cbxx:xx7:a6e2::c7
                                    

                                    or 7h30 or 450 minutes or 27000 seconds.

                                    @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                    If none of this works consistently, it looks like I need to reach out to Comcast.

                                    Who handles the DHCPv6 in front of pfSense ?
                                    The ISP box at your place ?
                                    Further above ?
                                    Do you see this in the pfSense DHCP log :

                                    95fc707f-8e48-423a-8882-13e348e273b3-image.png

                                    which tells me the DHCPv6 pfSense WAN IP has a lease time of 10 minutes.
                                    The pfSense DHCPv6 WAN client renews every 300 seconds or 5 minutes.
                                    Afaik, the prefixes are also renewed at that time. And hopefully, they 'stay the same' ^^ - mine always stay the same, as I can see them allocated to pfSense in my ISP router.


                                    M 2 Replies Last reply Reply Quote 1
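The lease lifetimes discussed in the post above can be checked from a saved copy of the `netsh interface ipv6 show addresses` output. This is an added example, not code from the thread: the sample output is constructed, it uses the 2001:db8:: documentation prefix, and the 10-minute threshold and the optional day field in lifetimes are assumptions.

```python
import re
from dataclasses import dataclass

# Lifetimes look like "5h14m22s" or "41m7s"; the day field is an assumption
# for lifetimes longer than 24 hours.
_LIFE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_life(text: str) -> float:
    """Convert a netsh lifetime to seconds ('infinite' becomes inf)."""
    if text.lower() == "infinite":
        return float("inf")
    m = _LIFE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised lifetime: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return float(d * 86400 + h * 3600 + mi * 60 + s)


@dataclass
class Address:
    addr_type: str   # Dhcp, Public, Temporary, Other ...
    dad_state: str   # Preferred, Deprecated ...
    valid_s: float
    pref_s: float
    address: str


def parse_netsh(output: str) -> list:
    """Parse the address table; header, separator and interface lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or set(parts[0]) == {"-"}:
            continue
        try:
            rows.append(Address(parts[0], parts[1], parse_life(parts[2]),
                                parse_life(parts[3]), parts[4]))
        except ValueError:
            continue  # a 5-word line that is not an address row
    return rows


def dhcp_renew_candidates(rows, min_pref_s: float = 600):
    """DHCPv6 addresses that are no longer preferred, or are about to stop being so."""
    return [r for r in rows
            if r.addr_type == "Dhcp"
            and (r.dad_state != "Preferred" or r.pref_s < min_pref_s)]


# Constructed sample: a host whose DHCPv6 lease was not renewed in time.
STALE = """\
Interface 12: Ethernet 4

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Dhcp       Deprecated      55m10s         0s 2001:db8:0:1::c7
Public     Preferred    23h56m33s   3h56m33s 2001:db8:0:1:1111:2222:3333:4444
Other      Preferred     infinite   infinite fe80::1111:2222:3333:4444%12
"""

# Constructed sample: a healthy host with the same layout.
HEALTHY = """\
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Dhcp       Preferred      1h26m7s      41m7s 2001:db8:0:1::c8
Other      Preferred     infinite   infinite fe80::5555:6666:7777:8888%12
"""

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("healthy", HEALTHY)):
        flagged = dhcp_renew_candidates(parse_netsh(sample))
        print(name, [(r.address, r.dad_state, r.pref_s) for r in flagged])
```

A host that shows up in the flagged list is one where `ipconfig /renew6` is worth trying, and where the pfSense DHCP log around that time is worth reading.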
                                    • M Offline
                                      madbrain @Gertjan
                                      last edited by madbrain

                                      @Gertjan

                                      Thank you very much for this. I had not checked the "Primary address pool" section. This is what it shows.

                                      bee622ae-b55c-4ee1-a654-d8f180934589-image.png

                                      The UI is slightly different, possibly because I'm on pfSense+. But I believe the settings are the same.

                                      I'm typing this on a Windows machine on which IPv6 is currently working. Your netsh command shows this :

                                      Interface 12: Ethernet 4
                                      
                                      Addr Type  DAD State   Valid Life Pref. Life Address
                                      ---------  ----------- ---------- ---------- ------------------------
                                      Dhcp       Preferred      1h26m7s      41m7s 2601:646:8200:xxxx::xxxx
                                      Temporary  Preferred    23h56m33s   3h56m33s 2601:646:8200:xxxx:xxxx:xxxx:xxxx
                                      Public     Preferred    23h56m33s   3h56m33s 2601:646:8200:xxxx:xxxx:xxxx:xxxx:xxxx
                                      Other      Preferred     infinite   infinite fe80::xxxx:xxxx:xxxx:xx%xx
                                      

                                      I don't have any static mapping for DHCPv6 clients. How did you add them ?
                                      It seems like a ton of work to manually enter a DUID and IPv6 address for each of my devices. I wouldn't know the right value to enter. I'm not even certain how many of the 350 support IPv6 or not. Can this really not be made to work automatically ?

                                      Simultaneously, on another Windows host on the same LAN, test-ipv6 is not working. The netsh command on that box shows :

                                      Interface 18: Ethernet 3
                                      
                                      Addr Type  DAD State   Valid Life Pref. Life Address
                                      ---------  ----------- ---------- ---------- ------------------------
                                      Dhcp       Preferred     1h30m55s     45m55s 2601:646:8200:xxxx::xxxx
                                      Public     Preferred    23h53m23s   3h53m23s 2601:646:8200:xxxx:xxxx:xxxx:xxxx:xxxx
                                      Temporary  Preferred    23h53m23s   3h53m23s 2601:646:8200:xxxx:xxxx:xxxx:xxxx:xxxx
                                      Other      Preferred     infinite   infinite fe80::xxxx:xxxx:xxxx:xxx%xx
                                      

                                      I'm not seeing a lot of difference in the format of those addresses between the 2 boxes. The non-working one has a longer "temporary" IPv6 address than the working one.

                                      As far as I know, the interfaces are configured identically on both machines as far as protocol settings.

                                      Working box :

                                      264bb5cb-5be1-4cb9-a922-0b7532897395-image.png

                                      Non-working box :

                                      a2056d2e-84fc-49b0-9cf5-1c5f93a1520e-image.png

                                      GertjanG 1 Reply Last reply Reply Quote 0
                                      • M Offline
                                        madbrain @Gertjan
                                        last edited by

                                        @Gertjan

                                        To answer the other questions - who handles the upstream DHCPv6 - I believe it's the ISP, outside my home, not the box itself.

                                        I'm still using ISC - not KEA. I tried to switch to KEA last year, and lots of things broke, especially Plex.

                                        I tried earlier today also, and pfSense very weirdly went to a non-booting state. My COMCAST interface got renamed to WAN. Another NIC that I used for another ISP in the past started showing up as enabled again in the boot messages. I was able to restore a backup. I'm not sure why KEA would mess up so bad.

                                        I'm not seeing any messages from dhcp6c except this:

                                        Nov 5 18:19:03 rtsold 57093 RTSOLD Lock in place - sending SIGHUP to dhcp6c

                                        1 Reply Last reply Reply Quote 0
                                        • GertjanG Offline
                                          Gertjan @madbrain
                                          last edited by Gertjan

                                          @madbrain said in Comcast IPv6 working on Linux clients, but not Windows clients:

                                          I don't have any static mapping for DHCPv6 clients. How did you add them ?

                                          DHCPv4 : you know how it works : get the MAC of the device, and create a "static MAC" entry :

                                          84443b65-428e-40e7-95f3-5bbe0fbc1dca-image.png

                                          and done.
                                          This device will from now on always have the same IPv4 on my LAN network : 192.168.1.6.
                                          As I don't add/remove/change a lot of hardware, maybe one or two devices a year, this is easy to maintain. It also gives me a list of all known devices in my network.
                                          So, if a device connects to my (company) LAN that uses a lease out of the DHCPv4 'pool' I know I have a new device - and that is a security question (for me). Shall I accept it, and give it its own reserved static IPv4, or is it just some occasional device ?
                                          I do have another network, a captive portal, for all the devices that are visiting my company, a hotel.

                                          Now, for DHCPv6 : it's all the same, with one exception : MACs can't be used anymore, as devices can have more than one IPv6.
                                          So the DUID was invented.
                                          As shown above, I use the DUID of every device to create static DHCPv6 leases for all my trusted LAN devices.
                                          If an IPv6 pops up that came from the pool - for me between :

                                          ba2ecb26-3dc7-4563-9594-964a2dc3e5d4-image.png

                                          then I have the same decision to make : a new device entered my LAN network : shall I add it for good, or was it just a temporary connection ?

                                          When I look at my Status > DHCPv6 Leases page, I can see right away that there are no unknown devices, using IPv6, in my network. (the same is valid for Status > DHCP Leases ).
                                          Remember : devices on your LAN won't be protected by pfSense.

                                          Making static leases for known LAN devices also gives you a nice list of all your equipment in one place. No need to deal with 'IP' on any devices anymore. Leave them all on the default 'DHCP' mode, and done.
                                          Another advantage : I can choose the host name of all my devices in one place.

                                          edit :
                                          I've switched to kea last year, and never came back. Some 'minor' issues existed back then, but nothing mission critical that broke.
                                          These days, with "25.07.1", it is good enough for me.

                                          Beware that I can't compare kea with ISC.
                                          You might also be dealing with old ISC IPV6 bugs (that won't get fixed anymore).
                                          I deal with the new bugs - that are discussed here on the forum - and will get fixed ;)
                                          That said, IPv6, when I was using ISC, was working well enough for me. With kea it also works well (now).


                                          M 2 Replies Last reply Reply Quote 0
                                          • M Offline
                                            madbrain @Gertjan
                                            last edited by madbrain

                                            @Gertjan I already have DHCPv4 reservations for all 350 IP devices I own, along with custom hostnames. The pace of adding and removing devices in my home is much more rapid - usually a couple each month.

                                            For DHCPv6, I see only a grand total of 16 leases. It just can't be that only 16 out of the 350 support IPv6. It is difficult to identify which DUID corresponds to which piece of hardware. It looks like the MAC is embedded into the DUID. The DUID is variable-length, though. I found the entry for my currently working desktop PC. It has the MAC of the Aquantia NIC as the last 12 hex digits of the DUID. The IPv6 address shown corresponds to the "IPv6 address" from ipconfig on that system.

                                            For the other non-working Windows system, I can't find any corresponding entry under leases.

                                            I'm going to take a look at the remainder of the DHCPv6 leases, since there are so few of them, and try to figure out what they are.

                                            1 Reply Last reply Reply Quote 0
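The last two posts raise the same task from both sides: matching DHCPv6 leases to known hardware by DUID, and spotting leases that belong to no known device. The sketch below is an added example, not code from the thread or from pfSense. It decodes the DUID layouts defined in RFC 8415 section 11 and looks the embedded MAC up in an inventory; the lease list, the inventory, the colon-separated hex notation and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# DUID type codes from RFC 8415, section 11.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
HW_ETHERNET = 1  # IANA hardware type for Ethernet


@dataclass
class Duid:
    kind: str
    mac: Optional[str]  # set only for DUID-LLT / DUID-LL carrying an Ethernet address


def parse_duid(text: str) -> Duid:
    """Decode a DUID written as hex, with or without ':' or '-' separators."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    dtype = int.from_bytes(raw[:2], "big")
    kind = DUID_TYPES.get(dtype, f"unknown-{dtype}")
    mac = None
    if dtype in (1, 3) and len(raw) >= 4:
        hw_type = int.from_bytes(raw[2:4], "big")
        # DUID-LLT: type(2) hw(2) time(4) link-layer address
        # DUID-LL : type(2) hw(2) link-layer address
        link_layer = raw[8:] if dtype == 1 else raw[4:]
        if hw_type == HW_ETHERNET and len(link_layer) == 6:
            mac = ":".join(f"{b:02x}" for b in link_layer)
    return Duid(kind, mac)


def triage(leases, inventory):
    """leases: (duid, ipv6) pairs; inventory: MAC -> hostname, e.g. from DHCPv4 reservations.

    Returns (ipv6, duid kind, mac, hostname-or-None) for every lease.
    """
    report = []
    for duid_text, ipv6 in leases:
        duid = parse_duid(duid_text)
        host = inventory.get(duid.mac) if duid.mac else None
        report.append((ipv6, duid.kind, duid.mac, host))
    return report


def unknown_devices(report):
    """Leases that could not be tied to an inventory entry and need a manual look."""
    return [ipv6 for ipv6, _kind, _mac, host in report if host is None]


# Constructed sample data (documentation prefix 2001:db8::, made-up MACs).
LEASES = [
    ("00:01:00:01:2b:3c:4d:5e:00:11:22:33:44:55", "2001:db8:0:1::c7"),
    ("00:03:00:01:66:77:88:99:aa:bb", "2001:db8:0:1::1f0"),
    ("00:04:0f:1e:2d:3c:4b:5a:69:78:87:96:a5:b4:c3:d2:e1:f0", "2001:db8:0:1::2a4"),
]
INVENTORY = {"00:11:22:33:44:55": "desktop-pc"}

if __name__ == "__main__":
    for row in triage(LEASES, INVENTORY):
        print(row)
    print("unmatched:", unknown_devices(triage(LEASES, INVENTORY)))
```

A DUID-LLT or DUID-LL is generated once per host, so the MAC inside it can belong to a different interface than the one currently plugged in. DUID-EN and DUID-UUID carry no MAC at all and always end up in the unmatched list.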
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.