Comcast 6to4 how-to?
Does anyone have a 6to4 how-to for pfSense 2.1 on Comcast? How different is it from the He.net instructions? ( http://doc.pfsense.org/index.php/Using_IPv6_on_2.0 )
The 6to4 setup on Comcast can be fully automatic, as witnessed with an Apple Airport.
bmah last edited by
I don't see anything in the pfSense 2.1 UI that allows you to configure a 6to4 interface so I'm guessing it can't be done from the pfSense UI. (In "normal" FreeBSD you'd configure an interface of type stf.)
Note also that with 6to4, it doesn't matter if you're on Comcast or whatever ISP…6to4 is agnostic of your ISP. (This is also one of its downsides, in that the "quality" of IPv6 connectivity can depend on a 6to4 gateway neither you nor your ISP has any control over.) That was one of the motivations for 6RD, which is very similar to 6to4.
(FWIW Comcast is my ISP, and I just use a he.net tunnel.)
Comcast had 6RD relays until last June: http://www.comcast6.net/6rd-config.php
Now Comcast is pointing users in non-Dual Stack markets to its regional 6to4 relays: http://www.comcast6.net/6to4-config.php
The 6to4 auto-configuration works very well with some routers; it seems it should be as easy as (attached image) in pfSense as well, but that function (IPv6 over IPv4 tunneling) doesn't seem to do anything as far as I can tell.
bmah last edited by
I'm going to admit ignorance at this point, especially since I don't use 6to4 myself. I will point out that RFC 2893, which is mentioned in the UI, is a document on IPv6 transition mechanisms in general. I always thought that 6to4 was (is) RFC 3056. So color me confused!
6RD is something that some ISPs are rolling out and some time is spent on that.
Actual dual stack is the way forward and Comcast will be rolling that out. You can activate the DHCP6 client on your WAN if your area already supports this. I'm not sure how far the deployment on the Comcast side is.
Considered 6to4, never attempted it yet. Not tried to see what that field does either, I really should. It's not for 6to4 though.
Just a quick update, Comcast 6to4 now works after support was added to pfSense on April 1st. Using the instructions here: http://forum.pfsense.org/index.php/topic,47872.0.html
Comcast dual-stack is still only available in a few markets and mine (Portland, OR) is not one of them. Info here: http://www.comcast6.net/
FWIW, don't expect any blazing speeds from Comcast 6to4. Speed is much lower and latency is much higher than IPv4. See attached screenshots.
Thanks for the positive report on the 6to4 support!
Glad it works for you.
I was also trying to set this up on Comcast, and I've had a bit of trouble. The Status -> Gateway screen shows the connection is online, and I can ping the gateway IPv6 address from pfSense. None of my PCs are able to ping any IPv6 address, though it looks like IPv6 name resolution is working. At least, when I ping ipv6.google.com, the address is resolved with either no reply or destination unreachable. That may be cached on the computer, because I can't ping the same address from pfSense. I set up my connection with these instructions from another thread:
Select IPv6 configuration type "6to4" on the WAN.
Select IPv6 configuration type "Track interface" on the LAN.
Select the WAN interface here and a number instead of "none".
I had previously set up a SixXS tunnel, but I've deleted all those settings, just in case. I'm running the April 10th snapshot. This might be unrelated, but on a reboot, I get this crash log.

```
Crash report begins. Anonymous machine information:
i386
8.3-RELEASE
FreeBSD 8.3-RELEASE #1: Tue Apr 10 21:11:25 EDT 2012 root@FreeBSD_8.3_pfSense_2.1.snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8

Crash report details:
PHP Errors:
[11-Apr-2012 16:27:14 UTC] PHP Parse error: syntax error, unexpected '=' in - on line 42
```
I have a firewall rule set to allow all IPv6 traffic from the LAN. I'm really not sure where to look from here. Any ideas?
EDIT: I can now ping the Gateway IP of the IPv6 interface. I haven't changed anything. I'm not sure why that started working, but I still get Destination Unreachable for anything else. DNS appears to be resolving, but no other traffic is passed.
EDIT2: I figured out how to fix the problem. Turns out, the default route for IPv6 is never created. I can manually execute "/sbin/route -n add -inet6 default [Gateway IP]" and it starts working. Any idea why this is happening, or what I can do to stop it? This might be a clue:
php: : The command '/sbin/route change -inet6 default '2001:1938:80:1fb::1'' returned exit code '1', the output was 'route: writing to routing socket: No such process route: writing to routing socket: Network is unreachable change net default: gateway 2001:1938:80:1fb::1: Network is unreachable'
Also, for some reason the IPv4 gateway has disappeared from the webgui. I can still see it with netstat, and IPv4 still works. It's just not in the webgui under System -> Routing or Status -> Gateways.
sorry for not reporting earlier:
I tested with the April 9th snapshot and Comcast 6to4 was broken there as well (vs. April 2nd snapshot where it worked OK). Same issues as mrhanman.
Reverted back to April 2nd snapshot for now, since I see a lot of commits still happening to IPv6 handling code.
databeestje: I can flip back and forth between slices (April 2nd known-good vs. April 9th or later) if you need any data collected. Please let me know how I can help.
Thank you. I will check on this later.
The default gateway for IPv6 referenced above is not the standard 6to4 relay address.
Are you confused with 6rd?
The php error on line 42 from std input and not even a file makes this really weird.
I think the snap you have is broken. Just not sure what exactly.
OK, I'll try today's snapshot and let you know what is/isn't working.
Using the latest Snapshot: 2.1-DEVELOPMENT (i386) built on Fri Apr 13 00:07:05 EDT 2012
I can ping the IPv6 Gateway, but nothing beyond it.
```
[2.1-DEVELOPMENT][firstname.lastname@example.org]/root(1): ping6 2002:c058:6301::1
PING6(56=40+8+8 bytes) 2002:1815:7e8a:: --> 2002:c058:6301::1
16 bytes from 2002:c058:6301::1, icmp_seq=0 hlim=64 time=28.143 ms
16 bytes from 2002:c058:6301::1, icmp_seq=1 hlim=64 time=29.553 ms
16 bytes from 2002:c058:6301::1, icmp_seq=2 hlim=64 time=29.808 ms
16 bytes from 2002:c058:6301::1, icmp_seq=3 hlim=64 time=29.654 ms
16 bytes from 2002:c058:6301::1, icmp_seq=4 hlim=64 time=30.774 ms
^C
--- 2002:c058:6301::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 28.143/29.586/30.774/0.842 ms
[2.1-DEVELOPMENT][email@example.com]/root(2): ping6 ipv6.google.com
ping6: UDP connect: No route to host
```
Netstat shows no IPv6 default gateway
```
Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
2002::/16                         link#10                       U          stf0
2002:1815:7e8a::                  link#10                       UHS         lo0 =>
2002:1815:7e8a::/64               link#1                        U           vr0
2002:1815:7e8a::1                 link#1                        UHS         lo0
fe80::%vr0/64                     link#1                        U           vr0
fe80::20d:b9ff:fe24:7288%vr0      link#1                        UHS         lo0
fe80::%vr1/64                     link#2                        U           vr1
fe80::20d:b9ff:fe24:7289%vr1      link#2                        UHS         lo0
fe80::%vr2/64                     link#3                        U           vr2
fe80::20d:b9ff:fe24:728a%vr2      link#3                        UHS         lo0
fe80::%lo0/64                     link#7                        U           lo0
fe80::1%lo0                       link#7                        UHS         lo0
fe80::%ovpns1/64                  link#12                       U        ovpns1
fe80::2bd:f9ff:fe0a:1%ovpns1      link#12                       UHS         lo0
ff01::%vr0/32                     fe80::20d:b9ff:fe24:7288%vr0  U           vr0
ff01::%vr1/32                     fe80::20d:b9ff:fe24:7289%vr1  U           vr1
ff01::%vr2/32                     fe80::20d:b9ff:fe24:728a%vr2  U           vr2
ff01::%lo0/32                     ::1                           U           lo0
ff01::%ovpns1/32                  fe80::2bd:f9ff:fe0a:1%ovpns1  U        ovpns1
ff02::%vr0/32                     fe80::20d:b9ff:fe24:7288%vr0  U           vr0
ff02::%vr1/32                     fe80::20d:b9ff:fe24:7289%vr1  U           vr1
ff02::%vr2/32                     fe80::20d:b9ff:fe24:728a%vr2  U           vr2
ff02::%lo0/32                     ::1                           U           lo0
ff02::%ovpns1/32                  fe80::2bd:f9ff:fe0a:1%ovpns1  U        ovpns1
```
Manually adding inet6 default gateway fixes it
```
[2.1-DEVELOPMENT][firstname.lastname@example.org]/root(9): route add -inet6 default 2002:c058:6301::1
add net default: gateway 2002:c058:6301::1
[2.1-DEVELOPMENT][email@example.com]/root(10): ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2002:1815:7e8a:: --> 2001:4860:8005::93
16 bytes from 2001:4860:8005::93, icmp_seq=0 hlim=56 time=39.839 ms
16 bytes from 2001:4860:8005::93, icmp_seq=1 hlim=56 time=38.709 ms
16 bytes from 2001:4860:8005::93, icmp_seq=2 hlim=56 time=38.661 ms
16 bytes from 2001:4860:8005::93, icmp_seq=3 hlim=56 time=39.027 ms
16 bytes from 2001:4860:8005::93, icmp_seq=4 hlim=56 time=38.721 ms
^C
--- ipv6.l.google.com ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 38.661/38.991/39.839/0.443 ms
```
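The check done by eye in the netstat output above (is there an IPv6 default route at all?) can be scripted. This is an added example, not part of the original thread or of pfSense; the sample tables reuse three rows from the post, while the IPv4 rows and the final `default` row are constructed.

```shell
#!/bin/sh
# Added illustration, not pfSense code: find the IPv6 default route in
# `netstat -rn` style output read from stdin.

# Prints the gateway of the inet6 default route; exit status 1 if none exists.
inet6_default_gw() {
    awk '
        /^Internet6:/ { in6 = 1; next }   # start of the IPv6 table
        /^Internet:/  { in6 = 0; next }   # IPv4 table: skip the IPv4 default
        in6 && $1 == "default" { print $2; found = 1; exit }
        END { exit !found }
    '
}

# Constructed sample: an IPv4 table (made up) plus three IPv6 rows from the post.
BROKEN_TABLE='Internet:
Destination            Gateway            Flags    Netif Expire
default                198.51.100.1       UGS      vr1

Internet6:
Destination            Gateway            Flags    Netif Expire
::1                    ::1                UH       lo0
2002::/16              link#10            U        stf0
2002:1815:7e8a::/64    link#1             U        vr0'

# The same table once a default route via the 6to4 gateway exists (row constructed).
FIXED_TABLE="$BROKEN_TABLE
default                2002:c058:6301::1  UGS      stf0"

for table in "$BROKEN_TABLE" "$FIXED_TABLE"; do
    if gw=$(printf '%s\n' "$table" | inet6_default_gw); then
        echo "inet6 default via $gw"
    else
        echo "no inet6 default route: only on-link and 2002::/16 destinations are reachable"
    fi
done
```

On a live FreeBSD or pfSense shell the function can be fed directly with `netstat -rn -f inet6 | inet6_default_gw`.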
I can corroborate irvingpop's results with the Apr 13th snapshot.
I have not yet found the time to debug this; it should be adding a new default route, but it isn't.
Can not replicate on a static IPv4 wan, need to try dhcp later. It does add the static route for me, and the gateways also still exist.
OK, I've got a strange new problem. I updated to today's snapshot, added the ipv6 gateway as default ipv6 route manually, and now my computers can ONLY browse by ipv6 - ipv4 isn't working at all. I can ping either ipv6 or ipv4 addresses from pfSense. It looks like the DHCP server on pfSense may not be handing out the default gateway for ipv4 networks. Once I added the ipv4 default route manually on my windows box, ipv4 worked fine. ::)
EDIT: Looks like I can't connect to the webConfigurator, now. Not sure what's up with that, unless it's not listening on ipv4.
I just updated 2 installs with the latest snapshot and I'm not seeing anything like your issues.
May I suggest that your install is hosed? I can't even resemble anything close to your issues.
I did just commit a change that would disable the IPv4 gateway in the DHCP4 server but that is a very specific change that would only bite you if you had no ipv4 gateways at all. Dynamic or otherwise.
I managed to get an install online on a public IP with dhcp and I managed to replicate your issue. Seems like a timing issue.
I think it is now, I changed the default gateway address, as well as configuring the interface before trying to configure routing is generally a good idea.
fixed rc.newwanip and function interface_6to4_configure();
configuring the interface before trying to configure routing is generally a good idea.
So, just a gitsync, and off to the races?
yep, no binary changes required
OK, I just did a gitsync and nothing seems to have changed. I then installed the latest snapshot, which was a few hours newer and did another gitsync. I still have no ipv4 gateway on my PC, and no default ipv6 route on pfSense.
Just to be clear, to do a gitsync, you SSH into the box, hit 12 for pfSense Developer Shell, type 'playback gitsync git://github.com/bsdperimeter/pfsense.git', and hit enter a couple times, right? I also rebooted a few times, just for fun - both the PC and pfSense. Did I miss something?
EDIT: Also, there is only the ipv6 gateway listed under Status -> Gateways. The ipv4 gateway is missing.
EDIT: I tried adding an ipv4 LAN gateway in the GUI, and a strange thing happened. The original ipv4 LAN gateway reappeared, but I couldn't set it as default, and I couldn't get the new LAN gateway to work. I just deleted all the ipv6 settings on the interfaces, and everything is back to normal - minus ipv6 support, of course. Now, I'm going to try to add the settings back. Maybe it'll work this time around.
EDIT: I'm about to reset to defaults. Nothing else has worked.
Wow, yeah, that sounds horrific. I'm really not sure what has gone wrong but it appears it's thoroughly confused.
The VM I set up for testing has a WAN_DHCP gateway for IPv4 and a WAN_6to4 gateway for ipv6.
Both of those gateways are automatically added by the system during setup. I did start with a clean install of 2.1 which may be the difference.
I had no time to set up a test vm behind it to verify I actually got a v4 gateway on the LAN, but I do see a "routers" line in /var/dhcpd/etc/dhcpd.conf. Do you have such a line in your dhcpd.conf?
All is working now for me. Both v4 and v6 gateways and routes came up fine at boot. Thanks again!
Using this snapshot: built on Tue Apr 17 06:39:44 EDT 2012
One question. I'm using IPv6 Prefix ID "none". Is that the correct configuration or is it better to assign a prefix ID?
![Screen Shot 2012-04-17 at 10.44.11 AM.png](/public/imported_attachments/1/Screen Shot 2012-04-17 at 10.44.11 AM.png)
Assign something other than "none" and it will get assigned to the LAN interface.
A 6to4 wan has 65535 choices. 0000 to ffff.
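How a 6to4 prefix and a 16-bit prefix ID combine into a LAN /64, as an added example that is not part of the original thread or of pfSense. 192.0.2.1 is a constructed WAN address, and treating the GUI's Prefix ID as the 16 bits that follow the 6to4 /48 is an assumption based on RFC 3056 addressing.

```shell
#!/bin/sh
# Added illustration, not pfSense code: RFC 3056 6to4 prefix arithmetic.

# Print the first 48 bits (2002:AABB:CCDD) for a dotted-quad IPv4 address.
sixtofour_prefix() {
    old_ifs=$IFS; IFS=.
    set -- $1                  # split the address on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # reject empty, non-numeric, zero-padded or over-long octets
        case $octet in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Print the /64 for a subnet ID given as 1-4 hex digits (0000..ffff).
# Assumption: the "IPv6 Prefix ID" setting fills this 16-bit field.
sixtofour_lan() {
    case $2 in ''|*[!0-9a-fA-F]*|?????*) return 1 ;; esac
    prefix=$(sixtofour_prefix "$1") || return 1
    printf '%s:%04x::/64\n' "$prefix" "$((0x$2))"
}

# The RFC 3068 anycast relay 192.88.99.1 yields the 2002:c058:6301::1
# gateway seen in the ping6 output earlier in the thread.
echo "relay prefix: $(sixtofour_prefix 192.88.99.1)"
# Constructed WAN address with prefix ID 1.
echo "LAN subnet:   $(sixtofour_lan 192.0.2.1 1)"
```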
Strange, after changing the Prefix ID to 1 (chosen arbitrarily) from none, pfSense could no longer ping the IPv6 gateway (WAN_6TO4) – even after reboot. However, everything else worked (ex. ping6 ipv6.google.com from both pfsense and machines on LAN).
Changing back to none (and reboot) and the WAN_6TO4 gateway is pingable from pfsense again.
I still haven't gotten around to starting over. :-[ Would a "Reset to factory defaults" be just as good, or will that leave something behind?
EDIT: Went ahead and did it and - woohoo! - 6to4 is now working as it should. Must have been all the various versions I've gone through over the last year that messed it up. I still get that error on line 42 at startup, though.
I think there might be a corrupt PHP file in /usr/local/pkg from a defunct package.
Is there any way I can check for what's causing it and remove it? If I'm not mistaken, it did this on the first boot, before I had added any packages.
`ls -l /usr/local/pkg`: see if there is a file there that you don't recognize.