Comcast native ipv6 for network devices.


  • Rebel Alliance Global Moderator

    So my understanding is that comcast has started rolling out delegated prefixes for networking devices.

    http://blog.comcast.com/2012/04/ipv6-deployment-technology.html

    I believe, but not 100% sure that I am in a test area.  I can get an ipv6 address on my wan if I set it to dhcp6 - this hands out ipv6 dns, etc.  But it seems I only get a /128 so not sure if still just limited to single devices?

    Is anyone using pfsense with comcast native ipv6, not talking a 6to4 setup.  In the Schaumburg, IL area that knows if we can use native ipv6 with networking devices with comcast yet?

    I am currently using an he tunnel on 2.1 and this works fine.  But would like to move to native from my ISP vs the tunnel - but just not clear if supported yet in my area or how to set it up so that I get an ipv6 on my lan interface for use on my local network.

    I found this
    http://www.tiven.org/networking/native-ipv6-networking-with-pfsense

    but this says to use a link-local address of fe80::1 /64 – is that correct?  So the lan interface of pfsense will not get a global address?  But clients on the network will?  How would use work with static addresses in this case?



  • Iirc Comcast is doing a single /64 for the LAN, and yes the WAN is a /128, that's because of the DHCP6 lease.

    Select dhcp6 on the WAN, set the prefix delegation size to 64 bits.
    Go to the LAN interface, for IPv6 select "Track Interface". Set it to interface "WAN" and the network prefix is always 0 for you.

    That should basically be it. Let me know how that works out. Really Curious.


  • Rebel Alliance Global Moderator

    Not going to do that remote for sure ;)  Don't want to lock myself out - but give it a try when I get home for sure and let you know.

    Thanks!

    edit:  Well that seemed to work..  But could not get to any ipv6 address once I removed the tunnel.  Going to bring up a clean vm to play with the native stuff.



  • Should just work, could well be some left over config from the tunnel or one of the clients not releasing the old tunnel prefix.
    Reboot pfSense, reboot the clients and see if that fixes it.

    There have been a few cases where some clients will not release the old prefix even though we advertise the old prefix as being discontinued. It would still be valid for about 3 minutes after that.


  • Rebel Alliance Global Moderator

    I did reboot after I removed the tunnel.

    Just going to play with it on a clean vm..  If that all works out, then just stay with that vm, etc.


  • Rebel Alliance Global Moderator

    Ok finally got around to playing with this with a clean vm, no he.net tunnel setup before, etc.  I grabbed the latest ova and booted right up.  I get ipv6 on wan, and the tracking gives me ipv6 on lan.

    But does not seem to find an ipv6 default route?

    Here are some screen shots of route table, console showing IPv6 addresses and mask and gateway widget showing doesn't have one, etc.

    I just ran a gitsync this morning as well, just a few minutes ago and rebooted..  How do I get it to get default ipv6 route?







  • Rebel Alliance Global Moderator

    Ok still not working???  WTF?  I believe that comcast has enabled ipv6 everywhere.  At least in chicago this shows it is enabled
    https://maps.google.com/maps/ms?msid=213069112737090935874.0004c1d17d71a22c5d721&msa=0&iwloc=0004c1d17d788f5a044ed

    Updated my comcast ipv6 vm to the latest, it gets an ipv6 on its wan.  But even pfsense can not get anywhere via ipv6 when using ipv6 from comcast.  HE works great.  Comcast native not so much ;)

    Any help - more than happy to let someone in that could take a look remotely to why not getting any default route for ipv6?

    Ok maybe its not really enabled. Shouldn't I be seeing RA on my wan interface with a simple tcpdump command

    example
    tcpdump -n -i em1 -vv ip6

    not getting nothing..  Seems odd?



  • Looks like that is a crowdsourced map of deployment, which might be faulty.

    I see other threads in a forum I frequent where people claim to have IPv6 but it turned out to be a link-local.

    If you do not see a RA on the WAN you don't have to try. They support both SLAAC and DHCP6 on the WAN so yes, you should see at least RA messages.


  • Rebel Alliance Global Moderator

    yeah not seeing those..  Guess not available here for routers yet.



  • @johnpoz:

    tcpdump -n -i em1 -vv ip6

    Unless I'm missing something, those screenshots above show you with a DHCPv6 address. Also you're running tcpdump on the wrong interface according to those screenshots. It should be em0.

    Comcast's gateway should be the LL address on the interfaces page.



  • No, that looks more like a stateless autoconf address, you get that one for free, but that would at least imply that something is advertising.

    I just set up a test box here and it worked, I did need to enter at least 0 in the prefix id field on the LAN interface for the "Track interface WAN" section before it configured a prefix on the LAN. After a reboot nonetheless.

    Still need to polish those edges.



  • @databeestje:

    No, that looks more like a stateless autoconf address, you get that one for free, but that would at least imply that something is advertising.

    Maybe one could add the radvdump binary to pfsense (or have it as a package) as I assume it could help a few to ease debugging their IPv6 setup?



  • @databeestje:

    No, that looks more like a stateless autoconf address, you get that one for free, but that would at least imply that something is advertising.

    It's actually not. Comcast RAs have the managed flag set on them. Mine looks the same and it's not SLAAC.

    Also 2601::/28 is Comcast's prefix they're assigning via PD.

    My guess is somehow the LL gateway isn't being added. It would really help if the OP could post a screenshot of his interface page.

    For example, mine is: Gateway IPv6 fe80::201:5cff:fe32:1481



  • Maybe johnpoz is willing to give me access to his install for debugging?



  • Just to update with more info as to what a Comcast deployment is.

    13:54:58.045607 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 80) fe80::201:5cff:fe32:1481 > ff02::1: ICMP6, router advertisement, length 80
    hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 30000s, retrans time 1000s[ndp opt]

    Screenshot of interfaces: http://willscorner.net/tmp/comcastic.png
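
The RA fields argued over in this thread (managed flag, router lifetime, the link-local source that becomes the gateway) can be decoded directly from the ICMPv6 payload. This is an added example, not part of any post; `parse_ra`, `assess`, `build_ra` and the sample bytes are constructed here from the fields printed in the capture above, with a made-up MAC and a documentation prefix, and the checksum is not verified.

```python
import ipaddress
import struct


def parse_ra(icmp6: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861 section 4.2)."""
    if len(icmp6) < 16:
        raise ValueError("truncated RA header")
    typ, code, _cksum, hop_limit, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", icmp6[:16])
    if typ != 134 or code != 0:
        raise ValueError("not a router advertisement")
    ra = {"hop_limit": hop_limit,
          "managed": bool(flags & 0x80),   # M: addresses come from DHCPv6
          "other": bool(flags & 0x40),     # O: DNS etc. come from DHCPv6
          "router_lifetime": lifetime,     # seconds; 0 = not a default router
          "reachable_ms": reachable, "retrans_ms": retrans,
          "source_lladdr": None, "prefixes": []}
    off = 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("bad option length")  # zero would never advance
        body = icmp6[off + 2:off + opt_len]
        if opt_type == 1 and opt_len == 8:      # source link-layer address
            ra["source_lladdr"] = body.hex(":")
        elif opt_type == 3 and opt_len == 32:   # prefix information
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += opt_len
    return ra


def assess(ra: dict, src: str) -> dict:
    """What a host learns from this RA, given the packet's source address."""
    src_ip = ipaddress.IPv6Address(src.split("%")[0])
    # The default route comes from the RA itself: a link-local source with a
    # non-zero router lifetime. DHCPv6 carries no gateway.
    usable = src_ip.is_link_local and ra["router_lifetime"] > 0
    slaac = [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]
    via = (["dhcpv6"] if ra["managed"] else []) + (["slaac"] if slaac else [])
    return {"default_gateway": src if usable else None,
            "address_via": via, "slaac_prefixes": slaac}


def build_ra(lifetime: int = 1800, flags: int = 0xC0) -> bytes:
    """Constructed sample: M+O set, prefix option with the A flag clear."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 0, flags, lifetime, 30000, 1000)
    slla = bytes([1, 1]) + bytes.fromhex("020000000001")  # made-up MAC
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80, 86400, 14400, 0) \
        + ipaddress.IPv6Address("2001:db8:0:1::").packed  # documentation prefix
    return hdr + slla + pio


SAMPLE_RA = build_ra()
SAMPLE_SRC = "fe80::201:5cff:fe32:1481"  # RA source address from the capture

if __name__ == "__main__":
    decoded = parse_ra(SAMPLE_RA)
    print(decoded)
    print(assess(decoded, SAMPLE_SRC))
```
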



  • Yeah, that screenshot looks healthy.


  • Rebel Alliance Global Moderator

    Yeah more than willing to give access to take a look..  Just PM me when would be good time for you to access, and I can send you the info to remote in.

    I have got a comcast guy on another forum checking for sure if should be available in my area.

    As to screen shots and what em – they might have swapped because I was using 2 different vms in testing this.  I had a clean vm that wasn't working and then was playing with it again on my normal vm.  So those 2 vms might be swapped for which em is wan and which is lan, etc.  Would have to double check that.

    edit:
    So if you see in the screenshots I posted I was getting Ips -- but just couldn't get anywhere, I didn't see a default route for ipv6.  But looking forward to your PM on your schedule - I should be available tonight, few hours from now to switch it over to my clean install with no tunnel setup -- can let you in for sure to take a look.  Would really really appreciate that!

    If you have time now I could remotely turn on remote access and let you in to current setup with HE tunnel setup, etc.  And you could play with that.  Don't care too much if you break the tunnel setup.  Doesn't matter if lose the tunnel that is currently setup, would like to go native anyway ;)

    edit2:  Got your PM, thanks once I hear back from the comcast guy that it's supposed to be there I will let you know.  But what I am thinking is it's not there yet?

    So this is my normal vm, I turned off the HE tunnel.  Updated to the latest and greatest snap

    2.1-BETA0 (i386)
    built on Tue Jun 19 20:53:56 EDT 2012
    FreeBSD 8.3-RELEASE-p3

    I then ran gitsync this morning to be sure.  Deleted my HE tunnel stuff, set wan to dhcp6, prefix delegation 64.  Then set Lan to track and 0 for prefix ID.  Rebooted.

    As you can see from screenshot I get a /128 and shows a /64 on my lan.. But just don't get a route out on ipv6 -- so I have highlighted that yes my wan is em1, and let a tcpdump -i em1 -vv ip6 run for like 5 minutes or so and just don't see anything!  I should be seeing RA should I not?  There should be some in a 5 minute period I would think ;)

    So my guess is something is not turned on at my isp for native to work yet for me.  Once I hear back from the comcast guy on another forum that is checking with my modem mac and still nothing working I will let you know and more than happy to let you in.  Happy to let you in now if you want.



  • Rebel Alliance Global Moderator

    I edited my last post, but does not seem to have bumped the time on the thread.  So bumpity bump ;)



  • johnpoz,

    Reach out in the Comcast forums on dslreports.com. It looks like they've set up DHCPv6 without RA. Just checking though, you've got a DOCSIS3 modem, right?


  • Rebel Alliance Global Moderator

    Yup SB6120, and have PM out to netdog on that site, he responded already once - but seems I only gave him the CMTS-MAC, when he needed the CM-MAC?  So now I have sent him everything I could see from the modem with any sort of mac in it ;)

    I thought he would need the CMTS-MAC to see if ipv6 was enabled on my connection, this is what my modem connects to right?



  • @johnpoz:

    Yup SB6120, and have PM out to netdog on that site, he responded already once - but seems I only gave him the CMTS-MAC, when he needed the CM-MAC?  So now I have sent him everything I could see from the modem with any sort of mac in it ;)

    I thought he would need the CMTS-MAC to see if ipv6 was enabled on my connection, this is what my modem connects to right?

    Ha! He actually plucked my IPv6 from a forum posting and looked me up. Told me to kick my modem so I could grab 3 x upstream.


  • Rebel Alliance Global Moderator

    I also posted all my info in the comcast direct forum on that site.

    Well post back what I hear, but yeah it seems like just no RAs.  If comcast comes back and says it should be working, I have remote access setup for databeestje already and have PM'd him the info.

    I did notice your nick on that forum as well.


  • Rebel Alliance Global Moderator

    Ok databeestje got into my box, and he mentioned that my VM is not set to promiscuous on the switch the pfsense wan interface is connected to. Would block NDS.

    So I changed that

    But still not working, ran this command

    rtsol -DF em1
    checking if em1 is ready...
    em1 is ready
    set timer for em1 to 0:624884
    New timer is 0:00624811
    New timer is 0:00004311
    timer expiration on em1, state = 1
    send RS on em1, whose state is 2
    set timer for em1 to 4:0
    New timer is 4:00002585
    timer expiration on em1, state = 2
    send RS on em1, whose state is 2
    set timer for em1 to 4:0
    New timer is 4:00000173
    received RA from fe80::250:56ff:fe00:2 on an unexpected IF(em0)
    New timer is 0:00779783
    timer expiration on em1, state = 2
    send RS on em1, whose state is 2
    set timer for em1 to 1:0
    New timer is 1:00000259
    timer expiration on em1, state = 2
    No answer after sending 3 RSs
    stop timer for em1
    there is no timer

    So unless have to restart the esxi box?  To allow the switch setting to take effect, seems like no RAs


  • Rebel Alliance Global Moderator

    so I heard back from netdog

    8m : 2012-06-20 15:33:59 : From NetDog
    The CMTS you're on supports IPv6 and I can see leases going out to other customers on the DHCP server.

    but I responded back to him that not seeing any RAs and no default route.


  • Rebel Alliance Global Moderator

    so I did a gitsync since I saw that wrong RA commit, and then hit save on my wan and its working from the router now.

    Internet6:
    Destination                      Gateway                      Flags      Netif Expire
    default                          fe80::201:5cff:fe31:da01%em1  UGS        em1
    ::1                              ::1                          UH          lo0
    2001:558:6033:12c:585b:3619:66ef:e1b1 link#2                        UHS        lo0
    2601:d:8b80:2c::/64              link#1                        U          em0
    2601:d:8b80:2c::1                link#1                        UHS        lo0
    2601:d:8b80:2c:250:56ff:fe00:2    link#1                        UHS        lo0
    fe80::%em0/64                    link#1                        U          em0
    fe80::1:1%em0                    link#1                        UHS        lo0
    fe80::250:56ff:fe00:2%em0        link#1                        UHS        lo0
    fe80::%em1/64                    link#2                        U          em1
    fe80::250:56ff:fe00:1%em1        link#2                        UHS        lo0
    fe80::%lo0/64                    link#6                        U          lo0
    fe80::1%lo0                      link#6                        UHS        lo0
    fe80::%ovpns1/64                  link#10                      U        ovpns1
    fe80::250:56ff:fe00:2%ovpns1      link#10                      UHS        lo0
    ff01::%em0/32                    fe80::250:56ff:fe00:2%em0    U          em0
    ff01::%em1/32                    fe80::250:56ff:fe00:1%em1    U          em1
    ff01::%lo0/32                    ::1                          U          lo0
    ff01::%ovpns1/32                  fe80::250:56ff:fe00:2%ovpns1  U        ovpns1
    ff02::%em0/32                    fe80::250:56ff:fe00:2%em0    U          em0
    ff02::%em1/32                    fe80::250:56ff:fe00:1%em1    U          em1
    ff02::%lo0/32                    ::1                          U          lo0
    ff02::%ovpns1/32                  fe80::250:56ff:fe00:2%ovpns1  U        ovpns1
    [2.1-BETA0][admin@pfsense.local.lan]/root(10): ping6 ipv6.google.com
    PING6(56=40+8+8 bytes) 2001:558:6033:12c:585b:3619:66ef:e1b1 --> 2607:f8b0:400f:801::1013
    16 bytes from 2607:f8b0:400f:801::1013, icmp_seq=0 hlim=55 time=36.524 ms
    16 bytes from 2607:f8b0:400f:801::1013, icmp_seq=1 hlim=55 time=36.316 ms
    16 bytes from 2607:f8b0:400f:801::1013, icmp_seq=2 hlim=55 time=36.014 ms
    16 bytes from 2607:f8b0:400f:801::1013, icmp_seq=3 hlim=55 time=35.045 ms
    16 bytes from 2607:f8b0:400f:801::1013, icmp_seq=4 hlim=55 time=35.084 ms
    ^C
    --- ipv6.l.google.com ping6 statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 35.045/35.797/36.524/0.619 ms

    [2.1-BETA0][admin@pfsense.local.lan]/root(11): traceroute6 ipv6.google.com
    traceroute6 to ipv6.l.google.com (2607:f8b0:400f:801::1013) from 2001:558:6033:12c:585b:3619:66ef:e1b1, 64 hops max, 12 byte packets
    1  * * *
    2  te-1-2-ur07.mtprospect.il.chicago.comcast.net  13.203 ms  10.957 ms  9.458 ms
    3  te-1-2-0-5-ar01.elmhurst.il.chicago.comcast.net  13.770 ms  22.087 ms  26.169 ms
    4  pos-0-7-0-0-cr01.chicago.il.ibone.comcast.net  18.085 ms  18.121 ms  15.739 ms
    5  pos-1-8-0-0-cr01.350ecermak.il.ibone.comcast.net  17.688 ms  17.588 ms  15.752 ms
    6  pos-1-4-0-0-pe01.350ecermak.il.ibone.comcast.net  14.264 ms  13.737 ms  13.539 ms
    7  2001:559::382  14.099 ms  13.056 ms  12.680 ms
    8  2001:4860::1:0:3f7  12.781 ms
        2001:4860::1:0:92e  22.108 ms
        2001:4860::1:0:3f7  13.786 ms
    9  2001:4860::8:0:2fe9  13.781 ms  16.365 ms  13.853 ms
    10  2001:4860::8:0:281d  50.876 ms
        2001:4860::8:0:281e  36.705 ms
        2001:4860::8:0:281d  35.046 ms
    11  2001:4860::8:0:3426  35.580 ms  37.061 ms  36.148 ms
    12  2001:4860::1:0:7a4  36.630 ms  36.996 ms  36.876 ms
    13  2001:4860:0:1::593  38.282 ms  45.503 ms  35.759 ms
    14  2607:f8b0:8000:1d::f  37.068 ms  37.603 ms  35.807 ms
    [2.1-BETA0][admin@pfsense.local.lan]/root(12):

    Have to see if can get a client going now.  But seems gateway widget is not working

    WAN_DHCP6 Pending Pending Unknown

    or

    WAN_DHCP6 ~ ~ ~ Unknown


  • Rebel Alliance Global Moderator

    spoke too soon.  Just did a reboot of pfsense, and now no route and

    ping6 ipv6.google.com
    ping6: UDP connect: No route to host

    So is this something wrong with pfsense, or comcast just not sending RA's – I have to guess no RA's since shouldn't I see them with a simple tcpdump?



  • tcpdump again.

    you could technically avoid RA issues at this point by setting the default gw to default  fe80::201:5cff:fe31:da01%em1  UGS        em1


  • Rebel Alliance Global Moderator

    That sure and the hell does not seem like a fix to me..  When it was working from pfsense, my clients were not working for starters.

    A better fix would be to just go back to my tunnel ;)

    And is it really common practice for my gateway to be linklocal?  Then why give my interface a global address??  Shouldn't I have a global gateway address to match up with my /128?

    I just do not get why they can not just freaking hand out the gateway via dhcp??



  • @johnpoz:

    That sure and the hell does not seem like a fix to me..  When it was working from pfsense, my clients were not working for starters.

    How is it not a valid fix? Did you add the correct firewalls to pass v6 traffic?

    A better fix would be to just go back to my tunnel ;)

    Have you tried just installing a new build without any previous tunnel configuration?

    And is it really common practice for my gateway to be linklocal?  Then why give my interface a global address??  Shouldn't I have a global gateway address to match up with my /128?

    Yes.

    I just do not get why they can not just freaking hand out the gateway via dhcp??

    It's not. Worked out the box for me. You do realize that DHCPv6 doesn't have an option to hand out a gateway. …that's why RA is used.

    Edit: Maybe the best solution is plug a laptop directly into the modem and run tcpdump. You'll be able to verify RAs.


  • Rebel Alliance Global Moderator

    I am aware that dhcpv6 does not hand out gateway!  Just ranting here - don't understand why it was removed, why not leave it as an option?

    It's not a fix, because setting a static gateway like that – that might change is not a good idea!  If it was my network and knew it wasn't going to change then sure.  But I have no idea what comcast might do next week.

    Plugging a box directly into my modem is a great idea, because what I can tell you is not seeing any RA's for sure currently.


  • Rebel Alliance Global Moderator

    Ok I plugged 2 different boxes into my modem, and yes rebooted modem between changing them.  Got online with ipv4 no issues.

    But linux didn't even get an IP via dhcpv6, and with tcpdump did not see any RAs - using radvdump nothing.  Connected a win 7 box, got an ip - and even pointed at ipv6 dns, but couldn't talk to them ;)

    Seems native ipv6 here in schaumburg is not yet ready for prime time!  Back to my nice stable HE tunnel I guess



  • Sounds like you've confirmed it is 100% a Comcast issue having to do with a partial deployment. You should reach back out to NetDog and let him know you can get DHCPv6 but don't see any RA at all.


  • Rebel Alliance Global Moderator

    yup have a couple of PMs out to him, and have a post in the direct comcast forum on dslreports.



  • I think the headend is not sending out RA, but the dhcp6 server/relay at the headend is already active.

    But without RA that means delivering broken IPv6. Sort of, the missing default route means it fails fast, but still.



  • @johnpoz:

    Yeah more than willing to give access to take a look..  Just PM me when would be good time for you to access, and I can send you the info to remote in.

    I have got a comcast guy on another forum checking for sure if should be available in my area.

    I run the IPv6 program for Comcast, I will try to help.

    @johnpoz:

    As to screen shots and what em – they might have swapped because I was using 2 different vms in testing this.  I had a clean vm that wasn't working and then was playing with it again on my normal vm.  So those 2 vms might be swapped for which em is wan and which is lan, etc.  Would have to double check that.

    edit:
    So if you see in the screenshots I posted I was getting Ips -- but just couldn't get anywhere, I didn't see a default route for ipv6.  But looking forward to your PM on your schedule - I should be available tonight, few hours from now to switch it over to my clean install with no tunnel setup -- can let you in for sure to take a look.  Would really really appreciate that!

    If you have time now I could remotely turn on remote access and let you in to current setup with HE tunnel setup, etc.  And you could play with that.  Don't care too much if you break the tunnel setup.  Doesn't matter if lose the tunnel that is currently setup, would like to go native anyway ;)

    edit2:  Got your PM, thanks once I hear back from the comcast guy that it's supposed to be there I will let you know.  But what I am thinking is it's not there yet?

    So this is my normal vm, I turned off the HE tunnel.  Updated to the latest and greatest snap

    2.1-BETA0 (i386)
    built on Tue Jun 19 20:53:56 EDT 2012
    FreeBSD 8.3-RELEASE-p3

    I then ran gitsync this morning to be sure.  Deleted my HE tunnel stuff, set wan to dhcp6, prefix delegation 64.  Then set Lan to track and 0 for prefix ID.  Rebooted.

    As you can see from screenshot I get a /128 and shows a /64 on my lan.. But just don't get a route out on ipv6 -- so I have highlighted that yes my wan is em1, and let a tcpdump -i em1 -vv ip6 run for like 5 minutes or so and just don't see anything!  I should be seeing RA should I not?  There should be some in a 5 minute period I would think ;)

    by default we reply to a router requesting an IANA and IAPD with a /128 and /64.  You should see RAs more frequently than 5m.

    @johnpoz:

    So my guess is something is not turned on at my isp for native to work yet for me.  Once I hear back from the comcast guy on another forum that is checking with my modem mac and still nothing working I will let you know and more than happy to let you in.  Happy to let you in now if you want.

    you can contact me offline, I can verify if IPv6 has been launched in your area.



  • @whfsdude:

    johnpoz,

    Reach out in the Comcast forums on dslreports.com. It looks like they've set up DHCPv6 without RA. Just checking though, you've got a DOCSIS3 modem, right?

    we use RAs + stateful DHCPv6.  IPv6 auto-configuration is not supported.



  • @johnpoz:

    Yup SB6120, and have PM out to netdog on that site, he responded already once - but seems I only gave him the CMTS-MAC, when he needed the CM-MAC?  So now I have sent him everything I could see from the modem with any sort of mac in it ;)

    6120 is good to go, CMMAC or account # sent privately both work.



  • @johnpoz:

    so I heard back from netdog

    8m : 2012-06-20 15:33:59 : From NetDog
    The CMTS you're on supports IPv6 and I can see leases going out to other customers on the DHCP server.

    but I responded back to him that not seeing any RAs and no default route.

    you should be learning the default route from the RAs sent by my CMTS.



  • @johnpoz:

    That sure and the hell does not seem like a fix to me..  When it was working from pfsense, my clients were not working for starters.

    A better fix would be to just go back to my tunnel ;)

    And is it really common practice for my gateway to be linklocal?  Then why give my interface a global address??  Shouldn't I have a global gateway address to match up with my /128?

    I just do not get why they can not just freaking hand out the gateway via dhcp??

    this would be a step backwards no?



  • @johnpoz:

    I am aware that dhcpv6 does not hand out gateway!  Just ranting here - don't understand why it was removed, why not leave it as an option?

    It's not a fix, because setting a static gateway like that – that might change is not a good idea!  If it was my network and knew it wasn't going to change then sure.  But I have no idea what comcast might do next week.

    Plugging a box directly into my modem is a great idea, because what I can tell you is not seeing any RA's for sure currently.

    [jjmb] I also co-chair the IETF dhcwg, there is talk about adding this option.  This is being heavily debated and even if it becomes available it does not mean people will use it.

