IPv6 Comcast not working - overlapping v6 prefix delegation subnets?


  • I recently rebuilt my pfSense box with 2.1-RELEASE to test IPv6 (Comcast recently activated native dual-stack in WA, so I thought now would be a good time to upgrade and test).  I had been running with an HE.net Tunnel Broker account for quite some time, but that is no longer present on this machine–it's a fresh install of 2.1-RELEASE running on a VM.

    At first glance, I appear to be having the same issue as this thread.  However, I wasn't sure, so I wanted to start a new thread and provide new data.

    After reading through several other forum posts, I have basic IPv6 connectivity working for the pfSense box itself using this configuration:

    • WAN Interface

    • Use IPv4 connectivity as parent interface: Yes

    • Request only a IPv6 prefix: No

    • DHCPv6 Prefix Delegation size: 64

    • Send IPv6 prefix hint: Yes

    • DMZ Interface

    • IPv6 Configuration Type: Track Interface

    • IPv6 Interface: WAN

    • IPv6 Prefix ID: 0

    • LAN Interface

    • IPv6 Configuration Type: Track Interface

    • IPv6 Interface: WAN

    • IPv6 Prefix ID: 0

    With the configuration above, I get addresses on pfSense like:

    • em0 WAN: 2001:558:600a:22:6165:e6b6:7522:e562/128

    • em1 DMZ: 2601:8:9100:4e9:20c:29ff:fe1e:4bc6/64

    • em2 LAN: 2601:8:9100:4e9:20c:29ff:fe1e:4bbc/64

    Clients in my DMZ get addresses like this:

    • Host Address1: 2601:8:9100:4e9:20c:29ff:fecf:7e0c/64

    • Host Address2: 2601:8:9100:4e9::2000/64

    From the pfSense machine itself, I can ping IPv6 hosts just fine:

    
    [2.1-RELEASE][root@localhost]/root(3): ping6 ipv6.l.google.com 
    PING6(56=40+8+8 bytes) 2001:558:600a:22:6165:e6b6:7522:e562 --> 2607:f8b0:400a:801::1014
    16 bytes from 2607:f8b0:400a:801::1014, icmp_seq=0 hlim=56 time=11.287 ms
    16 bytes from 2607:f8b0:400a:801::1014, icmp_seq=1 hlim=56 time=11.048 ms
    ^C
    --- ipv6.l.google.com ping6 statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 11.048/11.168/11.287/0.119 ms
    
    

    As DHCP is saying below, that seems incorrect since my LAN and DMZ interfaces are all on the same IPv6 subnet, but they should not be?

    
    Oct 3 22:21:37 	dhcpd: Multiple interfaces match the same shared network: em1 em4
    Oct 3 22:21:37 	dhcpd: Multiple interfaces match the same subnet: em1 em4
    Oct 3 22:21:37 	dhcpd: Multiple interfaces match the same shared network: em1 em2
    Oct 3 22:21:37 	dhcpd: Multiple interfaces match the same subnet: em1 em2
    Oct 3 22:21:37 	dhcpd: Wrote 0 leases to leases file.
    Oct 3 22:21:37 	dhcpd: For info, please visit https://www.isc.org/software/dhcp/
    Oct 3 22:21:37 	dhcpd: All rights reserved.
    Oct 3 22:21:37 	dhcpd: Copyright 2004-2013 Internet Systems Consortium.
    Oct 3 22:21:37 	dhcpd: Internet Systems Consortium DHCP Server 4.2.5-P1
    Oct 3 22:21:37 	dhcpd: Warning: subnet 2601:8:9100:4e9::/32 overlaps subnet 2601:8:9100:4e9::/32
    Oct 3 22:21:37 	dhcpd: Warning: subnet 2601:8:9100:4e9::/32 overlaps subnet 2601:8:9100:4e9::/32
    
    

    Likewise, there are interesting log entries from radvd; I don't know if they pertain to what I'm seeing though (should IPv6 forwarding be enabled?  If so, where do I enable it?):

    
    Oct 3 22:13:11 	radvd[40981]: resuming normal operation
    Oct 3 22:13:11 	radvd[40981]: attempting to reread config file
    Oct 3 22:13:10 	radvd[40981]: resuming normal operation
    Oct 3 22:13:10 	radvd[40981]: attempting to reread config file
    Oct 3 22:13:09 	radvd[40981]: resuming normal operation
    Oct 3 22:13:09 	radvd[40981]: attempting to reread config file
    Oct 3 22:13:08 	radvd[40981]: resuming normal operation
    Oct 3 22:13:08 	radvd[40981]: attempting to reread config file
    Oct 3 22:13:07 	radvd[40162]: IPv6 forwarding seems to be disabled, but continuing anyway.
    Oct 3 22:13:07 	radvd[40162]: IPv6 forwarding setting is: 0, should be 1
    Oct 3 22:13:07 	radvd[40162]: version 1.9.1 started
    
    

    I think I have something misconfigured, but I'm not sure what?  Note that if I change my WAN interface Prefix Delegation Size to anything other than '64', I get no IPv6 addresses on any interface behind the pfSense itself (the WAN interface still has the 2001:558:600a… address, but nothing else does).


  • You will need to request a larger prefix than /64 if you want to support multiple LAN-side interfaces. Comcast will give you up to a /60, so just request that (it doesn't matter that you won't be using all of it, and I seem to remember that I had trouble with sizes other than /64 and /60). You will then set each LAN-side interface to a unique prefix ID in the valid range (0-f in hex). The fact that you're setting them to the same (which pfSense arguably shouldn't let you do in the first place) is why you end up with the same prefix on both interfaces.


  • @razzfazz:

    You will need to request a larger prefix than /64 if you want to support multiple LAN-side interfaces. Comcast will give you up to a /60, so just request that (it doesn't matter that you won't be using all of it, and I seem to remember that I had trouble with sizes other than /64 and /60). You will then set each LAN-side interface to a unique prefix ID in the valid range (0-f in hex). The fact that you're setting them to the same (which pfSense arguably shouldn't let you do in the first place) is why you end up with the same prefix on both interfaces.

    So I did the above (requesting a /60 prefix on the WAN, then starting with my LAN, I did prefix IDs of 1-4), but now I'm not getting any IPv6 addresses on any connected networks (or interfaces).  However, the WAN still has the /128 assigned to it.

    In the capture posted here, all of the advertised RAs seem to have a /64 prefix, not /60.  I'm also not sure where the /60 prefix hint is being sent out (perhaps packets 46-48 & 51-53)?


  • You are getting a response from 2 DHCPv6 servers (normal).

    The 1st one (line 47) is giving you the /60 that you asked for, but the Preference is 00.

    The 2nd one (line 48) is giving you a /64 and the Preference is 255.

    So, pfSense is correctly using the /64, since it is the higher preference.  The PD it is giving you is 2601:8:9100:4e9::.  I suspect that is the prefix you had before changing the request from /64 to /60.  Looks like that's sticking in the DHCP server because the DUID that you send isn't changing and the lease hasn't expired.

    How to get rid of that …  Well, since the DUID is derived from the MAC address, I would probably go ahead and change the MAC on the WAN interface and reboot both the CM and pfSense.

    Anybody have a better idea?


  • Both replies are actually coming from one and the same server. Both have different IA_ADDRs, too, so I agree that this is most likely a leftover from a prior lease. I'd try just rebooting pfSense and power cycling the cable modem first before messing with the MAC.


  • @razzfazz:

    Both replies are actually coming from one and the same server.

    Why would you say that?

    Open the Server Identifier fields, they are different machines.  If you are saying that because the source address is the same, that's just the address of the CMTS.  In other forums, Comcast has discussed the two DHCPv6 server sources and the weighting.


  • @razzfazz:

    Both replies are actually coming from one and the same server. Both have different IA_ADDRs, too, so I agree that this is most likely a leftover from a prior lease. I'd try just rebooting pfSense and power cycling the cable modem first before messing with the MAC.

    Rebooted the CM and pfSense, and I'm still seeing the same two replies (/64 preference 255, /60 preference 0).  I'd rather not change my MAC, since my IPv4 address is bound to it right now, so I will wait for a few days and see if the /64 lease will eventually expire and start assigning the /60.  Does anybody know roundabout how long the leases are for IPv6 prefixes on Comcast's network?


  • @priller:

    Why would you say that?

    Yeah, I just saw that the source address is the same for both replies; my bad. I guess the CMTS serves as a DHCP relay, then?


  • @Kyle:

    Does anybody know roundabout how long the leases are for IPv6 prefixes on Comcast's network?

    See the pltime and vltime (preferred and valid lease duration, in seconds); looks like the default is 4 days, and at the time of the capture the older lease had been active for about 20 minutes and counting.


  • @razzfazz:

    See the pltime and vltime (preferred and valid lease duration, in seconds); looks like the default is 4 days, and at the time of the capture the older lease had been active for about 20 minutes and counting.

    Thanks razzfazz, I will keep y'all posted over the next few days and let you know what happens.


  • @Kyle:

    So I did the above (requesting a /60 prefix on the WAN, then starting with my LAN, I did prefix IDs of 1-4), but now I'm not getting any IPv6 addresses on any connected networks (or interfaces).  However, the WAN still has the /128 assigned to it.

    Highly interested in this thread as I am seeing similar behavior.  Requesting a /64 on TWC's Road Runner gives me a /128 for WAN and a /64 for the LAN and everything works as it should. DHCPv6 for WAN and Track Interface for LAN.

    But when I request a /60 I get a /128 for WAN and a /60 for my LAN, WIFI, AND OPT interfaces using prefix IDs of 1-3 respectively.  This looks awesome but no connected PCs get an IPv6 address and I get a 0/10 running the test at www.test-ipv6.com


  • Odd, I can request a /60 from Comcast just fine and I end up with different /64 prefixes (all subsets of the /60) on each internal interface, so it doesn't seem to be a general problem with the prefix delegation code. Do you get your v4 connectivity through PPPoE by any chance?


  • Yeah, might be something screwy with my ISP: requesting anything larger than a /64 gives me a /60 on every interface.  IPv6 addresses all look good (no private IPv6 addresses) but it's still not routing or handing out IPs

    No PPPoE here, cable modem connection with native IPv6.


  • SLAAC doesn't work with anything but /64's, so I'm not surprised the clients wouldn't know what to do if you advertise a /60 to them.


  • This is with Track Interface though, or am I missing something?  I know quite a bit about networking but I'm still trying to grasp this IPv6 and its terminology.


  • Yeah, I don't understand why that seems to end up advertising the whole prefix on the internal interfaces for some; just pointing out that it's not unexpected that clients wouldn't be able to get an IPv6 address when that happens.


  • Reverted back to DHCP6 on WAN with a /64 Prefix Delegation Size, and Track Interface on LAN.

    This is the only way I can get IPv6 to work, albeit just on the LAN.  Any other method either doesn't give out IPv6 addresses or causes workstations to fail the IPv6 test sites.


  • @Kyle:

    Thanks razzfazz, I will keep y'all posted over the next few days and let you know what happens.

    Okay, so I wanted to check and see if the lease times were decrementing for each of the prefix advertisements (/60 vs. /64) comparing the 10/4 capture to one from 10/6 (today).

    • ipv6-comcast-20131004.cap (packets 38-40)

    • /60 Prefix Advertisement (packet 39)

    • Preference: 0

    • Preferred lease time (pltime): 345600

    • Valid lease time (vltime): 345600

    • /64 Prefix Advertisement (packet 40)

    • Preference: 255

    • preferred lease time (pltime): 345385

    • valid lease time (vltime): 345385

    • ipv6-comcast-20131006.cap (packets 98-100)

    • /60 Prefix Advertisement (packet 99)

    • Preference: 0

    • Preferred lease time (pltime): 345600

    • Valid lease time (vltime): 345600

    • /64 Prefix Advertisement (packet 100)

    • Preference: 255

    • preferred lease time (pltime): 174315

    • valid lease time (vltime): 174315

    So, it does look like the /64 lease will eventually expire in about 48 hours.  Hopefully that will trigger the /60 offer to take effect.


  • Okay, so it looks like my leases have expired, I am getting a new address on the WAN interface (/128), but still nothing on the backend.  I do see these error messages in the System Logs though:

    
    Oct 8 15:31:15 	dhcp6c[72315]: client6_recvadvert: XID mismatch
    Oct 8 15:31:15 	dhcp6c[72315]: client6_recvadvert: XID mismatch
    Oct 8 15:29:14 	dhcp6c[72315]: client6_recvadvert: XID mismatch
    Oct 8 15:29:14 	dhcp6c[72315]: client6_recvadvert: XID mismatch
    
    

    In this capture from today, I can see the pltime/vltime have reset in packets 70-72–the /60 offer is valid for 345600 with preference 00 and the /64 is valid for 329817 with preference 255.  To me, it seems like this is still broken, though I can't tell if it's Comcast handing out bad leases or pfSense not picking the right one--perhaps it's got something to do with the XID mismatch above as well?


  • I've been struggling with the same problem as ahnhell for the last few days and finally got it working.  I'm on TWC also and was able to get it to work by selecting the send prefix hint option and setting the prefix size to 64.  I've verified that when I select 60 as the prefix size, I get a /56, which results in /60s for my LAN and DMZ interfaces.  I checked and pfSense is setting the prefix as "::/64 infinity" in dhcp6c_wan.cfg.

    Am I misunderstanding how this is supposed to be configured or is TWC's implementation wrong?


  • It's just a hint, so at the end of the day, they can do whatever they want with it (including ignoring it completely); that said, that behavior does seem odd. What size prefix do they give you when you uncheck "send hint"?


  • So, I spoke too soon - that's what I get for trying to test from my iPhone.  But it does look like selecting a prefix of /56 will work.  I will do more testing to verify.

    If I don't send a hint I get a /64.

    Edit:  I've done further testing and verified that when I request a /56 that is what I receive.  So this config seems to work (at least with TWC.)

    I guess the problem is when pfSense is configured to request a /60 the sla-len in the pd options is set to 4.  But when a /56 is received instead of the expected /60 each interface is configured with a /60 and stateless autoconfig won't work with this.  Hope this helps someone else.
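As an added worked example (not code from this thread, from pfSense or from dhcp6c), this shows how each tracked interface's prefix is derived from the delegated prefix, the Prefix ID and dhcp6c's sla-len. It covers razzfazz's point that a /64 delegation with the same Prefix ID on two interfaces yields the overlapping subnets dhcpd warned about, and kolinger's observation that a /56 delivered against a /60 request (sla-len 4) yields /60 interface prefixes that SLAAC cannot use. It assumes pfSense sets sla-len to 64 minus the requested size, as kolinger describes; the 2001:db8 prefixes are constructed placeholders.

```python
import ipaddress
from typing import Dict, List


# Assumption (matches kolinger's observation above): pfSense writes dhcp6c's
# sla-len as 64 minus the requested prefix size, so /64 -> 0, /60 -> 4, /56 -> 8.
def sla_len_for_request(requested_len: int) -> int:
    return 64 - requested_len


def interface_prefix(delegated: str, sla_len: int, prefix_id: int) -> ipaddress.IPv6Network:
    """Build one interface's prefix: the Prefix ID fills the sla_len bits that
    immediately follow the delegated prefix (dhcp6c sla-id / sla-len semantics)."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if prefix_id >= (1 << sla_len):
        raise ValueError(
            f"prefix ID {prefix_id:x} does not fit in {sla_len} sla bits "
            f"(valid range 0-{(1 << sla_len) - 1:x})")
    iface_len = pd.prefixlen + sla_len
    shift = 128 - iface_len
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << shift), iface_len))


def plan(delegated: str, requested_len: int, ids: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Prefix each tracked interface ends up with, given what the ISP actually delegated
    (which may differ from what was requested)."""
    sla = sla_len_for_request(requested_len)
    return {name: interface_prefix(delegated, sla, pid) for name, pid in ids.items()}


def check(nets: Dict[str, ipaddress.IPv6Network]) -> List[str]:
    """Flag the two failure modes seen in this thread."""
    issues = []
    for name, net in nets.items():
        if net.prefixlen != 64:  # SLAAC only autoconfigures hosts from a /64 prefix
            issues.append(f"{name}: {net} is not a /64, clients will not autoconfigure")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # same prefix on two interfaces -> dhcpd overlap warning
            if nets[a].overlaps(nets[b]):
                issues.append(f"{a}/{b}: both on {nets[a]} "
                              "(dhcpd: multiple interfaces match the same subnet)")
    return issues


if __name__ == "__main__":
    # 1. Original post: /64 requested and delegated, Prefix ID 0 on both DMZ and LAN.
    op = plan("2601:8:9100:4e9::/64", 64, {"DMZ": 0, "LAN": 0})
    print(op, check(op))
    # 2. /60 requested and delegated (constructed 2001:db8 placeholder), unique IDs 1-3.
    ok = plan("2001:db8:0:4e0::/60", 60, {"LAN": 1, "WLAN": 2, "DMZ": 3})
    print(ok, check(ok))  # no issues: three distinct /64s carved from the /60
    # 3. kolinger's case: /60 requested (sla-len 4) but the ISP delegates a /56.
    bad = plan("2001:db8:0:4e00::/56", 60, {"LAN": 1, "DMZ": 2})
    print(bad, check(bad))  # every interface gets a /60, which SLAAC cannot use
```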


  • @kolinger:

    Edit:  I've done further testing and verified that when I request a /56 that is what I receive.  So this config seems to work (at least with TWC.)

    I've tried sending the /56 as the hint, and it's still not working.  Haven't had a chance to look at a packet capture yet, but I may end up having to call Comcast, which isn't really my first choice, but I don't know what else to try.


  • Sorry guys, just saw this post. I had posted about this weeks ago in another thread. This is only for Comcast as far as I know, but if you live in the north east, right now the CMTSs are not set up to deal with a prefix any larger/smaller than /64. See http://forum.pfsense.org/index.php/topic,65724.15.html

    Below is a link; if you private message the OP of the forum he can tell you if this feature is supported yet in your area. He will need the CMAC of your cable modem. DON'T POST YOUR CMAC IN PUBLIC.

    http://forums.comcast.com/t5/Home-Networking-Router-WiFi/IPv6-prefix-size-and-home-routing/td-p/1495933


  • @Kyle:

    I've tried sending the /56 as the hint, and it's still not working.  Haven't had a chance to look at a packet capture yet, but I may end up having to call Comcast, which isn't really my first choice, but I don't know what else to try.

    Did you try changing the MAC address on the WAN interface?


  • @Kyle:

    I've tried sending the /56 as the hint, and it's still not working.

    Also, this will definitely not work on Comcast; as far as I know, the shortest prefix they'll hand out is a /60.


  • Finally found success, thanks to Kolinger's statements.  I've been requesting a /60 trying to get this to work to no end.

    Requested a /56 on WAN with DHCP6, and then set up the other interfaces for Track Interface.  When selecting Track Interface, I then hit Save, and once the page refreshes, I then enter the Prefix ID, hit Save again and then Apply Changes.  Then did the same for my other interfaces, then rebooted.

    Once rebooted I got a proper /128 for WAN and a /64 for each of my other interfaces using the proper Prefix ID on each interface.  In the screen below you can see I used 1d for LAN, 2e for WLAN, and 3f for DMZ as Prefix IDs.  Any computer connected to these interfaces gets a proper IPv6 address within the correct /64 prefix ID that was set up.

    Ran a test at http://test-ipv6.com and got a 10/10 using a PC behind each interface so all is working now.  ;D

    ![Screen Shot 2013-10-09 at 7.45.40 PM.jpg](/public/imported_attachments/1/Screen Shot 2013-10-09 at 7.45.40 PM.jpg)


  • @mikeisfly:

    Below is a link; if you private message the OP of the forum he can tell you if this feature is supported yet in your area. He will need the CMAC of your cable modem. DON'T POST YOUR CMAC IN PUBLIC.

    http://forums.comcast.com/t5/Home-Networking-Router-WiFi/IPv6-prefix-size-and-home-routing/td-p/1495933

    I went ahead and posted a question in the Comcast forum.

    @razzfazz:

    Did you try changing the MAC address on the WAN interface?

    No, I'd rather not do that unless I absolutely have to–it should just work.


  • Back to IPv4 unfortunately.  Every 48 hours I was losing my WAN connection (I assume during the DHCP renew), and the cable modem would show loss of sync in its log files.  Back to IPv4 and my connection is back to rock solid.


  • @AhnHEL:

    Back to IPv4 unfortunately.  Every 48 hours I was losing my WAN connection, …..

    Everything, or did you just lose the IPv6 addressing?

    If you are losing the IPv6 addressing, uncheck "Block bogon networks" under the WAN interface configuration.  It's a known IPv6 DHCP-PD killer.


  • I'm losing everything, IPv4 and IPv6 addresses which requires a reboot to get back online.


  • Been playing with this all day until I found this thread.

    Comcast Business and pfsense 2.2.5

    I found a previous guide that suggested a /64 prefix in the WAN config for Comcast.  I got an address for the WAN /64 and a similar prefixed address for the LAN but at a /60

    All my workstations only registered the link local address.  Couldn't get them to route correctly save for the various link-local addresses

    Once I set my prefix to /60 and rebooted everything seems to be working fine.  I am getting expected "real" IPv6 addresses to all the workstations that request them.

    Just a reboot, didn't have to wait a week or reset the MAC addresses on my WAN

    Hope that helps someone.


  • I can verify that in the Kansas City area that /56 prefix would not work.  I changed it to /60 and Comcast immediately served up IPv6 networks for LAN and DMZ without a reboot.


  • neiltiffin, Do you have Comcast business or residential? I can't seem to find a straight answer (yet) on < /64 for residential customers (which I am).
    Monty


  • @chamont:

    neiltiffin, Do you have Comcast business or residential? I can't seem to find a straight answer (yet) on < /64 for residential customers (which I am).
    Monty

    Residential customers can request a prefix as small as /60… business customers can go down to /56. I have Comcast residential service and request a /60 with no problem.

    A note though... if you have already requested a /64, you'll need to let that lease expire (or find someone at Comcast that can delete it for you) before you'll be able to request a /60. So turn off IPv6 for 7+ days, then change the prefix request to /60 and turn it back on.


  • I have some bad news on this.

    Same problems, didn't get a /60 or /56, pfsense would drop the wan connection every few minutes, everything went unstable, reboots sometimes fixed.

    At a different office in town I manage, the comcast business router there is a Netgear, and it got a /60 and works just fine and was easy to setup with pfSense 2.2.5.  Everyone is happy. 10/10 on the ipv6 tests. yay.

    Eventually I broke down and called Comcast to see if they could release my Router's mac address and hopefully re-issue a range, they didn't and said they would not, and anything I read on the internet about Comcast techs doing so was wrong and those people were very naughty.

    Helpfully, they suggested I google the problem and that the SMCDG3 router I have was probably set up wrong.  Then I was wished a nice day.

    So I googled and found this:

    http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/SMCD3G-CCR-and-IPv6/td-p/11117

    TL:DR you have the SMCDG3 Comcast Business router,  you are not going to get a /60,  you will only ever get a /64.

    The ipv6 configuration pages of the SMCDG3 (not working /60) and the Netgear (Working with a /60) look very different.

    For the other office I am at (SMCDG3), I gave up and installed a Hurricane Electric Tunnel.

    Anyway, if you have a SMCDG3 and can get a /60 let me know how you did it.

    If you have a different device let us know and disregard.

    Good luck.


  • @entropywrench:

    TL:DR you have the SMCDG3 Comcast Business router,  you are not going to get a /60,  you will only ever get a /64.

    The ipv6 configuration pages of the SMCDG3 (not working /60) and the Netgear (Working with a /60) look very different.

    For the other office I am at (SMCDG3), I gave up and installed a Hurricane Electric Tunnel.

    Anyway, if you have a SMCDG3 and can get a /60 let me know how you did it.

    If you're using a Comcast-supplied gateway device (it's both a modem and router) because you have a static IPv4 address, then there's not much you'll be able to do, unless there's an advanced setting somewhere that allows DHCPv6 on the SMC to allocate a smaller prefix size.

    But if you don't have a static IPv4 address, then you should be able to put the gateway (this should be possible with any of Comcast's gateway devices) into Bridge mode, so that it functions as a modem only, not a router. Then you can connect your pfSense box to one of the ports, and should be able to get up to a /56 with business-class service, as the DHCP response would be coming from Comcast's servers, not the gateway.


  • @virgiliomi:

    But if you don't have a static IPv4 address, then you should be able to put the gateway (this should be possible with any of Comcast's gateway devices) into Bridge mode, so that it functions as a modem only, not a router. Then you can connect your pfSense box to one of the ports, and should be able to get up to a /56 with business-class service, as the DHCP response would be coming from Comcast's servers, not the gateway.

    Good to know, but each location has a static block of ipv4.

    I dug into the Netgear at the far office that is working wonderfully with ipv6, maybe the models will help with some others

    
    IPV6 works with a /60 and supports a /56
    
    Vendor Name	Netgear
    Hardware Version	1.04
    Serial Number	2B-----blah--------
    Firmware Version	V3.01.05
    Operating Mode	Residential Gateway
    System Uptime	7 days 01h:40m:46s
    Date	11 - 16 - 2015
    Time	13:26:58
    
    Where IPV6 doesn't work with a /60
    
    Vendor Name 	SMC Networks
    Hardware Version 	1.01
    Serial Number 	H----blah----
    Firmware Version 	3.1.6.56
    Operating Mode 	RG
    System Uptime 	001 days 14h:57m:08s
    Date 	Nov-16-2015
    Time 	13:29:03
    

  • Just thought I would add my experience here as reference for anyone -

    I just swapped out older modem for newer model. I was lucky enough to get an Arris TG1682G. By default I tried a /64 setting and it worked. I asked Comcast to disable the built-in WiFi so as not to interfere with my separate AP. They "say" they put it in bridged mode but the external IPv4/v6 addresses are not the same as what shows on my WAN interface on pf. Not sure if it should be that way or not?

    I could not get IPv6 to work on the previous junky Technicolor modem they had given me. The new Arris worked BUT only after I rebooted my pf box. Again, not sure if that is coincidence or something that must be done. The IPv6 waters are very murky ones still. lol

    Anyway, I also put in more private DNS servers from DNSWATCH and OPENINCPROJECT. Personally, ever since Cisco bought OpenDNS, I don't trust it any more.

    ;D Now… just for laughs I'll share this -
    When I initially had no IPv6 address being assigned to the old router I called into Comcast Cust. Svc.  and got past the robo Tier 0 automated help and got the typical Tier 1 brain dead human, I explained I just wanted confirmation that I could actually get an IPv6, etc. before I went through all the trouble of config, swapping modems, etc. The guy actually started READING about IPv6 to me while we were on the phone!!!!  :o He had no clue what I was talking about.

    After I got the new modem and called in to have the WiFi shut off, a different brain dead Tier 1 'hooman' started telling me that the WiFi was built into the modem and there was no way to shut it off...and then I had to teach HER how she would have to transfer me to a higher tier so they could do their thing! I mean honestly Comcast! I shouldn't have to teach your people how to do their job. It was actually quite funny...but UGHH!! I cannot imagine the nightmare and hair-pulling the average tech illiterate customer must go through just to get help.


  • @chamont:

    neiltiffin, Do you have Comcast business or residential? I can't seem to find a straight answer (yet) on < /64 for residential customers (which I am).
    Monty

    Residential and it is hit and miss.  Checked it today and no IPv6.  Uptime 47 days.  Rebooted and IPv6 is back.