Ipv6 comcast



  • On 2.1, amd64 nanobsd

    Not sure where to start but, ipv6 is not working.

    
    Ethernet adapter Local Area Connection 2:
    
       Connection-specific DNS Suffix  . : localdomain
       Description . . . . . . . . . . . : LAN7500 USB 2.0 to Ethernet 10/100/1000 Adapter
       Physical Address. . . . . . . . . : 00-0E-C6-89-xx-xx
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::a4db:2673:24xx:xxx%16(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.244(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, November 09, 2013 7:48:00 PM
       Lease Expires . . . . . . . . . . : Sunday, November 10, 2013 12:48:20 PM
       Default Gateway . . . . . . . . . : fe80::e291:f5ff:fexx:xxxx%16
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 38587xxxx
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-D3-0C-CB-C8-xx-00-xx-xx-xx
    

    just put a few x's in there but w/e

    Interfaces ->Wan
    DHCP6 is set, with a prefix delegation of /60

    Lan ipv6 is set to track interface, everything else left at defaults.

    System->Advanced->Networking ipv6 is checked

    Firewall rules lan,

    ipv6 Source * , port *, dest *, port *.

    No ipv6 connectivity is working though.

    With openwrt it works flawlessly though. (Trunk builds)

    EDIT: also tried with a /64, and it still doesn't work.



  • Works fine here with Comcast. The only remaining problem is modem resets. IPV6 connectivity is lost upon modem reset and does not recover.

    I don't think Comcast has deployed IPV6 universally. Is it available in your area?



  • Yeah it's here. Works fine with openwrt.

    It actually used to work on pfsense on some of the testing builds, but only for a few days.

    I guess nobody really needs ipv6 but I just kind of want it lol.



  • If you set your delegation size to anything other than /64, make sure you enable "send prefix hint" as Comcast will only give you a /64 otherwise.



  • I'm using a 64 now, rebooted pfsense and the modem.
    Still doesn't work.

    On status->gateways

    it shows WAN_DHCP6 and  fe80::201:5cff:xxxx:xxxx (i put those x's)
    and that looks valid to me

    not sure why it's not working for the pc's though



  • Comcast recently changed their IPV6 connectivity. Before I was able to use DHCP on WAN, but now I had to switch it to 6to4 Tunnel. LAN can still be Track Interface.

    I found this out when I plugged directly into my modem, and ran ipconfig /all in Windows. It said it was using a 6to4 tunnel for ipv6.

    It may take a while for ipv6 connectivity to work on the computers on the network. Despite my router being able to ping ipv6.google.com, my computer wasn't able to load ipv6.google.com. I gave up and tried again a few hours later, without making any changes, and it was working.



  • That is definitely not true for Comcast in general; my native v6 connection continues to work just fine, without any 6to4 tunneling.



  • Yup … Nothing changed here. Comcast native dual-stack IPv6 is working just fine.



  • ditto…



  • @jcyr:

    IPV6 connectivity is lost upon modem reset and does not recover.

    Are you saying if someone unplugs the power cable to their modem, and plugs it back in, it no longer supports ipv6? Can you elaborate? I recently lost ipv6 around the time I got a new IP address after changing the spoofed mac address on my pfsense box.



  • No, that quote was about temporary loss of IPV6 connectivity after a modem reset. Temporary in the sense that a pfSense reboot is required to restore it. It's a known pfSense 2.1 flaw…



  • You guys were right, I tried multiple settings with WAN IPV6 until I just unchecked everything under DHCP v6 client configuration. Now it works fully. I don't know what changed, but before I could request just the prefix.



  • I am having this same issue. I have tried every combo I can think of and still cannot get an IPv6 address on the LAN side. I get a WAN ipv6 address and can ping from the pfsense box to the Netgear IP and to the outside world.

    Any ideas??



  • I am on Comcast as well and they support IPv6.  I too have problems getting it to work correctly so disabled it for now.  Is this something by region?  I am Northern California region area if that makes any difference?

    What I did not like if I allow each device to be assigned IPv6 that can be seen on the internet by disabling the DHCP v6 for the LAN.  Granted each device has its own firewall but I'd rather this be NAT'D the same way as IPv4.  This has been long discussed on various websites.

    Any thoughts?



  • I found that block bogon network was breaking my IPV6 on comcast. It was blocking the dhcpv6 replies from getting to the router.

    Darkk, your machines having public IPV6 addresses is how IPV6 is supposed to work. That's the entire point. But they are still firewalled by pfsense, you do not need NAT to have firewalling.

    Incoming connections to ipv6 addresses behind your pfsense firewall will be blocked by pfsense, you still have to open the ports you need. But now because you're free of nat, you don't have the previous limitations of one service per port on your single wan IP. You can open port 80 for a webserver for example on several different servers, and because they each have public IPV6 addresses, those rules don't overlap.

    Being free of NAT is wonderful.



  • @clinta:

    I found that block bogon network was breaking my IPV6 on comcast. It was blocking the dhcpv6 replies from getting to the router.

    Same here.



  • @Darkk:

    What I did not like if I allow each device to be assigned IPv6 that can be seen on the internet by disabling the DHCP v6 for the LAN.  Granted each device has its own firewall but I'd rather this be NAT'D the same way as IPv4.  This has been long discussed on various websites.

    Any reasonably modern device should support IPv6 privacy extensions, and will use a random temporary address (that also changes over time) for any outbound communication, not the SLAAC-assigned one that's derived from its MAC address. This effectively provides the same degree of privacy as NAT in IPv4, except that instead of seeing connections from a bunch of different ports on a single dynamically assigned IP, the outside world now sees connections from a bunch of random addresses in a dynamically allocated prefix.



  • Any reasonably modern device should support IPv6 privacy extensions, and will use a random temporary address (that also changes over time) for any outbound communication, not the SLAAC-assigned one that's derived from its MAC address.

    Unfortunately this renders any per host bandwidth controls available using dummynet pipes unusable. In many ways I've found IPV6 less flexible (useful) than IPV4.



  • Any plans for patches to fix ipv6? I tried unblocking bogon, still no go.



  • @jcyr:

    Any reasonably modern device should support IPv6 privacy extensions, and will use a random temporary address (that also changes over time) for any outbound communication, not the SLAAC-assigned one that's derived from its MAC address.

    Unfortunately this renders any per host bandwidth controls available using dummynet pipes unusable. In many ways I've found IPV6 less flexible (useful) than IPV4.

    I'm not familiar with dummynet, but from a general networking perspective, if your router that's limiting bandwidth is on the same LAN as the device you want to limit, you can see its MAC address and should be able to use that for unique host identification and control.



  • Dummynet does not support rate/limiting per mac address. It is a layer three pipe.



  • I'm having the same issue with my Comcast IPv6. I used to use an Airport Extreme as my router and connected directly to my modem from two different PCs and I've had perfect native IPv6 compatibility for months now (I'm in Oregon). Today I tried using pfSense, but it's only working for IPV4.

    I've tried every option I can think of under my WAN connection, but nothing seems to change it. The problem is that pfSense just doesn't get an IPv6 address from Comcast while my other router has no problem.

    I'm not sure if this is related, but every other router and computer I've tried has always gotten a 24.21.XXX.XXX IP address. pfSense is getting me a 76.27.XXX.XXX IP address. My connection still works fine (hence being able to post this), I just thought that it was odd.



  • @awesomekyle:

    I'm having the same issue with my Comcast IPv6.
    I've tried has always gotten a 24.21.XXX.XXX IP address. pfSense is getting me a 76.27.XXX.XXX IP address.

    When we replaced the SMC modems with Motorola 6141s on several Comcast commercial account customers we got the opposite. We now have several customers on the 24.19.x.x range from the 76.x.x.x range…  We were told ahead of time this would happen actually.

    Which modem are you using?  Gateway modem in bridge mode by chance?

    edit- I've only set on WAN-

    IPv6 Configuration Type= DHCP6
    DHCPv6 Prefix Delegation size  64

    Send IPv6 prefix hint- checked.



  • I'm using an Arris TG862G.

    Per a suggestion on Reddit, I tried changing the prefix to 56 along with sending the prefix hint and I actually got an IPv6 address for my WAN interface. However, my clients weren't getting any addresses. I rebooted pfSense to see if that would fix it, but when I did, I lost my IPv6 address. My settings haven't changed, and I've tried putting it back to /64, but still no IPv6 address.



  • @awesomekyle:

    I'm using an Arris TG862G.

    Per a suggestion on Reddit, I tried changing the prefix to 56 along with sending the prefix hint and I actually got an IPv6 address for my WAN interface. However, my clients weren't getting any addresses. I rebooted pfSense to see if that would fix it, but when I did, I lost my IPv6 address. My settings haven't changed, and I've tried putting it back to /64, but still no IPv6 address.

    Did you set your LAN port IPv6 to track interface?  Then under "track IPv6 interface" lower on the LAN page-  track WAN and 0 should work.

    On WAN I also have block bogons unchecked. Check your LAN firewall rules for an IPv6 outgoing rule.




  • @awesomekyle:

    I'm using an Arris TG862G.

    Per a suggestion on Reddit, I tried changing the prefix to 56 along with sending the prefix hint and I actually got an IPv6 address for my WAN interface.

    The TG862G is a gateway (router), not just a modem.  You had Comcast put it in bridge mode?  If not, that would explain a WAN address on pfSense and nothing else.  In order to get a DHCP-PD addressing for the LAN, pfSense needs to talk directly to Comcast and that requires the TG862G to be put into bridge mode by Comcast.

    You mentioned the Airport Extreme, is that truly in router mode or is it operating in bridge mode?



  • @chpalmer:

    @awesomekyle:

    I'm using an Arris TG862G.

    Per a suggestion on Reddit, I tried changing the prefix to 56 along with sending the prefix hint and I actually got an IPv6 address for my WAN interface. However, my clients weren't getting any addresses. I rebooted pfSense to see if that would fix it, but when I did, I lost my IPv6 address. My settings haven't changed, and I've tried putting it back to /64, but still no IPv6 address.

    Did you set your LAN port IPv6 to track interface?  Then under "track IPv6 interface" lower on the LAN page-  track WAN and 0 should work.

    On WAN I also have block bogons unchecked. Check your LAN firewall rules for an IPv6 outgoing rule.

    Thanks for the screenshot.  I finally got mine working perfectly now.  Although have to try it running Windows 7 as I use Kubuntu 13.10 all the time now.  I did enable the privacy using "prefer public address" in Kubuntu.

    EDIT: Also, I do have Block bogon networks checked on the WAN so it's working fine with it.



  • Doesn't "prefer public address" _dis_able the privacy extensions?



  • Well, either that or it's disabled?  See screenshot. I will have to research this.

    EDIT: I tried to use 'prefer temporary address' setting and it disables the privacy….Hmmm




  • Seems I have to figure out how to keep Kubuntu from using my PC's MAC address in the IPv6 address space.  It's not PfSense issue, it's Linux so I have to fix it.

    EDIT: After some Googling found the answer.  Have to add net.ipv6.conf.eth0.use_tempaddr=2 in the /etc/sysctl.conf which will force the privacy settings.  The Kubuntu Network Manager GUI apparently can't change that setting.  Bummer.  No big deal.  Long as I can change it in the config file then it's good. Have to keep eye on this since any network security updates may overwrite this.  It's a known issue.

    Ran a couple of IPv6 Test sites and it no longer showed my real MAC address.  Yay!



  • It can change this setting; in fact, the corresponding option is right there in your screenshot: By selecting "prefer public address," you explicitly told it to use the SLAAC address (which contains your MAC) for outgoing connections; the setting you actually want is "prefer temporary address," which will use a randomly generated address (that even changes periodically) for outgoing connections. That is precisely what the IPv6 privacy extensions are.
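Added example, not part of any post in this thread: a Python check for the distinction drawn above between a SLAAC address whose interface identifier is derived from the MAC (modified EUI-64) and a privacy-extension temporary address. The sample addresses and MAC are constructed (documentation prefix 2001:db8::/32), and the function names are illustrative.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Heuristic: a random interface ID matches the ff:fe marker with
    probability 2**-16, so a hit on a temporary address is possible but rare.
    """
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop zone id such as %16
    iid = ip.packed[8:]                # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe between the MAC halves
        return None
    # Undo the universal/local bit flip (0x02) applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Flag addresses that reveal the MAC beyond the local link."""
    report = []
    for addr in addresses:
        ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
        mac = eui64_mac(addr)
        report.append({
            "address": addr,
            "mac": mac,
            "link_local": ip.is_link_local,
            # A link-local EUI-64 address never leaves the LAN segment;
            # a routable one carries the MAC to every remote host.
            "exposed": mac is not None and not ip.is_link_local,
        })
    return report

# Constructed sample: what one host might show with use_tempaddr unset.
SAMPLE = [
    "fe80::211:22ff:fe33:4455%16",           # link-local, EUI-64
    "2001:db8:1:2:211:22ff:fe33:4455",       # routable SLAAC, EUI-64
    "2001:db8:1:2:a4db:2673:2401:9c3e",      # routable temporary address
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Run it against the addresses a host actually uses for outbound traffic; with `use_tempaddr=2` in effect, the source address remote sites see should not be one of the flagged entries.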



  • Yes that would be true and I did select it.  However, when I go back into it says it's disabled so had to modify the file manually.




  • Anyone who is still having problems with Comcast's native IPv6, please try a 2.1.1 snapshot, and post your experiences to the 2.1.1 board.
    https://forum.pfsense.org/index.php/board,56.0.html

    As with any snapshot builds, take care when using them. They're just automatically built with no testing. Using the "full backup" feature is always a good idea with snapshots, then you can easily revert back without reinstalling.



  • @cmb:

    Anyone who is still having problems with Comcast's native IPv6, please try a 2.1.1 snapshot, and post your experiences to the 2.1.1 board.
    https://forum.pfsense.org/index.php/board,56.0.html

    As with any snapshot builds, take care when using them. They're just automatically built with no testing. Using the "full backup" feature is always a good idea with snapshots, then you can easily revert back without reinstalling.

    Upgrading now to the January 25 build. Will let you know how it works. I was able to finally get my pfSense to hand out IPv6 address on the LAN but the WAN side was always trying to route across the link local address to the Comcast Netgear. From the inside I could ping6 my router LAN address and WAN address but could never get any further.



  • Give a try with a snapshot from late tomorrow since behaviour should be improved.