No LAN side IPv6
-
I've been using Comcast IPv6 for a while now and it has been consistently inconsistent. That said, it has worked in the past, but my unchanged configuration seems to be broken right now.
Anyway, my latest problem is that I can pull an IPv6 address, but it only works from the pfSense box. So, for example, I can ping6 google.com from my pfSense box, but from any other LAN machine, it doesn't work. IPv4 works fine.
I have restarted everything, but nothing seems to work.
-
What is Comcast supposed to be giving you? Should be an address on a /64 for your WAN port then a /48 or /56 for your local network. What are the specs for what they're doing?
-
On the WAN side it is 128.
On the LAN side it is 64. WAN side gateway is fe80::201:5cff:fe74:cc46. Does that seem right?
-
No. That's a link-local address. Didn't Comcast give you any documentation to work with?
A network segment cannot be a /128 since there's no other address to communicate with.
-
Actually a WAN-side IPv6 address isn't even necessary. I ran an Asus router with Tomato for weeks with no WAN IPv6 address other than link-local, and I'm doing the same as I send this with pfSense.
WAN should be set up for DHCP6, and if you request a prefix smaller than /64, make sure to check the box to send a hint, otherwise you'll likely end up with a /64 anyway. If you don't want a WAN IPv6 address - it's not necessary to have one - you can also check the box to request only a prefix.
With Comcast, residential service customers can request anything between /64 and /60 for the LAN, depending on how many subnets you want for your network. Business customers can likely request more subnets, but I don't know what the limit is for them.
LAN should be set up to Track Interface, then select WAN under the IPv6 section. If you request a /64, the box under that will need to be 0. If you requested additional subnets, then you can make it any value within the limit displayed based on how many subnets you requested (i.e. /60 = 0-F).
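The prefix ID arithmetic described above, worked through as an added example that is not part of the original post. The function names are hypothetical and the delegated prefix is a constructed value from the 2001:db8::/32 documentation range, not an address from this thread.

```python
import ipaddress

def max_prefix_id(delegated: str) -> int:
    """Highest Track Interface prefix ID a delegation allows (/60 -> 0xF, /64 -> 0)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64 and cannot hold a LAN /64")
    return (1 << (64 - net.prefixlen)) - 1

def lan_subnet(delegated: str, prefix_id: str) -> ipaddress.IPv6Network:
    """The /64 a tracking LAN interface gets for a hex prefix ID."""
    net = ipaddress.IPv6Network(delegated)
    limit = max_prefix_id(delegated)
    pid = int(prefix_id, 16)
    if not 0 <= pid <= limit:
        raise ValueError(f"prefix ID {prefix_id} outside 0-{limit:X} for {net}")
    # The prefix ID fills the bits between the delegated length and /64.
    return ipaddress.IPv6Network((int(net.network_address) + (pid << 64), 64))

def classify_lan_address(addr: str, delegated: str, prefix_id: str) -> str:
    """Say whether a LAN host's address can be used for routed IPv6."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local only"      # host never got a global address
    if ip in lan_subnet(delegated, prefix_id):
        return "in tracked /64"       # address matches the LAN's delegated subnet
    return "outside tracked /64"      # stale or mismatched prefix

if __name__ == "__main__":
    PD = "2001:db8:abcd:10::/60"      # constructed delegation, not from the thread
    print(max_prefix_id(PD), lan_subnet(PD, "f"))
    print(classify_lan_address("fe80::1c2d:3eff:fe4f:5a6b", PD, "0"))
    print(classify_lan_address("2001:db8:abcd:1f::25", PD, "0"))
```

Comparing a LAN host's address against the expected /64 shows whether it received no global address at all or one from a prefix the LAN interface is no longer tracking.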
-
That makes sense. You can always VIP something out of the allocation if you want pfSense itself to listen. Thanks.
-
Just a note… if you do run with no WAN side IPv6 address, and you're running the 2.2 beta, you'll have issues with unbound (DNS Resolver). pfSense sticks a blank access control entry into the config, since there's no WAN IPv6 address, keeping unbound from starting properly.
-
"A network segment cannot be a /128 since there's no other address to communicate with."
Yes, your WAN address will be a /128 on Comcast.
You are talking to the CMTS. Routing is to the link-local address, the CMTS inserts the route to the /128.
-
It appears to be working now. All I did was go into the LAN interface in the interfaces section of pfSense (changed nothing), clicked save, and then did the same on my WAN.
As I said, consistently inconsistent.