
New problem solver

 • 

37 Messages

Wed, Feb 24, 2021 9:11 PM

/59 prefix delegation block changed...

I have a /56 static on Comcast Business.  Recently I had a cable modem issue (as determined by Comcast) and the cable modem was replaced.  Everything is working, but I received a different /59  (still inside my /56) so I had to renumber several vlans!  How do I keep this from changing?  

Thank you,


Robert

Accepted Solution

New problem solver

 • 

23 Messages

9 months ago

Alright.. I realize this is an older post but I was having issues because of this exact situation - that is, I configured a bunch of vlans with subnets within the /59 that the comcast business gateway handed out, and it was all just lovely for a while... until at some point I restarted and all of my IPv6 systems that weren't on the same vlan as the gateway broke because I got a different /59.  I believe I've managed to configure everything to request and actually get the same prefix each time.

For context, my gateway is the CGA4131COM and I'm using an OPNsense 22.1.1 box as my router/firewall. I have four vlans configured on OPNsense.

WAN - connected to the gateway, LAN for my private network for user devices, PUB for all of my public facing servers where my static IPv4 addresses live, and SRV for internal servers that don't need to face the internet at large and shouldn't necessarily be in the same network as the end user devices.

on the LAN, PUB, and SRV vlan interfaces, the IPv6 configuration type is set to "Track Interface" which pulls from the pool of subnets in the delegated prefix assigned to the WAN interface, and I gave each a prefix ID within that - there's 32 IDs to pick from 0x0 to 0x1f.

I initially set the WAN interface to use DHCPv6 as the configuration type, and under the details, had it set to Basic, provided a prefix length of 59, and got a prefix xxxx:xxxx:xxxx:1a0::/59. The other vlans got a /64 in that range with the prefix ID added to the end (for example, the PUB vlan id was 0x0 so it got xxxx:xxxx:xxxx:1a0::/64. I gave the LAN vlan an id of 0xc so its subnet was xxxx:xxxx:xxxx:1ac::/64, etc). Everything was good until I had to restart the gateway after which the prefix was xxxx:xxxx:xxxx:160::/59... which.. broke everything.

It turns out that in the /56, there are only 8 /59 subnets to delegate so I found that if I restarted the gateway a few times, it would eventually give me the 1a0 prefix again.  Obviously this is a workaround that's less than ideal.  On the WAN interface, there is an "Advanced" option, but the integrated help wasn't particularly helpful so I eventually dug into the innards of the behind-the-scenes configuration.  It's FreeBSD and I was able to look up the manpage for dhcp6c.conf and also compare the file generated with the "Basic" mode with the one that was generated by the  "Advanced" mode.

Here's what eventually worked:
Configuration Mode: Advanced

In the Interface Statement section

Send Options: ia-na 0, ia-pd 0

Request Options: domain-name-servers,domain-name

Script: /var/etc/dhcp6c_wan_script.sh

(this was in the basic configuration file, which is why I included it.. the naming may be different so you'll probably need to look at the basic script first)

In the Identity Association section

Check Non-Temporary Address Allocation

id-assoc na ID: 0 (or whatever number you put after id-na in Send Options above)

Address IPv6-address: leave blank or specify an address in the /64 that the business gateway is in

Preferred Lifetime: leave blank or infinity if an address is requested above.

Valid Time: leave blank

Check Prefix Delegation

id-assoc pd ID: 0 (or whatever number you put after id-pd in Send Options above)

Prefix IPv6-Prefix: xxxx:xxxx:xxxx:1a0::/59 (that is, the specific /59 prefix you want)

Preferred Lifetime: infinity

Valid Time: leave blank

In the Prefix Interface section

Prefix Interface Site-Level Aggregation Length: 5

(this appears to be the difference in bits between /59 and /64)

everything else can be left blank/default.

On the Gateway itself, under connection -> local IP network, in the IPv6 section:

Ensure that Stateful(Use Dhcp Server) is checked.  Prefix delegation will not work otherwise.  I set the lease time to Forever and saved those settings.

After restarting the gateway and OPNsense, it is now consistently giving me the 1a0 prefix that I have everything configured to use.

I know this is one specific setup with a particular gateway and firewall, but I know OPNsense is a fork of pfsense so it ought to be similar, and if you are able to dig into the weeds a bit on your router's configuration, you might be able to find where you can set it to request a specific prefix every time.  This particular gateway appears to honor that.

(edited)

New problem solver

 • 

23 Messages

As a followup, I've rebooted both my firewall and my CGA4131COM a few times just to make sure it's working as it ought to.  I am now consistently getting the correct prefix, so the CGA4131COM (at least the revision/firmware I have) honors the request if asked nicely.. or.. y'kno.. in a protocol compliant way I suppose.  Configuring other routers to properly make that request is beyond the scope of my experience, but it is clearly possible and now that I've managed to set it up, I'm sure it'll save me from random unexpected IPv6 "outages" going forward.

Contributor

 • 

27 Messages

That's using BSD eh?  I don't see those advanced type options for daemons under linux like dhclient.  Wonder if there's an alternate.

New problem solver

 • 

23 Messages

yeah, pfsense and opnsense are based on BSD and I did the configuration using the web GUI which is just a front end for the configuration files.  The actual operation is determined by the content of the dhcp6c.conf.

It has continued to keep the correct prefix so there shouldn't be any reason why other routers, particularly linux based systems, can't also request a specific prefix. 

I'll have to tinker with some VMs to see if I can figure out how to do it with other systems... I have six other potentially available prefixes to tinker with, after all.

Contributor

 • 

27 Messages

I could probably do something with dibbler or some other software.

I wasn't aware that DHCPv6 IA_PD could even specify a desired PD network number.  I thought it only had an argument for desired PL assignment.

New problem solver

 • 

23 Messages

For what it's worth, this is the sanitized dhcp6c.conf file that was generated on my OPNsense box:

interface lagg0_vlan1 {
  send ia-na 0;
  send ia-pd 0;
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 {
};
id-assoc pd 0 {
  prefix xxxx:xxxx:xxxx:1a0::/59 infinity;
  prefix-interface bridge0 {
    sla-id 12;
    sla-len 5;
  };
  prefix-interface lagg0_vlan2 {
    sla-id 0;
    sla-len 5;
  };
  prefix-interface lagg0_vlan3 {
    sla-id 5;
    sla-len 5;
  };
};

If working with the configuration directly, of course substitute appropriate values for that particular setup.

In my case, the system itself has two physical interfaces so I've LAGG'd them and set up several VLANs. VLAN 1 is the cable modem network.  Bridge0 is the private network (end user devices) and is bridged with the OpenVPN TAP interface and gets the xxxx:xxxx:xxxx:1ac::/64 prefix (12 = 0xC, and 64 = 59+5).  VLAN 2 is the same vlan where my public IPv4 addresses live, so web server, mail, nextcloud, minecraft, etc.. and gets xxxx:xxxx:xxxx:1a0::/64.  VLAN 3 is my private server network - LDAP, PostgreSQL, other services and containers that have no business being exposed directly to the world, and it gets xxxx:xxxx:xxxx:1a5::/64.

I wasn't aware that I could explicitly request a specific prefix either but renumbering and/or rebooting the cable modem until I got the right prefix was supremely inconvenient.  Obviously there wasn't a lot of other helpful information on the support forums which is how I ended up on this thread in the first place, and the OPNsense and pfsense help wasn't particularly helpful either so I ended up having to dig into the man page for the underlying configuration file and just kept futzing with the GUI inputs until the config file looked like I thought it should and then rebooted OPNsense and the cable modem a few times to confirm.  OPNsense also has a "Config File Override" option wherein you can specify the complete path to an alternate configuration file and it won't try to generate one.. I didn't really want to get that far into the weeds if I could help it.

In any case, I hope this helps. If not directly, then at least by getting people pointed in the right direction notionally for their setup. 
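Added example (not part of the original posts, and not OPNsense or dhcp6c code): a short Python check of the arithmetic described above, showing which /59 blocks a /56 contains, whether a pinned prefix falls inside the static block, and which /64 each interface ends up with for a given `sla-id` and `sla-len`. The `2001:db8:0:100::/56` block is a constructed stand-in for the redacted prefix, and the function names are hypothetical.

```python
import ipaddress

def delegable_prefixes(static_block, pd_len=59):
    """Every prefix of length pd_len that can be delegated out of the static block."""
    return list(ipaddress.IPv6Network(static_block).subnets(new_prefix=pd_len))

def check_request(static_block, requested):
    """True if the prefix pinned in 'id-assoc pd' lies inside the static block."""
    block = ipaddress.IPv6Network(static_block)
    return ipaddress.IPv6Network(requested).subnet_of(block)

def derive_subnets(delegated, sla_len, sla_ids):
    """Interface -> subnet: the delegated prefix followed by sla-len bits
    holding the sla-id, as in the prefix-interface blocks of the conf above."""
    pd = ipaddress.IPv6Network(delegated)
    new_len = pd.prefixlen + sla_len
    if new_len > 64:  # assumption of this example: interfaces get a /64 or shorter
        raise ValueError(f"/{pd.prefixlen} + sla-len {sla_len} exceeds /64")
    subnets = {}
    for ifname, sla_id in sla_ids.items():
        if not 0 <= sla_id < (1 << sla_len):
            raise ValueError(f"sla-id {sla_id} on {ifname} does not fit in {sla_len} bits")
        base = int(pd.network_address) | (sla_id << (128 - new_len))
        subnets[ifname] = ipaddress.IPv6Network((base, new_len))
    return subnets

# Constructed sample values: 2001:db8::/32 is the documentation range,
# standing in for the redacted xxxx:xxxx:xxxx part of the real prefix.
STATIC_BLOCK = "2001:db8:0:100::/56"
# sla-id values as they appear in the sanitized dhcp6c.conf above.
SLA_IDS = {"bridge0": 12, "lagg0_vlan2": 0, "lagg0_vlan3": 5}

if __name__ == "__main__":
    # Show how the bridge0 /64 moves with each /59 the gateway could hand out.
    for pd in delegable_prefixes(STATIC_BLOCK):
        print(pd, "->", derive_subnets(str(pd), 5, SLA_IDS)["bridge0"])
```

Running it lists all eight /59 blocks with the resulting `bridge0` subnet for each, which makes it easy to see what has to be renumbered when the delegation moves from `1a0` to `160`.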

New problem solver

 • 

9 Messages

2 years ago

you got it easy. I just had my modem upgraded and I got an entirely different /56 assignment. To make matters worse, every time the modem reboots I get a different /59 assignment to my firewall. There is no way to statically assign anything IPv6 inside of the modem's web interface so ipv6 is pretty broken in terms of being able to set anything statically. At least my old modem kept the same /59 assigned to my firewall the entire time I had it.

Official Employee

 • 

55 Messages

2 years ago

Hello and thank you for reaching out to us. I apologize for the delayed response time but thank you for sticking with us to address your questions and concerns! I am here to help! In order to get started can you please send me a private message with your full name and service address? To send a private message, click my name "ComcastDena", then click "send message".

New problem solver

 • 

37 Messages

2 years ago

I clicked your name but don't see a "send message" button. Please advise.

If I click the message button & type in your name, it doesn't work either:

(edited)

New problem solver

 • 

37 Messages

2 years ago

@MikeAce , do you have a static /56 assigned as well?

Official Employee

 • 

55 Messages

If you're signed in to your Forums profile and because you have already posted to the public page, you should have the option to do so. After clicking on one of our names, do you happen to see the "Send a message" button in the top right corner?

New problem solver

 • 

37 Messages

2 years ago

@Comcast_Dena , Yes I do have that, but as per my screenshot it can't find you to send a message to.  If I type Comcast_D, it will  show me 3 or 4 other people I can send a message to, but not to you.  Maybe if you could send me a message I could just reply?

Official Employee

 • 

55 Messages

Have you tried without the underscore? ComcastDena

New problem solver

 • 

9 Messages

2 years ago

I've never actually received an official word from Comcast business that IPv6 assignments are truly static. When I got the new modem and I saw my delegated /56 had changed, the tier 3 tech had no idea about the intended behavior. It's very disappointing because I have a static IPv4 block that did transfer over

New problem solver

 • 

37 Messages

2 years ago

@MikeAce : My static IP block /56 shows under my static ips next to my static ipv4 ips.  Do you have static ipv4 ips?  If not it may not be static.

New problem solver

 • 

9 Messages

2 years ago

Yes I have a static /28 of IPv4

New problem solver

 • 

37 Messages

2 years ago

It should also show you a /56 next to your /28 in your account.  If a /56 doesn't show up, that is the issue.  You may have to ask them to assign you one so it stays static.  Might be dynamic otherwise. Maybe @Comcast_Dena can assist if that is the case.

New problem solver

 • 

9 Messages

2 years ago

Yeah it says I have a /56 delegated prefix and it stays the same with the modem. As soon as the modem was changed out though I got a different /56 and Tier 3 didn't have an answer

New problem solver

 • 

37 Messages

2 years ago

Wow, so Tier3 couldn't figure out why your /56 wasn't matching up with what they assigned you?  I'd hope they could fix that same as they fix static ipv4 blocks not routing to you...wow...

(edited)

New Contributor

 • 

6 Messages

2 years ago

I'm having this same problem.  We have a static /56.. our system is configured to request a /59 (largest block have been able to pull).  This has been working for years with no issues.  Just 3 days ago this delegated prefix changed (different bits within our /56) requiring us to renumber all our systems, software, DNS...etc.

The problem is now that since then traffic stops passing on the newly delegated prefixes after about a day of uptime... This has happened twice so far over the past two days and we've had to renumber each time.  No idea how to wake up Comcast's systems to allow traffic to pass.  Previously for residential when this would happen you could just kick the DHCP and it would update Comcast's filter to allow traffic to pass again but here nothing seems to work anymore.

We can receive IPv6 packets yet all outgoing IPv6 packets on the delegated prefix are dropped after it leaves our WAN port to Comcast.  Ran a packet capture and can see the IPv6 packets going out of the WAN interface.  The /64 on our WAN interface works fine and we can ping out from it but everything on our production LAN network using the delegated prefix has no working IPv6 after a days time it stops working.  All of the packets are being dropped.

Official Employee

 • 

17 Messages

Hello, @packeteater, thank you for sharing your experience with us as well. I am sorry to hear of the trouble you are experiencing with your services. I would like to confirm, did your issues begin after going through a modem replacement?

New Contributor

 • 

6 Messages

2 years ago

Modem has not been replaced and there have been no hardware changes on our end.    I don't know if firmware updates were recently pushed to the modem.

Official Employee

 • 

24 Messages

That's definitely an interesting observation. You mentioned that this all started about three days ago, and it has happened a total of two more times over the last two days, is that correct? Does it seem to be happening at the same time of day each time, or does it seem more random than that?

New Contributor

 • 

6 Messages

2 years ago

Delegated /59 prefix we had been assigned for years was ...:43e0:: then it went to ...:4340:: and finally ...:4300::.  First time it took a while to notice the LAN prefix had changed.

What I know is that after each change it works for about a day probably somewhat less.  Unsure exactly how long.  After this outgoing packets would be dropped.  This happened both times from 43e0 to 4340 and 4340 to 4300.  I don't know if both were exactly the same interval but it was about the same.

No idea what triggers changes.  For all I know it could have been automatic or triggered by rebooting CM or system or fiddling with DHCP trying to poke whatever is blocking traffic.  The last time it changed was on phone with a Comcast CSR.