LunarG's profile

New problem solver

12 Messages

Friday, December 5th, 2014

CG3000DCR IPv6 interferes with my DHCP and DNS

I have a CG3000DCR with hardware version 1.04 and firmware version V3.01.04.

I run my own DHCP and DNS servers.  So I disable the "Enable LAN DHCP" on the "IPv4 setup" page.

But there is no specific setting on the "IPv6 Setup" page for DHCP and DNS behavior.

I found Windows and Linux systems on the LAN issue ICMPv6 "Router solicitation" packets.

And the CG3000DCR responds with ICMPv6 "Router advertisement" packets.

Those replies include Comcast DNS servers.

ICMPv6 Option (Recursive DNS Server 2001:558:feed::2 2001:558:feed::1)

That had the systems on my LAN sometimes going out to the Comcast IPV6 DNS servers that know nothing of my local DNS.

 

I have banished the cable modem off to a separate LAN behind another router until it learns to play well with others.

Occasional Visitor

7 Messages

11 years ago

This information would have been nice two weeks ago when I was pulling my hair out trying to figure out what the heck was going on.  I eventually pushed a GPO to my machines to not use IPv6, excluding my server.  This cost our business several thousand dollars due to end users not being able to connect to Exchange or the server.  Really Comcast????

Problem solver

326 Messages

11 years ago

Realizing you have rogue DHCP servers in an enterprise can be a real bitch even if they are DHCP v4.   I have a client that had network instability for a month when another contractor installed what they THOUGHT was a hub but was actually a router with DHCP enabled.  I only caught it because I had 1 system that just happened to misbehave when I was there and the customer doesn't use 192.168.1.X as their internal subnet - and I'm looking at the status of the interface going "WTF is this machine picking up 192.168.1"

 

I STRONGLY RECOMMEND to Comcast that ALL of their Business gateway routers be FACTORY DEFAULTED to have IPv6 DHCP turned OFF by default.  You do not need to be handing out DHCP IPv6 to tech installers who are just plugging a laptop into the modem and hitting 10.0.10.1 to configure it.

Occasional Visitor

7 Messages

11 years ago

UPDATE!!  So now we can't email anyone at Google or that is hosted by Google... after a little checking around  the bloody modem is sending my emails (we host our own server) with an IPv6 address.  This is not acceptable as, you guessed it... our certificates, reverse DNS, SPF records, etc are not set up for IPv6.

New problem solver

74 Messages

11 years ago

If you have IPv6 as well as IPv4 connectivity, IPv6 is preferred. Your only option would be to somehow filter the AAAA records at your DNS server, or configure your mail server as an IPv4 only host.

 

I would recommend advertising only IPv4 MX records at this point anyway, as some sendmail versions have problems cleanly falling back to IPv4 if there is no IPv6 connectivity. 

 

Occasional Visitor

7 Messages

11 years ago


@dano2004 wrote:

UPDATE!!  So now we can't email anyone at Google or that is hosted by Google... after a little checking around  the bloody modem is sending my emails (we host our own server) with an IPv6 address.  This is not acceptable as, you guessed it... our certificates, reverse DNS, SPF records, etc are not set up for IPv6.


Finally fixed issues.  Had to create both SPF and DKIM for Exchange.  This corrected the issue with using IPv6 and emailing Google and Comcast users.  I did set up AAAA record and added MX record for IPv6 as well as the SPF... wasn't until I did the DKIM that things worked.  Still waiting on Comcast to add my reverse DNS record for IPv6 address, but once that is done then all of the recommended settings should be set. 🙂
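An added example, not part of the original posts: an offline check of whether a sending address is covered by the `ip4:`/`ip6:` terms of an SPF record, showing why a record written only for IPv4 stops matching once the mail server starts sending over IPv6. The records and addresses are constructed from documentation ranges, and the function name `spf_ip_check` is hypothetical.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (documentation address ranges, not real hosts).
IPV4_ONLY_RECORD = "v=spf1 ip4:192.0.2.25 -all"
DUAL_STACK_RECORD = "v=spf1 ip4:192.0.2.25 ip6:2001:db8:25::/64 -all"

def spf_ip_check(record: str, sender_ip: str) -> str:
    """Evaluate only the ip4:, ip6: and all terms of an SPF record.

    Mechanisms that need DNS lookups (a, mx, include, ...) are skipped as
    non-matching, so this is an offline approximation, not a full SPF check.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            # ip4 terms can only match IPv4 senders, ip6 terms only IPv6 senders
            if net.version == ip.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

if __name__ == "__main__":
    for rec in (IPV4_ONLY_RECORD, DUAL_STACK_RECORD):
        for src in ("192.0.2.25", "2001:db8:25::10"):
            print(f"{src:18} {spf_ip_check(rec, src):5} {rec}")
```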

 

Problem solver

326 Messages

11 years ago

DKIM isn't needed for Gmail.  In fact SPF isn't either - however if they get but a single spam complaint from one of their users from spam that got relayed through your mailserver, they will blacklist you unless you have at least an SPF record.  The main thing they seem to care about is a correct PTR record - and a very high quality spam-to-ham ratio from your server.

 

I don't allow companies with so-called "opt in" (or so they claim) mailing lists on our systems so our ham-to-spam ratio is excellent - Gmail is very forgiving to us as a result, we only get blacklisted when one of our users lets a password go through a phish email and the bad guys start relaying, even though we shut them down pretty quick.  And the block never lasts more than a few hours after I close the hole.

 

Unfortunately, SPF and DKIM both seem to have become worthless judging by the amount of spam I get in our honeypots that have valid SPF & DKIM.

New Member

1 Message

10 years ago

Was this issue properly resolved for disabling IPv6 DHCP on the Netgear CG3000DCR? I just received the unit as a replacement for a SMCD3G and am in a similar position where the unit is handing out DHCP/DNS information to my local SBS network. I have tried (1) unchecking the Enable DHCPv6 checkbox and (2) setting the Valid Lifetime to 0 under User defined prefix, but neither setting actually disables the v6 LAN functionality.

New problem solver

12 Messages

10 years ago

 

I acknowledged this as 'solved' when the firmware was upgraded to have a
checkbox to disable IPV6. But I left my workaround in place so the CG3000DCR
was not on the site LAN.

I just connected a system directly to it and watched with wireshark.
With firmware version V3.01.05, the DHCPv6 checkbox is not actually working.
IPV6 remains fully active.
With DHCPv6 unchecked the CG3000DCR still responds ICMPv6 router advertisement.
And that response still includes the Comcast DNS servers.
I am not going to test the "Assign DNS Manually" settings.
Those might work to point to some local IPV6 DNS server.
But testing the corner cases of this chronically buggy firmware is not a worthwhile use of my time.

Gold Problem solver

610 Messages

10 years ago


@LunarG wrote:

 

I acknowledged this as 'solved' when the firmware was upgraded to have a
checkbox to disable IPV6. But I left my workaround in place so the CG3000DCR
was not on the site LAN.

I just connected a system directly to it and watched with wireshark.
With firmware version V3.01.05, the DHCPv6 checkbox is not actually working.
IPV6 remains fully active.
With DHCPv6 unchecked the CG3000DCR still responds ICMPv6 router advertisement.
And that response still includes the Comcast DNS servers.
I am not going to test the "Assign DNS Manually" settings.
Those might work to point to some local IPV6 DNS server.
But testing the corner cases of this chronically buggy firmware is not a worthwhile use of my time.


Well, keep in mind that DHCPv6 and ICMPv6 router advertisements (RAs) are actually 2 different things. With DHCPv6 on, a packet trace SHOULD show periodic UDP packets on port 546/547 being broadcast from the Netgear, alongside the RAs. With DHCPv6 off, a packet trace SHOULD just show the RAs.

 

To completely disable IPv6 on the Netgear, you would need a way to disable both DHCPv6 AND announced RAs. I don't have this gateway, so I can't comment on whether it gives you this capability.

 

I will say that in my experience, Netgear products tend to have pretty awful firmware, and Netgear in my experience typically takes a "don't care" attitude to this. I see firmware-related problems across all ranges of Netgear devices that remain unsolved, and I have seen them make pretty egregious, basic mistakes numerous times. I personally don't recommend them as a brand. Just my 2 cents.
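An added example, not part of the original posts: a parser for a captured ICMPv6 Router Advertisement that reports the M/O (DHCPv6) flags separately from the Recursive DNS Server option and flags any advertised resolver that is not on a site allowlist, which is the distinction the post above draws between DHCPv6 and RAs. The sample packet is constructed (only the two resolver addresses come from the thread), and `fd00::53` is a hypothetical local resolver.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)

def parse_ra(icmp6: bytes) -> dict:
    """Parse a Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {
        "managed": bool(icmp6[5] & 0x80),  # M flag: addresses via DHCPv6
        "other": bool(icmp6[5] & 0x40),    # O flag: other config via DHCPv6
        "router_lifetime": struct.unpack_from("!H", icmp6, 6)[0],
        "rdnss": [],                       # (address, lifetime) pairs
    }
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS:
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("malformed RDNSS option")
            lifetime = struct.unpack_from("!I", icmp6, off + 4)[0]
            for pos in range(off + 8, off + opt_len, 16):
                addr = ipaddress.IPv6Address(icmp6[pos:pos + 16])
                info["rdnss"].append((str(addr), lifetime))
        off += opt_len
    return info

def audit_ra(icmp6: bytes, allowed_dns: list) -> dict:
    """Flag resolvers announced by RA that are not on the site's allowlist."""
    info = parse_ra(icmp6)
    allowed = {ipaddress.IPv6Address(a) for a in allowed_dns}
    info["unexpected_dns"] = [
        addr for addr, lifetime in info["rdnss"]
        if lifetime > 0 and ipaddress.IPv6Address(addr) not in allowed
    ]
    return info

def build_sample_ra() -> bytes:
    """Constructed RA: M=0, O=0, RDNSS with the two resolvers quoted in the thread."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, 1800, 0, 0)
    dns = [ipaddress.IPv6Address(a).packed for a in ("2001:558:feed::2", "2001:558:feed::1")]
    return header + struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 600) + b"".join(dns)

if __name__ == "__main__":
    print(audit_ra(build_sample_ra(), ["fd00::53"]))  # fd00::53: constructed local resolver
```

With both flags clear the advertisement still carries resolvers, so a check for rogue DNS on the LAN has to inspect RA options as well as DHCPv6 traffic.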

Visitor

3 Messages

10 years ago

What about just setting in bridge mode (or equivalent) and placing a different router between the Comcast unit and the LAN shielding from IPv6 DHCP?

 

Problem solver

326 Messages

9 years ago

smschulz, bridge mode makes a static IP impossible.  There is a fix for his problem.  That is this.  If he only has a dynamic IP then send the Netgear back to Comcast and use his own cable modem (save on rental costs) and his own router and he can configure them how he likes.   If he has a static then put a second router behind the cable modem and configure it how he likes.  The fact the Netgear is handing out DNS server IP addresses is NOT a bug.  That's what RA on an IPv6 device is supposed to do; it's part of the standard.  The Netgear needs a button to disable IPv6 but given the push for IPv6 I understand why Comcast doesn't want to disable it.  He has options.