CGA4131COM - DHCPv6-PD is broken and not routing packets
Maybe the community can help with my problem on IPv6 and the Technicolor CGA4131COM modem not actually doing a DHCPv6-PD properly.
There are several posts here that document the same problem but then go quiet... maybe they got fixed? Maybe they gave up.
User fwpowell has beaten this drum as well.
I upgraded to 600mbps service for my business.
For the past 3 years I have had 150mbps or 300 mbps service with the Netgear CG3000DCR and the Cisco DPC3939B; the internal configuration has been the same for those years. I have not had an IPv6 delegation problem in those 3 years and enjoyed great service. Ever since I upgraded to the 600mbps service, which required the CGA4131COM modem, my configuration has been broken.
The CGA4131COM manifests the problem as such:
The modem will happily delegate a /59 network via DHCPv6-PD. Proof:
```
Feb 10 00:58:50 firewall-primary dhcp6c: reset a timer on mvneta2, state=SOLICIT, timeo=0, retrans=1091
Feb 10 00:58:50 firewall-primary dhcp6c: get DHCP option IA_PD prefix, len 25
Feb 10 00:58:50 firewall-primary dhcp6c: IA_PD prefix: 2603:300b:xxxx:20::/59 pltime=345600 vltime=345600
```
The router now assigns these IPs to the internal interfaces:
```
Feb 10 00:58:50 firewall-primary dhcp6c: create a prefix 2603:300b:xxxx:20::/59 pltime=345600, vltime=345600
Feb 10 00:58:50 firewall-primary dhcp6c: add an address 2603:300b:xxxx:3a:208:a2ff:fe0c:e8e2/64 on mvneta1.300
Feb 10 00:58:50 firewall-primary dhcp6c: add an address 2603:300b:xxxx:24:208:a2ff:fe0c:e8e2/64 on mvneta1.4
Feb 10 00:58:50 firewall-primary dhcp6c: add an address 2603:300b:xxxx:21:208:a2ff:fe0c:e8e1/64 on mvneta0
Feb 10 00:58:50 firewall-primary dhcp6c: add an address 2603:300b:xxxx:22:208:a2ff:fe0c:e8e2/64 on mvneta1.100
Feb 10 00:58:50 firewall-primary dhcp6c: add an address 2603:300b:xxxx:26:208:a2ff:fe0c:e8e2/64 on mvneta1.6
```
So far everything is good and behaving like a documented standard. Now the internal interfaces try to ping an external site:
```
root ~ % ping6 2001:558:1c2:449::1
PING6(56=40+8+8 bytes) 2603:300b:xxxx:3a:208:a2ff:fe0c:e8e2 --> 2001:558:1c2:449:xxxx::1
--- 2001:558:1c2:449:xxxx::1 ping6 statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss
```
Looking at a packet capture of the wire between the router and modem we see:
```
00:39:23.389365 IP6 2603:300b:xxxx:3a:208:a2ff:fe0c:e8e2 > 2001:558:1c2:449:xxxx::1: ICMP6, echo request, seq 21, length 16
00:39:23.400403 IP6 fe80::10:18ff:fe12:1a5d > ff02::1:ff0c:e8e2: ICMP6, neighbor solicitation, who has 2603:300b:xxxx:3a:208:a2ff:fe0c:e8e2, length 32
```
The modem does not recognize the sending IP, so it does a Layer 2 'who has' to see if something responds. Since this is a Layer 2 broadcast on a separate VLAN from the internal Layer 3 interface, nothing responds and the packet is dropped. Nothing will ever or should respond to this request. If the modem were working properly as a router for a range it delegated, it would forward the packets without a 'who has' request.
What should be happening?
The modem should forward the IPv6 packet on since it delegated the prefix. I believe this is due to the firewall never actually being disabled in the modem. The logs show:
```
FW.IPv6 INPUT drop , 272 Attempts, 2020/2/09 18:09:05 Firewall Blocked
FW.IPv6 FORWARD drop , 2409 Attempts, 2020/2/09 18:09:05 Firewall Blocked
```
If the firewall was disabled, why would there be drops recorded? Also this could be why it is working in a 'true bridge' mode, which is only possible if the account does NOT have static IPv6 addresses.
What can be done?
This is a very simple thing to test for Comcast. Provision yourself a modem, launch any number of free routing/firewall products (pfSense, Linux with dhcp6c, any Cisco router, etc.), get a DHCPv6-PD from the modem, assign an IP internally, try to ping anything... even the modem's internal interface.
So far I have done an escalation with my account executive, I have tried for 2 weeks to get a resolution with the support team on the forums, tried multiple calls to the support call center, had 3 tech visits, and other conversations with Comcast employees. The only answer I get from Comcast is that they do not support anything past the modem and they do not support anything beyond the first /64 of the /56 IPv6 assignment.
At this point, if you require IPv6 address space from the assigned /56, I would avoid any speeds over 300mbps and ask for any other modem in Comcast's offering.
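
The diagnosis walked through in the post (a prefix delegated in the dhcp6c log, followed by a neighbor solicitation on the WAN side for an address inside that prefix) can be checked mechanically. The script below is an added example, not part of the original post; the hostname `fw`, the interface names and the 2001:db8::/32 documentation addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data (2001:db8::/32 documentation prefix); the line
# formats mirror the dhcp6c and tcpdump output quoted in the post.
DHCP6C_LOG = """\
Feb 10 00:58:50 fw dhcp6c: IA_PD prefix: 2001:db8:aaaa:20::/59 pltime=345600 vltime=345600
Feb 10 00:58:50 fw dhcp6c: add an address 2001:db8:aaaa:3a:208:a2ff:fe0c:e8e2/64 on mvneta1.300
Feb 10 00:58:50 fw dhcp6c: add an address 2001:db8:aaaa:21:208:a2ff:fe0c:e8e1/64 on mvneta0
"""
CAPTURE = """\
00:39:23.389365 IP6 2001:db8:aaaa:3a:208:a2ff:fe0c:e8e2 > 2001:db8:ffff::1: ICMP6, echo request, seq 21, length 16
00:39:23.400403 IP6 fe80::10:18ff:fe12:1a5d > ff02::1:ff0c:e8e2: ICMP6, neighbor solicitation, who has 2001:db8:aaaa:3a:208:a2ff:fe0c:e8e2, length 32
00:39:24.100000 IP6 fe80::10:18ff:fe12:1a5d > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:bbbb::1, length 32
"""

PD_RE = re.compile(r"IA_PD prefix: (\S+/\d+)")
ADDR_RE = re.compile(r"add an address (\S+)/(\d+) on (\S+)")
NS_RE = re.compile(r"IP6 (\S+) > \S+: ICMP6, neighbor solicitation, who has ([0-9a-fA-F:]+)")

def delegated_prefixes(log):
    """Prefixes the upstream device handed out via IA_PD."""
    return [ipaddress.ip_network(m.group(1), strict=False) for m in PD_RE.finditer(log)]

def subnets_outside_delegation(log):
    """Interfaces whose assigned subnet is NOT inside any delegated prefix."""
    pds = delegated_prefixes(log)
    bad = []
    for addr, plen, ifname in ADDR_RE.findall(log):
        net = ipaddress.ip_interface(f"{addr}/{plen}").network
        if not any(net.subnet_of(pd) for pd in pds):
            bad.append((ifname, str(net)))
    return bad

def onlink_probes(log, capture):
    """Neighbor solicitations whose target lies inside a delegated prefix.

    A hit means the sender is treating delegated space as on-link on the
    WAN segment instead of routing it to the requesting router.
    """
    pds = delegated_prefixes(log)
    hits = []
    for src, target in NS_RE.findall(capture):
        tgt = ipaddress.ip_address(target)
        if any(tgt in pd for pd in pds):
            hits.append((src, str(tgt)))
    return hits
```

An empty result from `subnets_outside_delegation` rules out a mis-numbered internal interface; a non-empty result from `onlink_probes` points at the upstream device, as in the capture above.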