February 7 Firmware Upgrade Broke IPv6
Comcast did an automatic upgrade on Feb 7, 2024 to my business class modem. Following the upgrade, the modem is rejecting all incoming IPv6 packets except those that are ESTABLISHED,RELATED. I have both the IPv6 and IPv4 firewalls disabled in the settings, but the IPv6 firewall is apparently applying the default configuration and cannot be turned off. It has been extraordinarily frustrating to report it because Comcast reps keep asking "What sites can you not get to?", obviously not understanding that I am referring to NEW incoming packets. I reported the issue within an hour of the update, and it's now almost 36 hours later and still broken. I would love to be able to buy my own modem to avoid the repeated Comcast disastrous upgrades, most of which re-enable Security Edge although each time they disable it they promise me it will never come back. Unfortunately, I can't because I have static IP addresses. I asked tech support to revert my modem to the previous firmware, but after the requisite six hour wait, they told me they don't have any way to do that. I would appreciate any ideas anybody might have for getting this fixed. I have services that depend on incoming IPv6 packets, and all are down.
Comcast_Paula
Official Employee
9 months ago
@user_c7e85c Thank you for reaching out on our forums for help with the recent update. I'm so sorry to hear about how much trouble this has caused you with everything. I know it's crucial for your business to have this rolled back and corrected. I would love to help out and make sure that we get you in contact with the right team, or set up a repair appointment to have the modem exchanged. Please send us a direct message with your name and the service address.
Please send us a direct message with your full name, full address, and phone number.
• Click "Sign In" if necessary
• Click the "Direct Messaging" icon in the top right corner
• Click the "New message" (pencil and paper) icon
• The "To:" line prompts you to "Type the name of a person". Instead, type "Comcast Business" there
• As you are typing, a drop-down list appears. Select "Comcast Business" from that list
• A "Comcast Business" graphic replaces the "To:" line
• Type your message in the text area near the bottom of the window
• Press Enter to send it
idolum
9 months ago
This happened to me too, but on Jan 26th, and so far Comcast hasn't been able to figure it out and claims everything is fine.
Thankfully my modem at home hasn't been updated and it still works, but it's only a matter of time until they bust that too I'm sure.
Almost $3000 a year I pay for this...
idolum
9 months ago
(even though 'Disable entire firewall' is turned on)
allan
9 months ago
Thank you! I did not think to check the modem firewall! I was using tcpdump and wondering why my interface is not getting the IPv6 packets. Tier 2 support said they only support IPv6 up to the modem and the GUA is reachable, so they closed it. I am on my second Tier 2 ticket on this.
Edit: Definitely something on the firmware as I factory reset my modem and had support set up my static IP addresses again. They confirmed both IPv4 and IPv6 are correctly configured.
user_c7e85c
9 months ago
Checking the firewall won't help you. The firmware upgrade is defective. It says the IPv6 firewall is disabled but it is actually enforcing in the default mode. I have been dealing with this for more than two weeks and getting nowhere. Comcast says they're "working on it" but has not acknowledged the problem and has not given me a date when it will be fixed. You're not alone. There are many affected customers--probably every business account that has gotten the upgrade. I have repeatedly asked them to downgrade my firmware and they say they can't, although I know that they have done it for another customer with the same problem. Unfortunately there is nothing you can do except continue to complain.
gantzm_mi
9 months ago
Having a very similar experience all of a sudden. Hosts running IPv6 connected to the router can connect to hosts on the Internet. Hosts behind my router on an IPv6 subnet can't seem to reach the Internet. This was working fine just a few days ago. My router is getting proper prefix delegation from the Comcast router and my IPv6 subnet is working correctly. It appears that either the Comcast router is ignoring the Router Advertisements or the firewall is blocking the communications.
Going to guess this is the cause of the issue:
user_c7e85c
9 months ago
So what's it going to take for Comcast to pay attention to this? I don't think they're even working on it. If they were, they would have quickly rolled back the firmware until they could fix it. At this rate it could take years.
allan
9 months ago
I seem to have struck out. Tier 2 support would not even look at this forum post even after mentioning it several times. He kept saying they do not support IPv6 and they are only responsible for delegating a prefix to the customer. I explained to him that I just want Comcast to route that traffic to my equipment and not block it; I can support my own hardware. He kept saying they are not blocking my traffic, except for the 5 ports globally blocked like SMTP and SMB. That traffic is what is recorded in the modem's firewall logs. When I mentioned firmware upgrades possibly breaking this, he said they did not perform any recent upgrades. I requested to be escalated and his response was they are the escalation team. I kept telling him that I am not seeing IPv6 packets on a tcpdump of the interface, and the modem is not sending it to me. That is all I ask of them; send me that packet. I was unable to convince him.
Maybe someone else would have better luck. For 13 minutes, I tried.
Edit: This means the entire /56 delegated prefix is useless for hosting services as only outbound IPv6 traffic works. I stripped my DNS zone of IPv6 addresses as I don't think this is getting resolved anytime soon.
user_c7e85c
9 months ago
I just got a call from tier 2 technical support hoping to resolve the problem of "not being able to get to certain websites." I tried to explain why that ticket was wrong, that the problem is that the modem is blocking incoming IPv6 packets, and that it can only be fixed by reverting the firmware or correcting the firmware. She said she would send a tech to replace my modem--which I refused, of course, since that would cause even more trouble by changing my IPv6 delegation. I asked her to escalate this issue to whatever department manages firmware, but she assured me that Comcast doesn't have a firmware department. This *might* be funny if it weren't causing critical disruptions to service, now at 2.5 weeks.
gantzm_mi
9 months ago
Some potentially good news: The issue is getting escalated! I just had a phone chat with an intelligent Comcast employee who took some great notes and is forwarding our issue to folks that deal with these specific kinds of problems.
I'll refrain from naming names as I don't want anyone getting distracted from a bombardment of messages.
gantzm_mi
9 months ago
I just received a call from Comcast Business. The internal team that deals with this has indicated the firmware is buggy and a patch is in the works. No ETA for the patch was given though.
I would imagine this issue has to work its way back to the modem vendor (Technicolor?), software updated, patches tested, then pushed back to Comcast for testing, then pushed out to the modems.
But, at least we have an acknowledgement and are moving forward.
gantzm_mi
9 months ago
Huge update!
A firmware patch was pushed out to my modem. The new firmware version is "CGA4332COM_6.7p9s1_PROD_sey". I've tested both versions of the IPv6 firewall settings and this patch appears to correct the issues.
It will be interesting to see if this version has been pushed to everyone and if it has fixed the issues.
user_c7e85c
9 months ago
Yes, I got it yesterday morning. It does fix the issues. One thing to look out for--the upgrade changed my setting for the IPv4 firewall. I re-entered my custom setting of "disable the firewall completely" and it worked. The IPv6 firewall setting remained disabled, and it actually works now. :)
adamr
8 months ago
Would this cause a huge slow down in speed?
I've been working with Comcast since mid February when my speed went from 2GBs down to 200Mbs. They replaced the modem, it worked for a day or two and then slowed down again. At the time I said is it possible the modem they swapped it out for had previous firmware on it? They assured me that wasn't it. A few days later, same thing happened. I just heard from my local supervisor who has been very responsive, and he said that it is a firmware problem after all but doesn't have any info on when it will be fixed. My modem information is below. How can I tell if I have the new firmware referenced in this thread?
allan
3 months ago
Is anyone else seeing issues with IPv6 not getting through the Comcast modem again? Similar to before, this is inbound from the Internet. But it is intermittent this time, and not completely blocked.
The Comcast modem sends "Destination Unreachable (Address unreachable)" ICMP for IPv6 PING traffic during the outage period. And, I see "FW.IPv6 INPUT drop" logged on the modem even though "Disable entire firewall" is checked for IPv6. IPv4 goes through the modem fine during this outage so it is not an Ethernet cable or coax problem.
I already restarted the modem, and also pulled power for 10 seconds. I also enabled-disabled the IPv6 firewall just to be sure. None of these made any difference.
Edit: For future searchers, the problem was traced to OpenBSD ICMPv6 Neighbor Discovery protocol. OPNsense is working on a fix here -> https://github.com/opnsense/src/issues/218. Applying their test kernel resolved this issue.
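The last post above reports "Destination Unreachable (Address unreachable)" from the modem and later traces the outage to Neighbor Discovery rather than the firewall. The added example below (not code from any poster, Comcast or OPNsense) validates a captured ICMPv6 type 1 message and maps its code to the RFC 4443 meaning, which is what separates a link-layer resolution failure (code 3) from a filter rejection (code 1). The addresses are constructed from the 2001:db8::/32 documentation prefix, `build_sample` is a hypothetical helper that fabricates the test input, and the "cause" strings are the usual reading of each code, not a guarantee of what a given device means by it.

```python
import ipaddress
import struct

# RFC 4443 section 3.1: codes for ICMPv6 type 1 (Destination Unreachable).
CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}

def icmpv6_checksum(src, dst, icmp):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), 58) + icmp
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_unreachable(reporter, prober, icmp):
    """Validate a type 1 message sent by reporter to prober.
    Returns (code meaning, destination of the dropped packet, likely cause)."""
    src, dst = ipaddress.IPv6Address(reporter), ipaddress.IPv6Address(prober)
    if len(icmp) < 48 or icmp[0] != 1:
        raise ValueError("not a Destination Unreachable carrying an IPv6 header")
    if icmpv6_checksum(src, dst, icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMPv6 checksum")
    code = icmp[1]
    # Bytes 8.. hold the invoking packet; its destination is at header offset 24.
    target = ipaddress.IPv6Address(icmp[32:48])
    if code == 3:
        cause = "link-layer resolution (Neighbor Discovery) failed at the reporter"
    elif code == 1:
        cause = "a packet filter rejected the traffic"
    else:
        cause = "routing or transport condition, see code meaning"
    return CODES.get(code, "unassigned code %d" % code), str(target), cause

def build_sample(code, reporter, prober, target):
    """Constructed input: the message reporter would send prober about target."""
    r, p, t = (ipaddress.IPv6Address(a) for a in (reporter, prober, target))
    echo = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # echo request, checksum left zero
    invoking = struct.pack("!IHBB", 0x60000000, 8, 58, 64) + p.packed + t.packed + echo
    body = struct.pack("!BBHI", 1, code, 0, 0) + invoking
    return body[:2] + struct.pack("!H", icmpv6_checksum(r, p, body)) + body[4:]
```

To use it on real traffic, pass the ICMPv6 payload bytes from a capture taken at the external probing host, together with the source and destination addresses from the outer IPv6 header.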