New problem solver
•
24 Messages
How to setup IPv6 without Comcast DHCPv6 prefix delegation
With the troubles I've had with IPv6 with this week's modem firmware update, I've determined how to utilize IPv6 without the modem's DHCPv6 PD. I've already commented on this in another thread, but I've decided to start another thread here as I've learned a bit more and so far things seem stable. I've also never seen this explained on these forums (though the last time I checked was definitely a while ago).
I've set this up with PfSense, but I'm going to keep this relatively general as I'm sure it will work on most other competent routers.
Set your WAN and LAN interfaces to static. Assign an IPv6 address to your WAN interface that's in the same /64 that it was in previously when using DHCPv6 or SLAAC/autoconf before.
For your LAN interface, assign it a /64 that falls under your allocated /56. If you have more than one LAN interface, repeat using distinct prefixes that fall under your /56.
At least for PfSense, you'll need to add a default gateway for IPv6. PfSense won't let you pick up your IPv6 gateway automatically. It must be static. Use the modem's global address .Do NOT use the link-local address of your Comcast modem. While the link-local address will also work, I've found it can change on its own where as the global address seems to be stable (or at least less unreliable).
Under PfSense, you don't need to set an explicit default IPv6 gateway for your WAN interface. Even with the "None" setting, it will work as long as you have a default IPv6 gateway defined under the routing settings. If you have no default IPv6 gateway defined in the routing settings, you'll obviously have no default gateway at all. :)
Enable router advertising on your WAN interface. Under the subnets setting, you need to add your /56 network in order for external traffic to be routed to your LANs. You probably want to leave DHCPv6 off for your WAN interface to avoid conflicts with the modem (though if you want control over your IPv6 WAN, you could probably enable the DHCPv6 server on your WAN interface after disabling DHCPv6 on your modem).
Enable router advertising on your LAN interfaces as before. You can also enable DHCPv6 on your LAN interfaces too if you like and it will work fine.
IMPORTANT NOTE about DHCPv6 static mappings on your LAN interfaces... When previously using DHCPv6 prefix delegation from the Comcast modem, I could define static mappings with the addresses formatted as ::xxxx:4, etc. And DHCPv6 was smart enough to fill in the prefix that had been delegated to the given LAN interface... When not using DHCPv6 prefix delegation from the modem, this no longer works. You'll need to have the full IP's in your static mappings. Ie, the previous example would have to be like: 1111:2222:3333::xxxx:4. This seems to a general thing, and not limited to PfSense from what both research and IRC have told me (at the absolute least, it's an ISC DHCPD thing).
That's it. Pretty straight forward. My IPv6 has been stable for over 24 hours now (and the most stable it's been since the firmware update) with the above setup.
Even before this recent firmware update, IPv6 under Comcast was never great for me. Occasionally, something would break with the IPv6 PD on the Comcast modem, and I could fix things by essentially refreshing my interfaces on the router (even this didn't work with this week's firmware update, I had to power cycle the modem to get IPv6 backup). Sometimes this would happen several times in a week, other times I'd have no problems for a good 3-4 months. Most of the time it would happen, no changes had been made to the router. I worked with a friend who has a ton of IPv4/IPv6 experience who's also on Comcast Business to no avail. Their IPv6 is reliable, but they've also refused to upgrade to faster service in order to stay with an older and more reliable modem.
Caveats:
- The prefixes I'm using for my LANs are the same ones that had been allocated previously to me by DHCPv6 in order to avoid re-IP'ing again. I suspect it would still work reliably had I chosen entirely different prefixes (that still fall under my /56).
- With DHCPv6 PD, asking for /56 never worked. The best I could get working was a /59, which is still a fair amount more than I could ever need. While I think /56 will work following the above instructions, I could be wrong. If having problems, it may make sense for you to limit it to /59 (both in terms of the range you allocate your LAN prefixes from as well as the router advertising) Just In Case as the limitation may not simply be with the DHCPv6 server in the modem, but could also be due to some other limitations in the modem's firmware or hardware.
- To get around having to statically add your modem's global address as a static route, you can probably set the WAN interface of your router to use DHCPv6 or SLAAC while keeping your LAN interfaces strictly static, but I haven't tried this yet. This could negate the need to have router advertising on your WAN interface as well.
- Even with your router advertising itself as the route for your /56, I've found that other devices on your WAN's network have trouble talking to devices on your LANs. I've had to add a static IPv6 route on other devices that are on the WAN. I set the router's WAN address as the default route for my LAN networks. Ie, this works for Linux:
route -A inet6 add <LAN>/64 gw <WAN-IPv6-ADDRESS>
I think what's happening is that the Comcast modem is advertising itself as the route for my /56 as I see devices on the WAN network sending neighbor solicitations for addresses on the LAN they're trying to reach in spite of being on different prefixes. Perhaps disabling DHCPv6 on the Comcast modem would resolve this? Also, with the above command, you could probably alter it to be for your entire /56, but I haven't messed with it too much.
Hope someone finds this useful!
Accepted Solution
blmoore
New problem solver
•
10 Messages
4 years ago
LAN subnet needs to be inside the /59, but not the same /64 as the WAN.
0
blmoore
New problem solver
•
10 Messages
4 years ago
Excellent find and write up!
I can confirm, at least with my Cisco 3941B that only the /59 gets routed to me in spite of setting RA to advertise my /56. Not an issue for my with my 3 subnets. I may toy around with this at some point, but I'm just happy to have v6 working again after the updates last week.
My old 3941B usually did PDs correctly, but that broke last week and they started behaving like the Technicolors do where my first inside interface would end up in the same /64 as the WAN. I'll try this on one of my other sites with the Technicolor to see if this works on them.
Thanks!
0
packeteater
New Contributor
•
6 Messages
4 years ago
Have been unable to get this working without prior PD.
Assigned LAN a different /64 outside of the /59 from last PD and it doesn't work.
Reboot modem with working static configuration and it stops working.
Switch on DHCPv6 then back to static and it works again.
This indicates to me this solution is illusionary and only works temporarily because of PD rather than instead of it.
(edited)
0
0
hiryu
New problem solver
•
24 Messages
4 years ago
Alas, IPv6 was broken again this morning. The modem would route traffic to the LAN, but IPv6 traffic FROM the LAN would not be routed by the modem even though the LAN could ping6 the modem. Even a modem restart wouldn't fix it.
Perhaps a new modem would fix it... I've had several over the years; these modems don't seem to last long. Newer modems did fix my problems although none of the previous ones were specifically IPv6 related.
Alas, in spite of figuring out how to sidestep Comcast's DHCPv6 PD, I'm still having a lot of problems as of this last week and today I decided to disable IPv6 entirely at least for now, if not for the foreseeable future.
0
blmoore
New problem solver
•
10 Messages
4 years ago
Mine broke as well. I will need to get something working again soon as v6 testing is part of my job. I will post back if I discover anything new.
0
0
rob__jr
New problem solver
•
38 Messages
4 years ago
Thank you for testing & updates in this thread.
My solution has been to use one of my static ipv4 addresses as a tunnel endpoint to run 6in4. I use HE.net for the other endpoint & it takes about 30 minutes to setup & you get a /48 routed to you. That is assuming you can live with the latency penalty. Also realize that 6-in-4 isn't encrypted, so treate it as such.
0
0
hiryu
New problem solver
•
24 Messages
4 years ago
I used to have a HE tunnel back in the day... The problem is that I was trying to run servers over it, and port 25 was understandably blocked. Once I managed to get sendmail to not use IPv6 for any outgoing connections, I found that many IRC servers also blocked due to spammers and bots...
I finally decided not to use it anymore when I realized the random slowness everyone was complaining about was when they were connecting to IPv6 enabled sites and the tunnel was just substantially slower.
That being said, IPv6 tunnels absolutely have their utility... It's just not something that makes sense for me personally. Might work for blmoore though.
0
mahdi_c
Contributor
•
12 Messages
4 years ago
IPv6 is no longer working on business lines in Seattle, as of this week. Comcast, it was working two weeks ago. Please fix it.
0
0
bearhntr
New Contributor
•
1 Message
3 years ago
I live in Metro Atlanta, and COMCAST states they have IPv6 in my area. I have pfSense 2.5.2 installed on a VM at the moment in a host with 2 NICs, one NIC assigned to its own vSwitch and Port Group. pfSense is installed and has both vSwitches attached and I get 2 NICs in pfSense (The port Groups are labelled LAN and ISP). I set the pfSense WAN port to DHCP and DHCP6 and I get an address for both of these. That much I understand.
I then followed another article and set LAN port IPv6 to "Track Interface" which has a STATIC IPv4 address of and it does get an IPv6 address which looks like this: :xxxx:xxxx:xxxx:xxxx
That is where I am lost. I have set SVR_2019 - running on another VM on the same host (which is my AD DS / DNS and DHCP server) and it is working fine for IPv4 (STATIC 1 / ) and the GATEWAY is my pfSense. What I want to do is use IPv6 as well. I leave the NIC in the server to DHCP for IPv6 and have STATIC IPv4 configuration - everything works. If I could figure out how to get it to pull an IPv6 address from the pfSense - once it got one - then I could make it static.
Does anyone have any ideas?
[Edit: Removed personal information]
(edited)
4
0