hiryu's profile

New problem solver • 24 Messages

Saturday, March 6th, 2021 9:37 PM

Closed

How to setup IPv6 without Comcast DHCPv6 prefix delegation

With the troubles I've had with IPv6 with this week's modem firmware update, I've determined how to utilize IPv6 without the modem's DHCPv6 PD. I've already commented on this in another thread, but I've decided to start another thread here as I've learned a bit more and so far things seem stable. I've also never seen this explained on these forums (though the last time I checked was definitely a while ago).

I've set this up with PfSense, but I'm going to keep this relatively general as I'm sure it will work on most other competent routers.

Set your WAN and LAN interfaces to static. Assign an IPv6 address to your WAN interface that's in the same /64 that it was in previously when using DHCPv6 or SLAAC/autoconf before.

For your LAN interface, assign it a /64 that falls under your allocated /56. If you have more than one LAN interface, repeat using distinct prefixes that fall under your /56.

At least for PfSense, you'll need to add a default gateway for IPv6. PfSense won't let you pick up your IPv6 gateway automatically. It must be static. Use the modem's global address. Do NOT use the link-local address of your Comcast modem. While the link-local address will also work, I've found it can change on its own whereas the global address seems to be stable (or at least less unreliable).

Under PfSense, you don't need to set an explicit default IPv6 gateway for your WAN interface. Even with the "None" setting, it will work as long as you have a default IPv6 gateway defined under the routing settings. If you have no default IPv6 gateway defined in the routing settings, you'll obviously have no default gateway at all. :)

Enable router advertising on your WAN interface. Under the subnets setting, you need to add your /56 network in order for external traffic to be routed to your LANs. You probably want to leave DHCPv6 off for your WAN interface to avoid conflicts with the modem (though if you want control over your IPv6 WAN, you could probably enable the DHCPv6 server on your WAN interface after disabling DHCPv6 on your modem).

Enable router advertising on your LAN interfaces as before. You can also enable DHCPv6 on your LAN interfaces too if you like and it will work fine.

IMPORTANT NOTE about DHCPv6 static mappings on your LAN interfaces... When previously using DHCPv6 prefix delegation from the Comcast modem, I could define static mappings with the addresses formatted as ::xxxx:4, etc. And DHCPv6 was smart enough to fill in the prefix that had been delegated to the given LAN interface... When not using DHCPv6 prefix delegation from the modem, this no longer works. You'll need to have the full IPs in your static mappings. I.e., the previous example would have to be like: 1111:2222:3333::xxxx:4. This seems to be a general thing, and not limited to PfSense from what both research and IRC have told me (at the absolute least, it's an ISC DHCPD thing).

That's it. Pretty straightforward. My IPv6 has been stable for over 24 hours now (and the most stable it's been since the firmware update) with the above setup.

Even before this recent firmware update, IPv6 under Comcast was never great for me. Occasionally, something would break with the IPv6 PD on the Comcast modem, and I could fix things by essentially refreshing my interfaces on the router (even this didn't work with this week's firmware update, I had to power cycle the modem to get IPv6 back up). Sometimes this would happen several times in a week, other times I'd have no problems for a good 3-4 months. Most of the time it would happen, no changes had been made to the router. I worked with a friend who has a ton of IPv4/IPv6 experience who's also on Comcast Business to no avail. Their IPv6 is reliable, but they've also refused to upgrade to faster service in order to stay with an older and more reliable modem.

Caveats:

  1. The prefixes I'm using for my LANs are the same ones that had been allocated previously to me by DHCPv6 in order to avoid re-IP'ing again. I suspect it would still work reliably had I chosen entirely different prefixes (that still fall under my /56).
  2. With DHCPv6 PD, asking for /56 never worked. The best I could get working was a /59, which is still a fair amount more than I could ever need. While I think /56 will work following the above instructions, I could be wrong. If having problems, it may make sense for you to limit it to /59 (both in terms of the range you allocate your LAN prefixes from as well as the router advertising) Just In Case as the limitation may not simply be with the DHCPv6 server in the modem, but could also be due to some other limitations in the modem's firmware or hardware.
  3. To get around having to statically add your modem's global address as a static route, you can probably set the WAN interface of your router to use DHCPv6 or SLAAC while keeping your LAN interfaces strictly static, but I haven't tried this yet. This could negate the need to have router advertising on your WAN interface as well.
  4. Even with your router advertising itself as the route for your /56, I've found that other devices on your WAN's network have trouble talking to devices on your LANs. I've had to add a static IPv6 route on other devices that are on the WAN. I set the router's WAN address as the default route for my LAN networks. I.e., this works for Linux:
    route -A inet6 add <LAN>/64 gw <WAN-IPv6-ADDRESS>

    I think what's happening is that the Comcast modem is advertising itself as the route for my /56 as I see devices on the WAN network sending neighbor solicitations for addresses on the LAN they're trying to reach in spite of being on different prefixes. Perhaps disabling DHCPv6 on the Comcast modem would resolve this? Also, with the above command, you could probably alter it to be for your entire /56, but I haven't messed with it too much.

Hope someone finds this useful!
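The addressing rules in the post above (each LAN gets its own /64 under the allocated /56, none of them the WAN's /64, and suffix-only DHCPv6 static mappings must become full addresses) can be checked before touching the router. This is an added example, not part of the original post; the function names are hypothetical and the 2001:db8:: documentation prefixes are constructed sample values.

```python
import ipaddress

def check_static_plan(allocated, wan_net, lan_nets):
    """Return a list of problems; an empty list means the plan is consistent."""
    alloc = ipaddress.IPv6Network(allocated)
    wan = ipaddress.IPv6Network(wan_net)
    problems, seen = [], []
    for name, text in lan_nets.items():
        net = ipaddress.IPv6Network(text)
        if net.prefixlen != 64:
            problems.append(f"{name}: {net} is not a /64")
        if not net.subnet_of(alloc):
            problems.append(f"{name}: {net} is outside {alloc}")
        if net.overlaps(wan):
            problems.append(f"{name}: {net} overlaps the WAN network {wan}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name}")
        seen.append((name, net))
    return problems

def full_mapping_address(lan_net, suffix):
    """Expand a suffix-only mapping such as '::1234:4' to a full address in lan_net."""
    net = ipaddress.IPv6Network(lan_net)
    host = int(ipaddress.IPv6Address(suffix))
    if host >> 64:
        # Bits set in the upper 64 mean the value already carries a prefix.
        raise ValueError(f"{suffix} is not a suffix-only address")
    return str(ipaddress.IPv6Address(int(net.network_address) | host))

# Constructed sample plan (documentation prefix, not a real allocation).
ALLOCATED = "2001:db8:aa00::/56"
WAN = "2001:db8:aa00::/64"
LANS = {"LAN": "2001:db8:aa00:20::/64", "DMZ": "2001:db8:aa00:21::/64"}

if __name__ == "__main__":
    print(check_static_plan(ALLOCATED, WAN, LANS) or "plan is consistent")
    print(full_mapping_address(LANS["LAN"], "::1234:4"))
```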

Accepted Solution

New problem solver • 10 Messages

3 years ago

LAN subnet needs to be inside the /59, but not the same /64 as the WAN.  

New problem solver • 10 Messages

3 years ago

Excellent find and write up!

I can confirm, at least with my Cisco 3941B that only the /59 gets routed to me in spite of setting RA to advertise my /56. Not an issue for me with my 3 subnets. I may toy around with this at some point, but I'm just happy to have v6 working again after the updates last week.

My old 3941B usually did PDs correctly, but that broke last week and they started behaving like the Technicolors do where my first inside interface would end up in the same /64 as the WAN.  I'll try this on one of my other sites with the Technicolor to see if this works on them.

Thanks!

New Contributor • 6 Messages

3 years ago

Have been unable to get this working without prior PD.

Assigned LAN a different /64 outside of the /59 from last PD and it doesn't work.

Reboot modem with working static configuration and it stops working.

Switch on DHCPv6 then back to static and it works again.

This indicates to me this solution is illusionary and only works temporarily because of PD rather than instead of it.

(edited)

New problem solver • 24 Messages

3 years ago

Alas, IPv6 was broken again this morning. The modem would route traffic to the LAN, but IPv6 traffic FROM the LAN would not be routed by the modem even though the LAN could ping6 the modem. Even a modem restart wouldn't fix it.

Perhaps a new modem would fix it... I've had several over the years; these modems don't seem to last long. Newer modems did fix my problems although none of the previous ones were specifically IPv6 related.

Alas, in spite of figuring out how to sidestep Comcast's DHCPv6 PD, I'm still having a lot of problems as of this last week and today I decided to disable IPv6 entirely at least for now, if not for the foreseeable future.

New problem solver • 10 Messages

3 years ago

Mine broke as well.  I will need to get something working again soon as v6 testing is part of my job.  I will post back if I discover anything new.

New problem solver • 38 Messages

3 years ago

Thank you for testing & updates in this thread.

My solution has been to use one of my static ipv4 addresses as a tunnel endpoint to run 6in4. I use HE.net for the other endpoint & it takes about 30 minutes to set up & you get a /48 routed to you. That is assuming you can live with the latency penalty. Also realize that 6-in-4 isn't encrypted, so treat it as such.

New problem solver • 24 Messages

3 years ago

I used to have a HE tunnel back in the day... The problem is that I was trying to run servers over it, and port 25 was understandably blocked. Once I managed to get sendmail to not use IPv6 for any outgoing connections, I found that many IRC servers also blocked due to spammers and bots...

I finally decided not to use it anymore when I realized the random slowness everyone was complaining about was when they were connecting to IPv6 enabled sites and the tunnel was just substantially slower.

That being said, IPv6 tunnels absolutely have their utility... It's just not something that makes sense for me personally. Might work for blmoore though.

Contributor • 12 Messages

3 years ago

IPv6 is no longer working on business lines in Seattle, as of this week. Comcast, it was working two weeks ago. Please fix it.

New Contributor • 1 Message

3 years ago

I live in Metro Atlanta, and COMCAST states they have IPv6 in my area.  I have pfSense 2.5.2 installed on a VM at the moment in a host with 2 NICs, one NIC assigned to its own vSwitch and Port Group.  pfSense is installed and has both vSwitches attached and I get 2 NICs in pfSense (The port Groups are labelled LAN and ISP).  I set the pfSense WAN port to DHCP and DHCP6 and I get an address for both of these.   That much I understand.  


I then followed another article and set LAN port IPv6 to "Track Interface" which has a STATIC IPv4 address of  and it does get an IPv6 address which looks like this:  :xxxx:xxxx:xxxx:xxxx     

That is where I am lost.  I have set SVR_2019 - running on another VM on the same host (which is my AD DS / DNS and DHCP server) and it is working fine for IPv4 (STATIC 1 / ) and the GATEWAY is my pfSense.  What I want to do is use IPv6 as well.  I leave the NIC in the server to DHCP for IPv6 and have STATIC IPv4 configuration - everything works.  If I could figure out how to get it to pull an IPv6 address from the pfSense - once it got one - then I could make it static.  


Does anyone have any ideas?  

[Edit: Removed personal information]

(edited)

Contributor • 17 Messages

Hello, @bearhntr! Thank you for taking the time to comment with your IPV6 questions here. The help our team can provide with your set-up is limited, as your equipment is beyond the point of demarcation for us. I recommend testing your devices through http://test-ipv6.comcast.net/ to make sure that they are ready for IPV6. If there are any errors that need to be fixed the site should walk you through resolving them.

 

Please let us know if this helps you!

I no longer work for Comcast.

Problem solver • 326 Messages

@bearhntr

Remember that with your pfsense, IPv4 is translated, IPv6 is routed. You cannot just tack on an IPv6 address to the LAN port that is out of a subnet on the WAN port and expect it to work. I uploaded a guide you might want to read in a series of 3 posts.

New problem solver • 25 Messages

I run OPNsense which is a fork of pfsense, but I don't know how much it's diverged since the fork. In case it will help, I posted some details on my setup here which covers how I set up my WAN interface and I can add some additional details on how I have my VLANs set up. Prefix delegation is kinda necessary and the cable modem will only hand out a /59 prefix, one of a possible seven outside the first one that it uses for its own network.

Once my WAN interface was getting the delegated prefix, I set each of my VLAN interfaces to Track Interface, and under the Track IPv6 Interface section, I set the IPv6 Interface to WAN.  There is a field called IPv6 Prefix ID - in that I put a hex number from 0x00 to 0x1f which identifies which /64 out of the /59 prefix is provided to that interface - there's 32 /64s in /59 and if you have more than one LAN interface, you'll need to assign a different /64 to each one.   Finally, I checked the box next to "Allow manual adjustment of DHCPv6 and Router Advertisements" on two of my three private VLAN interfaces because I needed to adjust the default settings that OPNsense sends out in the router advertisements and DHCPv6 responses for a couple of the networks.

After that, I went to the services menu and expanded DHCPv6 and made the changes to the dhcpv6 ranges, DNS, ntp, etc. that I needed to customize for the two VLANs that I checked that box on... once I applied the settings and back on the dashboard, made sure that radvd and dhcpd6 were running, made sure each interface had an address in the correct /64 (which is the /59 + the Prefix ID, e.g., if my /56 is x:x:x:100::/56 and OPNsense gets x:x:x:1a0::/59, one vlan with prefix ID of 0x5 will get x:x:x:1a5::/64, and another with prefix id of 0xc x:x:x:1ac::/64).

I refreshed the network adapters on systems in each vlan to verify they were getting RAs and DHCPv6 settings and from there it should just work. If it works, you can set a static IPv6 address within the same /64. You shouldn't have to set a gateway because it should still configure that from the RA but if you need to, probably use the link-local IPv6 address of the LAN interface on OPNsense (or pfsense, as the case may be)
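The prefix arithmetic described in the post above (a /59 delegated out of the /56, plus a per-interface Prefix ID from 0x00 to 0x1f selecting the /64) works out as follows. This is an added example, not part of the original post and not OPNsense code; the function names are hypothetical and 2001:db8:0 stands in for the poster's masked x:x:x.

```python
import ipaddress

def delegable_prefixes(allocated, new_prefix=59):
    """Subnets of the allocation left for delegation, skipping the first one,
    which the post says the cable modem keeps for its own network."""
    alloc = ipaddress.IPv6Network(allocated)
    return list(alloc.subnets(new_prefix=new_prefix))[1:]

def tracked_prefix(delegated, prefix_id):
    """Return the /64 an interface gets for a delegated prefix and a Prefix ID."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64")
    id_bits = 64 - net.prefixlen           # 5 bits for a /59, so IDs 0x00..0x1f
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {net}")
    # The Prefix ID fills the bits between the delegated length and bit 64.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

# Constructed values mirroring the post: /56 at ...:100::, /59 at ...:1a0::
ALLOCATED = "2001:db8:0:100::/56"
DELEGATED = "2001:db8:0:1a0::/59"

if __name__ == "__main__":
    print(len(delegable_prefixes(ALLOCATED)), "delegable /59 prefixes")
    for pid in (0x5, 0xc):
        print(f"prefix ID {pid:#x} -> {tracked_prefix(DELEGATED, pid)}")
```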

1 Message

@DofTNet_Enterprises I know your post is several years old, but I wanted to let you know your steps worked, but I had to disable the IPv6 firewall on my CGA4332COM internet gateway before it would work.