IPv6 Setup with Comcast Business

I figured I will share a trick that made my Comcast Busines IPv6 connection a bit more useful. I do have a Comcast Business connection and pay for a static /29 for IPv4. Note that Comcast does advertise, but not actually support static IPv6 addresses. So this is provided "as is" and "works for me". The IPv6 address assigned to the modem has been static for me. Where things get "weird" is between the modem and your firewall.

I am using the "Comcast Business" branded Cisco DPC3941B modem with WiFi/VoIP. (I do have Wifi and VoIP disabled). 

The modem receives a /56 from Comcast. The "first" /64 is used for devices connected directly to the modem. Customer routers connected to the modem have the option to request a prefix. If you request a prefix, the requested prefix size is ignored as far as I can tell (typical for DHCPv6). But you should get a /60 or a /59.

So if your modem receives 2001:db8:1111:2200:/56 from Comcast:

2001:db8:1111:2200::/64 is used for devices connected to the modem.

The first router you connect receives something like 2001:db8:1111:22f0::/60

second router: 2001:db8:1111:22e0::/60 

third router: 2001:db8:1111:22d0::/60

... and so on.

The problem: once the modem reboots, all bets are off as to which prefix is assigned to what router. It looks like the modem will actually avoid reusing prefixes it used before. So now you may end up with 2001:db8:1111:22c0::/60 . Worse, the subnet may change from /60 to /59. It behaves more like DHCPv4 in avoiding to reuse a recently used address.

In DHCPv6, clients are not identified by MAC address. Instead, they use a "DUID", an identifier that *may* include the MAC address. The DUID is typically written to a file (in Unix) or a registry key (in windows) and does not change if you reboot or install a new network card. So as long as this value doesn't change, you *should* get the same address, which isn't true for Comcast. BUT... if you change the DUID, you get a different address.

So the "trick" to get the same address back after a modem reboot: Delete the DUID (which will trigger creating a new, different one), restart the DHCP client and repeat until you get the address you want (from within the modem's /56). 

I am including below a script I use for Opnsese to do this.

If you have two firewalls in a failover configuration: Make sure they use the same DUID, so they get the same prefix.

(replace the prefix below to the one you want. It has to be within the prefix assigned to the modem. You may get /60s vs. /59s)

#!/usr/local/bin/bash

if [ ! -f /tmp/em0_pdinfo ]; then
echo "no prefix file yet"
exit
fi

prefix=$(cat /tmp/em0_pdinfo)
if [ "$prefix" == "2001:db8:1111:22c0::/59" ]; then
echo "all good"
exit
fi
pid=$(cat /var/run/dhcp6c.pid)
kill -9 $pid
sleep 5
/usr/local/sbin/dhcp6c -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid