jb_geek • Contributor • 21 Messages • Tue, Jan 19, 2021 10:00 PM

Questions about Comcast Business Delegated Prefixes

It's my understanding that DHCP-PD is only responsible for doling out IPv6 prefixes to routers which ask for them, and generally does nothing about the routing of those prefixes, leaving the routing up to the implementer.

I'm wondering how Comcast implements the routing side?  Is there a standard setup which Comcast uses?  Do we use routing protocols like RIPng?  Or is there some convention (routes just shoved through the router through which the request came)?  Or can you use ICMPv6 Route Announcements that the cable modem will honor?

On the CGA4131COM, it seems to just presume that the delegated prefix is just on the inside LAN interface (the entire /56).  

Responses

New Contributor • 2 Messages • 2 m ago

You're right, that is how it should work in bridge mode, and it did when I had the Netgear; they made a fine cable modem.  This Technicolor (which to be honest is more of a mono-chromatic device IMHO :-P) is much less capable.

When I first got my CGA4131COM I put it into bridge mode and then the static IPs broke. I couldn't dedicate the time to any further troubleshooting when I upgraded due to work and life obligations.  I needed the static IPv4 addresses more than the IPv6 PD at the time due to some services I was running... and I just gave up on IPv6 for the LAN then.

It's been quite a while since I upgraded, it was before COVID-19, but the reason I couldn't have the modem in bridge mode was that it effectively stopped all L3 services (like you would expect it to) and Comcast is using OSPF to get the /29 prefix I am being delegated onto the cable modem (I have no idea how the Netgear worked in bridge mode and still had OSPF, maybe they had the notion of VRFs / namespaces while the Technicolor doesn't ::shrug::).

Since I am using an SRX, of course I said that I could set up OSPF on it; all I needed was the MD5 authentication key (which they use to ensure only their devices neighbor up to the CMTS) and they were unwilling to provide it to me.  This was understandable.

So I had to put the modem back into pass-through mode to get my /29 working again.

It appears that Comcast has no option today to support BOTH IPv6 PD and statically assigned IPv4 blocks.  This is EXTREMELY frustrating.

I have no idea how they can get away with offering paid services that are basically mutually exclusive.

I am now going to resort to doing NAT66 just to get it to work, since my SRX is acting weird by not responding to the neighbor solicitations for prefixes that I am manually configuring on my LAN-side interfaces (out of the delegated /56 block they allow).  It could be the code on my SRX but, since I no longer have access to get Juniper releases, I am kinda at an impasse there.  NAT66 is not ideal but I just need to get this working right now.

I may try and call support again to see if I can get anywhere but the gate-keeping to get to a clueful individual there is really strong.  Maybe some strategically announced tweets can get help, I don't know.

Contributor • 21 Messages • 2 m ago

Yes.  If you read some of the threads I've posted here, I explain what I encountered.

I'm not using anything as fancy as an SRX, just a Linux box running gentoo (https://protectli.com/product/fw4b/).

Long story short, my olllld SMC D3G-CCR died, and CB replaced it w/ a Technicolor CGA4131COM.  It was configured in passthrough mode.  As soon as it was turned on, I knew something was up, since my 6in4 tunnel to HE stopped working.  I checked everything over on my config, and couldn't find anything wrong.  Then I started snooping the interfaces, and only saw 6in4 packets outbound from my router to the HE tunnel server.  No incoming.  I tried every config option on the Technicolor to turn off firewalls, to no avail.  It was simply blocking IP protocol 41 (6in4).  Nothing I could do about it.

Customer support wasn't very useful.  They couldn't figure out why it was happening.  My guess was that the firmware, or stock/enforced config, simply blocked anything but UDP, TCP, IPv6, ICMP, and maybe a few others like IPSEC, GRE, IGMP (not tested, so who knows).  The only solution they could come up with was replacing the Technicolor with a Netgear CG3000CR, which is working great.  As soon as we hooked it up and got my /29 back in place, the 6in4 tunnel started working again.

While I was waiting for them to get me the Netgear, I experimented w/ the Technicolor's Native IPv6 and DHCPv6/PD.  What I found (IIRC) was that it wouldn't delegate, really, at all.  It wouldn't give me any other part of the /60 (or whatever it was) for my inside LAN via IPv6 PD.  Others have confirmed that it doesn't put routes in for any delegated prefix even when a few have managed to get it to do this properly (with older firmware version).  Basically, the Technicolor put the entire delegated IPv6 range directly on its inside interface.

So the "solution" I came up with was basically to proxy ND for everything.  Since the modem had the entire IPv6 range living on its inside interface, I used a daemon called ndppd (https://github.com/DanielAdolfsson/ndppd) which answered ND for IPv6 addresses which lived on the inside of my router.  When inbound traffic would come into the Technicolor from the DOCSIS side, it'd send an ND for that IPv6, which my router would answer for.  The Technicolor would then transmit the packet to my router, which would then correctly route it.

Obviously not a great solution, since every IPv6 one uses winds up needing a neighbor entry on the Technicolor, and who knows what its limits are, and how bogged down it gets when it starts accumulating lots of ND cache entries, etc, etc.

But that's the only thing I got to work for CB native IPv6.

Since I got the Netgear replacement, I haven't investigated using CB native IPv6 again.  But from what I've read, this is one of a handful modems for which DHCPv6 PD works as expected (request a subnet, get assigned one, and it routes it to the requesting router).

Now I'm getting calls from CB saying that the service I'm using is discontinued, so I'm pretty sure they're going to want to put me into a new faster plan and replace my Netgear with the Technicolor CGA4131COM, aka Comcast Business Router (CBR), which will break everything again.

BTW.  Are your real name initials O.D.?  :-)

(edited)
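The proxy-ND workaround described in the post above, written out as an added ndppd.conf example (not jb_geek's own configuration; the interface names and the 2001:db8:ab00::/56 prefix are constructed placeholders, and the router is assumed to have IPv6 forwarding enabled):

```conf
# Added example, not from the original post.  eth0 faces the Technicolor,
# which believes the whole 2001:db8:ab00::/56 lives on that link.  eth1 is
# the inside LAN carrying a /64 carved out of that /56 and routed by this box.
# net.ipv6.conf.all.forwarding=1 is required in addition to this file.

proxy eth0 {
    # Reply with the Router flag set so the modem treats this box as a router.
    router yes
    # Milliseconds to wait for the inside host before answering negatively.
    timeout 500
    # Milliseconds a positive or negative answer is cached.
    ttl 30000

    # 'iface' mode re-sends the NS on eth1 and answers the modem only if a host
    # there actually replies.  That keeps the modem's neighbor cache limited to
    # live hosts; 'static' on the whole /56 would instead create one cache
    # entry per address that any outside traffic happens to touch, which is
    # exactly the ND-cache growth the post above worries about.
    rule 2001:db8:ab01::/64 {
        iface eth1
    }
}
```

Each additional inside subnet gets its own rule block pointing at its interface; nothing outside the routed subnets should be listed, so the modem is never told an address exists that the router cannot deliver.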

Contributor • 21 Messages • 2 m ago

@enigma62333 BTW, the previous modem probably still had an L3 virtual interface(s) even in bridge mode, just like all "L3 switches" do, if only just for management.

But I can only imagine a few scenarios where they could make that work with the CM doing the OSPF with the CMTS.

How'd it work?  Did you have to advertise your IPv4 prefix on the SRX, or did the CM do it all for you?

Of course, they could be doing any manner of "hackery" and "unnatural acts" to make something like that work, since they control the software.  Like masquerading your SRX's MAC and outside IP address for the purpose of OSPF, and bridging everything else.

Problem solver • 312 Messages • 2 m ago

I use a Netgear CG3000CR myself on a business line with statics.   Yesterday at 11 am the modem started flopping the circuit up and down.  I called Comcast and finally got them to dispatch a tech who came out and said he's seen this before with those modems and the modem was bad.  He DID NOT have a replacement in his truck but he said he had one at the office.  I _also_ GAVE HIM a spare Netgear CG3000CR which I had on the shelf - which he said he COULD NOT use as it would have been reported as lost  (don't ask how I got it, I didn't pay anyone for it however)

Long story short he got back 3 hours later with a Netgear.  (for all I know he never did have one at the office and merely used the spare one I gave him) and put it in and I got everything back up.   It is kind of irritating though since for whatever reason Comcast ties the static IPv6 block to the modem (it would be interesting to know the algorithm they use) and of course with the new modem my static IPv6 block changed.  So I had to spend the rest of the day changing DNS server entries and such.  And I'll have to spend hours on the phone with Comcast tech support getting them to recreate my reverse address IPv6 entries for my mailservers.

However, the tech repeatedly said that the Netgear was obsolete and Comcast was trying to replace them with newer modems.  He offered me 2 choices a Technicolor and an Arris modem.   In looking online it appears that back in 2015, Technicolor purchased Cisco's cable modem business so technically there is no such thing as a Cisco cable modem any longer.  All Cisco cable modems are Technicolor modems.

I am very glad to see this thread as I basically browbeat the tech into giving me a Netgear modem even though the last time I reviewed these forums was a few years ago and at that time everyone was reporting bugs in Cisco's DHCPv6 modem firmware.  I see that NOTHING has changed in the last 6 years in terms of correcting IPv6 in the modem firmware. 

I did put a nastygram in the response to the customer survey from Comcast for what that's worth.

My setup is a Cisco 2800 router running IOS 12.4 behind the Netgear cable modem.  Most of my servers are all on the network in between the cable modem and the Cisco 2800, and my management network is privately numbered and behind the Cisco (and I have other servers there as well).  I have the Cisco 2800 configured to request DHCPv6-PD from the Netgear cable modem for a /60 that is handed out via SLAAC to the inside systems.

I used to use an HE tunnel years ago but stopped that and went to native IPv6.  I'm glad I did as it appears now that HE is blocking port 25.

Official Employee • 19 Messages

Hello, @, thank you for taking the time to reach out in our forum and help further our awesome community. I'd be happy to help see if we can avoid you reaching out and spending hours updating reverse address IPv6 entries. In order to get started can you please click the chat bubble in the top right corner and send a message to our "Comcast Business" handle? 

Contributor • 21 Messages • 2 m ago

@,

I didn't know that Technicolor had bought Cisco's cable modem business.  EGADs.  I wonder if they even have the staff to fix whatever IOS/NX version it's running (presuming it wasn't some bespoke OS for the cab modem ... which it could be if Cisco bought it from someone else first).

I wonder if the Arris modems work right?  I've been getting calls from CC and I know they're going to want me to update my cabmodem.  They're saying the speeds I'm running have been discontinued, etc.  Maybe there's an option.  :-p

BTW, SMTP still works for me via my HE tunnel.  I think it's something you can turn on, or have them turn on.

{jimb@ngt/pts/6}~> nc -6 -v 2607:f8b0:400e:c07::1a 25
2607:f8b0:400e:c07::1a: inverse host lookup failed:
(UNKNOWN) [2607:f8b0:400e:c07::1a] 25 (smtp) open
220 mx.google.com ESMTP z23si7850589plo.44 - gsmtp
quit
221 2.0.0 closing connection z23si7850589plo.44 - gsmtp

Can't remember if I had to do something to make it work.  I vaguely remember there's a checkbox on the tunnel CPL, but not sure.

Problem solver • 312 Messages • 2 m ago

Nobody has called me and told me my speeds have been discontinued.  Years ago they did do a speed change and I upgraded to a slightly faster speed but nobody said anything about replacing the cable modem.  The Netgears are good for roughly up to 100-150 Mbps; beyond that their internal CPUs get overwhelmed, so unless you are going to exceed that speed, I doubt they are going to make you change the modem model out.  They DO have an interest in getting the old 4-channel cable modems off their network of course (like early SMC and early Motorola models) but unless your area is VERY congested and there are very few cable heads in your area, they have no incentive to replace the modem.

I don't have the time to find bugs in Comcast's end user gear.  There's commercial gear out there that works perfectly well but I can't use it because Comcast insists on renting me the gear if I have static IPs.  So IMHO this is their problem.  I would ASSUME that Technicolor IS working on bugs in their latest modem model but is ignoring the older models they inherited from the Cisco purchase.  That's pretty common in the business.  If it was a decade ago when I didn't have a bunch of users on my servers I would be willing to do more experimentation.

Problem solver • 312 Messages • 2 m ago

"thank you for taking the time to reach out in our forum and help further our awesome community. I'd be happy to help see if we can avoid you reaching out and spending hours updating reverse address IPv6 entries. In order to get started can you please click the chat bubble in the top right corner and send a message to our "Comcast Business" handle?"

comcast_marcos I have found the chat to be slower than just calling in.  The issue with RDNS is that most of your support people even in the business help have only done a few rdns entries for IPv6 and they have to spend time finding a supervisor to figure out how to do it.  IPv4 they understand but not IPv6.

Contributor • 21 Messages • 2 m ago

@,

Basically getting calls talking about "retired speeds" prob want to upsell me to a higher bracket.  :-p

Funny about the RDNS, since IPv6 RDNS works the same as IPv4, and is in fact simpler and easier to do things like delegations, since it's broken down on nybble chunks of address space, unlike IPv4.

Problem solver • 312 Messages • 2 m ago

Yes but Comcast does not delegate IPv6 rDNS even though I run my own nameservers.  And I HAVE been told by Comcast techs in the past when calling in that the IPv6 allocations ARE static if you have an IPv4 static assignment - and they WILL put in rDNS entries for IPv6 (which would be pointless if the IPv6 was actually dynamic).   Technically the IPv6 prefix is static - mine HAS NOT changed even though my modem has been changed out 4 times since I got my static IPv4 assignment a decade ago - but the catch is that the prefix is NOT tied to the IPv4 static assignment, it's tied to the modem - either the modem's serial number, or the modem's MAC address.  Every time I've gotten a new modem the prefix has changed.  But it has never changed while I've had that particular modem.   I use SLAAC and have turned off the IPv6 privacy extensions, so as long as the MAC addresses of my servers don't change, the renumbering is merely changing the one octet in the middle of the address, on the router itself.  The servers automatically renumber themselves.  (DNS does not, though.  :-( )

Contributor • 21 Messages • 2 m ago

@tmittelstaedt,

OUCH.  I would use DHCPv6 w/ reservations, or just statics for my server host numbers which need rDNS.  Esp. since Comcast won't delegate your prefix for rDNS to your own name servers.

IMHO, they should at LEAST provide some web UI or an API to do this.  Something like dyndns (not sure how that actually works with IPv6 TBH).

Unfortunately, CB seems to be basically a residential ISP masquerading as a business ISP.  :-)

(edited)

Problem solver • 312 Messages • 2 m ago

Since rDNS delegation has to be on an octet boundary and that is very simple with IPv6, an API or UI is really a lot of extra effort for nothing.  Remember that renumbering under IPv6 using SLAAC is -very- easy.  The servers don't even have to be rebooted or anything.  You just change the number in the router and the servers move the old IP to a disabled status and assume the new one.  Of course this is assuming you have the servers registering into the DNS server and modifying their own nameserver records which I do not have setup.   If I DID have that setup then Comcast could drop in a new modem or the Comcast modem could change the prefix at will and I wouldn't even notice.

Using DHCPv6 and/or static IPv6 is actually going backwards and making things harder for yourself.

I actually think Comcast got into IPv6 with the best of intentions.  They chose Cisco, SMC and Netgear for CPE devices instead of some low-end manufacturer like Actiontec or Belkin or Linksys.  Those first 3 were known as the "professional" network hardware companies.   What Comcast didn't count on though was first SMC crashing and burning and being acquired by Accton in 2015, which did NOT want to mess with CPE gear and dumped it, and Cisco deciding they didn't want to mess with CPE gear and selling it off to Technicolor, and Netgear deciding that they were successful enough that they didn't need to sell a billion CPE devices a year to a behemoth like Comcast for a dollar each.  (or whatever cut rate price it was)  Nowadays Netgear sells cable modems direct to end users and they are doing it off their website at $180 each so they get 100% of that price.  Far more profitable than an OEM deal with Comcast where they sell those same devices to Comcast for like $25 each, so what do they need Comcast for?  Plus the firmware would have to be completely rewritten to support OSPF and all the back-end lockout-the-user rubbish that Comcast uses.

Of those three, Netgear was the only one that DID properly work the bugs out of their firmware.  Back around 8-9 years ago when Comcast was still buying those gateway devices from Netgear, SMC and Cisco, they filed bugs on DHCPv6-PD with all 3 of them and only Netgear correctly fixed their firmware.  SMC tried but their firmware was buggy on the SMC devices for other reasons and they ended up withdrawing from the CPE market due to financial/internal reasons.  And Cisco is notorious in the industry for "getting around to it" and you often have to wait years for them to get firmware fixed.  For example I use RV320 VPN routers at one customer of mine - these are great little devices, run off embedded Linux and all of that - but Cisco didn't finally get all of the security holes and bugs fixed in them until December of last year and they had already stopped production on the devices and replaced them with the RV340.   When Cisco sold the CPE products to Technicolor they agreed to fix bugs but knowing them they likely just dragged out the fixes until Technicolor gave up trying to get help from them.

And of course, today the entire focus is on super high speeds because people are wanting to stream 4k television.  So Technicolor is not going to put any development money into anything other than the newest and fastest CPE device they have.  The bug you reported 2 months ago was sort-of fixed by Technicolor so it's not like they are ignoring it.  And Comcast cannot do anything other than forward bug reports to Technicolor.

The CPE market is all about volume, volume, volume which means all manufacturing happens in China and I am sure that Technicolor is probably making an average of maybe $5 per box, if even that.  Since Comcast owns their entire fleet of business CPE devices they are surely sitting on warehouses full of older Netgear/SMC/Cisco devices gathering dust.   There is zero, zilch incentive to Ebay off old Comcast CPE devices because even if you have a spare business CPE device in case of a CPE failure, Comcast will NOT use it since they will have put it on their Lost list.  And once a device goes on the Lost list the Comcast techs have no alternative but to return it to Comcast's central warehouse if they run across one.  So for any new customer in any given city that signs up with Comcast, if they are a basic service then Comcast has a warehouse of CPE devices that are a decade old that they can give them.  Comcast doesn't need to buy Technicolor modems unless they get a new subscriber that wants the fastest service out there.

I have assisted several customers who have dynamic IP numbering on Comcast's network to decline the CPE rental and use their own.  I can tell you from experience that if a CPE was EVER rented from Comcast and NOT returned to them at the end of the rental period they will NOT add it back into their network if it shows up.  In fact, the frontline techs will TRY to the best of their abilities to do it but it won't work.  You can take CPE devices that are the same exact model number that come from rival Cable Internet companies and Comcast will have NO problems adding them and then pushing out the Comcast-specific firmware and rewriting the firmware in those devices.  And because they are Bring Your Own devices, they will NEVER go on the lost list.  But if Comcast owns it, they never let go of it.

If you want a real business class service you will be forking over $500 or more a month for real fiber and the handoff will be Ethernet and you will do your own routing; there will be none of this set top box you have to rent nonsense.  Comcast DOES in fact sell that service and I have another customer who has 6 sites in my city that are all Metro Ethernet with Comcast fiber.  The handoff is pure bridged VLANs.

So to say they are masquerading as a business ISP is false - the "Xfinity" service IS intended for residential dynamic use and for SOHO use where the Comcast device is the ONLY router/firewall/etc.  No masquerading about it.  The fact that DHCP-PD works at all after a fashion is a bonus.
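Worked illustration of the rDNS-delegation and renumbering points made in the last few posts (jb_geek on nibble-aligned ip6.arpa cuts, tmittelstaedt on prefix changes under SLAAC), added here as example code that belongs to neither poster; every prefix is a constructed documentation address, not anyone's real allocation:

```python
import ipaddress

# Added example, not code from the thread.  All prefixes below are constructed
# 2001:db8::/32 and 203.0.113.0/24 documentation values.

IP6_ARPA = "ip6.arpa"
IN_ADDR_ARPA = "in-addr.arpa"


def nibbles(addr):
    """The 32 hex nibbles of an IPv6 address, most significant first."""
    return list(ipaddress.IPv6Address(str(addr)).exploded.replace(":", ""))


def ptr_name(address):
    """Owner name of the PTR record for one host: one label per nibble, reversed."""
    return ".".join(reversed(nibbles(address))) + "." + IP6_ARPA


def delegation_zone(prefix):
    """Zone that NS records would have to name to delegate rDNS for `prefix`.

    ip6.arpa labels are nibbles, so any prefix length that is a multiple of 4
    (/56, /60, /64 ...) maps to exactly one zone cut; other lengths have none.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    kept = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + "." + IP6_ARPA


def ipv4_delegation_zone(prefix):
    """Same cut for in-addr.arpa, whose labels are octets: a /29 static block
    has no zone of its own, which is why IPv4 needs RFC 2317 classless tricks."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError(f"/{net.prefixlen} is not on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + IN_ADDR_ARPA


def renumbered(address, new_prefix):
    """Address a SLAAC host ends up with after the delegated prefix changes.

    Only the top prefixlen bits move; the subnet id below them and the
    MAC-derived interface identifier stay, so a modem swap rewrites every
    PTR name while the hosts themselves need no reconfiguration.
    """
    addr = int(ipaddress.IPv6Address(address))
    net = ipaddress.IPv6Network(new_prefix, strict=True)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    return str(ipaddress.IPv6Address(int(net.network_address) | (addr & host_mask)))


if __name__ == "__main__":
    old = "2001:db8:abcd:1201:211:22ff:fe33:4455"
    print(delegation_zone("2001:db8:abcd:1200::/56"))
    print(ptr_name(old))
    print(ptr_name(renumbered(old, "2001:db8:ffff:ee00::/56")))
```

The two ValueError paths are the practical difference between the address families: a /56 or /60 IPv6 delegation is one zone cut, while an IPv4 /29 needs the classless workaround.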

Contributor • 21 Messages • 2 m ago

@tmittelstaedt IMHO there's no excuse for something calling itself a business service not to have working DHCPv6 PD.  They charge business rates (I'm paying about $220/m for my com biz and phone service), so we should get biz service.

SLAAC is fine.  I run that inside also, except for a few servers, which I run statics on.  I don't see IPAM being a big burden.  It's normal for any sort of organization.  IMHO, SLAAC works great for client hosts, but I'd rather have statics or reservations on servers.  Even with dyndns style service running locally.

(edited)