Okay, Comcast swapped my Cisco for a Netgear as the Cisco doesn't offer functional PD. The Netgear displays a /56 prefix, but it doesn't delegate.
Network is setup like this:
Gateway -> Server 2012r2 router/firewall -> office network
Gateway and router have 2601:xx:xxxx:xx00::/64 addresses, office network has subnet 2601:xx:xxxx:xx37::/64
IPv4 is Static
The IPv6 setup page shows:
But, the router advertises:
ICMPv6 Option (Prefix information : 2601:xx:xxxx:xx00::/64) <- I think this is okay, should still be another 255 subnets available(?)
ICMPv6 Option (Route Information : Medium 2601:xx:xxxx:xx00::/56) <-
sets itself as default gateway to reach /56, pretty sure should be on-link. This seems to be set by the "user defined prefix" option, which appears to have little other effect. For example: if I set the user defined prefix to 2601:xx:xxxx:xxyy::/zz (56 <= zz <=64; 00 <= yy <= FF), the gateway advertises an on-link prefix of 2601:xx:xxxx:xxyy::/64 and a route for 2601:xx:xxxx:xxyy::/zz with it's link-local as the gateway. I'm not sure, but I think this means the gateway is insisting that any prefix shorter than /64 is between itself and comcast. Which would make the Netgear as useless as the other two gateways.
EDIT: Okay, I think I had that backwards, the gateway should be the default gateway for that prefix.
DHCPv6 isn't sending IA_PD data, though that could be because the router isn't requesting it.
From the LAN, I can ping the router's external interface, but get "Destination Net Unreachable" if I ping the gateway (or anything past it). When I cap some packets, I see the gateway replying to my internal hosts with ICMPv6 error 5 "Source address failed ingress/egress policy", which I gather is it's way of saying "That's not my prefix, go f yourself"
From my external interface (same /64 as gateway) I can ping globally.
This is the case no matter what I set on the gateway.
The only settings I haven't tried on the gateway are manual DNS and EUI-64. On the router's external interface, I've flipped every flag there is - Managed, other config, advertising, default route advertising, dhcp, ignore default route, router discovery... I've set addresses (including anycast, as per Microsoft's page on IPv6 addressing), routes, and my hair on fire.
Could be I'm doing something wrong on the router side since I'm new to using windows for routing. Fairly new to IPv6 too, but didn't have any trouble pulling a /60 from comcast and handing out /64 with an old OpenWRT router when I had their home service.
To anyone who knows IPv6 better than I - please let me know if you see something I'm doing wrong. Same for Server 2012r2 RRAS.
If you know basically nothing about either, but do have an idea about what the problem is, or a fix, please let me know.
no PD by default in dhcpv6. It does it magically when conditions are right.
Thanks, but I've read it.
Looks like the heart of the issue is the gateway's filtering policy. It rejects packets who's source /64 doesn't match it's /64 when it should be filtering according to the assigned /56. So, instead of the 265 subnets it claims to have available, I have exactly 1.
Gateway's local subnet - 2601:xx:xxxx:xx00::/64
I set an address with prefix 2601:xx:xxxx:xx01::/64 on an interface connected directly to the gateway. If I ping google, the filters should match the first 56 bits and forward the packet, right? Except it won't. No matter what I set for the prefix or it's length, only packets with the same, useless, 64 bits as the gateway will pass. And naturally, I can't use that prefix on both sides of the router.
I just got off the phone after spending 15 minutes trying to explain this to a tier 2 tech who just kept asking if I wanted DHCP turned on, or a new gateway. He didn't seem to understand anything I asked, or that I was talking about IPv6, not 4.
Wouldn't even pass me along to tier 3, where maybe I could find someone who at least knows there is a difference between 4 and 6.
Did you read my post titled
Using the SMC D3G with IPv6 and static IPv4
from June of this year? It's equally applicable to the Cisco (although the cisco does not crash every 6 hours or so) Some good info in there.