Native IPv6 with Comcast Business and pfSense 2.3

Our ISP, Comcast, has recently rolled out native IPv6 support in our area, so this week I decided to set up our library to be dual stack. The first thing that had to happen was getting a Comcast tech to change out our SMC modem for a Netgear modem. According to Comcast tech support, the SMC doesn’t support IPv6.

Once the modem was switched out, I went in and turned off every feature I could in the modem. No DHCP, no firewall, etc. This is because we use a pfSense firewall in our library. Apparently you can’t do a true bridge mode with Comcast, but this is the best approximation. Call it a fake bridge mode.

Next, to set up IPv6 on the modem, I used the following settings. I enabled User defined prefix, but left everything default under it. I also enabled DHCPv6 and Rapid Commit. I left the rest unchecked. I can’t tell you exactly what each option does, because according to Comcast tech support there is no documentation to consult on this modem. Frustrating! However, after much trial and error (and a lot of lost internet connectivity), these settings worked for me. Hit apply and your modem will reboot. Then move to your firewall.

On your firewall go to your WAN interface (which I creatively called “Comcast”).

Under the IPv6 Configuration setting select DHCPv6.

Below on the same page, under the DHCP6 client configuration, select the following options. There is one gotcha here. Apparently, the Netgear modem ignores the requested delegation size if it is larger than a /60 and will only give you a /60 or a /64. Comcast tells you they give you a /56, but requesting that resulted in failure, so request a /60 and everything will be happy. This does limit you to 16 /64 subnets, but that was plenty for me.

Next move on to your LAN interface, in this case called LebStaff. Under IPv6 Configuration Type select “Track Interface”.

Below on the same page select your WAN interface as the IPv6 Interface and set the IPv6 prefix ID. This is a single hex digit (0-9 or a-f, for a total of 16 options) that identifies which /64 subnet out of the delegated /60 this interface will use.

Do this for each LAN interface you have, giving each one a different prefix ID. Next go under the Services tab and select DHCPv6 Server/RA.
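To see how the delegated /60 and the per-interface prefix ID fit together, here is an added Python example (not from the original post and not pfSense’s own code) that computes the /64 a “Track Interface” LAN receives; the delegated prefix 2001:db8:abcd:1230::/60 is a constructed documentation-range sample. It also accepts a /56, which shows why Comcast’s advertised size would have allowed two-digit prefix IDs.

```python
import ipaddress


def delegated_subnets(delegated: str) -> int:
    """Number of /64 subnets a delegated prefix can be split into
    (16 for a /60, 256 for a /56)."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("a delegation smaller than /64 cannot be split into /64s")
    return 2 ** (64 - net.prefixlen)


def prefix_id_in_range(delegated: str, prefix_id: str) -> bool:
    """True if the hex prefix ID selects a /64 that exists inside the delegation.
    With a /60 only 0..f are valid; with a /56 the ID may go up to ff."""
    return 0 <= int(prefix_id, 16) < delegated_subnets(delegated)


def track_interface_subnet(delegated: str, prefix_id: str) -> ipaddress.IPv6Network:
    """Return the /64 a LAN interface gets when it tracks the WAN delegation
    with the given pfSense IPv6 prefix ID (hex digits, as typed in the GUI)."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if not prefix_id_in_range(delegated, prefix_id):
        raise ValueError(
            f"prefix ID {prefix_id} is out of range for {delegated} "
            f"(valid: 0..{delegated_subnets(delegated) - 1:x})"
        )
    # The prefix ID fills the subnet bits between the delegated length and /64,
    # i.e. the low bits of the fourth hextet for a /60 delegation.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base + (int(prefix_id, 16) << 64), 64))


if __name__ == "__main__":
    delegation = "2001:db8:abcd:1230::/60"  # constructed sample delegation
    print(f"{delegation} yields {delegated_subnets(delegation)} /64 subnets")
    for pid in ("0", "1", "f"):
        print(f"prefix ID {pid} -> {track_interface_subnet(delegation, pid)}")
```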

You can select whatever you wish under this section. I chose to leave the DHCPv6 server off and set my router advertisement mode to Unmanaged. One of the cool features of IPv6 is that clients can configure their own IP addresses (SLAAC). Using Unmanaged for your router advertisements tells clients to do this. I also selected High for my router priority. There shouldn’t be any other routers on this subnet, but if there were I wouldn’t want them overriding this one.

Next go into your firewall rules and add a rule to pass IPv6 traffic on all of your LAN interfaces (but not on your WAN interface). If you miss this step you will be very frustrated when you can’t connect to any IPv6 resources.

The next step is to go to the Routing menu under the System tab. Edit the automatically created DHCPv6 gateway and set the monitor IP address to an IPv6-only website. In this case I used ipv6.google.com. If you don’t do this step, your gateway will always show as down even when it is up. The reason for this is that the Netgear modem doesn’t respond to pings, so when pfSense tries to ping the gateway, it gets no response and reports the gateway as down. ipv6.google.com does respond to pings, but is only reachable over IPv6, so if the IPv6 gateway is in fact down, ipv6.google.com will not be reachable either.

Finally, reboot your router. When it comes back up, you should see your new gateway online and all of your LAN interfaces with IPv6 addresses in the subnets that you specified. Although I have blurred my IPs, you can see what it will look like. The short blurs are IPv4 and the long blurs are IPv6. One quick note: I have found that I have to go into my WAN interface and click Save after rebooting my router. If I don’t do this, I won’t have internet connectivity on any of my LAN interfaces (though I will be able to ping out from the router). I don’t know if this is a Comcast modem issue or a firewall issue, but I didn’t have this issue until they changed out my modem, so I have my suspicions.

Now go to http://test-ipv6.com/ and enjoy the native IPv6 goodness.