Native IPv6 with Comcast Business and pfSense 2.3

Our ISP, Comcast, has recently rolled out native IPv6 support in our area, so this week I decided to set up our library to be dual stack. The first thing that had to happen was getting a Comcast tech to change out our SMC modem for a Netgear modem. According to Comcast tech support, the SMC doesn’t support IPv6.

Once the modem was switched out, I went in and turned off every feature I could in the modem. No DHCP, no firewall, etc. This is because we use a pfSense firewall in our library. Apparently you can’t do a true bridge mode with Comcast, but this is the best approximation. Call it a fake bridge mode.

Next, to set up IPv6 on the modem, I used the following settings. I enabled User defined prefix, but left everything under it at the defaults. I also enabled DHCPv6 and Rapid Commit. I left the rest unchecked. I can’t tell you exactly what each option does, because according to Comcast tech support there is no documentation to consult on this modem. Frustrating! However, after much trial and error and lost internet connection, these settings worked for me. Hit apply and your modem will reboot. Then move to your firewall.

On your firewall, go to your WAN interface (which I creatively called “Comcast”).

Under the IPv6 Configuration setting select DHCPv6.

Below on the same page, under the DHCP client configuration, select the following options. There is one gotcha here. Apparently, their Netgear modem ignores the requested delegation size if it is larger than a /60 and will only give you a /60 or a /64. Comcast tells you they give you a /56, but that resulted in failure, so request a /60 and everything will be happy. This does limit you to 16 subnets, but that was plenty for me.

Next, move on to your LAN interface, in this case called LebStaff. Under IPv6 Configuration Type, select “Track Interface”.

Below on the same page select your WAN interface as the IPv6 Interface and set the IPv6 prefix ID. This is a hex digit (0-9 or a-f for a total of 16 options) that will identify your /64 subnet.
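To see how the delegated prefix and the prefix ID combine into each LAN's /64, here is an added example (not part of the original post) using Python's `ipaddress` module. The delegated prefix is a constructed value from the 2001:db8::/32 documentation range, and the second interface name `LebPublic` is hypothetical.

```python
import ipaddress

def subnet_count(delegated):
    """Number of /64 subnets available inside a delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation is longer than /64; no room for a SLAAC subnet")
    return 1 << (64 - pd.prefixlen)          # /60 -> 16, /56 -> 256, /64 -> 1

def lan_subnets(delegated, prefix_ids):
    """Map interface name -> /64, given hex prefix IDs as entered per LAN interface."""
    pd = ipaddress.IPv6Network(delegated)
    limit = subnet_count(delegated)
    used, result = {}, {}
    for ifname, hex_id in prefix_ids.items():
        pid = int(hex_id, 16)
        if pid >= limit:
            raise ValueError(f"{ifname}: prefix ID {hex_id} does not fit in a /{pd.prefixlen}")
        if pid in used:
            raise ValueError(f"{ifname}: prefix ID {hex_id} already used by {used[pid]}")
        used[pid] = ifname
        # The prefix ID fills the bits between the delegation length and /64.
        base = int(pd.network_address) | (pid << 64)
        result[ifname] = ipaddress.IPv6Network((base, 64))
    return result

def owner_of(address, subnets):
    """Return the interface whose /64 contains the address, or None."""
    addr = ipaddress.IPv6Address(address)
    for ifname, net in subnets.items():
        if addr in net:
            return ifname
    return None

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, not a real delegation).
    delegated = "2001:db8:1234:5670::/60"
    subnets = lan_subnets(delegated, {"LebStaff": "0", "LebPublic": "a"})
    print(subnet_count(delegated), "subnets available")
    for ifname, net in subnets.items():
        print(ifname, net)
```

`owner_of` is useful after the reboot step: pass it an address seen on a LAN interface to confirm it falls inside the /64 you assigned to that interface.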

Do this for each LAN interface you have. Next, go under the Services tab and select DHCPv6 Server/RA.

You can select whatever you wish under this section. I chose to leave the DHCPv6 server off and set my router advertisement to unmanaged. One of the cool features of IPv6 is that clients can configure their own IP addresses. Using unmanaged for your router advertisement tells clients to do this. I also selected high for my router priority. There shouldn’t be any other routers on this subnet, but if there were I wouldn’t want them overriding this one.

Next go into your firewall rules and add a rule to pass IPv6 traffic on all of your LAN interfaces (but not on your WAN interface). If you miss this step you will be very frustrated when you can’t connect to any IPv6 resources.

The next step is to go to the routing menu under the System tab. Edit the automatically created DHCPv6 gateway and set the monitor IP address to an IPv6-only website. In this case I used ipv6.google.com. If you don’t do this step, your gateway will always show as down even when it is up. The reason for this is that the Netgear modem doesn’t respond to pings, so when pfSense tries to ping the gateway, it gets no response and reports the gateway as down. ipv6.google.com does respond to pings, but is only accessible over IPv6, so if the IPv6 gateway is in fact down, ipv6.google.com will not be available.

Finally, reboot your router. When it comes back up, you should see your new gateway online and all of your LAN interfaces should have IPv6 addresses in the subnet that you specified. Although I have blurred my IPs, you can see what it will look like. The short blurs are IPv4 and the long blurs are IPv6. One quick note: I have found that I have to go into my WAN interface and click save after rebooting my router. If I don’t do this, I won’t have internet connectivity on any of my LAN interfaces (though I will be able to ping out from the router). I don’t know if this is a Comcast modem issue or a firewall issue, but I didn’t have this issue until they changed out my modem, so I have my suspicions.

Now go to http://test-ipv6.com/ and enjoy the native IPv6 goodness.

5 thoughts on “Native IPv6 with Comcast Business and pfSense 2.3”

  1. I got this for my Comcast internet connection – it’s just a modem (no need to “bridge” mode because that’s all it does to begin with). It was approved in my area (near Seattle).

    Motorola Ultra Fast DOCSIS 3.1 Cable Modem, Model MB8600, plus 32×8 DOCSIS 3.0, Certified by Comcast XFINITY and Cox Communications
    by Motorola
    Link: http://a.co/8BjHIAD

    It is sick AF. 280+ Mbps download on a supposedly 250 Mbps residential connection. Also use behind pfSense.

    Thought you might like to know…

  2. This article left me with a lot of questions.

    Can you explain why you chose DHCPv6 over 6to4, Tracking, etc. for your WAN interface?

    What does “Tracking” mean for the interface type?

    1. DHCPv6 means that my WAN interface is dynamically getting handed an IPv6 block from my ISP, in this case Comcast. Comcast does not currently offer static IPv6 addresses. A 6to4 tunnel is a way to enable IPv6 when your ISP doesn’t support it. You tunnel the traffic over IPv4 to an IPv6 endpoint such as tunnelbroker.net.

      Tracking an interface means that the subnets to the IPv6 block that are allocated to the WAN can be handed out to the LAN interfaces.

  3. Can someone tell me how I can obtain a static IPv6 address from Comcast? (IL) I tried it… but I spent a total of almost 20 hours on the phone line and chat with all idiots and I am done… Do you have a special number that you can call and talk with smart people or tech support?
