Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 1:31 PM, Moshe Katz  wrote:

> On Fri, May 20, 2016 at 12:19 PM, WebDawg  wrote:
>
> > On Fri, May 20, 2016 at 11:06 AM, Moshe Katz 
> wrote:
>
> They will not let you bring your own modem if you have a static IP.
>
> I wrote the last message on my tablet, so I had to keep it short, but I can
> explain further now.
>
> Basically, when you get static IPs from Comcast, they do not want to set up
> the routing for them upstream in the central office (like most other ISPs
> would do).
> Instead, they assign your "Business IP Gateway" device (which is a
> modem/router/firewall combination) a dynamic IP that is in the same block
> of IPs that the entire rest of your neighborhood has.  After the Business
> IP Gateway has received its dynamic address, it advertises itself (I
> believe using RIP) as the next hop to the IP addresses that have been
> allocated to you.
>
> Additionally, the Gateway runs a DHCP server in the 10.x.x.x range. Any
> computer on your network that requests an address on DHCP will receive a
> private address from the Gateway and the Gateway will perform NAT.
>
> In effect, this allows you to have your public addresses and private
> addresses on a single connection to the Internet, with the public addresses
> routed and the private addresses NAT'ed.
>
> To make a long story short, not only will Comcast not allow you to use a
> simple Arris Surfboard modem for static IPs, the way their system is set up
> would not even work if you tried to use a plain modem, because your modem
> wouldn't be able to claim the addresses.
> In theory, Comcast could just allow you to set up your own RIP
> advertisements from your own hardware. I'm guessing that the reason they
> don't want to do that is because they'd rather have full control.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>
Hmm,

That would be the solution then?  Set up RIP.  Has anyone asked?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread Moshe Katz
On Fri, May 20, 2016 at 12:19 PM, WebDawg  wrote:

> On Fri, May 20, 2016 at 11:06 AM, Moshe Katz  wrote:
>
> > If you have static IPs from Comcast, you cannot put the device in bridge
> > mode. The way that Comcast static IPs work is that your Comcast device
> > advertises itself to the rest of Comcast's network as the route to your
> > static addresses. In effect, just pretend that this Comcast device is in
> > Comcast's central office and that you can't change anything about it.
> >
> > Moshe
> >
>
> Wow.
>
> No wonder there are issues.  I have only seen a few good modems as of late
> from any cable provider.
>
> Are there people having the same issues with the newer Arris Cable Modem?
> I see the responses in the thread, will they issue static ip addresses with
> just modems/Arris?
>
> Really, they will not let you bring your own device with a compatible Arris
> modem?
>
> I hate the all in one devices that they give out.  I had issues with one
> until I put it into bridge mode.  It would not NAT correctly.
>
> At another location, I demanded a modem.  I was paying for their fastest
> internet 100M down at the time and there was no way I was going to add all
> that overhead to the connection and depend on garbage firmware.
>
>
They will not let you bring your own modem if you have a static IP.

I wrote the last message on my tablet, so I had to keep it short, but I can
explain further now.

Basically, when you get static IPs from Comcast, they do not want to set up
the routing for them upstream in the central office (like most other ISPs
would do).
Instead, they assign your "Business IP Gateway" device (which is a
modem/router/firewall combination) a dynamic IP that is in the same block
of IPs that the entire rest of your neighborhood has.  After the Business
IP Gateway has received its dynamic address, it advertises itself (I
believe using RIP) as the next hop to the IP addresses that have been
allocated to you.

Additionally, the Gateway runs a DHCP server in the 10.x.x.x range. Any
computer on your network that requests an address on DHCP will receive a
private address from the Gateway and the Gateway will perform NAT.

In effect, this allows you to have your public addresses and private
addresses on a single connection to the Internet, with the public addresses
routed and the private addresses NAT'ed.

To make a long story short, not only will Comcast not allow you to use a
simple Arris Surfboard modem for static IPs, the way their system is set up
would not even work if you tried to use a plain modem, because your modem
wouldn't be able to claim the addresses.
In theory, Comcast could just allow you to set up your own RIP
advertisements from your own hardware. I'm guessing that the reason they
don't want to do that is because they'd rather have full control.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 11:06 AM, Moshe Katz  wrote:

> If you have static IPs from Comcast, you cannot put the device in bridge
> mode. The way that Comcast static IPs work is that your Comcast device
> advertises itself to the rest of Comcast's network as the route to your
> static addresses. In effect, just pretend that this Comcast device is in
> Comcast's central office and that you can't change anything about it.
>
> Moshe
>

Wow.

No wonder there are issues.  I have only seen a few good modems as of late
from any cable provider.

Are there people having the same issues with the newer Arris Cable Modem?
I see the responses in the thread, will they issue static ip addresses with
just modems/Arris?

Really, they will not let you bring your own device with a compatible Arris
modem?

I hate the all in one devices that they give out.  I had issues with one
until I put it into bridge mode.  It would not NAT correctly.

At another location, I demanded a modem.  I was paying for their fastest
internet 100M down at the time and there was no way I was going to add all
that overhead to the connection and depend on garbage firmware.


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread Moshe Katz
If you have static IPs from Comcast, you cannot put the device in bridge
mode. The way that Comcast static IPs work is that your Comcast device
advertises itself to the rest of Comcast's network as the route to your
static addresses. In effect, just pretend that this Comcast device is in
Comcast's central office and that you can't change anything about it.

Moshe
On May 20, 2016 11:54 AM, "WebDawg"  wrote:

> On Wed, May 18, 2016 at 6:14 PM, Steve Yates  wrote:
>
> > We have an application with a Comcast-provided SMC router and two pfSense
> > routers (Comcast <- building <- tenant).  The building router (v2.3.0)
> gets
> > an IPv6 address and can ping out.  However in its DHCP logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router isn't
> > delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs inside
> > the tenant router but unless I'm mistaken I need a couple more /64
> networks
> > for that (what a waste of IPs...I know there's a lot but still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
> >
> Am I correct to assume that you are putting this device in bridge mode?


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Wed, May 18, 2016 at 6:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two pfSense
> routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets
> an IPv6 address and can ping out.  However in its DHCP logs I see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't
> delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside
> the tenant router but unless I'm mistaken I need a couple more /64 networks
> for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>
>
Am I correct to assume that you are putting this device in bridge mode?


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Olivier Mascia
There's indeed no NAT concept in IPv6 but you can use NPt to assign globally 
routable IPs on WAN and have them match to a translated locally routable prefix.

Say you have x:y:z:a::/64 on the WAN side which translates to fd01::/64 on the 
LAN side.

-- 
Meilleures salutations, Met vriendelijke groeten,  Best Regards,
Olivier Mascia (from mobile device), integral.be/om


> On 19 May 2016 at 21:59, Steve Yates wrote:
> 
> Is there a way to force pfSense to do NAT for IPv6?  If so then we could make 
> it work.  I understand that's not the point of IPv6 but...

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Steve Yates
Is there a way to force pfSense to do NAT for IPv6?  If so then we could make 
it work.  I understand that's not the point of IPv6 but...

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Thursday, May 19, 2016 2:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix 
length, XID mismatch

I'm going to have to guess that you are out of luck for IPv6 then.

If you find anyone at Comcast who is 1) capable of understanding technical 
feedback, 2) receptive to such feedback, and 3) high enough up the chain of 
command to make things happen, I'd be happy to join a campaign to convince that 
person to get this fixed.

Moshe

P. S. Something tells me that we will have moved on to IPv6 or IPv8 (or maybe 
even abandoned IP entirely for something else) by the time anything happens to 
get this fixed. This is Comcast we're talking about after all, a multi-year 
winner and runner-up of Consumerist's "Golden Poo Award" for worst company in 
America.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Thu, May 19, 2016 at 2:49 PM, Steve Yates <st...@teamits.com> wrote:

> I neglected to mention it but I did find and read many 
> articles on Comcast modem support.  As a whole the posts were rather 
> conflicting and confused so it seemed that it may or may not 
> work...older posts were more likely to say it wasn't working.
>
> We do have a static IPv4 block.  Sadly a few years ago when we 
> tried to increase speeds we were down for a time because their other 
> non-SMC modem couldn't handle static IPs reliably and they had to 
> scrounge for an SMC box for us.  I inferred the techs knew this but 
> Comcast was switching modems anyway.  So, I'm hesitant to ask for a different 
> one.
> :-/  Maybe it is different now.
>
> I don't see anything in the SMC interface about a firmware 
> update.  It's Comcast branded so I assume their firmware.  Maybe we'd 
> have to call.  It has v 3.1.6.57 now.
>
> The SMC does show an IPv6 address, LAN DHCPv6 enabled with a 
> range, and has an "External Router Delegated Prefix" section that is 
> empty.  The building router gets its IP from that range.  The SMC has 
> a different WAN IPv6 address in 2001:558:...::/64.  At the bottom of 
> its Gateway Summary/Network tab I see:
>
> LAN IPv6 Prefixs Delegations   2601:249::::/64
>
> ...with the LAN IP range.  (yes, it is spelled "prefixs")
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe 
> Katz
> Sent: Wednesday, May 18, 2016 10:10 PM
> To: pfSense Support and Discussion Mailing List 
> <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid 
> prefix length, XID mismatch
>
> On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:
>
> > We have an application with a Comcast-provided SMC router and two 
> > pfSense routers (Comcast <- building <- tenant).  The building 
> > router
> > (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP
> logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router 
> > isn't delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs 
> > inside the tenant router but unless I'm mistaken I need a couple 
> > more
> > /64 networks for that (what a waste of IPs...I know there's a lot 
> > but
> still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
>
> Comcast's support documents claim that "Business IP Gateway" devices 
> (a.k.a. your SMC modem/router) are allocated a /56. However, there 
> seem to be indications on Comcast's forums and other networking forums 
> that they aren't doing that properly on certain models with certain 
> firmware. (One example is
>
> http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
> is from over a year ago, but that could still be an issue now given 
> the speed which these companies release firmware updates.)
>
> Can you check if there is a firmwar

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Moshe Katz
I'm going to have to guess that you are out of luck for IPv6 then.

If you find anyone at Comcast who is 1) capable of understanding technical
feedback, 2) receptive to such feedback, and 3) high enough up the chain of
command to make things happen, I'd be happy to join a campaign to convince
that person to get this fixed.

Moshe

P. S. Something tells me that we will have moved on to IPv6 or IPv8 (or
maybe even abandoned IP entirely for something else) by the time anything
happens to get this fixed. This is Comcast we're talking about after all, a
multi-year winner and runner-up of Consumerist's "Golden Poo Award" for
worst company in America.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Thu, May 19, 2016 at 2:49 PM, Steve Yates <st...@teamits.com> wrote:

> I neglected to mention it but I did find and read many articles on
> Comcast modem support.  As a whole the posts were rather conflicting and
> confused so it seemed that it may or may not work...older posts were more
> likely to say it wasn't working.
>
> We do have a static IPv4 block.  Sadly a few years ago when we
> tried to increase speeds we were down for a time because their other
> non-SMC modem couldn't handle static IPs reliably and they had to scrounge
> for an SMC box for us.  I inferred the techs knew this but Comcast was
> switching modems anyway.  So, I'm hesitant to ask for a different one.
> :-/  Maybe it is different now.
>
> I don't see anything in the SMC interface about a firmware
> update.  It's Comcast branded so I assume their firmware.  Maybe we'd have
> to call.  It has v 3.1.6.57 now.
>
> The SMC does show an IPv6 address, LAN DHCPv6 enabled with a
> range, and has an "External Router Delegated Prefix" section that is
> empty.  The building router gets its IP from that range.  The SMC has a
> different WAN IPv6 address in 2001:558:...::/64.  At the bottom of its
> Gateway Summary/Network tab I see:
>
> LAN IPv6 Prefixs Delegations   2601:249::::/64
>
> ...with the LAN IP range.  (yes, it is spelled "prefixs")
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: Wednesday, May 18, 2016 10:10 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix
> length, XID mismatch
>
> On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:
>
> > We have an application with a Comcast-provided SMC router and two
> > pfSense routers (Comcast <- building <- tenant).  The building router
> > (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP
> logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router
> > isn't delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs
> > inside the tenant router but unless I'm mistaken I need a couple more
> > /64 networks for that (what a waste of IPs...I know there's a lot but
> still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
>
> Comcast's support documents claim that "Business IP Gateway" devices
> (a.k.a. your SMC modem/router) are allocated a /56. However, there seem to
> be indications on Comcast's forums and other networking forums that they
> aren't doing that properly on certain models with certain firmware. (One
> example is
>
> http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
> is from over a year ago, but that could still be an issue now given the
> speed which these companies release firmware updates.)
>
> Can you check if there is a firmware update for the SMC box?
>
> Is there any way to check in the settings of the SMC box to see what it
> got from Comcast? None of my customers are using that model at the moment,
> so I can't tell you where to look.
>
> If you do not have static IPs from Comcast, your best option is probably
> to replace the Comcast-provided router with a Motorola/Arris Surfboard
> modem and have the building pfSense talk directly to Comcast through that.
> However, for some reason that defies all logical explanation, Comcast will
> not let you BYOM if 

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Steve Yates
I neglected to mention it but I did find and read many articles on 
Comcast modem support.  As a whole the posts were rather conflicting and 
confused so it seemed that it may or may not work...older posts were more 
likely to say it wasn't working.

We do have a static IPv4 block.  Sadly a few years ago when we tried to 
increase speeds we were down for a time because their other non-SMC modem 
couldn't handle static IPs reliably and they had to scrounge for an SMC box for 
us.  I inferred the techs knew this but Comcast was switching modems anyway.  
So, I'm hesitant to ask for a different one.  :-/  Maybe it is different now.

I don't see anything in the SMC interface about a firmware update.  
It's Comcast branded so I assume their firmware.  Maybe we'd have to call.  It 
has v 3.1.6.57 now.

The SMC does show an IPv6 address, LAN DHCPv6 enabled with a range, and 
has an "External Router Delegated Prefix" section that is empty.  The building 
router gets its IP from that range.  The SMC has a different WAN IPv6 address 
in 2001:558:...::/64.  At the bottom of its Gateway Summary/Network tab I see:

LAN IPv6 Prefixs Delegations   2601:249::::/64

...with the LAN IP range.  (yes, it is spelled "prefixs")

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Wednesday, May 18, 2016 10:10 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix 
length, XID mismatch

On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:

> We have an application with a Comcast-provided SMC router and two 
> pfSense routers (Comcast <- building <- tenant).  The building router 
> (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP logs I 
> see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router 
> isn't delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs 
> inside the tenant router but unless I'm mistaken I need a couple more 
> /64 networks for that (what a waste of IPs...I know there's a lot but 
> still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>

Comcast's support documents claim that "Business IP Gateway" devices (a.k.a. 
your SMC modem/router) are allocated a /56. However, there seem to be 
indications on Comcast's forums and other networking forums that they aren't 
doing that properly on certain models with certain firmware. (One example is
http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
is from over a year ago, but that could still be an issue now given the speed 
which these companies release firmware updates.)

Can you check if there is a firmware update for the SMC box?

Is there any way to check in the settings of the SMC box to see what it got 
from Comcast? None of my customers are using that model at the moment, so I 
can't tell you where to look.

If you do not have static IPs from Comcast, your best option is probably to 
replace the Comcast-provided router with a Motorola/Arris Surfboard modem and 
have the building pfSense talk directly to Comcast through that.
However, for some reason that defies all logical explanation, Comcast will not 
let you BYOM if you use static IPs.

Some people (also mentioned in the forum link above) have gotten prefix 
delegation to work by asking Comcast to switch their SMC router for a Netgear 
one.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-18 Thread Moshe Katz
On Wed, May 18, 2016 at 7:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two pfSense
> routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets
> an IPv6 address and can ping out.  However in its DHCP logs I see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't
> delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside
> the tenant router but unless I'm mistaken I need a couple more /64 networks
> for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>

Comcast's support documents claim that "Business IP Gateway" devices
(a.k.a. your SMC modem/router) are allocated a /56. However, there seem to
be indications on Comcast's forums and other networking forums that they
aren't doing that properly on certain models with certain firmware. (One
example is
http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
is from over a year ago, but that could still be an issue now given the
speed which these companies release firmware updates.)

Can you check if there is a firmware update for the SMC box?

Is there any way to check in the settings of the SMC box to see what it got
from Comcast? None of my customers are using that model at the moment, so I
can't tell you where to look.

If you do not have static IPs from Comcast, your best option is probably to
replace the Comcast-provided router with a Motorola/Arris Surfboard modem
and have the building pfSense talk directly to Comcast through that.
However, for some reason that defies all logical explanation, Comcast will
not let you BYOM if you use static IPs.

Some people (also mentioned in the forum link above) have gotten prefix
delegation to work by asking Comcast to switch their SMC router for a
Netgear one.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


[pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-18 Thread Steve Yates
We have an application with a Comcast-provided SMC router and two pfSense 
routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets an 
IPv6 address and can ping out.  However in its DHCP logs I see:

dhcp6c  invalid prefix length 64 + 4 + 64
dhcp6c  XID mismatch (several of these)

Am I correct that "invalid prefix length" means the Comcast router isn't 
delegating a /60 properly?  I have it set:

DHCPv6 Prefix Delegation size   60
Send IPv6 prefix hint   checked

If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."

My second question was going to be about getting IPv6 to the PCs inside the 
tenant router but unless I'm mistaken I need a couple more /64 networks for 
that (what a waste of IPs...I know there's a lot but still...).

Thanks,

Steve Yates
ITS, Inc.
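
What the two "invalid prefix length" messages quoted in this post add up to, as an added example that is not part of the original post or of dhcp6c itself. It assumes the three logged numbers are the delegated prefix length, the sla-len and the interface-ID length, that their sum must stay within 128 bits, and that the sla-len is 64 minus the requested delegation size (which fits the 4 and 8 seen for /60 and /56); the timestamps, host name and PID in the sample lines are constructed.

```python
import re

# Assumption (not stated on the page): dhcp6c logs the three values as
#   <delegated prefix length> + <sla-len> + <interface-ID length>
# and rejects the prefix when their sum falls outside 0..128 bits.
INVALID_PLEN = re.compile(r"invalid prefix length (\d+) \+ (\d+) \+ (\d+)")

# Constructed sample lines: the messages are the ones quoted in the thread,
# the timestamps, host name and PID are made up.
SAMPLE_LOG = [
    "May 18 18:02:11 building dhcp6c[4242]: invalid prefix length 64 + 4 + 64",
    "May 18 18:02:12 building dhcp6c[4242]: XID mismatch",
    "May 18 18:09:40 building dhcp6c[4242]: invalid prefix length 64 + 8 + 64",
]


def explain(line):
    """Break one 'invalid prefix length' line into its parts, or return None."""
    m = INVALID_PLEN.search(line)
    if m is None:
        return None
    delegated, sla_len, ifid_len = (int(g) for g in m.groups())
    total = delegated + sla_len + ifid_len
    room = 128 - ifid_len - delegated  # bits left over for subnetting
    return {
        "delegated_plen": delegated,
        "sla_len": sla_len,
        "ifid_len": ifid_len,
        "total_bits": total,
        "fits": 0 <= total <= 128,
        # Longest delegated prefix that would leave room for this sla-len.
        "needed_plen": 128 - ifid_len - sla_len,
        # Number of LAN prefixes the delegation can actually supply.
        "lan_prefixes": 2 ** room if room >= 0 else 0,
    }


def summarize(lines):
    """Return one human-readable line per 'invalid prefix length' entry."""
    out = []
    for line in lines:
        info = explain(line)
        if info is None:
            continue  # e.g. the XID mismatch lines carry no lengths
        out.append(
            "got /{delegated_plen}, client configured for /{needed_plen} "
            "(sla-len {sla_len}): {total_bits} bits, {lan_prefixes} usable "
            "/{sub} prefix(es)".format(sub=128 - info["ifid_len"], **info)
        )
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Under those assumptions both messages describe a /64 coming back regardless of the hint sent, which leaves a single /64 and nothing to hand on to the tenant router.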
