cdwiegand's profile

New Contributor

 • 

3 Messages

Tuesday, August 6th, 2019 10:00 PM

Will Business Class actually support routing static IPv6 blocks?

I run a firewall between my network and the Comcast "cable modem", but I'm unable to get DHCPv6-PD to work, and I'm guessing Comcast has turned off DHCPv6 entirely from what I'm reading. If that's the case, how am I supposed to route my /64 (or "/56", but we really only get a /64, and I'd be happy with that, to be honest!) to my firewall if the Comcast "modem" keeps doing it for me? My firewall gets the public IP from the /64 block, but I want to route the /64 block to my firewall so I can run a secure network but have IPv6 use. And no, I refuse to use Comcast's own firewall, not gonna happen in a million years.

Advocate

 • 

1.1K Messages

5 years ago

Good morning, cdwiegand.

 

I appreciate you posting on your IPv6 inquiry. If you are subscribed to a static block, then you also have IPv6 available to you as well. You'll be able to view your IPv6 and IPv4 blocks through the business portal: https://business.comcast.com/help-and-support/internet/comcast-business-internet-view-your-static-ip-address/

New problem solver

 • 

10 Messages

5 years ago

@Comcast_phil You didn't answer his question. It was: "how am I supposed to route my /64".

 

The Comcast IPv6 support has been beyond frustrating. I can't get my internal IPv6 to route either.

Administrator

 • 

261 Messages

5 years ago

Your specific network configuration would not be within our demarcation; the information Phil provided is correct but any routing and firewalls that are not within our equipment would not be something we can speak to. I would be interested in any community input on this topic though and hope that the forum users jump in with suggestions.

 

Gina

New Contributor

 • 

3 Messages

5 years ago

Well, given that I have a rack in the H5 colocation facility down in DTC, I can speak to how it's done with Cogent and CenturyLink - you get a /112 (or similar) to route the real subnet, just like how in IPv4 land we get a /30 that we put both routers in, and the upstream router sends all traffic for "our" /24 (in IPv6 the /64 assigned) to our side's router IP in that /30 or /112 and we get the full subnet routed to us that way.

 

The way Comcast does it doesn't allow us to route any subnet to our own router/firewall - it naively assumes we're OK with using Comcast's router as our only firewall between our devices and the internet. I cannot do that, so we don't have IPv6 in our house. Perhaps we need a way to request an additional IPv6 block and then the ability to route it via your router to a static IPv6 address we can assign to our router? Or if your routers supported DHCP-PD then we could just get a /64 out of the /56 that's actually assigned? I've tried for months using a current-patched install of pfSense, as well as a current-patched Unifi USG - both common firewall systems, and have never gotten successful DHCP-PD negotiation to work with my Comcast-provided Cisco DPC3941B. If I could get a static IPv6 prefix, and have it routed to my firewall, though, then I could do my own internal addressing and still perform my own filtering that I require.
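The difference between the two designs described in the post above can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical and every address is constructed from the 2001:db8::/32 documentation prefix. It flags a plan in which the firewall's outside address sits inside the very /64 it is supposed to protect, and shows how a delegated /56 splits into inside /64s.

```python
import ipaddress as ip
from itertools import islice

def check_routed_plan(transit, upstream_addr, router_addr, routed):
    """Return a list of problems with a routed-prefix plan (empty = sound).

    transit       -- small link network shared by both routers (e.g. a /112)
    upstream_addr -- provider router's address on that link
    router_addr   -- customer firewall's outside address (the next hop)
    routed        -- prefix the provider routes to router_addr
    """
    link = ip.ip_network(transit)
    up = ip.ip_address(upstream_addr)
    gw = ip.ip_address(router_addr)
    inside = ip.ip_network(routed)
    problems = []
    if up not in link or gw not in link:
        problems.append("both routers need an address on the transit link")
    if up == gw:
        problems.append("upstream and customer router share one address")
    if inside.overlaps(link):
        # The gateway treats the prefix as directly attached, so hosts
        # behind the firewall are not reachable through a route.
        problems.append("routed prefix is on-link at the upstream gateway")
    if inside.prefixlen > 64:
        problems.append("inside prefix longer than /64 breaks SLAAC")
    return problems

def lan_subnets(delegated, count):
    """First `count` /64 networks carved from a delegated prefix."""
    net = ip.ip_network(delegated)
    return [str(n) for n in islice(net.subnets(new_prefix=64), count)]

# Constructed sample plans.
COLO_STYLE = ("2001:db8:ffff::/112", "2001:db8:ffff::1",
              "2001:db8:ffff::2", "2001:db8:1234::/64")
SHARED_LAN = ("2001:db8:1234::/64", "2001:db8:1234::1",
              "2001:db8:1234::2", "2001:db8:1234::/64")

if __name__ == "__main__":
    print("colo-style:", check_routed_plan(*COLO_STYLE))
    print("shared LAN:", check_routed_plan(*SHARED_LAN))
    print("from a /56:", lan_subnets("2001:db8:1234:5600::/56", 2))
```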

New problem solver

 • 

8 Messages

5 years ago

I feel your pain. I have a CGA4131COM after upgrading from 150 to 300 mbps service. I had a Netgear CG3000DCR with my 150 mbps service and IPv6 DHCP-PD worked flawlessly in routed mode with it with a Cisco ASA 5550 firewall for the outside interface and I could assign a static IPv6 address on my interior facing interfaces in the /59 block.

After the CGA4131COM was installed, everything broke. Nothing would route through the CGA4131COM unless I put it in bridge mode. Comcast wanted to replace the CGA4131COM with a DPC3941B, but a friend has that gateway with his business service and he had the same issues I did. So to be able to have useful IPv6 behind a Comcast Business gateway, and one can't use a CG3000DCR, goodbye static IPv4 addresses...bridge mode is the only way IPv6 DHCP-PD will work if you have a firewall or router behind it. The firmware on the Technicolor gateways needs to be fixed so that IPv6-PD will work as it does with the Netgear CG3000DCR.

Administrator

 • 

261 Messages

5 years ago

I'm so glad to see the community input here! This article may also be of use: https://business.comcast.com/help-and-support/internet/comcast-business-static-ip-local-area-network/

 

-Gina

New problem solver

 • 

8 Messages

5 years ago

Hi Gina,

 

The link that you posted is great for IPv4, but the issues here are with IPv6. It is disappointing that an old Netgear CG3000DCR will properly route IPv6 DHCP-PD and clients behind a firewall or router and the Technicolor gateways do not unless they are in bridge mode. It would be great if Comcast could upgrade the firmware on the Technicolor gateways to have the same IPv6 DHCP-PD function as the old Netgear gateway.

 

Administrator

 • 

261 Messages

5 years ago


@cdwiegand wrote:

I run a firewall between my network and the Comcast "cable modem", but I'm unable to get DHCPv6-PD to work, and I'm guessing Comcast has turned off DHCPv6 entirely from what I'm reading. If that's the case, how am I supposed to route my /64 (or "/56", but we really only get a /64, and I'd be happy with that, to be honest!) to my firewall if the Comcast "modem" keeps doing it for me? My firewall gets the public IP from the /64 block, but I want to route the /64 block to my firewall so I can run a secure network but have IPv6 use. And no, I refuse to use Comcast's own firewall, not gonna happen in a million years.


My two cents-- in order to manually route your IPv6 blocks to your firewall, you'll need to deactivate that mode in your Comcast modem. This is done by configuring passthrough mode on your gateway. This is done by disabling the firewall in the modem and then disabling IPv6 LAN Address assignment. This can be done on the modem settings of the Cisco BWG, Technicolor CBR, SMC 8014, SMC D3G, and the Netgear CG3000.

 

Ken