I'm losing my mind with static IPv6, a pool of addresses, and DHCP-PD.
September 21, 2016 5:37 PM

I'm one of those lucky, bleeding-edge people with Comcast's Gigabit Pro service (the symmetrical, 2Gb fiber service they've started rolling out for bragging rights, so they can say they have twice the speed of Google Fiber). It comes with fixed IPv4 and IPv6 addresses, and I'm having a hell of a time configuring the IPv6 portion in my router. Tech support is useless, even with the Comcast-supplied router. Can someone geekier than me help me out?

Unlike Comcast's regular cable service, IPv6 with this service is NOT just a matter of "set your router to 'native' and forget it," where Comcast just automagically hands you and all your devices IPv6 addresses dynamically, and you're good to go. You get a fixed /48 pool of addresses assigned to you (which I understand is a metric fuckton of addresses, to use the clinical term), and then you can have at it.

Gigabit Pro is a weird hybrid product — it's only available to residential customers, but it's supported and installed by Comcast's business/enterprise people. So their support is fast and good, sort of. But they expect you to have in-house IT staff and they don't really help you much. I'm reasonably geeky, but I'm not so well-versed on IPv6. From what I can tell through Google, etc., my router needs to hand out addresses from the pool using DHCP-PD (because it would be a nightmare having to statically configure all my various devices). Oddly enough, the only officially supported router (the one they provide) doesn't even have DHCP-PD, so I'll go back to my trusty Asus RT-AC66U, which does.

At first, this is the ONLY information I got about the link. I'm deliberately replacing a couple of portions with Z's and Y's for privacy (and I'm hoping that's sufficient):

IPV6 : 2001:ZZZZ:YYYY:1900::928/126

There was no WAY I could configure the router with that, so I emailed for more, and they emailed back with this:

IPv6 Allocated and Assigned IP Space:
IPv6 Assign to your Layer 3 device:
P2P IP: 2001:ZZZZ:YYYY:1900::928/126
Gateway Address: 2001:ZZZZ:YYYY:1900::929
Usable Address: 2001:ZZZZ:YYYY:1900::92A
Broadcast: 2001:ZZZZ:YYYY:1900::92B

DNS Servers:
Primary: 2001:558:FEED::1
Secondary: 2001:558:FEED::2

Now, here's the part that's killing me: How do I plug this into my router's IPv6 settings area?

There are a number of different ways to set up IPv6, and I've narrowed it down to a few. Here are screenshots of what I suspect are the most likely configuration methods. I've tried several different ways of pasting these numbers in, but nothing works. Some will result in a client (i.e., my laptop — a macOS machine) managing to fetch an IPv6 address, but no connectivity, no matter what. Always IPv4 only. Do I enter the trailing /126 or not? Or is it /48? What's this about LAN prefix and pool? I thought IPv6 was all about not needing NAT, so why would the LAN and WAN prefix/pool be two separate things? Shouldn't they be the same? (I ask because when I was messing with the Comcast-provided router, a Netgear, it gave me an error about the two pools being the same, saying they needed to be different. Uhhh, sounds like it's forcing me to NAT or something?)

Anyway, I'm pulling my hair out, and Comcast support keeps either talking over my head or giving me the "we don't support customer equipment" runaround (yes, EVEN WITH the Netgear they provide). If I tell the Netgear router to "auto-detect" (not an option with my Asus), it sets up a (very inefficient) 6to4 tunnel that is totally unconnected to the pool of IPv6 addresses I've been assigned, and that does me no good.

So . . . help? Many thanks.
posted by CommonSense to Computers & Internet
I thought IPv6 was all about not needing NAT, so why would the LAN and WAN prefix/pool be two separate things? Shouldn't they be the same?

Can't help with the specific configuration you need, but can probably at least clear that up for you.

One of the benefits (the only real benefit, I think) of NAT is that it forms a natural firewall: if the devices behind your NAT router don't actually have IP addresses that even exist on the wider Internet, then they can't be reached or probed or interfered with except via ports you specifically forward in your router.

With IPv6, all IP addresses are public and potentially routable. So instead of relying on NAT to create a natural firewall, an IPv6 router needs to do the firewalling explicitly: you create a range of IPv6 addresses for devices you don't want reachable from outside by default, use that for your LAN, and just tell your router not to forward any packets there that you didn't specifically allow.

It ends up looking and feeling a lot like NAT, in that you end up with some range of IP addresses that you can consider private to your own devices. The difference is that your private IP addresses are now not also used by anybody else in the world, so you never need to translate them; when you do actually need to set up connections between your devices and somebody else's, the other end will get your devices' individual IP addresses rather than a shared public-facing address belonging to your router.
posted by flabdablet at 6:27 PM on September 21, 2016 [1 favorite]

A /48 is a ton of addresses, but the /126 they describe is not. It's an absurdly small IPv6 address space. It has a single usable address. You obviously cannot give all your devices addresses in that space.

It seems like a /126 is typically used for an inter-router point-to-point link. Thus the "P2P IP" in their sparse instructions. Presumably the routers then do something else over that link to negotiate the actual /48 assignment. You might ask them what protocol your router is supposed to be speaking over this link. Or go back to the officially supported router and try to find a way to configure it for a P2P link and hope it knows the protocol to use.

(As for DHCP, you should not need it, though you could of course use it. With a /48, you have more than enough addresses for the router to simply broadcast the prefix and let devices generate addresses based on their MAC address.)
posted by joeyh at 7:56 PM on September 21, 2016

Just to add a little clarity: Comcast gives you a Juniper ACX2100 as your (I believe this is the term) Layer 2 device, and it actually has BOTH a 2Gb fiber handoff AND a 1Gb copper handoff. (So, yes, you are technically getting TWO preposterously fast links, for a total of 3Gb of bandwidth. Yes, it's completely batshit insane.) All of the info I pasted up above is for the 1Gb copper handoff (I'm not ready to set up the copper handoff right now, but there's a whole SEPARATE set of info for that — both IPv4 and IPv6).

I believe the P2P address you saw there is supposed to be assigned to the router that you set up "behind" the Juniper; that's where the /126 (and thus, one single usable address) comes in. The /48 is for all devices behind that router . . . I assume.

Yes, this is the Internet connection for a rowhouse in Baltimore. (To be fair, it's for business purposes and will soon be shoveling a crapload of data around.) It's crazy, I know. And I LOVE it. (I'd love it more if I could get the IPv6 part up and running, though . . . )
posted by CommonSense at 8:17 PM on September 21, 2016

You have the general idea right. Assign ::930/126 to your router's WAN port and set its IPv6 default route to 929. Assign a /64 out of the /48 to your router's LAN interface (it doesn't actually matter which part of the block you use, since Comcast is routing the whole thing to ::930) and enable either DHCPv6 or stateless autoconf to assign the addresses to hosts. DHCPv6 is better in that it can supply v6 DNS server addresses and such, and it doesn't expose your Ethernet MACs to the world, but either will work.
posted by wierdo at 9:13 PM on September 21, 2016

BTW, it's not likely that your Asus will actually route 1Gbps. It might since it isn't having to do NAT, but I doubt it will do more than 500Mbps or so.

I recommend either a Ubiquiti Edgerouter, or even better, a Mikrotik RB3011. The Edgerouter has a simpler web interface, but for more advanced stuff the Mikrotik is easier to configure than using the underlying Vyatta configs on the Edgerouter, IMO. The RB3011 has an SFP port so you can use the copper port and one of the fiber ports so you can get 1Gbps to two different segments (or team them for 2Gbps to a single segment, but any individual connection will be limited to 1Gbps). You have to step up to the Edgerouter Pro to get SFP ports on the Ubiquiti kit.

You could even get away with a $100 RB2011, but throughput will drop quickly as you add firewall rules. The 3011 will easily run a stateful firewall at 1Gbps, even with NAT.

Both will speak in terminology that Comcast will find easier to support.
posted by wierdo at 9:24 PM on September 21, 2016

Here's a start: https://imgur.com/a/qcf2J - you haven't actually posted all the information needed to fill it out completely.

There's actually two different IPv6 subnets involved here, the one that your WAN interface (a /126) and the gateway will communicate on, and the one that will be distributed to your local network (a /48). You've posted the information for the WAN interface, so that's what I filled out. The only missing piece of the puzzle is your "LAN IPv6 Address" - the router traditionally goes on the first usable IP in the network, so this address will be the network address of your /48 plus one. So if your 48 is something like 2001:abcd::/48 (or 2001:abcd::0/48 if they write it strangely), then you'd put 2001:abcd::1 in there.
posted by jordemort at 10:09 PM on September 21, 2016

Oh and you don't really need DHCP-PD, anything that supports IPv6 these days also supports SLAAC (stateless auto configuration) so you can just leave the Auto Configuration Setting at "Stateless" and IPv6-capable devices will discover your router and make up their own addresses without any manual intervention.
posted by jordemort at 10:12 PM on September 21, 2016
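An added worked example, not from anyone in this thread: a Python script that takes an allocation shaped like the Comcast email (P2P /126, gateway, usable address, routed /48) and produces the pieces wierdo and jordemort describe, plus the explicit LAN firewall flabdablet explains is needed once NAT is gone. It checks that the gateway and usable address really sit inside the /126, carves a /64 out of the /48 for the LAN, puts the router on prefix::1, refuses a LAN prefix that overlaps the WAN link (the condition behind the Netgear "pools must differ" error), and renders Linux `ip` commands, a radvd.conf for SLAAC, and an nftables ruleset. The prefixes 2001:db8:1:1900::/126 and 2001:db8:2::/48 are constructed documentation-range stand-ins for the redacted values; eth0/eth1 are assumed interface names; only the DNS servers are from the thread.

```python
"""Plan a static IPv6 deployment from an ISP allocation like the one in this thread.

Illustrative example: 2001:db8::/32 documentation prefixes stand in for the
redacted 2001:ZZZZ:YYYY:: values in the original post.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample allocation, mirroring the layout of the ISP's email.
SAMPLE_P2P = "2001:db8:1:1900::928/126"      # point-to-point link block
SAMPLE_GATEWAY = "2001:db8:1:1900::929"      # ISP side of the link
SAMPLE_USABLE = "2001:db8:1:1900::92a"       # customer router's WAN address
SAMPLE_DELEGATION = "2001:db8:2::/48"        # routed block for the LAN (assumed)
SAMPLE_DNS = ("2001:558:feed::1", "2001:558:feed::2")  # servers quoted in the thread


@dataclass
class Ipv6Plan:
    wan_address: ipaddress.IPv6Interface   # usable address with the /126 mask
    gateway: ipaddress.IPv6Address         # next hop for the default route
    lan_prefix: ipaddress.IPv6Network      # one /64 carved out of the /48
    lan_address: ipaddress.IPv6Interface   # router's LAN address, prefix ::1


def link_addresses(p2p: str) -> list:
    """All addresses in the point-to-point block; a /126 holds exactly four."""
    return [str(a) for a in ipaddress.ip_network(p2p, strict=True)]


def plan(p2p: str, gateway: str, usable: str, delegation: str,
         subnet_index: int = 0) -> Ipv6Plan:
    link = ipaddress.ip_network(p2p, strict=True)
    gw = ipaddress.ip_address(gateway)
    wan = ipaddress.ip_address(usable)
    if link.prefixlen != 126:
        raise ValueError("expected a /126 point-to-point block")
    if gw not in link or wan not in link or gw == wan:
        raise ValueError("gateway and usable address must be distinct and inside the /126")
    block = ipaddress.ip_network(delegation, strict=True)
    if block.prefixlen != 48:
        raise ValueError("expected a /48 delegation")
    if not 0 <= subnet_index < 2 ** 16:
        raise ValueError("a /48 contains 65536 /64s; index out of range")
    # The /64 index lands in the fourth hextet (bits 79..64) of the /48.
    lan_start = ipaddress.IPv6Address(int(block.network_address) + (subnet_index << 64))
    lan = ipaddress.IPv6Network(f"{lan_start}/64", strict=True)
    if lan.overlaps(link):
        raise ValueError("LAN prefix must not overlap the WAN link")
    router = ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(int(lan_start) + 1)}/64")
    return Ipv6Plan(ipaddress.IPv6Interface(f"{wan}/{link.prefixlen}"), gw, lan, router)


def render_ip_commands(p: Ipv6Plan, wan_if: str = "eth0", lan_if: str = "eth1") -> str:
    """Linux iproute2 equivalent of the router's WAN/LAN IPv6 settings."""
    return "\n".join([
        f"ip -6 addr add {p.wan_address} dev {wan_if}",
        f"ip -6 route add default via {p.gateway} dev {wan_if}",
        f"ip -6 addr add {p.lan_address} dev {lan_if}",
        "sysctl -w net.ipv6.conf.all.forwarding=1",
    ])


def render_radvd(p: Ipv6Plan, dns: tuple = SAMPLE_DNS, lan_if: str = "eth1") -> str:
    """radvd.conf advertising the /64 so hosts autoconfigure (SLAAC) and learn DNS."""
    return (
        f"interface {lan_if} {{\n"
        "    AdvSendAdvert on;\n"
        f"    prefix {p.lan_prefix} {{ AdvOnLink on; AdvAutonomous on; }};\n"
        f"    RDNSS {' '.join(dns)} {{ }};\n"
        "};\n"
    )


def render_nftables(wan_if: str = "eth0", lan_if: str = "eth1") -> str:
    """Explicit stateful firewall: with no NAT, unsolicited inbound must be dropped by policy."""
    return (
        "table ip6 fw {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        f'        iifname "{lan_if}" oifname "{wan_if}" accept\n'
        f'        iifname "{wan_if}" oifname "{lan_if}" ct state established,related accept\n'
        # Path MTU discovery and error reporting break if these ICMPv6 types are dropped.
        f'        iifname "{wan_if}" oifname "{lan_if}" icmpv6 type '
        "{ destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    deployment = plan(SAMPLE_P2P, SAMPLE_GATEWAY, SAMPLE_USABLE, SAMPLE_DELEGATION)
    print(render_ip_commands(deployment))
    print(render_radvd(deployment))
    print(render_nftables())
```

Running it prints the three config fragments for the sample allocation; pass `subnet_index` to pick a different /64 out of the /48 if you want to keep, say, the hextet used on the WAN link. The forward chain's default-drop policy is the explicit stand-in for what NAT used to do implicitly.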

jordemort: You got it! Between your explanation, wierdo's, one of the Comcast emails and some more hammering away, I was able to get it. I plugged in values based on both your advice, but things weren't working. Your advice about the LAN block got me a lot closer, but the problem was that I didn't have the LAN usable block info for the 1G fiber link; I only had it for the copper. I tried the copper info, thinking that'd work, but nope, no dice (since I'm using the copper handoff).

For the fiber, it was something something 59b, so I guessed that maybe it might be something something 58b for the copper, and sure enough, that was right. Suddenly, everything fell into place. And I have to say, the various websites used to test whether your IPv6 link is working loaded faster than I have ever, EVER seen them load. EVER. I'm talking about INSTANT. This is despite a horrendously botched upgrade of my MacBook Pro to Sierra earlier today (ugh, don't ask). Even despite that horrendous disaster, the pages almost seemed to load before I finished typing the URL.

You're brilliant. And for the record, you beat Comcast's supposedly top-notch enterprise tech support. I'm going to send them this URL to rub their noses in the fact that the anonymous Internet community, once again, came to the rescue while they failed. As usual.

(They're monopolist bastards, but the internet's damn fast, though, I'll give 'em that.)

I owe you folks a drink if you're ever in Baltimore!
posted by CommonSense at 10:50 PM on September 21, 2016

Oh, and wierdo: I was saving the good equipment for the fiber handoff. I've been looking into Mikrotik already, or perhaps rolling my own pfSense-based box for that. Then, if funds permitted, I'd "trickle down" and upgrade the router on the copper side as well. The Asus was left over from the cable modem connections and I figured I'd use it temporarily while I had it lying around, until something better came along.

Ubiquiti appeals to me; I recently put in one of their 802.11ac access points, and I've heard good things about their EdgeRouter series. All of the devices you've named are most definitely on my radar. Thanks!
posted by CommonSense at 10:53 PM on September 21, 2016

Edgerouter is fine, it's just slower than a RB3011 once you load it down with firewall rules, a VPN server, and so forth, and is more of a PITA to do really advanced configuration on since you have to drop to a command line to do it. I'm sure if I familiarized myself more with Vyatta, I'd be able to make it do anything the Mikrotik can do.

I do prefer Ubiquiti's APs to the Mikrotik gear, though. It's just the routers I don't particularly care for.

Congrats on the 2Gb, by the way. I'd kill for even 200Mb. ;) (Both Comcast and at&t have gigabit service in my market, but not at my address) Could be worse, though, at least at&t's v6 service works, unlike when I had Comcast until late last year.
posted by wierdo at 2:36 AM on September 22, 2016
