New Member
Posts: 12
Registered: ‎09-26-2010
Kudos: 14

Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

I took a look at this forum when attempting to get IPv6 connectivity established with Comcast on my home network. I didn't really find a clear solution, so I thought I'd post the changes required to a stock config to get IPv6 running. This includes requesting a /64 prefix from the ISP and distributing on your local network.

 

Since EdgeOS 1.6.0 supports prefix delegation and identity associations, it's really easy to get working. If you are not familiar with IPv6 prefix delegation, the RFC is actually a good place to look to understand the truth. The following instructions, I think, require EdgeOS 1.6.0 at a minimum to work.

 

Assumptions

 

 eth0 = LAN interface

 eth1 = Comcast facing interface (ISP)

 

Config Modifications (enter via CLI)

 

 # Enable your Comcast-facing interface to request an IPv6 prefix assignment via DHCPv6
 # Tell Comcast that you would like a /64 prefix to delegate to an internal interface (eth0) via a DHCPv6 Identity Association (IA_PD)
 set interfaces ethernet eth1 dhcpv6-pd pd 0
 set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth0
 set interfaces ethernet eth1 dhcpv6-pd pd 0 prefix-length 64

 # Set up your LAN-facing interface to send router advertisements and distribute IPv6 addresses from the /64 prefix Comcast assigned.
 set interfaces ethernet eth0 ipv6 router-advert prefix ::/64
 set interfaces ethernet eth0 ipv6 router-advert managed-flag true

 

 

Notes

 

  • Once you commit these commands Comcast will assign a /128 IP address to eth1. 
  • You will also receive a /64 IP address representing the IPv6 prefix (or network) they have routed via the /128 address assigned to your eth0 interface (who needs NAT with IPv6?)
  • You will only see the /128 IPv6 address in the web UI, however the /64 is visible from the CLI (UBNT please fix)

Updates

 

  • 8/28/15: Per powerofmoy, it seems that ipv6 router-advert managed-flag true is required on later versions of EdgeOS to get address assignment working. Thanks!

ubnt@ubnt:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         172.16.1.1/24                     u/u  inside
             2601:9:6800:4de:26a4:3cff:fe05:de18/64
eth1         24.6.90.133/21                    u/u  outside
             2001:558:6045:df:3c22:f782:1bb2:2952/128
eth2         -                                 u/D
lo           127.0.0.1/8                       u/u
             ::1/128

ubnt@ubnt:~$ show ipv6 route
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
       I - ISIS, B - BGP, * - FIB route.

K>* ::/0 via fe80::201:5cff:fe24:3181, eth1
C>* ::1/128 is directly connected, lo
C>* 2001:558:6045:df:3c22:f782:1bb2:2952/128 is directly connected, eth1
C>* 2601:9:6800:4de::/64 is directly connected, eth0
C * fe80::/64 is directly connected, eth1
C>* fe80::/64 is directly connected, eth0
 

From this point all of your IPv6 enabled devices should pickup their IPv6 addresses and you should have full IPv6 connectivity to the internet.

 

Andrews-iMac:~ aschwabe$ ping6 www.netflix.com
PING6(56=40+8+8 bytes) 2601:9:6800:4de:4508:e728:8155:dbd9 --> 2620:108:700f::36f5:681f
16 bytes from 2620:108:700f::36f5:681f, icmp_seq=0 hlim=48 time=35.050 ms
16 bytes from 2620:108:700f::36f5:681f, icmp_seq=1 hlim=48 time=35.581 ms
16 bytes from 2620:108:700f::36f5:681f, icmp_seq=2 hlim=48 time=35.136 ms
16 bytes from 2620:108:700f::36f5:681f, icmp_seq=3 hlim=48 time=34.340 ms
16 bytes from 2620:108:700f::36f5:681f, icmp_seq=4 hlim=48 time=33.590 ms

 

Good luck!

 

New Member
Posts: 12
Registered: ‎05-06-2014

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

Any chance there are any firewall setups that could accompany this? I would like to have IPv6; I had it with Comcast prior to changing out my router. However, this part I can figure out; it's the rest of the firewall configuration I would like to get correct as well before enabling IPv6. Any help would be much appreciated.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3136
Solutions: 945
Contributions: 16

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

Here's my sample Comcast IPv6 config - link.

EdgeMAX Router Software Development
Emerging Member
Posts: 96
Registered: ‎12-09-2013
Kudos: 27

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

Tested and works. Now how do I enable the firewall so my machines are not accessible by the whole world?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3136
Solutions: 945
Contributions: 16

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

The firewall in the config I posted above will prevent remote access unless it is initiated from the LAN side.

EdgeMAX Router Software Development
New Member
Posts: 16
Registered: ‎08-07-2015
Kudos: 3
Solutions: 2

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

So I set this (and followed UBNT-stig's config a bit) but I'm not receiving the /64 address on my internal LAN side interface. Any ideas?

 

Relevant config below:

 ethernet eth0 {
     address <redacted>
     description outside
     dhcp-options {
         name-server no-update
     }
     dhcpv6-pd {
         pd 0 {
             interface eth1 {
                 host-address ::1
                 prefix-id :1
                 service slaac
             }
             prefix-length 60
         }
         rapid-commit enable
     }
     duplex auto
     firewall {
         in {
             name WAN_IN
         }
         local {
             name WAN_LOCAL
         }
     }
     ipv6 {
         router-advert {
             prefix ::/64 {
             }
         }
     }
     speed auto
 }
ethernet eth1 {
     address 192.168.1.1/24
     address 192.168.2.1/24
     description inside
     duplex auto
     ipv6 {
         router-advert {
             prefix ::/64 {
             }
         }
     }
     speed auto
 }
Established Member
Posts: 1,420
Registered: ‎10-01-2014
Kudos: 701
Solutions: 67

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

The only difference I can see at a quick glance between my working configuration and yours, is the "/" before the prefix length. Are there any firewall rules that might be blocking Comcast's ICMPv6 and their DHCPV6 server to local (router)?

 

        dhcpv6-pd {
            no-dns
            pd 0 {
                interface eth0 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth0.2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                interface eth0.3 {
                    host-address ::1
                    prefix-id :3
                    service slaac
                }
                interface eth0.4 {
                    host-address ::1
                    prefix-id :4
                    service slaac
                }
                interface eth0.5 {
                    host-address ::1
                    prefix-id :5
                    service slaac
                }
                interface eth0.6 {
                    host-address ::1
                    prefix-id :6
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :7
                    service slaac
                }
                prefix-length /60
            }
            rapid-commit enable
        }

This is my ruleset from External (WAN) to local (router) - note rules 510 and 7000:

 

    ipv6-name ipv6-ext-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid packets"
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "Drop IPv6 bogons"
            source {
                group {
                    ipv6-network-group ipv6Bogons
                }
            }
        }
        rule 500 {
            action drop
            description "Block IPV6-ICMP ping from the Internet"
            icmpv6 {
                type ping
            }
            protocol ipv6-icmp
        }
        rule 510 {
            action accept
            description "Allow IPV6-ICMP"
            limit {
                burst 1
                rate 50/minute
            }
            protocol ipv6-icmp
        }
        rule 3000 {
            action drop
            description "Drop brute force SSH from Internet"
            destination {
                port ssh
            }
            protocol tcp
            recent {
                count 3
                time 30
            }
        }
        rule 3100 {
            action accept
            description "Allow SSH"
            destination {
                port ssh
            }
            protocol tcp
        }
        rule 7000 {
            action accept
            description "Allow DHCPV6 responses from ISP"
            destination {
                port dhcpv6-client
            }
            protocol udp
            source {
                port dhcpv6-server
            }
        }
    }

 

Please help the community find useful posts and solutions by using the "Kudos" and "Accept as Solution" buttons!
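The ruleset in the post above is evaluated in rule-number order with the first match deciding, so the sketch below walks a few inbound packets through it to show why rules 510 and 7000 matter under default-action drop. It is an added example, not code from any poster or from EdgeOS; the packet dictionaries are constructed, and the limit, recent and bogon-group matches are left out as noted in the comments.

```python
# Added example: first-match evaluation of the ipv6-ext-local rules posted above.
# Assumptions: conntrack state is supplied per packet; the "limit" on rule 510
# and the "recent" rule 3000 are not modelled; rule 3 is left out because the
# contents of the ipv6Bogons group are not shown in the thread.

RULES = [  # (rule number, action, match fields), evaluated in ascending order
    (1,    "accept", {"state": {"established", "related"}}),
    (2,    "drop",   {"state": {"invalid"}}),
    (500,  "drop",   {"proto": "ipv6-icmp", "icmp_type": "echo-request"}),
    (510,  "accept", {"proto": "ipv6-icmp"}),
    (3100, "accept", {"proto": "tcp", "dport": 22}),
    (7000, "accept", {"proto": "udp", "sport": 547, "dport": 546}),
]
DEFAULT_ACTION = "drop"  # default-action drop


def matches(match, pkt):
    """True when every field named in the rule agrees with the packet."""
    for field, want in match.items():
        have = pkt.get(field)
        if isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def evaluate(pkt, rules=RULES):
    """Return (rule number or None, action) for the first matching rule."""
    for number, action, match in rules:
        if matches(match, pkt):
            return number, action
    return None, DEFAULT_ACTION


def without(rule_number):
    """The same ruleset with one rule deleted."""
    return [r for r in RULES if r[0] != rule_number]


# Constructed sample packets arriving on the WAN interface for the router.
# The DHCPv6 reply is "new": the client's Solicit went to a multicast address,
# so connection tracking cannot pair the server's unicast answer with it.
DHCPV6_REPLY = {"proto": "udp", "sport": 547, "dport": 546, "state": "new"}
ROUTER_ADVERT = {"proto": "ipv6-icmp", "icmp_type": "router-advertisement", "state": "new"}
PING = {"proto": "ipv6-icmp", "icmp_type": "echo-request", "state": "new"}
TELNET_SYN = {"proto": "tcp", "dport": 23, "state": "new"}

if __name__ == "__main__":
    for name, pkt in [("DHCPv6 reply", DHCPV6_REPLY), ("router advert", ROUTER_ADVERT),
                      ("ping", PING), ("telnet SYN", TELNET_SYN)]:
        print(f"{name:14} full ruleset: {evaluate(pkt)}")
    print("DHCPv6 reply, rule 7000 removed:", evaluate(DHCPV6_REPLY, without(7000)))
    print("router advert, rule 510 removed:", evaluate(ROUTER_ADVERT, without(510)))
```

This ruleset is bound in the local direction, so it protects the router itself; traffic forwarded to LAN hosts is filtered by whatever ipv6-name ruleset is bound to the WAN interface's in direction.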
New Member
Posts: 16
Registered: ‎08-07-2015
Kudos: 3
Solutions: 2

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

Thank you for the prompt response. 

 

There are almost no firewall rules, and none that should be blocking it. Can I turn off the firewall without removing existing rules in order to test?

 

I will remove the / in the ::/64 and report back.

 

EDIT: An update: replacing prefix-length ::/64 with prefix-length ::64 did not do it. 

These are the settings for your WAN interface, yes? What does your internal (LAN side) interface config look like? 

My router is properly getting an IPv6 address, and is working on an IPv6 internet. I can ping6 things (that have IPv6 addresses) successfully all day long, but the router is not advertising anything in the appropriate range to the LAN.

 

Mine is below:

admin@ubnt# show interfaces ethernet eth1
 address 192.168.1.1/24
 address 192.168.2.1/24
 description inside
 duplex auto
 ipv6 {
     router-advert {
         prefix ::/64 {
         }
     }
 }
 speed auto

Must I remove the / from that prefix as well? I'm very new to IPv6, but trying to get ahead of the curve.

Established Member
Posts: 1,420
Registered: ‎10-01-2014
Kudos: 701
Solutions: 67

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

You can always delete ruleset allocation in the interface, however, I hate lowering "shields", so if you're confident nothing is blocking, just 'set enable-default-log' for the key rule set (WAN to Local) and then check the logs after a dhcp renew. Also, you may have to delete the DUID.

 

release dhcpv6-pd interface eth1
delete dhcpv6-pd duid
renew dhcpv6-pd interface eth1

 

New Member
Posts: 16
Registered: ‎08-07-2015
Kudos: 3
Solutions: 2

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

Release, deleted duid, renewed, no go. How do I enable-debug-log for (what I assume is the firewall rule)? Sorry, am newbie.

Established Member
Posts: 1,420
Registered: ‎10-01-2014
Kudos: 701
Solutions: 67

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

If you use the CLI:

set firewall name <rule name for WAN-Local> enable-default-log

Tab completion is your friend.

New Member
Posts: 1
Registered: ‎05-07-2015
Kudos: 2

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

I'm a first time commenter on these forums.  What worked for me was setting the configuration consistent with this command.  (Hopefully I got this right, since I'm not at home where my ERL resides at the moment)

 

set interfaces ethernet eth0 ipv6 router-advert managed-flag true

 

In my setup, I've also set the respective host-address, prefix-id, and service parameters as blank for the interfaces under "pd 0".  My config is consistent with the original post plus the managed-flag parameter here.

 

I managed to derive this via the following two online references:

https://github.com/irvingpop/edgemax-dhcpv6-pd-wizard

 

http://community.arubanetworks.com/t5/Controller-Based-WLANs/Explain-the-M-and-O-bit-in-IPv6-DHCP-se...

 

I've confirmed that two clients on my network (OS X with 10.10.3 and Win10 Home) obtain "non-SLAAC" IPv6 addresses.  Moreover, online IPv6 tests pass using Chrome.

 

good luck

 

roy

 

New Member
Posts: 16
Registered: ‎08-07-2015
Kudos: 3
Solutions: 2

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

Current configuration:

 

admin@ubnt# show interfaces 
 ethernet eth0 {
     address <redacted>
     description outside
     dhcp-options {
         name-server no-update
     }
     dhcpv6-pd {
         pd 0 {
             interface eth1 {
             }
             prefix-length 64
         }
     }
     duplex auto
     firewall {
         in {
             name WAN_IN
         }
         local {
             name WAN_LOCAL
         }
     }
     speed auto
 }
 ethernet eth1 {
     address 192.168.1.1/24
     address 192.168.2.1/24
     description inside
     duplex auto
     ipv6 {
         router-advert {
             managed-flag true
             prefix ::/64 {
             }
         }
     }
     speed auto
 }

Should I be seeing a /64 assigned to my internal interface (in my case, eth1)? I do not.

admin@ubnt# run show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         address redacted                  u/u  outside                     
             2601:200:4301:6b00::d635/128     
eth1         192.168.1.1/24                    u/u  inside                      
             192.168.2.1/24                   

Thank you very much for the additional help.

 

Established Member
Posts: 1,420
Registered: ‎10-01-2014
Kudos: 701
Solutions: 67

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

Here's my PD config, you might want to try setting your prefix to /60, here is my config (includes my vlans PD assignments etc.):

 

        dhcpv6-pd {
            no-dns
            pd 0 {
                interface eth0 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface eth0.2 {
                    host-address ::1
                    prefix-id :2
                    service slaac
                }
                interface eth0.3 {
                    host-address ::1
                    prefix-id :3
                    service slaac
                }
                interface eth0.4 {
                    host-address ::1
                    prefix-id :4
                    service slaac
                }
                interface eth0.5 {
                    host-address ::1
                    prefix-id :5
                    service slaac
                }
                interface eth0.6 {
                    host-address ::1
                    prefix-id :6
                    service slaac
                }
                interface eth2 {
                    host-address ::1
                    prefix-id :7
                    service slaac
                }
                prefix-length /60
            }
            rapid-commit enable
        }
Established Member
Posts: 1,420
Registered: ‎10-01-2014
Kudos: 701
Solutions: 67

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

BTW, I tried your configuration, but got this error message - maybe because I'm running v1.7.0:

 

prefix-id must be less than :: for prefix /64
Commit failed

However, you have been assigned an IPv6 /128 address, which is the same output I have. My internal interfaces have /64 delegated IPv6 addresses from Comcast.

Please help the community find useful posts and solutions by using the "Kudos" and "Accept as Solution" buttons!
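The arithmetic behind prefix-id, prefix-length and host-address in the configs above, worked through as an added example (not code from any poster or from EdgeOS). It assumes each LAN gets a /64 and that prefix-id is a hexadecimal subnet number, and it uses constructed prefixes from the 2001:db8::/32 documentation range: a /60 leaves 4 bits for prefix-id, while a /64 leaves none, which fits the commit error quoted above.

```python
import ipaddress

# Added example: how a delegated prefix is split into per-interface /64s.
# Assumption: prefix-id is read as a hexadecimal subnet number (":1" -> 1);
# the ids used in this thread (:1 to :7) mean the same in hex or decimal.


def prefix_id_bits(delegated):
    """Bits available for prefix-id when each LAN gets a /64."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64")
    return 64 - net.prefixlen


def lan_assignment(delegated, prefix_id=":0", host_address="::1"):
    """Return (LAN /64, router address) for one 'interface' entry under 'pd'."""
    net = ipaddress.IPv6Network(delegated)
    bits = prefix_id_bits(delegated)
    pid = int(prefix_id.lstrip(":") or "0", 16)
    if pid >= (1 << bits):
        raise ValueError(f"prefix-id {prefix_id} does not fit in {bits} bit(s) of {net}")
    # The subnet number sits directly above the 64-bit interface identifier.
    base = int(net.network_address) | (pid << 64)
    subnet = ipaddress.IPv6Network((base, 64))
    router = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(host_address)))
    return subnet, router


if __name__ == "__main__":
    # Constructed prefixes from the 2001:db8::/32 documentation range.
    for pid in (":1", ":2", ":7"):
        print("/60", pid, *lan_assignment("2001:db8:0:10::/60", pid))
    print("/64 :0", *lan_assignment("2001:db8:0:4de::/64", ":0"))
    try:
        lan_assignment("2001:db8:0:4de::/64", ":1")
    except ValueError as exc:
        print("/64 :1 rejected:", exc)
```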
Established Member
Posts: 1,420
Registered: ‎10-01-2014
Kudos: 701
Solutions: 67

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

For eth1, try the configuration I have for my eth0 to get an address assigned. It should look like this for your configuration:

 

 

dhcpv6-pd {
    pd 0 {
        interface eth1 {
            host-address ::1
            prefix-id :1
            service slaac
        }
        prefix-length 64
    }
}

 

New Member
Posts: 12
Registered: ‎09-26-2010
Kudos: 14

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

powerofmoy,

 

Thanks for the update on the setting router-advert managed-flag!

 

I updated to EdgeOS 1.7.0 and IPv6 stopped working without this setting. I've added your comment to the original example at the top of the thread.

 

Many thanks!

Emerging Member
Posts: 74
Registered: ‎11-22-2013
Kudos: 24
Solutions: 1

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

In 1.8.0a2 CPU jumps to 100% when I put in the following commands.

 

 set interfaces ethernet eth1 dhcpv6-pd pd 0

 set interfaces ethernet eth1 dhcpv6-pd pd 0 interface eth2

 set interfaces ethernet eth1 dhcpv6-pd pd 0 prefix-length 64 

 

I believe there is a problem with dhcpv6-pd. After rebooting my eth1 (WAN) interface is no longer listed in the GUI and I have to manually set the interface via CLI.

 

I also find the same issue in 1.7.0

 

Once I remove my ipv6 settings from eth1 CPU goes back down to normal.

 

ethernet eth1 {
     address dhcp
     dhcpv6-pd {
         pd 0 {
             interface eth2 {
                 service slaac
             }
             prefix-length 64
         }
     }
 }
New Member
Posts: 12
Registered: ‎09-26-2010
Kudos: 14

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

FWIW I'm running 1.7.0 with these settings and my CPU is at 6% while pulling down 6Mbps...

 

Emerging Member
Posts: 74
Registered: ‎11-22-2013
Kudos: 24
Solutions: 1

Re: Comcast Residential IPv6 with EdgeOS 1.6.0 on EdgeRouter Lite

[ Edited ]

That is weird, I wonder if it is because of how my ISP does DHCP (I am with Telus). Hopefully UBNT can help.

 

More digging, top shows tons of dhcp-pd processes running

 

11908 root      20   0 11896 5920 3108 R   3.7  1.2   0:01.28 dhcpv6-pd-respo
11910 root      20   0 11764 5868 3108 R   3.7  1.2   0:01.29 dhcpv6-pd-respo
11955 root      20   0 10564 4648 2904 R   3.7  0.9   0:00.73 dhcpv6-pd-respo
11959 root      20   0 10300 4464 2896 R   3.7  0.9   0:00.67 dhcpv6-pd-respo
11961 root      20   0 10432 4520 2900 R   3.7  0.9   0:00.68 dhcpv6-pd-respo
12002 root      20   0  5540 2764 1824 R   3.7  0.6   0:00.31 vyatta_gen_radv
12010 root      20   0  5144 2404 1800 R   3.7  0.5   0:00.18 dhcpv6-pd-respo
12012 root      20   0  5144 2384 1800 R   3.7  0.5   0:00.18 dhcpv6-pd-respo
11882 root      20   0 13012 6816 3180 R   3.5  1.4   0:01.63 dhcpv6-pd-respo
11885 root      20   0 12880 6768 3180 R   3.5  1.4   0:01.59 dhcpv6-pd-respo
11887 root      20   0 12664 6588 3160 R   3.5  1.3   0:01.52 dhcpv6-pd-respo
11891 root      20   0 12748 6644 3180 R   3.5  1.3   0:01.53 dhcpv6-pd-respo
11894 root      20   0 12532 6436 3160 R   3.5  1.3   0:01.45 dhcpv6-pd-respo
11899 root      20   0 12532 6408 3160 R   3.5  1.3   0:01.43 dhcpv6-pd-respo
11905 root      20   0 12400 6248 3160 R   3.5  1.3   0:01.37 dhcpv6-pd-respo
11912 root      20   0 11764 5800 3108 R   3.5  1.2   0:01.25 dhcpv6-pd-respo
11914 root      20   0 11632 5644 3104 R   3.5  1.1   0:01.17 dhcpv6-pd-respo
11916 root      20   0 11632 5684 3104 R   3.5  1.1   0:01.17 dhcpv6-pd-respo
11927 root      20   0 11368 5384 3076 R   3.5  1.1   0:01.03 dhcpv6-pd-respo
11929 root      20   0 11368 5400 3076 R   3.5  1.1   0:01.02 dhcpv6-pd-respo
11945 root      20   0 10792 4852 2952 R   3.5  1.0   0:00.82 dhcpv6-pd-respo
11948 root      20   0 10792 4876 2952 R   3.5  1.0   0:00.81 dhcpv6-pd-respo
11951 root      20   0 10792 4832 2948 R   3.5  1.0   0:00.78 dhcpv6-pd-respo

 

 

This post resolved the issue for me https://community.ubnt.com/t5/EdgeMAX/Multiple-dhcpv6-pd-response-pl-processes/td-p/1107003
