IPv6 Routing Problems

johnlutheran
Level 1

Just as a sanity check - I have IPv4 routing working well. Now I am trying to run dual stack and route IPv6.

 

I have a static /56 and it is configured on my 3560g. I can ping ipv6 ipv6.google.com, etc.

Hosts on all VLANs are getting IPv6 addresses from the switch. I can ping6 from clients to the switch and beyond to the LAN/WAN interfaces on the router. I cannot ping6 out to the internet at all.

 

Here's my config:  

Current configuration : 6891 bytes
!
! Last configuration change at 09:49:21 CDT Mon Sep 3 2018
! NVRAM config last updated at 09:49:22 CDT Mon Sep 3 2018
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 3560g
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 Thisiswherethepasswordhashwouldbe
!
no aaa new-model
clock timezone MST -7 0
clock summer-time CDT recurring
system mtu routing 1500
vtp interface vlan11
ip routing
ip domain-name iroquois.lan
ip name-server 10.200.0.1
!
!
!
ipv6 unicast-routing
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-795879168
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-795879168
revocation-check none
rsakeypair TP-self-signed-795879168
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/24
description To Router
no switchport
ip address 172.16.0.253 255.255.255.0
ipv6 address xxxx:xxxx:xx:C0FF::253/64
ipv6 enable
!
interface GigabitEthernet0/25
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/27
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan6
ip address 172.16.6.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C001::254/64
ipv6 enable
!
interface Vlan10
ip address 172.16.10.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C002::254/64
ipv6 enable
!
interface Vlan11
ip address 10.200.0.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C003::254/64
ipv6 enable
!
interface Vlan20
ip address 172.16.20.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C004::254/64
ipv6 enable
!
interface Vlan30
ip address 172.16.30.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C005::254/64
ipv6 enable
!
interface Vlan40
ip address 172.16.40.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C006::254/64
ipv6 enable
!
interface Vlan50
ip address 172.16.50.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C007::254/64
ipv6 enable
!
interface Vlan60
ip address 172.16.60.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C008::254/64
ipv6 enable
!
interface Vlan70
ip address 172.16.70.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C009::254/64
ipv6 enable
!
interface Vlan80
ip address 172.16.80.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00A::254/64
ipv6 enable
!
interface Vlan90
ip address 172.16.90.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00B::254/64
ipv6 enable
!
interface Vlan100
ip address 172.16.100.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00C::254/64
ipv6 enable
!
interface Vlan110
ip address 172.16.110.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C00D::254/64
ipv6 enable
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 172.16.0.254
ip route 10.1.10.0 255.255.255.0 172.16.0.254
!
logging host 10.200.0.50
ipv6 route ::/0 GigabitEthernet0/24 xxxx:xxxx:xx:C0FF::254
!
!
snmp-server community public RO
snmp-server enable traps vtp
snmp-server host 172.16.10.252 version 2c public
!
vstack
!
line con 0
line vty 0 4
password
login
line vty 5 15
password
login
!
ntp master 1
ntp server 172.16.0.254
end

What did I forget? This is driving me crazy.

 

27 Replies

Hi John,

 

Well the first /64 would be xxxx:xxxx:xx:c000::/64, right? And the only /64 that seems to work in your case is xxxx:xxxx:xx:c0ff::/64. Can you verify what is the prefix you get from DHCP /64 or /56?

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Yeah, you're right. I'm absolutely positive Comcast is saying that I have a /56.

 

I want to blame Comcast's routing on their equipment, but that would mean that none of my subnets would work. The fact that I can get c0ff to work on the switch means that there's routing happening.

Then, like you, I'd immediately start to doubt the /56 really exists.

 

Here's the info from Comcast's site:

[image: static2.png]

Here's the information from pfSense:

pfSense - Netgate Device ID: dfgdrg90i4509yrogihj4509yudeo

*** Welcome to pfSense 2.4.3-RELEASE-p1 (amd64) on pfSense ***

WAN (wan) -> igb0 -> v4: xx.xx.17.177/30
v6/DHCP6: xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4/64
LAN (lan) -> igb1 -> v4: 172.16.0.254/16
v6: xxxx:xxxx:xx:c0ff::254/64

Here's what the Comcast device says:

Internet:Active
Local time:2018-09-04 05:37:34
System Uptime: 7 days 5h: 15m: 26s
WAN IP Address (IPv4): xx.xx.17.178
WAN Default Gateway Address (IPv4): xx.xx.56.1
WAN IP Address (IPv6): xxxx:xxxx:xxxx:1:54a5:b8d6:b9cf:575d
WAN Default Gateway Address (IPv6): fe80::267e:12ff:fef0:d822
Delegated prefix (IPv6): xxxx:xxxx:xx:c000::/56
Primary DNS Server (IPv4): 75.75.75.75
Secondary DNS Server (IPv4):75.75.76.76
Primary DNS Server (IPv6):2001:558:feed::1
Secondary DNS Server (IPv6):2001:558:feed::2
WAN Link Local Address (IPv6): fe80::fe91:14ff:fec8:d068
DHCP Client (IPv4):Enabled
DHCP Client (IPv6): Enabled
DHCP Lease Expire Time (IPv4): 3d:2h:47m
DHCP Lease Expire Time (IPv6): 0d:1h:0m
WAN MAC:FC:91:14:C8:D0:68
CM MAC:FC:91:14:C8:D0:66

Thanks for the information. The issue is a lot more clear now. The one that gets the /56 is not your PFsense device, but the Comcast CPE device. On the PFsense, you only get the /64 provided through Stateless Address AutoConfiguration (SLAAC).

 

I'm not even sure how you get the ping/traceroute to work with xxxx:xxxx:xx:c0ff::/64, as this subnet is not really passed from the Comcast CPE to the PFsense. It could be that the PFsense device is doing NAT from this /64 to the external one.

 

The ideal would be to use the PFsense device as the CPE as you have total control over it, which is not the case for the Comcast CPE.

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
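Harold's point above, that the /56 is delegated to the Comcast CPE while pfSense only ever holds a SLAAC /64 on WAN and the statically configured c0ff::/64 on LAN, can be checked mechanically. The script below is an added example, not code from the thread, from Cisco or from the pfSense project. It parses a constructed stand-in for the 3560g config (the documentation prefix 2001:db8:0 replaces the redacted xxxx:xxxx:xx, and only four of the SVIs are included), verifies that the switch's default route has an on-link next hop, and then reports, for every VLAN /64, whether it sits inside the delegated /56 and whether any prefix the edge device actually holds covers it. The delegated block and pfSense prefixes are taken from the console output posted above, with the same stand-in substitution.

```python
"""Added example (not from the thread): check the switch's IPv6 routing
config and compare its VLAN /64s with what the edge device actually holds.

The thread's xxxx:xxxx:xx prefix is redacted, so the documentation
prefix 2001:db8:0 stands in for it below; all values are constructed to
mirror the posted configs, not copied from a live device."""
import ipaddress
import re

# Constructed stand-in for the 3560g config posted in the thread
# (three of the VLAN SVIs, the uplink to the router and the default route).
SWITCH_CONFIG = """\
interface GigabitEthernet0/24
 ipv6 address 2001:db8:0:c0ff::253/64
interface Vlan6
 ipv6 address 2001:db8:0:c001::254/64
interface Vlan10
 ipv6 address 2001:db8:0:c002::254/64
interface Vlan110
 ipv6 address 2001:db8:0:c00d::254/64
ipv6 route ::/0 GigabitEthernet0/24 2001:db8:0:c0ff::254
"""

# What the Comcast CPE and the pfSense console reported, with the same
# stand-in prefix: the /56 lives on the CPE; pfSense has a SLAAC /64 on
# WAN (the first /64 of the block) and a static /64 on LAN (the last one).
DELEGATED_56 = ipaddress.IPv6Network("2001:db8:0:c000::/56")
PFSENSE_PREFIXES = [
    ipaddress.IPv6Interface("2001:db8:0:c000:21b:21ff:fe74:6ba4/64").network,
    ipaddress.IPv6Interface("2001:db8:0:c0ff::254/64").network,
]


def parse_config(text):
    """Return ({interface: [IPv6Interface, ...]}, [(prefix, exit_if, next_hop)]).

    Only the 'ipv6 route <prefix> <exit-interface> <next-hop>' form used in
    the thread is recognised."""
    ifaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, [])
            continue
        m = re.match(r"ipv6 address (\S+)$", line)
        if m and current:
            ifaces[current].append(ipaddress.IPv6Interface(m.group(1)))
            continue
        m = re.match(r"ipv6 route (\S+) (\S+) (\S+)$", line)
        if m:
            routes.append((ipaddress.IPv6Network(m.group(1)), m.group(2),
                           ipaddress.IPv6Address(m.group(3))))
    return ifaces, routes


def next_hop_on_link(ifaces, routes):
    """For each static route: is the next hop inside a prefix configured on
    the exit interface? A static route whose next hop is not on-link never
    installs, so this is the first thing to rule out on the switch itself."""
    return {
        str(prefix): any(nh in i.network for i in ifaces.get(exit_if, []))
        for prefix, exit_if, nh in routes
    }


def classify_prefixes(ifaces, delegated, edge_prefixes):
    """For each interface /64 return (inside the delegated /56?, covered by a
    prefix the edge device actually holds?). A /64 that is 'inside' but not
    'covered' is numbered correctly, yet nothing upstream of the switch has a
    route for it, which is the situation Harold describes."""
    result = {}
    for name, addrs in ifaces.items():
        for a in addrs:
            net = a.network
            result[name] = (net.subnet_of(delegated),
                            any(net.subnet_of(p) for p in edge_prefixes))
    return result


def usable_64s(delegated):
    """Number of /64s a delegated block contains (256 for a /56)."""
    return sum(1 for _ in delegated.subnets(new_prefix=64))


if __name__ == "__main__":
    ifaces, routes = parse_config(SWITCH_CONFIG)
    print("next hop on-link:", next_hop_on_link(ifaces, routes))
    print("/64s in the /56:", usable_64s(DELEGATED_56))
    for name, (inside, covered) in classify_prefixes(
            ifaces, DELEGATED_56, PFSENSE_PREFIXES).items():
        print(f"{name:22} in /56={inside!s:5} routed to edge={covered}")
```

Run as-is, the switch side comes out clean (the ::/0 next hop is on-link via GigabitEthernet0/24) and every VLAN prefix is inside the /56, but only the c0ff uplink prefix is covered by something pfSense holds; the c001 through c00d VLAN prefixes are not, which is why the failure cannot be found in the switch config alone.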

Comcast swears up and down I can use the whole /56. When I ask for help on how, they will not say a word.

 

When I try to hit them with logic just like you laid out, they just say I don't know what I'm doing. Then I start getting upset and spew a lot of RFC jargon in their ear, which does no good. I'm thinking I'm going to drop back down to residential service and use an HE tunnel. I hate to do that, but I cannot play this game anymore.

 

What good is it to allocate 4 million addresses to someone, tease them with the ability to use up to 256 subnets, and then make it not work? I don't see a security benefit, nor do I see any technical benefit at all. It's almost like it's on purpose.

I know this thread is dated, but in case someone runs up against a brick wall as I did with Comcast Business, their CPE gateway and IPv6, they have some accurate information. Harold is correct that the Comcast CPE gateway gets the /56 block and you can do SLAAC or use the DHCPv6 server in the gateway, but in either case, you only get a /64. Pretty useless if, like me, you have multiple VLANs. I finally set up tunnelbroker service with Hurricane Electric, and I have a /48 that I can use as I see fit, not some hodgepodge IPv6 menagerie from Comcast Business. The speed is almost as fast as my native IPv4.

Can you add configuration on the Comcast CPE, like a static route for the entire /56 pointing at the PFsense device?

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

I do not think so. I am looking now. There are configurable parameters, but I don't see anything about routing. Still looking. Very frustrated.

 

Do you not agree that is very odd to assign a /56 without making the whole thing usable?

 

 

> Do you not agree that is very odd to assign a /56 without making the whole thing usable?

 

I definitely think that they should make the CPE configurable so you could use the entire /56.

 

It is also possible that the Comcast CPE is configured to act as a DHCPv6 server and to further delegate the IPv6 subnets out of the /56. Could you also verify that?

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

So I dropped the switch down to layer 2, gave all the IP/VLANs to pfSense and not everything works as it should. I do not understand.

 

I really want my Cisco hardware doing the layer 3 heavy lifting.

 

Back to the drawing board, I guess. 

 

No changes to the modem/gateway thing from Comcast. Just reset everything and started from scratch. Switch is in dumb mode. pfSense is assigning IPv6 addresses to clients, and clients can ping the world.

I am not sure how the Comcast CPE routes traffic to the /56, if it does have a route for that prefix pointing at the PFsense device.

 

So, either the Comcast CPE knows how to route traffic to the PFsense device or your PFsense device does some sort of NAT.

 

Can you try accessing testipv6.com from one of the workstations and see what address is seen for that workstation on the Internet.

 

Regards,
Harold Ritter, CCIE #4168 (EI, SP)


@johnlutheran wrote:

Pinging IPv6 addresses. DHCP is handled by a Red Hat server internally. I'll work on name resolution next. Just trying to get ICMP out to the internet first.

 

Just tried traceroute - looks like it stops at my router. I will investigate further.

 

Thanks.


From the computer, are you pinging hostnames or ipv6 addresses?

 

Have you tried using traceroute to see where it breaks?

 

You assert you've got IPv4 working fine, however I do not see any DHCP configuration to provide DNS server addresses to the workstation. Do you configure the computer manually?

 

Your IPv4 DNS ought to offer IPv6 address resolution, but it'd be correct to provide an IPv6 DNS server address to the workstations as follows:

 

ipv6 dhcp pool dhcp-pool

leandro.almeida
Spotlight

Hello John,

 

Are you pinging by IPv6 address or name?

 

Could you put a traceroute output?