
NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer to amwdrizz

Premium Member

to amwdrizz

Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

If you have a residential account (or a business class dynamic IP account and don't use Comcast's gateway router) and a router that supports DHCP6-PD, you will be assigned a /128 for the router's WAN and a /64 for the router's LAN.

Comcast does not yet support IPv6 for their static IPv4 business class accounts, but when they finally get around to it, I suspect that they will set up IPv6 PTR records just as they currently set up IPv4 PTR records. They will not delegate the rDNS to you, but you can contact business class support and request the PTR records that you want to use.
amwdrizz
join:2013-01-16
Winchendon, MA

amwdrizz

Member

I'll have to wait and see with the business side then. I didn't know that Comcast even offered PTR records for the static IPv4s.

Each individual I talked with in the business dept more than likely looked at me like I was crazy when I was asking about it awhile back on the IPv4 side of it. I will have to ask them more questions in the future then.

Thanks for additional info.

Mike Wolf
join:2009-05-24
Tuckerton, NJ

Mike Wolf to NetFixer

Member

to NetFixer
How do you know if a router supports DHCP6-PD ?

whfsdude
Premium Member
join:2003-04-05
Washington, DC

whfsdude

Premium Member

said by Mike Wolf:

How do you know if a router supports DHCP6-PD ?

Edit: Correct link, »www.ipv6ready.org/

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer to Mike Wolf

Premium Member

to Mike Wolf
said by Mike Wolf:

How do you know if a router supports DHCP6-PD ?

That is not necessarily easy to know before making a decision to purchase a particular router. The site that whfsdude pointed to will give you the specs for what is required to get the "IPv6 Ready" gold logo, but that site does not seem to have a current list of equipment that has passed the qualification tests (at least I could not find such a list).

Basically, you just have to trust that a vendor who displays that logo is entitled to use it. The D-Link DIR655 that I currently use had that logo on the retail box, and I looked for that logo in the product descriptions on several on-line retailers before purchasing it (and FWIW, that particular router is also on Comcast's recommended router list at »mydeviceinfo.comcast.net ··· egateway ).

Interestingly, the "IPv6 Ready" gold logo no longer appears on the web site order page of the retailer I used, or on several other sites I just checked, and the logo is not displayed on D-Link's own web pages for the DIR655 (in fact any mention of IPv6 is limited to indirect references in the firmware download page). I don't know what is going on with that; perhaps D-Link had been using that logo without authorization, and had to withdraw it? I do know that it seems to work just fine with Comcast's native dual stack (as illustrated below).





voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

voiptalk

Member

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like the firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com ··· tcptest/

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like the firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com ··· tcptest/

I had noticed some problems with the 2.10 IPv6 firewall too (including that the manual firewall rules don't seem to work as expected). I tried loading the older 2.07 firmware to see if its IPv6 firewall worked properly, but that required a factory default reset, and manually reentering the router config (a PITA since the 2.07 firmware's "reboot later" function did not seem to work properly), so I aborted that and went back to firmware version 2.10 (I started out at firmware release 2.10 because I followed Comcast's advice and did the automatic firmware update from the factory delivered version 2.00 before I configured it the first time). I had already disabled the DIR655 IPv6 firewall (at least until the next firmware release), and my own PEN testing (from outside my LAN) showed that my local firewall rules seem to be blocking all IPv6 inbound traffic except for the services that I have explicitly allowed.

And thanks for that external scan site; I will be putting that in my bookmarks for future use. That test did in fact find an open service that I had overlooked for one PC, and I have now fixed that (it was a service that required authentication, and also logged access attempts, so it was not a big risk, but I had not intended to leave it open to anything other than LAN/VPN access).
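Added example, not part of the post above or of any tool mentioned in the thread: a way to turn an external IPv6 scan of your own hosts into a check for services left open by mistake, by comparing the open ports against the list you meant to expose. It assumes the scan was saved in nmap's grepable format (`nmap -6 -oG`); the sample scan text, the documentation-prefix addresses and the `INTENDED` allowlist are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `nmap -6 -oG -` output for two of your own hosts.
# 2001:db8::/32 is the IPv6 documentation prefix, not a real network.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 2001:db8:1:2::10 ()\tStatus: Up
Host: 2001:db8:1:2::10 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 5900/open/tcp//vnc///
Host: 2001:db8:1:2::20 ()\tStatus: Up
Host: 2001:db8:1:2::20 ()\tPorts: 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///
"""

# Hypothetical allowlist: the services each host is meant to expose over IPv6.
INTENDED = {
    "2001:db8:1:2::10": {(22, "tcp")},
    "2001:db8:1:2::20": {(443, "tcp")},
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

def open_ports(grepable):
    """Return {normalized IPv6 address: {(port, proto), ...}} for ports in state 'open'."""
    found = {}
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment, "Status:" line, or anything without a Ports field
        host = str(ipaddress.IPv6Address(m.group(1)))  # canonical spelling
        for entry in m.group(2).split("\t")[0].split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                found.setdefault(host, set()).add((int(fields[0]), fields[2]))
    return found

def unexpected_exposure(grepable, intended):
    """Open ports that are not on the allowlist; hosts missing from it allow nothing."""
    allowed = {str(ipaddress.IPv6Address(h)): p for h, p in intended.items()}
    report = {}
    for host, ports in open_ports(grepable).items():
        extra = ports - allowed.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report

if __name__ == "__main__":
    for host, ports in unexpected_exposure(SAMPLE_SCAN, INTENDED).items():
        print(f"{host}: not on allowlist -> {ports}")
```

Re-running the same comparison after each router firmware change shows whether the IPv6 firewall behaviour has shifted between versions.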

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by graysonf:

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

Thanks, I just tried it and (as expected) the only open services are the ones that I have explicitly left exposed.

That site likes to live dangerously by allowing outsiders to scan other sites from their server.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Well, like I said, very flexible

I didn't actually try it with IPs that were not mine. I limited it to my router and the machines connected to it.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

NetFixer to voiptalk

Premium Member

to voiptalk
said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like the firewall is broken.

This is a followup to my previous reply. Your post prompted me to take another look at the firmware version 2.10 IPv6 firewall settings. I found that the problems I originally saw were caused by using both the "IPv6 Simple Security" settings and the manual IPv6 firewall settings at the same time (and I had originally not created a default outbound rule since that is typically a built-in default for most router based firewalls). With the setup below, the IPv6 firewall rules in my DIR655 with firmware version 2.10 work properly, and I can now control my IPv6 firewall rules in a central place (which was one of my reasons for purchasing the DIR655). My primary problem with the DIR655 is its brain dead requirement to reboot the router after even the most innocuous change in order to have the change activated (and that has always been a D-Link quirk).