Howto: Spectrum IPv6 prefix delegation with static IPv4 on two-box modem & router

Started by kumba, December 02, 2023, 08:19:13 PM

I live in central Florida and have Spectrum aka Charter as the local cable provider. For all business accounts they mandate a 2-box solution here, one modem and one gloriously garbage router. We also have a static IPv4 which requires their router to provide the static IP.

The problem is that the Spectrum router does not provide an IPv6 prefix delegation to anything downstream like OPNSense. No amount of bridge mode or anything else seems to make a difference. Whether this is a hardware or back-end config issue I don't know. Finding anyone at Spectrum support who even knows what IPv6 is let alone a prefix delegation is near impossible. So, I got creative and a little petty.

What I found is that if you have an intermediary switch or VLAN that goes between the Spectrum Modem and the Router that you can pull an IPv6 prefix delegation directly from Spectrum's modem without affecting the static IP. The problem is that Spectrum will kill routing to this prefix after a while. That's where a somewhat unexplained cron command to periodically kick the interface will keep the routing alive. It's a little hacky but works surprisingly well. This guide will assume you have some basic understanding of OPNSense and how you manage the interfaces, set up VLANs or switches, and an understanding of basic networking. Chances are if you care enough about IPv6 that you want it to work then you likely already have the skillset.

Here's how the Spectrum two-box network topology is re-connected:
Modem <---> Intermediary VLAN/Switch <---> Spectrum Garbage Router <---> WAN VLAN/Switch/OPNSense

It's important that the intermediary switch/VLAN be isolated since we need DHCP to work. While you can probably plug all this into one switch and have it work it would be less than ideal. IPv6 tends to be too smart for its own good and IPv4 tends to be too dumb. The simplest way to do this would be to have three 1gig or faster NIC ports in your OPNSense box and a small cheap 5-8 port 1gig or faster dumb switch. Connect the Spectrum modem and router's WAN port to the dumb switch. Now connect one port from the OPNSense machine to the switch (SpectrumDHCP/opt1), connect a second port to the router's LAN port (SpectrumStatic/WAN), and connect a third port to your LAN Switch. No VLANs needed at all.

For the WAN interface I named it "SpectrumStatic" and configured the static IPv4 on it. This interface will connect to the Spectrum Router directly or the VLAN/Switch you set up. If you have a static IPv6 you can configure it here otherwise set IPv6 to 'None'.

On the OPT1 interface I named it "SpectrumDHCP" and set IPv4 to 'None' and IPv6 to 'DHCPv6'. This interface should connect to the Intermediary Switch or VLAN. Towards the bottom of the configuration screen set the Prefix Delegation size to 64, Check "Send IPv6 Prefix Hint", then save. If you have a static IPv6 you can enable "Request only an IPv6 Prefix" to keep things simpler for OPNSense. What we are really after here is that prefix delegation.

On the LAN interface set IPv6 to 'Track Interface'. Towards the bottom of the configuration screen set the IPv6 interface to 'SpectrumDHCP', IPv6 Prefix ID to 0, and check Allow Manual adjustments of Router Advertisements, then save.

Lastly, go to Service --> Router Advertisements, and click on the name of your LAN interface. Set Router Advertisements to "Unmanaged" and check Advertise Default Gateway. You can optionally set the DNS Server to be the link-local address of the LAN interface if you want to use the local Unbound DNS service. By default the DNS servers obtained from Spectrum when getting the IPv6 prefix will be used.

You might need to reboot the router for everything to straighten itself out. I've noticed that OPNSense/FreeBSD gets a little finicky when you turn IPv6/IPv4 on and off or start moving interfaces around.

You can verify everything is working by going to Interface --> Overview, and looking at the different IP's assigned to each interface. Under SpectrumDHCP you should see "IPv6 Prefix" listed. If you do, you have your prefix delegation and all your LAN clients should have working IPv6.

Now for the catch. For some reason every few hours Spectrum or OPNSense or some combination thereof will decide to just break. Things will still look normal but the LAN can no longer reach the internet on IPv6. What I found is if I go into the Interfaces Overview, expand the SpectrumDHCP interface, and click 'reload', things will just start working. So it'd work for a while but at some point, usually in the next 24 hours, it will break. It has never worked for more than a day on its own.

The workaround I came up with is to use the "Periodic Interface Reset" command from the OPNSense cron jobs. You can set this up by going to System --> Settings --> Cron. Click on the "+" button to add a cron job to OPNSense. Change the Hours field to "*/4", the command to "Periodic interface reset", the parameters to 'opt1' since that's where our SpectrumDHCP interface is at, and give it a description to help you remember why it's there like "Reset Spectrum for IPv6 weirdness", then save. This will kick the SpectrumDHCP interface every 4 hours which keeps things chugging along just fine for me. If you find you can go longer or shorter, just change the 4 in "*/4" to whatever hourly interval you want. If you want it to run every hour, just change it to "*". Every two hours would be "*/2". Every 12 hours "*/12", etc.

So that's how you get a Static IPv4 with DHCP IPv6 and prefix delegation working on a Spectrum two-box solution with OPNSense. Fun fun. Now for some random notes and things:

Both WAN ports on the modem and Spectrum router are 2.5G capable. So while using a 1-gig switch is technically a bottleneck between the router and modem it won't matter unless you have more than 1-gig of internet. The good news is inexpensive 2.5G 5-port switches exist so it's not much of an issue to remedy. There's also no need to over-think dumb switches. They're dumb and all use the same 2 or 3 chipsets. Just don't get the most expensive or cheapest one. Anything middle of the road will do the job just fine.

Smart or Layer 3 managed switches with VLANs are nice but they're pricey and really not needed for the average small-office home-office setup.

When it comes to things like gateway groups and rules you will need to manage both the SpectrumStatic and SpectrumDHCP zones in the firewall. The one downside to this solution is potentially twice the management. I try to use floating rules when at all possible to simplify this.

My final note on all of this is to avoid the temptation to pull more than one IPv4/IPv6 from Spectrum. Multiple IP's from a single ISP's modem to a single OPNSense router do nothing for resiliency or redundancy. All it really does is over-complicate router management with no benefit. It's a "just because you can doesn't mean you should" sort of thing. My opinion is that it's really only worth managing multiple WAN connections when you have two different discrete ISP connections coming into the building. For example having Spectrum cable internet and FiOS fiber internet would be where I want multiple WANs in OPNSense. When everything is just going through a single modem only one IPv4 and one IPv6 is all you need for most setups. However, you can still pull another DHCP IPv4 from the Spectrum modem and also get a /64 of IPv6 without prefix delegation from the Spectrum router. Enough to do some isolated homelab stuff or whatever floats your boat.

Interesting approach, thanks for the detailed description. They only give you a /64 PD? That's nasty.

ISPs typically use DHCPv6 snooping on their edge routers for setting up the routes for delegated prefixes. These routes expire after some time. That's usually not an issue because the DHCPv6 IA_PD has a limited lifetime, too, so customer routers have to renew it periodically. This also prevents the route on the ISP edge router from expiring. What you're describing sounds like the route on your ISP's edge router expires too early for some reason.

What I'm wondering though: What prevents you from getting rid of the SGR? What wizardry does it perform that OPNsense can't emulate? Do they use some kind of VPN for the static IPv4 and don't give you the credentials? Or what's going on there?

Quote from: kumba on December 02, 2023, 08:19:13 PM
You can optionally set the DNS Server to be the link-local address of the LAN interface if you want to use the local Unbound DNS service. By default the DNS servers obtained from Spectrum when getting the IPv6 prefix will be used.

By default, the LAN interface's GUA will be advertised as a DNS server. The DNS servers obtained from the ISP will only be advertised if Unbound is disabled.

Cheers
Maurice

Quote from: Maurice on December 03, 2023, 01:14:47 AM
Interesting approach, thanks for the detailed description. They only give you a /64 PD? That's nasty.
Ohhh, it's even stupider than that. Spectrum's router is already doing an IPv6 PD request but spectrum is only giving it a single /64 even though it's their own router on a business account. So that's why the router is unable to hand off any prefixes behind it. If they had just handed all their OWN routers a /60 they could delegate IPv6 all day long without a problem. Like I said, maybe I just haven't found the right support guy, but I've given up trying. This is hacky but works well enough for me.


Quote from: Maurice on December 03, 2023, 01:14:47 AM
What I'm wondering though: What prevents you from getting rid of the SGR? What wizardry does it perform that OPNsense can't emulate? Do they use some kind of VPN for the static IPv4 and don't give you the credentials? Or what's going on there?
Well, the short version is that Spectrum uses RIP/RIPNG internally to manage routes between all the modems and routers on the network. This is secured by a key which I don't have. Once you have a static IP their router is required because that's how they route the IPs to you. Their router requests a dynamic IP through the modem and then announces the static IP on their network. The only way they will let me use just the modem is if I give up my static IP and use the base 500mb plan. Soon as I want 1GB or a static IP they tell me I have to use their router behind the modem. I'm guessing this router also phones home which might be part of why the edge keeps disconnecting me.


Quote from: Maurice on December 03, 2023, 01:14:47 AM
Quote from: kumba on December 02, 2023, 08:19:13 PM
You can optionally set the DNS Server to be the link-local address of the LAN interface if you want to use the local Unbound DNS service. By default the DNS servers obtained from Spectrum when getting the IPv6 prefix will be used.

By default, the LAN interface's GUA will be advertised as a DNS server. The DNS servers obtained from the ISP will only be advertised if Unbound is disabled.
That wasn't my experience. If both DNS fields were left blank the IPv6 DNS servers for Spectrum are what my LAN clients got. Perhaps I have something set improperly elsewhere causing that.
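
The prefix arithmetic behind the "IPv6 Prefix ID" setting and the /64-versus-/60 point raised in the thread, as an added example that is not part of any post: it shows why Prefix ID 0 is the only valid choice with a /64 delegation and why a /60 would leave /64s to hand downstream. The 2001:db8:: prefixes are constructed documentation values and the function names are hypothetical.

```python
import ipaddress

def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking LAN interface derives from a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot carry a SLAAC LAN")
    # The prefix ID occupies the bits between the delegation length and /64.
    id_bits = 64 - net.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id} does not fit in {id_bits} bit(s)")
    base = int(net.network_address)
    # Bit 64 (counting from the low end) is the lowest bit of the subnet field.
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))

def spare_subnets(delegated: str, used_ids: set) -> list:
    """List the /64s still free for other interfaces or downstream routers."""
    net = ipaddress.IPv6Network(delegated)
    total = 1 << (64 - net.prefixlen)
    return [lan_prefix(delegated, i) for i in range(total) if i not in used_ids]

if __name__ == "__main__":
    # Constructed sample delegations (RFC 3849 documentation space).
    pd64 = "2001:db8:1234:5600::/64"
    pd60 = "2001:db8:1234:5600::/60"

    print("LAN with /64 PD, ID 0:", lan_prefix(pd64, 0))
    print("spare /64s after LAN:", len(spare_subnets(pd64, {0})))

    print("LAN with /60 PD, ID 0:", lan_prefix(pd60, 0))
    print("spare /64s after LAN:", len(spare_subnets(pd60, {0})))
    print("e.g. ID 3 would be:   ", lan_prefix(pd60, 3))

    try:
        lan_prefix(pd64, 1)
    except ValueError as exc:
        print("ID 1 on a /64 PD is rejected:", exc)
```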