Comcast business IPv6 vs rbldnsd & PSBL

Rik van Riel riel at surriel.com
Tue Nov 29 19:13:59 UTC 2016


On Tue, 2016-11-29 at 13:34 -0500, Jared Mauch wrote:
> Folks at Comcast have told me to ask for the SMC gateway to be
> replaced with either the netgear or Cisco to solve that issue. 

Over the past year and a bit, I have had all three
of the Comcast business routers in my network.

The Netgear only stayed for one day - after about
10-15 minutes of "heavy" (~300kbit/s) DNS lookups
coming in from the outside, it was almost impossible
to make new TCP connections across the router, either
IPv4 or IPv6.

The SMC D3G-CCR mostly worked, except at some point
during the year, the fraction of traffic going over
IPv6 went high enough to wreck the D3G, causing it to
crash and reboot several times a day, without having
enough diagnostics for me to figure out what was going
on.

The Cisco DPC3941B seems to fail in pretty much the
same way as the SMC D3G-CCR, but it has enough
diagnostics that I could finally figure out what was
happening. With "Gateway Smart Packet Detection" disabled,
and the "Firewall completely disabled", the logs are
still showing tens of thousands of dropped IPv6 connections
every day.

In other words, the config options that supposedly disable
the firewall completely do not in fact disable the firewall
code, and I am still hitting connection tracking limits.

DNS lookups coming from randomized port numbers (to avoid
spoofing issues) mean every DNS query takes up another slot
in the connection tracking table.

Once the table is full, the router will search for a
re-usable slot before routing a packet. This can cause
ping times to 10.1.10.1 (the router) to go as high as
800ms. This is from a system sitting 5ft from the router.

If the router does not find any re-usable slot in the
connection tracking table, packets can get lost.

This leads to the "fun" scenario where pinging the router
from a system directly connected to it shows 30% packet
loss, while streaming video over an already established
TCP stream continues at full speed!

Not a symptom I ever expected to see...

-- 
All rights reversed
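A toy model of the failure mode this message describes, added here as an example (not code from the post or from any of the gateways named): a fixed-size connection-tracking table that, once full, probes only a bounded number of slots for an idle entry before giving up. It shows that DNS queries from randomized source ports each consume a slot, that an already established TCP flow keeps forwarding on the fast path, and that new flows (pings to the gateway) see elevated latency and loss. The table size, idle timeout, probe cost and all addresses are assumed and constructed.

```python
import random
from dataclasses import dataclass, field

PROBE_MS = 10.0   # assumed cost of examining one slot once the table is full
FAST_MS = 0.2     # assumed delay for an established flow or a free slot

@dataclass
class ConntrackTable:
    capacity: int
    idle_timeout: float = 30.0   # seconds before an idle slot may be reused
    max_scan: int = 16           # slots probed before the packet is given up on
    slots: dict = field(default_factory=dict)  # flow 5-tuple -> last-seen time
    cursor: int = 0
    dropped: int = 0

    def forward(self, flow, now):
        """Delay in ms to forward one packet of `flow`, or None if it is dropped."""
        if flow in self.slots or len(self.slots) < self.capacity:
            self.slots[flow] = now   # known flow or free slot: fast path
            return FAST_MS
        keys = list(self.slots)      # table full: bounded search for an idle slot
        for probe in range(1, self.max_scan + 1):
            victim = keys[self.cursor]
            self.cursor = (self.cursor + 1) % len(keys)
            if now - self.slots[victim] > self.idle_timeout:
                del self.slots[victim]
                self.slots[flow] = now
                return FAST_MS + probe * PROBE_MS
        self.dropped += 1            # no reusable slot found: packet is lost
        return None

def simulate(capacity=2000, pings=100, seed=7):
    """Fill the table with DNS flows, then test an established TCP flow and new ICMP flows."""
    rng = random.Random(seed)
    table = ConntrackTable(capacity)
    video = ("10.1.10.50", 51000, "203.0.113.5", 443, "tcp")   # constructed flow
    table.forward(video, 0.0)
    while len(table.slots) < capacity:
        # every query uses a fresh random source port, so each one is a new flow;
        # about one in ten has been idle longer than the timeout (constructed ages)
        age = 60.0 if rng.random() < 0.1 else 5.0
        query = ("198.51.100.7", rng.randint(1024, 65535), "10.1.10.53", 53, "udp")
        table.forward(query, 100.0 - age)
    video_ms = table.forward(video, 100.0)   # established stream: still fast
    rtts = [table.forward(("10.1.10.50", 0, "10.1.10.1", seq, "icmp"), 100.0)
            for seq in range(pings)]
    lost = sum(r is None for r in rtts)
    return {"video_ms": video_ms, "ping_loss_pct": 100 * lost // pings,
            "ping_max_ms": max((r for r in rtts if r is not None), default=0.0),
            "dropped": table.dropped}
```

With the default parameters the established flow is forwarded at the fast-path delay while a fraction of the new ping flows are dropped and the rest pay for the slot search, which is the mix of symptoms reported above.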