Hex DHCPv6 client stuck at "searching..." with Xfinity/Comcast

Same problem as this thread which got no responses: http://forum.mikrotik.com/t/dhcpv6-client-stuck-at-searching-xfinity/179864/1

Here is the output of “/ipv6/dhcp-client print”:

Columns: INTERFACE, STATUS, REQUEST
# INTERFACE  STATUS        REQUEST
0 ether1     searching...  prefix

And here is the output of “/ipv6 export hide-sensitive”:

# 2025-03-06 10:15:11 by RouterOS 7.15.3
# software id = TJ66-RM02
#
# model = RB750Gr3
# serial number = HD2089NGZYV
/ipv6 address
# address pool error: pool not found: comcast-ipv6 (4)
add address=::1 from-pool=comcast-ipv6 interface=bridge
/ipv6 dhcp-client
add interface=ether1 pool-name=comcast-ipv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Replaces defconf rule for DHCPv6 client prefix delegation. https://forum.mikrotik.com/viewtopic.php\?p=1019432#p914681 & https://forum.mikrotik.com/viewtopic.php\?p=914681" \
    dst-address=fe80::/10 dst-port=546 log=yes log-prefix="UDP 546 (DHCPv6) - " protocol=udp
/ipv6 nd
set [ find default=yes ] interface=bridge
/ipv6 settings
set accept-router-advertisements=yes

I had tried following the recommendations here for setup:

But I am a beginner to all this, and my understanding of the various pieces and how they interact is not very good. I know what DHCP is, what IP and UDP are, and a basic idea of how firewalls work.

The order of the rules in the filter firewall is important because within the same chain (in this case “input”) the rules are processed from top to bottom.

Currently your rule with the comment “Replaces defconf rule for DHCPv6 client prefix delegation…” sits at the bottom of the table, which means it is ineffective, because above it there is this rule:


add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

That rule drops the packets and prevents them from reaching the “Replaces defconf rule for DHCPv6 client prefix delegation…” rule. What you need to do is to (use your mouse) drag the “Replaces defconf rule for DHCPv6 client prefix delegation…” and move it up, place it right below the original “defconf: accept DHCPv6-Client prefix delegation.” rule that you have disabled. In any case it should be placed before the “defconf: drop everything else not coming from LAN” rule on the input chain.
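
The first-match behaviour described in the answer above, as an added example that is not part of the original posts: a small Python model of the exported input chain that evaluates one DHCPv6 reply against the rules in export order and again with the replacement rule moved above the drop rule. Assumptions: the reply is seen as connection-state new, ether1 is not in the LAN interface list, and the packet addresses are constructed.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Input-chain rules from the export above, in export order, as
# (comment, action, disabled, match). The traceroute, IKE and IPsec rules
# are omitted because they cannot match the sample packet.
RULES = [
    ("accept established,related,untracked", "accept", False,
     lambda p: p["state"] in ("established", "related", "untracked")),
    ("drop invalid", "drop", False, lambda p: p["state"] == "invalid"),
    ("accept ICMPv6", "accept", False, lambda p: p["proto"] == "icmpv6"),
    ("defconf DHCPv6-Client prefix delegation", "accept", True,
     lambda p: p["proto"] == "udp" and p["dst_port"] == 546
     and ipaddress.ip_address(p["src"]) in LINK_LOCAL),
    ("drop everything else not coming from LAN", "drop", False,
     lambda p: p["in_list"] != "LAN"),
    ("Replaces defconf rule for DHCPv6 client", "accept", False,
     lambda p: p["proto"] == "udp" and p["dst_port"] == 546
     and ipaddress.ip_address(p["dst"]) in LINK_LOCAL),
]

def evaluate(rules, packet):
    """First enabled rule that matches decides; later rules are never reached."""
    for comment, action, disabled, match in rules:
        if not disabled and match(packet):
            return action, comment
    return "accept", "(no rule matched)"  # a chain with no match accepts

def move_before(rules, needle, before):
    """Copy of rules with the rule whose comment contains `needle` placed
    directly above the rule whose comment contains `before`."""
    moved = next(r for r in rules if needle in r[0])
    rest = [r for r in rules if r is not moved]
    idx = next(i for i, r in enumerate(rest) if before in r[0])
    return rest[:idx] + [moved] + rest[idx:]

# Constructed sample: a DHCPv6 server reply arriving on the WAN port.
# Assumption: conntrack sees it as "new", not related to the client's solicit.
REPLY = {"proto": "udp", "dst_port": 546, "state": "new", "in_list": "WAN",
         "src": "fe80::1", "dst": "fe80::2"}

def demo():
    """Verdict with the rule last, then with it moved above the drop rule."""
    fixed = move_before(RULES, "Replaces defconf", "drop everything else")
    return evaluate(RULES, REPLY), evaluate(fixed, REPLY)

if __name__ == "__main__":
    for action, comment in demo():
        print(f"{action:6} by: {comment}")
```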

Wow, that worked! I didn’t even need to restart, I just clicked “Release” in the DHCP client and got an IPv6 address within seconds. I had added the firewall rule via the Terminal, and didn’t realize the order mattered. Thank you!