>This documents how I added IPv6 to my home network, which runs OpenBSD, using OpenBSD's ifconfig, slaacd, dhcp6leased, rad, and unbound. This should serve as a guide to other people in the same situation, but be aware you need to be running at least OpenBSD 7.6, as that is the version that added support for dhcp6leased and updated rad to handle DHCPv6 PD (prefix delegation). For older OpenBSD versions, you'll have to use ports, and there are multiple guides for that, use your friendly neighborhood search engine.
The author forgot Step 1. Ensure your ISP provides IPV6 services.
I guess one could choose between v4 or v6 but not both at the same time (dual stack). My mobile ISP also does it this way -- you either use IPv4 only on mobile data or IPv6 only with NAT64 and DNS64 to reach v4 hosts.
It's frustrating trying to work with ISPs. While there surely are business services available, as a normal customer, you're out of luck.
I count myself lucky, since I can at least get a public (dynamic) IPv4 address. The other option is DSLite with a single /64 via DHCP6. Well, I can't use that. So yeah, while it would be a fun journey trying out IPv6 - it's not feasible for me. And most likely, that holds true for others as well.
There are options available - like the HE tunnelbroker - but those come with their own set of drawbacks.
My ISP supports ipv6, I spent a while yesterday setting it up because Hetzner VPS’s are slightly cheaper if you opt out of a v4 address so I wanted to try it out.
It all worked ok until I noticed I could access open ports on my Mac from the public internet, and then found out my router does not support blocking incoming traffic for IPV6.
Granted, it’s probably unfeasible for attackers to scan the entire space to find open ports, but I still wasn’t comfortable with leaving all my stuff exposed, so I disabled ipv6 again and came crawling back to v4.
Maybe when/if I get a better router that supports firewalling ipv6 I’ll try again.
Back before NAT was a thing, technically-inclined people like us would seek out firewalls on our computers. Nowadays most people have them in the form of Windows Firewall and IPTables, but many people don't really understand how to use them because they're not as necessary as they were. I would imagine most people's interactions with Windows Firewall have just been to designate which networks are private and which are public, and only then because Windows automatically asks you when you connect to a network.
With IPv6, that's going to change again, and firewalls are going to become much more important once more - but it would explain why people can run without firewalls, right now. After all, currently the only things they're protecting against are from your local network, since your router is probably doing most of the external blocking already with NAT.
Of course, this doesn't help IPv6 adoption at all...
Not sure, depends on your threat model and how you organized your LAN.
I put my “trusted” devices in a special vlan and untrusted devices (IoT) in another one. Only trusted devices can access IoT devices but not vice versa.
Works pretty well.
But yeah that does require a more advanced router / switch as well.
I had a similar experience with my router and learned the hard way. On the positive side, I became much more careful with Windows, MacOS & UFW firewall. On the downside, I have no idea how to manage firewall settings on mobile devices with or without MDM.
the router vendor never tested any of the ipv6 support. ipv6 firewall was broken in the UI, and iptables commands were blocked on the CLI. so there was no ipv6 firewall (it was allow-all)
It's not a disadvantage, it's the whole point of IPv6: each device can, once again, have its own IP address like it was meant to be. That you probably want to run a firewall is nothing new. IPv4 and NAT have corrupted people's understanding of what the internet is.
Actually I think you'll find most people just connect their devices to the internet and expect them to just work. Their mental model of the internet is probably closer to a pure IPv6 internet than nerds and engineers who have had to learn all this extra complexity required to get IPv4 to keep working.
Fascinating. Me mentioning NAT as a positive (blocks all incoming ports) prompts people to reply with a word salad that contains "crappy" and "corrupted". Fact is, NAT is being used in almost every apartment LAN setup since, what, 30 years? It's no surprise that people grew used to the implicit port block. And therefore it's no surprise that when switching to IPv6, some people will discover the hard way that they now need to do extra work.
But hey, why think about it rationally, if you can throw crappy and corrupted around?
It's because people saying stuff like "NAT good, IPv6 bad" makes many people afraid of v6. It's part of the problem. Any decent gear will come with a firewall with sane defaults and most people won't know about it, just like with NAT today. If you asked someone to configure a router from scratch (ie. one that came with insane defaults) then NAT would be more difficult to set up.
Oh, the touchy-feely CS industry. I miss the old days when feelings didn't really count. I don't care if not-quite-a-whole-sentence of mine makes people afraid of things they don't know enough about.
NAT is a crappy replacement for what can be done with a simple stateful firewall though… It kind of works for one use case (where you want to block everything or have no more than one host on a single forwarded port) but hinders or breaks literally every other use case! And then if you’re behind CGNAT you’re even more restricted!
(((spends weeks trying to find a router that supports it. Spends longer finding an ISP that supports it. Finds an ISP, multiple stacks poorly support it. Web browsers barely support it. major large websites still aren't running it. tools break with it enabled. Any ipv6 code needs a cluster-fuck of bind hacks to work cross-platform)))
Are you ready for the future, lads! Get ready! It's coming!
Yes, and there are different definitions of 'support.' Since IPv6 has many deployment options 'support' might be the most basic, regular definition where the router tries to manage everything and won't work with the network your ISP uses.
Normally IPv6 is added as an afterthought. So it won't support many of the advanced features that the V4 interface does. E.g. it's very basic to want to set static IPs -> MAC entries when running DHCP. Of the many routers I've tried that 'support' IPv6 they don't offer these features. V4 will also have features for UPnP and even though most routers are probably using miniupnpd (which has support for IPv6) the chances of it having been set up for the router are slim.
It's quite useful because UPnP can dynamically let traffic reach IPv6 global scope addresses in your network (with pin holing.) So without this feature networked software can't run services easily (arguably what was meant to be a key benefit for v6.) You know -- the funny thing is -- V6 was meant to give everyone 'public', 'routable' addresses. But the reality is because it's firewalled (both at the router and the OS) coupled with the availability of services to automatically let traffic through -- I'd say it's less reachable than IPv4. Those who hope that V6 is going to be the future of P2P are in for a bad surprise.
I ran pfSense at home, and while I'm sure their IPv6 support was fine enough in a business setting, it was useless in a residential setting. Seems they made some progress[1] in 2021, but that doesn't cover aliases so one could say it's still not fully supporting residential IPv6.
I switched to OpenWRT which has worked well enough.
The older Ubiquiti Edge Routers by default don't support IPv6 very well unless you go in by the CLI; you have to set everything up from scratch.
Trying to get it to run from scratch on an OpenWRT x86 image is also a royal PITA, but that might be just a quirk of how the x86 image is configured by default; I haven't had a chance to try it on hardware they support properly.
Related, I just recently got IPv6 in my home connection and tried to set it up with my EdgeRouter X. It was impossible even though I followed all the online instructions to the letter. I then installed OpenWrt on it and it worked like a charm, with IPv6 out of the box (I did customise my configuration later). I wrote a post about the process for anyone interested [0].
Yeah trying to get it to work via config tree is basically begging for pain and suffering. You need to create all the configurations from scratch via the CLI to have a chance for it to work in a semi sane way.
I was able to finally get it to work on one of my subnets, but then everything sort of just fell apart because I have a segregated network aside from my main home network and for the life of me I couldn't get it to work on two different subnets. Then throw in the whole issue of firewall rules, since the prefix my ISP assigns is dynamic; it changes every time the router reboots. I figured I'd have to write a little service to watch the prefixes and adjust the rules as needed but it just seems like too much grief to deal with.
Left it until now when I found that android does some weird shenanigans with DNS so it's back on my radar but it's not something I'm particularly looking forward to struggling with again.
I actually had the same deal with firewalls and prefixes, since I want to direct traffic to my server and its address obviously depends on the prefix. Turns out OpenWrt has a feature for this too [0], meaning you can use a destination address like "::1234/-56" in your firewall rules.
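As an added example (not part of the comments above, and not OpenWrt's code): the suffix match that a rule such as "::1234/-56" expresses, written out in Python next to a rule pinned to the full address. It assumes a negative length inverts the netmask so that the first 56 bits, the ISP-delegated prefix, are ignored; the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

FULL = (1 << 128) - 1


def rule_mask(length: int) -> int:
    """Netmask as an integer; a negative length inverts it (assumed semantics)."""
    if not -128 <= length <= 128:
        raise ValueError(f"bad prefix length: {length}")
    host_bits = 128 - abs(length)
    prefix_mask = FULL ^ ((1 << host_bits) - 1)   # ordinary /N mask
    return prefix_mask if length >= 0 else FULL ^ prefix_mask


def rule_matches(rule: str, address: str) -> bool:
    """True if `address` matches `rule` written as ADDR/LEN; LEN may be negative."""
    addr_text, _, len_text = rule.partition("/")
    mask = rule_mask(int(len_text) if len_text else 128)
    want = int(ipaddress.IPv6Address(addr_text))
    have = int(ipaddress.IPv6Address(address))
    return (want & mask) == (have & mask)


# Constructed sample: the same server before and after the ISP hands out a
# new /56 (subnet 00 and interface ID ::1234 stay fixed).
BEFORE = "2001:db8:aa00:1200::1234"
AFTER = "2001:db8:bb00:3400::1234"

STATIC_RULE = "2001:db8:aa00:1200::1234/128"   # pinned to the old prefix
SUFFIX_RULE = "::1234/-56"                      # ignores the delegated /56


def audit(rule: str) -> dict:
    """Which of the constructed destinations does `rule` cover?"""
    samples = {
        "server_before": BEFORE,
        "server_after": AFTER,
        "other_subnet": "2001:db8:bb00:3401::1234",  # subnet 01, same host ID
        "other_host": "2001:db8:bb00:3400::1235",
    }
    return {name: rule_matches(rule, addr) for name, addr in samples.items()}


if __name__ == "__main__":
    for rule in (STATIC_RULE, SUFFIX_RULE):
        print(rule, audit(rule))
```

The suffix rule stays as narrow as the pinned one (one subnet, one interface ID) but keeps matching the server after the prefix changes, whereas the pinned rule silently stops covering it.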
You'd be surprised how many cheap tenda wifi "access points" sold right now for 15€ still don't support v6, even though access points shouldn't mess with anything above L2.
Well, you still need a way to manage them. Having an administrative web interface accessible over IPv4 but not IPv6 was probably considered Good Enough by whoever wrote the firmware.
Same reason cable modems don't mess with anything above L2 but are still reachable at http://192.168.100.1/ (no IPv6 equivalent).
That's a link-local address range (like 169.254/16 in IPv4). You'd need to specify which local link to use in order to connect to it (e.g. http://[fe80::aa:bb:cc:dd%eth0]/) and it wouldn't traverse past a router so wouldn't work if you have your own router between you and your modem.
The closest analog would be something in fc00::/8 (which belongs to fc00::/7 which is the IPv6 analog to 10/8, 172.16/12, 192.168/16), but good luck getting cable modem firmware vendors to all agree on which random address to use within that and then actually implement web administration and diagnostics on it. That's what I was getting at by saying there's no IPv6 equivalent; they haven't done that.
> ? You managed to buy a router in 2024 that doesn't support IPv6?
I have a netgear Orbi at home that works just fine, but when I turn on IPv6 it loses internet connectivity after a few hours and takes minutes to reset. Not wanting to be bothered with it, and not having a need for IPv6 I just turned it off. That setup is about a year old.
What web browser would "barely" support it? I use Firefox on Linux and have not noted any problems. Well, I don't check every connection and whether the server would have supported it. But whenever I checked for curiosity IPv6 was used when supported.
I used that when IPv6 was new for me. It looks nice. Many Web pages contact several servers (even with ad blocking). So not sure a single icon can be more than entertaining.
It can be simple. I use an ISP that's been providing IPv6 for years, and they were kind enough to document what users need to do to get it working (https://www.geekzone.co.nz/forums.asp?topicid=240157). However, if you use their routers (Fritz!Box), it works out of the box.
I use a third-party router (Synology) and only had to check the IPv6 box to get it running—even with multiple VLANs in my network.
There are plenty of IPv6 services around. If a service is behind Cloudflare, it's likely IPv6 will be enabled by default. It is the same with other services, including some cloud providers now giving IPv6 addresses but charging for IPv4.
My iinet connection doesn't support it; My aussie broadband one did; My starlink connection didn't; My telstra one didn't (the routers they provided didn't even support v6); Maybe starlink supports v6 now but I know people were complaining about this early on (router UI had no mention of v6 but maybe possible?)
It seems to be that you have to choose the ISPs that support it if you want it here (I'm based in Australia.)
Got to say, Fritz!Box really makes the setup and maintenance easy.
You will hit a wall if you want subnets and stuff but before that everything really works and they support their boxes for 6 to 10 years with updates.
Not cheap though.
Also, router supporting IPv6 technically doesn't mean it supports all features you'd need for home network. Most routers support RA and that's it... it's very common to find ones that don't even support firewall rules for v6.
Yes. This post only applies to people who have already manually configured a network for IPv4. Most devices from the past 10 years will "just work" on a v6 capable network with no configuration required (nor even an awareness that v6 is in use).
The author forgot Step 1. Ensure your ISP provides IPV6 services.
Otherwise, good documentation for the record.