User Tools

Site Tools

This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at <<<<<<<<<<

IPv6 HowTo for Backfire and Attitude Adjustment until 12.09

This guide DOES not apply to Attitude Adjustment AFTER 12.09, Barrier Breaker or any other upcoming releases. See OpenWrt native IPv6-stack for new documentation.
Please make sure that ip6tables is installed and enabled before setting up ipv6 interfaces!
 opkg update && opkg install ip6tables kmod-ip6tables && fw restart 

Please also see →ipv6.theory for a load of links to IPv6 related documentation.

Native IPv6 access

For this, you need to obtain an IPv6 address from your ISP. Technically this could be a /128 prefix (exactly one IPv6 address), but according to rfc6177 this should be a /64 prefix. You may also get bigger range, like /56 or /48. Within this range you may use all the IPv6 addresses to your liking without any NAT-induced headaches.

Some of the ISPs currently known to support IPv6 to the customer are listed here: ipv6.isp.

In the following example, the assigned prefix is 2001:123:456::/48. Within this prefix, I choose to affect the network 2001:123:456:789::/64 to the internal LAN. The router has the fixed IP 2001:123:456:789::1


config interface lan option ifname eth1 option type bridge option proto static option ipaddr option netmask option ip6addr '2001:123:456:789::1/64'

When using PPPoEv6, enable ipv6. You may also further reduce the MTU from 1492 to 1452: Experience shows that it prevents many problems. You can try to increase this size, not bigger than 1492.

config interface wan option ifname eth0 option proto pppoe option username '<username>' option password '<password>' option keepalive 5 option defaultroute 1 option peerdns 1 option ipv6 1 option mtu 1452

6in4 tunneling

6in4 is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration.

A very excellent forum topic on the topic of a static 6in4 tunnels is at

Both resources assume a static prefix, and thus a manual configuration.

The ISP known to use this are:

  1. (France)


The package 6in4 must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later.

opkg update && opkg install 6in4


  • Examples of 6in4 tunneling are also on the config/network page.
  • For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.

Static 6in4 tunneling

/etc/config/network for static tunneling:

config interface henet option proto 6in4 option ipaddr '' option peeraddr '' option ip6addr '2001:0db8:1f0a:1359::2/64'

Note: you may want to check that your public IP is matching the IP address on your WAN interface. Details in Static IPv6-in-IPv4 tunnel behind one-to-one NAT.

Dynamic 6in4 tunneling

The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.

/etc/config/network for dynamic tunneling:

config interface henet option proto 6in4 option peeraddr '' option ip6addr '2001:0db8:1f0a:1359::2/64' # see notes below for why ip6prefix is required option ip6prefix '2001:0db8:1f0b:1359::2/64' option tunnelid '12345' option username 'username' # you no longer need to use your portal password (see notes below) # option password 'password' # use updatekey for security option updatekey 'updatekey'

In this example configuration:

  • is the local IPv4 address (assigned by ISP)
  • is the remote IPv4 address (the other side of the tunnel)
  • 2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint (labeled "Client IPv6 Address" on the Tunnel Details page in your HE account).

as of change set 41358

  • tunnelid is provided by the tunnel broker.
  • username, password and updatekey are the plain text entries from your HE Tunnel Broker account.

and the following no longer applies

:!: For Hurricane Electric tunnels, the username is NOT the username for The username is the user id listed on the main page of your account (called the "API Key" elsewhere). The password is the md5 hash of the password. For details, see

:!: (from notes here protocol.dhcpv6) has introduced updatekey as default for new tunnels in February 2014.

:!: (from notes here protocol.dhcpv6) although ip6prefix isn't required, sourcerouting, enabled by default, will prevent forwarding of packets unless ip6prefix is specified.

With Attitude Adjustment, once you have added the above interface definition you have to run /etc/init.d/network restart in order to have it effected.

This tunnel, like a VPN, creates a third network interface, called henet in this example. A default IPv6 route using this interface is automatically created when this interface connects successfully.


:!: To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:

config 'zone' option 'name' 'wan' option 'network' 'wan henet' option 'input' 'REJECT' option 'forward' 'REJECT' option 'output' 'ACCEPT' option 'masq' '1'

:!: To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:

config rule option src wan option proto 41 option target ACCEPT

You will need the ip6tables package for these firewall rules to work. You can run the following command to install this package:

opkg update && opkg install ip6tables kmod-ip6tables


Routed Addresses

To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface.

:!: For Hurricane Electric tunnels, the prefix for the routed subnet is specified in tunnel details page on in the Routed IPv6 Prefixes section, and is formed by incrementing the last digit of the third quad in the tunneling prefix. For example, if the IP address 2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint, the local interface would be assigned an address in 2001:0db8:1f0b:1359::/64 subnet, typically 2001:0db8:1f0b:1359::1/64

config interface lan option ifname eth0 option type bridge option proto static option ipaddr option netmask option ip6addr '2001:0db8:1f0b:1359::1/64'

Clients that auto-configure using SLAAC (stateless address auto-configuration) will need to know this routed prefix. To broadcast the prefix to clients on the local network, use radvd.

Packet Forwarding

The router must be configured forward packets between the remote and local interfaces. See the Enable Routing section. The forwarding is enabled by default in trunk, but must be manually enabled in Backfire.

Enable Routing in Backfire

To forward packets between interfaces, a kernel-level setting must be enabled. To enable packet forwarding, edit /etc/sysctl.conf

And uncomment the following line in /etc/sysctl.conf:

# net.ipv6.conf.all.forwarding=1

The line should look like this:


Now restart sysctl to apply the new setting.

/etc/init.d/sysctl restart
To verify the setting has been applied, issue the following command:
cat /proc/sys/net/ipv6/conf/all/forwarding
should return 1


  • Enable firewall logging
  • On the router, ping
  • On a local host, ping the public IP address of the router's local interface (2001:0db8:1f0b:1359::1 in the example configuration).
  • On a local host, ping

6to4, 6rd

(Note: This section lack the 6rd example, so this is for 6to4)

6to4 is a translation mechanism to transform ipv6 packets into IPv4, and back, using specific relay servers.

6rd (rapid deployment) is similar to 6to4 with some restrictions for large ISP routing. However it is only supported in kernel superior or equal to 2.6.33 due to specific routing scheme.

In order for 6to4 to work, you need to install the package 6to4 and kmod-sit available from 10.03.1-rc4.

opkg install 6to4 kmod-sit

If, like me, you are working with 10.03, you can still install by downloading the package from the newer source.

opkg install

:!: Replace brcm47xx with the architecture you are working with.

For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.

An example of /etc/config/network for the ISP "", or any ISP for that matter, may be:

config interface 6rd option proto 6to4 option adv_subnet 1 # Selects the advertised /64 prefix, default 1 if not specified option adv_interface lan

Although there are many more options, most of those (like ipaddress and the advertising interface) are configured automatically by default. Just check out /etc/config/network and search for the paragraph 6to4.

Even radvd and your lan interface is configured automatically by default by taking the lan interface and a /64 prefix of the external IP-range to be routed on. All you need to do is change the ignore 1 on the interface to ignore 0. Also remember to enable radvd (/etc/init.d/radvd enable) before doing ifup on the 6to4 interface. Otherwise the auto configuration of radvd will fail.

My /etc/config/radvd looks as follows:

config interface option interface 'lan' option AdvSendAdvert 1 option AdvManagedFlag 0 option AdvOtherConfigFlag 0 option ignore 0 config prefix option interface 'lan' # If not specified, a non-link-local prefix of the interface is used option prefix \'\' #These are supposed to be 2 single-quotes option AdvOnLink 1 option AdvAutonomous 1 option AdvRouterAddr 0 option ignore 1

To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:

config zone option name 'wan' option network 'wan 6rd' option input REJECT option forward REJECT option output ACCEPT option masq 1

Add the following rules to your /etc/config/firewall to allow incoming encapsulated IPv6 packets:

config 'rule' option 'target' 'ACCEPT' option 'name' '6to4' option 'src' 'wan' option 'proto' '41'

This can also be done via the LuCI webinterface.

(note: option 'target' 'DROP' stealthed the tunnel; did this along along with dropping UDP and ICMP on the UCI firewall configuration)

rem: In my configuration, lan interface did not obtain global ipv6 address automatically, while computers in lan did. Because of this ipv6 sites were available when accessing from router, but were inaccessible from lan. Manually adding global ipv6 address to lan interface solved this issue. For example:

 ifconfig lan-br 2002:a5a6:2131:1::1/64 
for 2002:a5a6:2131::1/16 6rd address

hejnm1am: You need to install package 'ip' to fix this. See Either install 'ip' package or change line 163 in /lib/netifd/proto/ to use ifconfig.

TSP Tunneling

The Tunnel Setup Protocol is used by some tunnel brokers. Gogo6 (ex Freenet6) is one of the most popular and offers free service for individuals.

:!: The packages gw6c and kmod-sit must be installed to use this protocol (e.g.: opkg update && opkg install gw6c kmod-sit).

gw6c is configured through a specific config file: /etc/config/gw6c.

First create a free account on freenet6 here then procede to fill gw6c configuration file on your router.

The example below assumes the user have an account, required to redistribute a prefix on a LAN. The userid/passwd fields must be filled with the above registration credentials.

config gw6c basic #Comment out next line to enable gw6c option disabled 0 #Leave empty if connecting anonymously option userid <YOURFREENET6USERID> option passwd <YOURFREENET6PASSWD> #For anonymous use and #account holders should use option server #auth_method <anonymous|any|passds-3des-1|digest-md5|plain> #Use anonymous with anonymous access and #any if you are account holder option auth_method any config gw6c routing #host_type <host|router> option host_type router option prefixlen 64 option ifprefix br-lan :!: prefixlen 64 did not work for me; prefixlen 56 works ! #DNS server list to which the reverse prefix #will be delegated. Separate servers with : option dns_server config gw6c advanced #Location where to store configuration file option gw6c_conf /tmp/gw6c.conf option gw6c_dir /usr/share/gw6c option auto_retry yes option retry_delay 30 option keepalive yes #keepalive interval option interval 30 #tunnel_mode <v6v4|v6udpv4|v6anyv4|v4v6> option if_tunnel_mode v6anyv4 option if_v6v4 sit1 option if_v6udpv4 tun option if_v4v6 sit0 option client_v4 auto option client_v6 auto option template openwrt option proxy_client no config gw6c broker option broker_list /etc/config/gw6c-broker-list.txt option last_server /etc/config/gw6c-last-server.txt # Always use last known working server? <yes|no> option always_same_serv no config gw6c logging option log_console 0 option log_stderr 1 option log_file 1 #optional, good for debugging option log_syslog 0 option log_filename /var/log/gw6c.log option log_rotation yes #Max size when using log file rotation #possible values: 16|32|128|1024 option log_maxsize 32 #<USER|LOCAL[0-7]> option syslog_facility USER

:!: When installed the program gw6c takes care of a lot of details itself, including radvd configuration : In this case, manual radvd configuration is not requiered: The /etc/config/radvd must be kept disabled.

Start Gateway6 client with the following command: /etc/init.d/gw6c start
Auto-start after Openwrt booted up: /etc/init.d/gw6c enable
Use /etc/init.d/gw6c with reload or restart to load the latest config file.

:!: Firewall (Barrier Breaker): ip6tables does not allow traffic to be forwarded from lan to wan by default (see this forum topic). To get around this, you can insert the following line into /etc/firewall.user (or via Luci Firewall → Custom Rules)

ip6tables -I FORWARD -o sit1 -j ACCEPT

:!: Untested - Please correct as needed

:!: In newest ATTITUDE ADJUSTMENT dependencies might be broken. You might have to check manually if the Packet kmod-sit gets instaleld. If it is missing radvd startscript will fail: INTERFACE_SETUP_FAILED.

NAT64 tunneling

The NAT64 is one technique to provide to the user a routable ipv6 while using a NAT technique to keep access top IPv4 websites (The client may NOT have a routable IPv4 anymore).

Some ISP are experimenting this: AAISP (UK)

:!: to be completed - please help ?

IPv6 on softwire

Some ISPs use so-called 'softwires' to provide IPv6 connectivity (e.g. SFR in France). It's basically L2TP + PPP on top of IPv4, see ipv6.softwire.

Propagate IPv6 subnet to LAN

Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the latter, two options described below exist. Note that when using static WAN connection, you need to add lines

option accept_ra 1
option send_rs	0

to config interface wan section of your /etc/config/network.


The router advertisement daemon (radvd) is fully supported by OpenWRT. Please consult the radvd UCI page, for a full complement of configuration options.

To begin with, install RADVD with:

opkg update && opkg install radvd

The simplest case is static IPv6 affectation:


config interface option interface 'lan' option AdvSendAdvert 1 option AdvLinkMTU 1452 # Optional - only provide if it is also provided in /etc/config/network option ignore 0 # Or delete the line altogether config prefix option interface 'lan' # Optional: only necessary if the lan interface has multiple # global IP addresses assigned to it; or the subnet is larger than /64 option prefix '2001:123:456:789::/64' # Optional option ignore 0 # Or delete the line altogether config 'rdnss' option 'interface' 'lan'

This configuration is sufficient to enable radvd on the router, and broadcast auto-configuration announces (default routes and dns servers) to the clients on LAN.

The MTU specified MUST be identical to the one set in the /etc/config/network section, if provided. If you're connecting through a tunnel, ensure that your MTU matches that of your tunnel. Otherwise, do not provide it.

Don't forget to enable radvd at boot. You can do this in the LuCI web interface at Administration → Services → Initscripts. Look for radvd and check whether it is enabled. To enable radvd at boot and to start radvd right now without rebooting, do

/etc/init.d/radvd enable
/etc/init.d/radvd start

use logread to check for start up messages


This shows you how to set up DHCPv6 so that LAN clients have their IPv6 addresses from a pool, instead of concatenating random numbers, or some function of their MAC address, with your prefix.

First, you need to install a DHCPv6 server

opkg update && opkg install wide-dhcpv6-server

Now enable the server in /etc/config/dhcp6s

config 'dhcp6s' 'basic' option 'enabled' '1' option 'interface' 'br-lan' option 'config_file' '/etc/dhcp6s.conf'

Then create a config file /etc/dhcp6s.conf with something like:

interface br-lan { address-pool pool1 86400; }; pool pool1 { range 2001:123:456:789::1000 to 2001:123:456:789::2000 ; };

This allocates addresses from a pool of 4096 with a lease time of 24 hours.

If you will need static IPv6 (::3000) assigned to host you can specify this with something like:

host somehostname { duid 00:01:02:03:04:05:06:07:08:09:10:11:12:13; address 2001:123:456:789::3000 infinity; };

Where duid is DHCPv6 Client DUID (can be found in Windows at "ipconfig /all" for example).

Finally, you need to change some radvd settings so that it tells clients to use DHCPv6 to get the rest of their settings:

config interface option interface 'lan' option AdvSendAdvert 1 option AdvManagedFlag 1 option AdvOtherConfigFlag 1 option ignore 0

Then restart the services and you're away (hopefully!)


If ps does not show dhcp6s running then you can run it interactively:

dhcp6s -s /etc/dhcp6s.conf -d -f -D br-lan

(where br-lan is your local lan interface). Things to check include:

  1. the network interface (br-lan in the above) does not match
  2. typos in /etc/dhcp6s.conf


This feature is new and not yet supported by UCI. You will need Attitude Adjustment to make this work.

We can use DHCPv6 enabled version of dnsmasq for:

  1. Router advertisement
  2. Configuration of clients
    • SLAAC
    • DHCPv6

With dnsmasq-dhcpv6 you will replace dnsmasq, radvd or wide-dhcpv6-server, depending on your current configuration.

opkg remove dnsmasq
opkg update && opkg install dnsmasq-dhcpv6

Once we have dnsmasq-dhcpv6 installed we need to enable router advertisement and choose in what mode we want to configure clients. For details on modes, see dnsmasq man page. The modes are:

  • ra-only
  • slaac
  • ra-names
  • ra-stateless

Since there is not UCI support yet, we have to add the configuration manually to /etc/dnsmasq.conf file. Configuration in this file is merged with the UCI generated config.


The dhcp-range option defines IPv6 prefix used by clients and configuration mode, here ra-names (SLAAC). Last line enables router advertisement.


  • Your client's global unique IPv6 address has to be generated in SLAAC mode using modified EUI-64 method. Correct address look like this:
  • The global unique IPv6 address has to be pingable from your router. SSH into your router and run:
    • ping 2001:0db8:1f0b:1359:021d:baff:fe06:3764
    • In case you can't ping it, its probably your client's firewall blocking ICMPv6 Echo Requests from 2001:0db8:1f0b:1359::/64 network. You need to make accept rule in the firewall. Note that despite you have no problem to ping fe80::021d:baff:fe06:3764%br-lan, you still have to create the accept rule for the mentioned network.

To see if it works, follow these steps:

  1. Add log-dhcp entry to /etc/dnsmasq.conf config file.
  2. Restart dnsmasq with /etc/init.d/dnsmasq restart.
  3. See if dnsmasq obtained the ping confirmation, and thus was able to add AAAA record to its DNS cache.
    • logread | grep "SLAAC-CONFIRM"
    • This may return something like this if everything is working fine:
      Jul 1 12:00:00 openwrt dnsmasq-dhcp[1957]: SLAAC-CONFIRM(br-lan) 2001:0db8:1f0b:1359:021d:baff:fe06:3764 pc

Directly forward ISP's NDP proxy address to LAN

It can help you, if your ISP give you /64 IPv6 address and radvd,dhcpv6 useless for you. Original idea by user (diway) from openwrt forum This method idea is: bridge wan and lan with filter ipv6 packets options, for direct resolve your adress from provider(ISP).

  • Remove (radvd,dhcpv6,dnsmasqv6)or others that you install early when tryed methods above. And remove that options that you do at configuration files /etc/config/network or otherone (repair "before ipv6 state" of your deivce).
  • Install ipv6 support and ebtables(if you haven't it at your repository, try beta or svn):
opkg update && opkg install kmod-ipv6 ebtables

1. At first determine your WAN interface device name, and correct comands below(change eth0.1 to your WAN device name). Edit /etc/init.d/network, at end of start() section add thoose lines:

ebtables -t broute -A BROUTING -i eth0.1 -p ! ipv6 -j DROP brctl addif br-lan eth0.1

2. At /etc/config/network, make thoose:

Add this on the "config interface lan" section

option accept_ra 1 option send_rs 1

Add this on the "config interface wan" section

option accept_ra 0 option send_rs 0

3. At /etc/config/firewall, make thoose:

Add this to the "config defaults" section

option disable_ipv6 0

4. At /etc/sysctl.conf, make thoose:

Add this at the end to enable firewalling on ipv6 even for bridged interfaces

net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=0

5. If you need IPv6 firewalling ONLY! First install:

opkg update && opkg install kmod-ip6tables ip6tables

Then correct comands below(change eth0.1 to your WAN device name). At /etc/firewall.user, add thoose lines:

# First, delete all: ip6tables -F ip6tables -X # Allow anything on the local link ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT # Allow anything out on the internet ip6tables -A OUTPUT -o eth0.1 -j ACCEPT # Allow Link-Local addresses ip6tables -A INPUT -s fe80::/10 -j ACCEPT ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT # Allow multicast ip6tables -A INPUT -s ff00::/8 -j ACCEPT ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT # Allow ICMPv6 ip6tables -A INPUT -p icmpv6 –icmpv6-type echo-request -j ACCEPT –match limit –limit 30/minute ip6tables -A INPUT -p icmpv6 -j ACCEPT ip6tables -A OUTPUT -p icmpv6 -j ACCEPT ip6tables -A FORWARD -p icmpv6 -m physdev ! –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type echo-request -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type echo-reply -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type neighbor-solicitation -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type neighbor-advertisement -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -p icmpv6 –icmpv6-type router-advertisement -m physdev –physdev-in eth0.1 -j ACCEPT # Allow forwarding ip6tables -A FORWARD -m state –state NEW -m physdev ! –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -m state –state NEW -p tcp –dport 22 -m physdev –physdev-in eth0.1 -j ACCEPT ip6tables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT ip6tables -N DROP ip6tables -A DROP -j REJECT –reject-with icmp6-port-unreachable # Set the default policy ip6tables -A INPUT -j DROP ip6tables -A FORWARD -j DROP ip6tables -A OUTPUT -j DROP

That's all, reboot your router. After check your LAN PCs and roters WAN ipv6 address.

DNS check and configuration

If you can do a succesful ping6 from the router, then obviously your DNSmasq succesfully queries the IPv6 address, and you have IPv6 connectivity.


Though, if you can't do the ping6 above, though you can do a ping6 [2a00:1450:8002::93], then your DNSmasq (or the server from which it queries) does not succesfully query the IPv6 addresses, and you need to fix this problem.


IPv6 only access

:!: (Using an intermediate machine to contact IPv4-only servers)



TAYGA is an out-of-kernel stateless NAT64 implementation for Linux that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel.

First, install tayga:

opkg update && opkg install tayga

Now, create NAT64 interface:

config interface nat64 option proto tayga option ipv4_addr option ipv6_addr 2001:db8:1::7f00:1 option prefix 64:ff9b::/96 option dynamic_pool option accept_ra 0 option send_rs 0

where is your dynamic pool, 64:ff9b::/96 is "unused /96 prefix" and 2001:db8:1::/64 is your IPv6 prefix used in LAN.

Don't forget to add this interface to LAN firewall zone.

ifup tayga && ping6 64:ff9b::


DNS64 is a special mechanism, that returns AAAA records for hosts that only have A records. ATTENTION! This breaks DNSSEC!

ISC bind supports DNS64 since version 9.8.0.

opkg update && opkg install bind-server bind-host

Modify default configuration (/etc/bind/named.conf):

acl rfc1918 { 10/8; 192.168/16; 172.16/12; }; options { directory "/tmp"; auth-nxdomain no; # conform to RFC1035 allow-query { localnets; localhost; }; listen-on { any; }; listen-on-v6 { any; }; dns64 64:ff9b::/96 { clients { any; }; mapped { !rfc1918; any; }; exclude { 64:ff9b::/96; ::ffff:0000:0000/96; }; suffix ::; }; edns-udp-size 512; max-udp-size 512; };

# /etc/init.d/bind restart

Point your resolver to (or ::1) and try it:

# host has address has IPv6 address 64:ff9b::c257:32 mail is handled by 5 # host is an alias for has address has IPv6 address 2001:200:dff:fff1:216:3eff:feb1:44d7

Normal AAAA records are returned for hosts that have it and translated ones for those who don't.



Privacy Extensions

Microsoft Windows

Privacy extensions are enabled by default. Correct working of some services sometimes require disabling part or all privacy extensions.

Disabling privacy extensions for global IPv6 addresses

With this settings the Windows client will obtain modified EUI-64 global unique address, while it will also generate global temporary IPv6 address. This is recommended setup, because you only make public your MAC address, but your privacy is retained (you won't be easily traceable by your IP).

  • One time settings (reseted with reboot):
    • netsh interface ipv6 set global randomizeidentifiers=disabled store=active
  • Permanent settings:
    • netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
  • Current settings can be viewed with:
    • netsh interface ipv6 show global store=active
      netsh interface ipv6 show global store=persistent
Disabling privacy extensions for all IPv6 addresses

This settings disables all privacy extensions. Your global unique IPv6 address will be generated using modified EUI-64 method and your global temporary IPv6 address will be disabled. Your MAC address is made public and :!: you will be easily traceable.

  • One time settings (reseted with reboot):
    • netsh interface ipv6 set privacy state=disabled store=active
  • Permanent settings:
    • netsh interface ipv6 set privacy state=disabled store=persistent
  • Current settings can be viewed with:
    • netsh interface ipv6 show privacy store=active
      netsh interface ipv6 show privacy store=persistent


Packet filter

Warning No1: There is no NAT in IPv6. While NAT was never intended as a security feature, it did nonetheless serve as one, because unless you specified portforwardings the ports were unavailable. However, the same level of security can be achieved by setting the policies to DROP and inserting -j ACCEPT -m conntrack –ctstate ESTABLISHED,RELATED at the beginning of the chains.
Warning No2: IPv6 specs demand, that Path MTU Discovery is working correctly because a packet fragmentation is not being performed! So if you configure your packet filter like an imbecile and drop all ICMPv6 packets without distinguishing, you will break this functionality and funny things will occur! Cf. → RFC4890 – ICMPv6 Filtering Recommendations
Note: firewall v1 (e.g. still in Backfire 10.03.1-rc4 and up to r25353) has no default rules at all and ip6tables configuration needs to be done from scratch. Insert the rules below to make the packet filter function properly.
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j REJECT
doc/howto/ipv6.txt · Last modified: 2015/09/28 01:51 by tmomas