Once in a while my IPv6 privacy extension stops working in my Debian server and it never works until the interface is restarted. I use a script to check if privacy extension is working and if not I use systemctl restart networking to restart the interface. I do not like doing this because it disconnects all active connections. Is there any better way to force restart the privacy extension system without interface restart?

Problem starts when the modem loses Internet for few minutes but the prefix remains the same. It could be a problem with the Linux kernel.

Is there a dataset availabel for ISPs that periodically change the IPv6 prefix assigned to customers? Or is there a way to measure it?

Hi!

Trying to get smartphone WiFi clients to connect and stay connected to an IPv6-only network I find myself configuring Option 108 in ISC DHCP Server which is easy enough, but I can’t seem to find how to get it to signal Option 108 without also offering an IPv4.

If this is really unavoidable, may I ask for your insights on how to best do this?

For example I am tempted to use the 192.0.0.0/24 range but that might conflict with actual 464XLAT already in use within the phones, or the 169.254.0.0/16 range as a much bigger pool of sacrificial addresses but I suspect some software might conflate APIPA with lack of connectivity…

I also tried setting the IPv4 max lease time to only a few seconds (while keeping Option 108 to a high value) but then clients just disconnect after a few seconds too.

I guess it shouldn’t matter if clients released their IPv4 as soon as they honor Option 108 but looking at Wireshark they accept the offer and then just continue with IPv6 without releasing the IPv4 address.

I've run into a weird issue after setting up Pihole on my network. Here's the rundown:

• Pihole works great for IPv4. No issues there.
• IPv6 is the problem child. My ISP router was in Stateless Mode, and I set the Pihole's IPv6 address as the DNS. Windows picked it up, but Android devices stuck with the router's IPv6 address as the DNS.
• Android lacks DHCPv6 support. Some research confirmed this.
• Solution... sort of. Enabled IPv6 support (SLAAC + RA) on Pihole and switched the router to Stateful Mode. Android devices are now happy.
• Windows is now unhappy. The IPv6 DNS shows up on my laptop briefly after connecting to wifi, then vanishes.

Here are the relevant router settings:

Router IPv6 Lan Settings. DHCP Modes include: DHCPv6 Server, DHCPv6 Relay, None.

RA settings. Advertise Modes include: Unsolicited Multicast, Unicast only.

Additional Notes:

• Windows does get an IPv6 address and can ping within the LAN, but it can't reach external IPv6 addresses (like Cloudflare's DNS).
• Disabling IPv6 isn't really an option, since that's my only public-facing address from the ISP, and I selfhost some services on there.

What am I doing wrong? What do I need to change in the settings so that Android and Windows can both get IPv6 addresses and IPv6 DNS? Any insights or suggestions from IPv6 gurus out here would be much appreciated!

vultr.com cheapest option says it is "ipv6 only", I only need this to host portfolio applications, am I going to have any issue if I proceed this way?

After much searching, I can't find a good solution. 99% of the results are people trying to disable ipv6, this really clutters up my search results for "ipv6 disabled on restart" or other searches to that effect...

Anyways, it's not a huge deal but after reboots, and seems like some wake-ups, I have to go into the adapter settings and click the "ipv6" to turn it back on.

How do I get the setting to stay activated?!

When activated it works great, just won't persist after reboots and sometimes wake from sleep.

Thanks for any help!

Edit: In my case, the culprit was my VPN (ProtonVPN). Specifically, I have "IPv6 leave protection" turned on, disabling this fixed this issue. However, with IPv6 support coming to Proton VPN, and now understanding the culprit, I re-enabled the feature.

My ISP supports IPv6, but I have disabled this on my Asus Router (Merlin firmware), because of DNS resolve issues. It works fine on IPv4 only.

It would be great to set a static IPv6 for my AdguardHome instance and force other devices to use both IPv4+IPv6 for it.

Is this possible? I don't see any page on my Asus Router to configure static IPv6 leases. If I understand correctly, you can get a direct IPv6 from your ISP, but force the internal DNS right? I also want to use it for internal DNS name entries, which does work fine on IPv4.

Thanks!

.

All, More questions. So I have a /127 given to me by my isp. I’ve also been given a /40 from arin. I am using a l3 switch with an iOS similar to Cisco cli. I’m trying to route my /40 to the /127 transit network and can’t figure it out. The isp is giving me access vlan x. I have my LAN in vlan y with the /40. I can reach the switch remotely with the /127, but can’t get past that to my internal LAN. I have a static route pointing to the /127, but when I check vlan interfaces my internal is not up. Can’t seem to get it up. Thank you for any help!

I discovered that if you know all the ipv6 address of a site then you can add them to your c:\windows\system32\drivers\etc\hosts file and then you can browse that site with ipv6 only so I was wondering if anyone know all the ipv6 addresses that tumblr.com uses? cause I see that it has ipv6 record for mx & nameserver.

If i would be running an IPv6-only environment with NAT64/DNS64 and i my application would log connected IP's. When i would connect from my home IPv4 network, to the application which is in the IPv6 only network, for over example ssh. Would it show the translated IP prefix::IPv4 adres? as well as would its source be the gateway due to it being translated there?

Hey there,

I'm seeking advice on configuring an IP token for a MacBook within my LAN.

In my setup, all LAN clients are Linux machines, each with an individual IPv6 token. These tokens are utilized to generate IPv6 addresses in accordance with the prefix provided by router advertisements. Additionally, these machines generate "random" temporary addresses for outgoing connections, yet they remain accessible via their "static" token suffix.

For instance, within my LAN, the ULA prefix is fd:f00::/64. With a token of ::42, a Linux client would generate the address fd:f00::42/64. Similarly, for internet connections, clients utilize static addresses in the format 20a2:foo:bar::token/64, while temporary addresses like 20a2:foo:bar::random/64 are generated for outgoing connections.

I'm curious about setting up a similar configuration on my wife's MacBook. Unfortunately, macOS lacks the "ip" command, and my searches in the GUI haven't yielded any success.

Any insights or guidance would be greatly appreciated!

Recently I've been noticing that browsers and clients devices in general seem to prefer IPv4 over IPv6, as I stated on a previous post my ISP delegates my OpenWrt a dynamic /64 prefix over DHCPv6 that is routable from the internet but their network uses MPLS so each prefix or even IP on my network gets a different routing policy.

​

sudo traceroute -eA --back 2001:4860:4860::8888
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  2800:bf0:174:11d7::1 (2800:bf0:174:11d7::1) [AS27947]  0.513 ms  0.424 ms  0.365 ms
 2  2800:bf0:1fff:f4a0::1 (2800:bf0:1fff:f4a0::1) [AS27947]  7.806 ms  7.735 ms  8.796 ms
 3  * * *
 4  ::ffff:10.201.222.36 (::ffff:10.201.222.36) [*] <MPLS:L=49710,E=0,S=0,T=1/L=48725,E=0,S=1,T=1> '-5'  2.589 ms  2.557 ms  2.448 ms
 5  ::ffff:10.201.222.24 (::ffff:10.201.222.24) [*] <MPLS:L=50148,E=0,S=0,T=1/L=48725,E=0,S=1,T=2>  2.331 ms  2.217 ms  2.104 ms
 6  2607:f8b0:830c::1 (2607:f8b0:830c::1) [AS15169] '-10'  99.581 ms 2607:f8b0:82a4::1 (2607:f8b0:82a4::1) [AS15169] '-9'  89.497 ms 2607:f8b0:84c2::1 (2607:f8b0:84c2::1) [AS15169] '-9'  88.612 ms
 7  dns.google (2001:4860:4860::8888) [AS15169] '-12'  87.634 ms  86.877 ms  87.022 ms

​

sudo traceroute -eA --back 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  homelab-router.lan (10.1.0.1) [*]  0.301 ms  0.206 ms  0.103 ms
 2  186.33.134.1 (186.33.134.1) [AS27947]  8.605 ms  8.521 ms  8.405 ms
 3  10.224.11.10 (10.224.11.10) [*]  2.162 ms  2.309 ms  2.291 ms
 4  10.201.222.36 (10.201.222.36) [*] <MPLS:L=49710,E=0,S=0,T=1/L=49535,E=0,S=1,T=1> '-5'  2.037 ms  2.000 ms  1.911 ms
 5  10.201.222.24 (10.201.222.24) [*] <MPLS:L=50148,E=0,S=0,T=1/L=49535,E=0,S=1,T=2>  1.913 ms  1.815 ms  1.791 ms
 6  * * *
 7  dns.google (8.8.8.8) [AS15169] '-11'  13.112 ms  14.499 ms  12.951 ms

​

https://preview.redd.it/yjefai0ys3rc1.png?width=1624&format=png&auto=webp&s=f461d55930fe708da2f883b1bbcab568cb7e623d

https://preview.redd.it/0dsa97y0t3rc1.png?width=1624&format=png&auto=webp&s=b186df04e1ee0efee92645adf1dc225f3fd67c42

https://preview.redd.it/zt0iywn1t3rc1.png?width=1624&format=png&auto=webp&s=3ad6d8bce4c4bb48e853aa6fa69d7be0ebce17cf

I have tried emailing their support but they just ignore me.

I found this pretty surprising, I noticed that I was not having a public IPv6 address when I tried out http://test-ipv6.com/ and then when I dug into the options I saw the fact that Mullvad defaults to turning off IPv6 and even recommends not turning it on..

https://reddit.com/link/1bpqo83/video/vxv4qqr4f1rc1/player

All, I’ve just had a 10G fiber installed, and I’m given a /127. No ipv4. I’ve been trying to setup my router to do some sort of translation (nat64) so that I can reach ipv4 only domains. Anyone have experience doing this? The l3 switch I’m using is a fs 5860. Any configuration help would be greatly appreciated.

So this may be more of an r/mikrotik question since that’s my router. But here’s the issue. I’ve asked my ISP for a ipv6 prefix and they don’t support it. Oh well. But the other thing I’m trying to do is setup some stuff on AWS and they’ve updated policy to charge for v4 public addresses. So I want to do those “The right way” and use as little v4 as possible.

The issue I’m running into is I can not ping or connect to ipv6 at all on my home lan. I presume I need to setup lan v6 (I think it’s fc30:: or something? I have it written down) and then some NAT protocol to translate local v6 to my wan’s v4 with an ephemeral port. But I can’t find any documentation on how to do that and what protocol I would need to implement.

Or is this all crazy?

Hello,

I am working for a business with multiples sites located on multiple continents. Each site, depending on its size, can have a different connection setup.

We are going to ask for a /32 to every RIRs where we are geographically attached. I am wondering if it will be well accepted/easy to request from our ISPs to advertise our sub-prefixes ?

I am refering to the situation where there is no eBGP session with them.

Thanks,
R

I just changed isp’s and now I only have an ipv4 address. The strange thing is that the new isp uses the same network as the old one and with the old one I got ipv6. Is there any way I could get ipv6 back ?

Edit: the isp is orange belgium

I am converting a BitTorrent container setup from docker-compose to Kubernetes (bare metal), however, according to curl -6 ifconfig.co from inside the Transmission pod, Kubernetes is leaking my IPv6 address where the docker containers aren't.

The wg0 file, docker-compose.yaml, and deployment.yaml files are here for reference: https://pasteb.in/?86d4650734930bb9#5QHc5mpM8xw9dUWsv1NbpmzATRRLbpotkb8Ny8emuuhu

I am new to Kubernetes--I've had a friend holding my hand through the transition from Docker so far. This is one of the last container sets I have to convert, but my friend has very little direct CNI/IPv6 experience and isn't sure how to crack this one. I am using Calico as a CNI.

Host networking isn't a viable solution as my server's entire connection to the internet would then be captured by the VPN, which would complicate hosting other services.

Thanks for your help!

Edit: I feel a bit stupid now, but the problem was that the VPN container was taking a long time to connect to the server, so I was passing the curl command before the tunnel was established. Once the tunnel is established, I get a different IPv6 address from curl.

https://whynoipv6.com/

Also Google's IPv6 statistics have been broken for a month now. https://www.google.com/intl/en/ipv6/statistics.html

I have several business sites, VPS systems and dedicated servers, all of which have complementary IPv6 allocations, typically as a /48 or /56 though occasionally just a /64. Today I was quoted $768/yr for a single /64 subnet for a dedicated server from its respective datacenter owner. Is resale of IPv6 allocation even permissible by ARIN terms of service? I was under the impression that IPv6 addresses were to be allocated, not sold.

EDIT 1: lots of scrutiny about the colloquial use of the words “resale” and “sold”. Yes it’s a lease, rental, service charge - whatever you would like to call it. The salient point is they want me to exchange money for something that is typically free, and by my understanding, the amount quoted significantly exceeds their total annual ARIN fees for their entire IPv6 allocation, which is why I am perplexed. I have never seen any fees for IPv6.

IPv6 addresses are hard to remember, so what I'm looking for is a piece of software that after being allocated role names, classes of roles names, and subnet divisions or allocations according to the class of the roles, can allocate IP addresses for host names without knowing the exact details of the IP addresses, but can be queried to provide them.

eg. if I request a name such as docker.webserver.proxy.doodah.001 the software will allocate an IP address or an address range for docker.webserver.proxy.doodah automatically, and will allocate IPs for virtual hosts or other services running on the host or the hosts in that range.

The idea is that I control the whole network, routers, switches and all, right up to BGP. Once I determine that a service needs to be provided within a particular subnet at some particular physical or virtual location, then based on the name and type of the service provided, the IP address and or range is allocated and routed accordingly, with DNS being setup as well.

I'm not interested in anything complicated. IPv6 address are too awkward to remember. All I need is a tool that allocates IP addresses from a range based on the hostname. The rules-derived host names alone should be enough, with the rule-based nature ensuring no conflicts with host name or IPs allocated.

I may not have explained myself well enough, but I'm sure software like that already exists, and there may be a package that implements it.

This seems to be question where the title seems to be clearer than the explanatory text.

In a post on /r/FiOS last November, user /u/sdrawkcab25 wrote:

Just FYI there will be a firmware update sent this month (tentatively) to all Nokia ONTs that is designed to fix the IPv6 bug with Intel devices.

No further information about such an update appears available in the public sphere, so far. If true, such an update would suggest that the frame-padding behavior of the Nokia ONTs was more at fault than the default driver settings of the Intel NICs.

I am running a WireGuard server in Kubernetes on Ubuntu Server 23 with host networking. While IPv4 works, I need help figuring out why IPv6 traffic isn't leaving the container. For example, as a wireguard client, a traceroute6 shows that traffic reaches the wireguard server at 2601:204:b00b:42c::1, but this IPv6 traffic never makes it to the host machine's LAN interface at enp3s0. Running tcpdump yields similar results: IPv6 traffic appears on wg0, but not on enp3s0.

I've obfuscated my prefix for privacy reasons; unfortunately, my prefix does not contain 'b00b'.

I should also mention that these configs worked just fine in Docker, so it's not a matter of the configs being wrong or not being a valid prefix. It's only after porting to k8s that IPv6 stopped working.

Here is the wireguard config:

[Interface]

Address = 10.14.14.1, 2601:204:b00b:42c::1

ListenPort = 51820

MTU = 1300

PrivateKey =

PostUp = iptables -A FORWARD -i enp3s0 -j ACCEPT

PostUp = iptables -A FORWARD -o enp3s0 -j ACCEPT

PostUp = iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE

PostUp = ip6tables -A FORWARD -i enp3s0 -j ACCEPT

PostUp = ip6tables -A FORWARD -o enp3s0 -j ACCEPT

PostUp = ip6tables -A FORWARD -i wg0 -o enp3s0 -j ACCEPT

PostDown = iptables -D FORWARD -i enp3s0 -j ACCEPT

PostDown = iptables -D FORWARD -o enp3s0 -j ACCEPT

PostDown = iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

PostDown = ip6tables -D FORWARD -i enp3s0 -j ACCEPT

PostDown = ip6tables -D FORWARD -o enp3s0 -j ACCEPT

PostDown = ip6tables -D FORWARD -i wg0 -o enp3s0 -j ACCEPT

​

[Peer]

# peer_pphone

PublicKey =

PresharedKey =

AllowedIPs = 10.14.14.2/32, 2601:204:b00b:42c::2/128

PersistentKeepalive = 25

​

...and an exmaple client config:

[Interface]

Address = 10.14.14.2, 2601:204:b00b:42c::2

PrivateKey =

ListenPort = 51820

DNS = 75.75.75.75,75.75.76.76,2001:558:feed::1,2001:558:feed::2

​

[Peer]

PublicKey =

PresharedKey =

Endpoint = my.webaddr.com:21421

AllowedIPs = 0.0.0.0/0, ::/0

​

Here is the output of 'ip -c -6 route show' on the wireguard host:

​

::1 dev lo proto kernel metric 256 pref medium

2601:204:b00b:420::/64 dev enp3s0 proto ra metric 100 expires 3595sec pref medium

2601:204:b00b:42c::1 dev wg0 proto kernel metric 256 pref medium

2601:204:b00b:42c::2 dev wg0 metric 1024 pref medium

2601:204:b00b:42c::3 dev wg0 metric 1024 pref medium

2601:204:b00b:42c::4 dev wg0 metric 1024 pref medium

2601:204:b00b:42c::5 dev wg0 metric 1024 pref medium

2601:204:b00b:42c::6 dev wg0 metric 1024 pref medium

fd2b:938d:7743:1::/64 proto ra metric 100 expires 1343sec pref medium

`nexthop via fe80::d358:7828:fa79:4a97 dev enp3s0 weight 1` 

`nexthop via fe80::d9c7:c6cc:58c8:1181 dev enp3s0 weight 1` 

fe80::/64 dev enp3s0 proto kernel metric 256 pref medium

fe80::/64 dev br-45b26225ad0a proto kernel metric 256 linkdown pref medium

fe80::/64 dev br-4d301d3707dd proto kernel metric 256 pref medium

fe80::/64 dev br-8745f19da673 proto kernel metric 256 pref medium

fe80::/64 dev vethca97195 proto kernel metric 256 pref medium

fe80::/64 dev br-d9ec277ec93b proto kernel metric 256 pref medium

fe80::/64 dev veth3e9a2b2 proto kernel metric 256 pref medium

fe80::/64 dev br-3606b1dbef9e proto kernel metric 256 pref medium

fe80::/64 dev veth5f2e53f proto kernel metric 256 pref medium

fe80::/64 dev br-8a6e7b3004eb proto kernel metric 256 pref medium

fe80::/64 dev veth42b0ce5 proto kernel metric 256 pref medium

fe80::/64 dev veth4730c27 proto kernel metric 256 pref medium

fe80::/64 dev cali151eafd1c9f proto kernel metric 256 pref medium

fe80::/64 dev calia50db85314e proto kernel metric 256 pref medium

fe80::/64 dev calib00d4512918 proto kernel metric 256 pref medium

fe80::/64 dev cali2018d45df2e proto kernel metric 256 pref medium

fe80::/64 dev cali339a2a73fab proto kernel metric 256 pref medium

fe80::/64 dev calia28aed46668 proto kernel metric 256 pref medium

fe80::/64 dev cali5d667b293c0 proto kernel metric 256 pref medium

fe80::/64 dev calia8fc0d7cff4 proto kernel metric 256 pref medium

fe80::/64 dev calif47c6967706 proto kernel metric 256 pref medium

fe80::/64 dev caliaeb0ffaab04 proto kernel metric 256 pref medium

fe80::/64 dev caliaf5a7cc0076 proto kernel metric 256 pref medium

fe80::/64 dev cali4497ec7f2ec proto kernel metric 256 pref medium

fe80::/64 dev calic7ba6791d16 proto kernel metric 256 pref medium

fe80::/64 dev veth3c7f6d9 proto kernel metric 256 pref medium

default via fe80::6cf2:67ff:fed0:9b95 dev enp3s0 proto ra metric 100 expires 1795sec pref medium

​

Here is the relevant firewall zone definition:

​

trusted (active)

target: ACCEPT

icmp-block-inversion: no

interfaces: enp3s0 wg0

sources: 2601:204:b00b:420::/64 2601:204:b00b:42c::/64 10.14.14.0/24 10.0.0.0/24 192.168.0.0/16

services:

ports:

protocols:

forward: yes

masquerade: no

forward-ports:

source-ports:

icmp-blocks:

rich rules:

​

Confirmation that ipv6 forwarding is enabled on the host system:

-> % cat /proc/sys/net/ipv6/conf/all/forwarding

1

​

And last but not least, here is the Kubernetes deployment:

​

apiVersion: apps/v1

kind: Deployment

metadata:

name: wireguard

spec:

selector:

matchLabels:

app: wireguard

replicas: 1

template:

metadata:

labels:

app: wireguard

spec:

nodeSelector:

kubernetes.io/hostname: obsidiana

hostNetwork: true

containers:

- name: wireguard

image: linuxserver/wireguard:latest

securityContext:

privileged: true

capabilities:

add:

- NET_ADMIN

- SYS_MODULE

volumeMounts:

- name: wireguard-configfiles

mountPath: /config

- name: lib-modules

mountPath: /lib/modules

envFrom:

- configMapRef:

name: wireguard-config

volumes:

- name: wireguard-configfiles

hostPath:

path: /srv/wireguard/config

- name: lib-modules

hostPath:

path: /lib/modules

We make various embedded systems that currently support IPv4. We are in the early stages of adding support for IPv6 for our US government and other customers.

Is Dual-stack (support for both at the same time) pretty standard, and required, or can we do only IPv4 and only IPv6 - but not both at the same time?

Sorry if this is a really naive question.

Hi,

Would like to implement ULA for address stability. Right now I’m explicitly using GUA and have manually defined addresses for all vlan interfaces and a static route to and from firewall and L3 switch. RA takes care of assigning addresses for everything else.

I know that I could replicate the same with ULAs to have both GUA and ULA address assigned to each device but what I don’t understand is when my GUA prefix changes, I’ll have to reconfigure each of the manually assigned GUA addresses anyway no? Or is there a better way?

Links:

• https://www.bottlecaps.de/index/
• https://www.bottlecaps.de/rex/

Germany is now at 72% IPv6 adoption according to Google (and rising), so only 28% of users from Germany can't access the website (which is presumably mostly used by German users).

To compare, big tech companies started dropping support for Internet Explorer 6 in 2010, back when it still had a global market share of around 10%.

So I have 2 routers, the main one is quite far away and secondary one is connected through ethernet and also is used by 2 pc. My isp provides faster internet speed when connected to ipv6 but I'm only able to access that speed on my main router since I can't figure out how to get ipv6 on my second router. Can anyone help with this? I'm also a noob at these stuff.

Hi,

I don't post often so apolgies if i missed any rules:

​

I am student doing an internship project, regarding an IPv4 to dualstack enviornment migration. I am a bit overwhelmed by the amount of availble paths

to take within IPv6 and my networking skills are still rather lacking. My recent post it was quite vague, so this is my attempt about being a bit more clear.

I am hoping for a bit of peer feedback about my current decisions.

​

A bit of background about the current situation;

It think the best description is a small/medium sized company with a focus on different SAAS projects. The actual running hardware the standard Small business

topology Firewall, Routers, loadbalancers, switch, storage server and virtualmachine hosting servers. I can distribute a /32.

​

- Im considering using the [prefix]:[prefix]:[location]:[VLAN]:[host]:[host]:[host]:[host] as form of notation

currently.

- My plan is using decimal notation for the VLAN numbers. Because using their Hexadecimal counterpart seems te reduce readability alot, while

the downside of using subnet range seems minimal considering the insane amount adresses available anyways.

- I am considering to make a a separate subnet for the loadbalancer. something like a /52, Because the only other options seems to give everyloadbalancer

a IP in the range of each subnet? My colleague brought this idea because of the loadbalancers difference with handeling L4 and L7 traffic and the X-Forwarded-For header.

However i don't quite seem to grasp issue fully yet.

- We currently have a jail & test VLAN. I am considering just giving this it own /48, to separate it even more. Personally this seems like a wise decision.

this one is just on here for some peer feedback.

- For workstation SLAAC seems fine for distribution, Or is DHCPv6 a major benefit even for smaller companies?

- Can SLAAC also be considerd for the roll out of Servers adresses or is a static IP roll out with ansible a wiser

solution for this. (I know it also depends on the server a bit, bit in general).

- Lastly are there any lessons learned by your Dualstack implementation that you think are worth sharing?

​

​

​