Running IPv6 in practice

Posted by gribozavr on Wed 3 Feb 2010 at 08:39

Many articles tell us about about initial setup of IPv6 and are completely silent about what to do next. Thus, I wanted to share my own experience.

Register a tunnel

Go to Hurricane Electric and register. Enter your external IPv4 address and choose a tunnel endpoint close to you. You will be allocated a /64 IPv6 address block for the tunnel that has two special addresses: 1 is server, 2 is client.

If you have a LAN and you want to configure IPv6 on each computer in LAN, request a routed /64 IPv6 block. If you have multiple LANs behind your router, then request a routed /48 block. All allocated networks will be routed through your router.

Configure IPv6

Now you need to configure a tunnel interface he-ipv6 (you can choose any name). Append the following stanza to /etc/network/interfaces (in place of the variables put your external IPv4 and tunnel IPv6 addresses):

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
        address $CLIENT_IPv6
        netmask 64
        endpoint $SERVER_IPv4
        local $CLIENT_IPv4
        gateway $SERVER_IPv6
        ttl 64

Now bring the interface up and test the connection:

# ifup he-ipv6
# ping -n

DNS and Google

Unfortunately, is the Google domain that has AAAA records in public DNS. Because of too many misconfigured computers out there people could experience delays while using Google's services. The delay appears when a misconfigured client waits for a reply from an unreachable IPv6 server.

But for ISPs that have deployed IPv6 and are "capable enough" Google can provide a DNS server with AAAA records. Hurricane Electric has made the required arrangements. Their DNS server is 2001:470:20::2. You can either add that server to /etc/resolv.conf or configure a caching DNS server, such as bind and win a bit of speed.

I recommend doing the latter. There are two approaches to configure bind in this situation: you can either resolve only Google's domains through HE's server (and other domains through you ISP's server) or you can use HE's server for everything. I don't have a list of Google's domains, so we'll set up HE's server as a forwarder for bind.

Install package bind9 and edit /etc/bind/named.conf.options:

acl mynetworks {
  localhost;;           // your LAN via IPv4
  2001:XXXX:XXXX:XXXX::/64; // your tunnel IPv6 /64
  2001:XXXX:XXXX:XXXX::/64; // your routed IPv6 /64
  2001:XXXX:XXXX::/48;      // your routed IPv6 /48, if it exists

options {
  directory "/var/cache/bind";

  allow-query { mynetworks; };

  forwarders {

  auth-nxdomain no;
  listen-on-v6 { any; };

Restart bind and test it:

# dig +short @::1 AAAA
And configure your system to use it: enter in /etc/resolv.conf:
nameserver ::1

If you don't have a LAN, skip to firewall configuration section.


It is easiest to use stateless autoconfigutation to set up IPv6 on LAN. It is like DHCP, but the server doesn't keep track of addresses that were given out. The idea is the same: you give a server a /64 IPv6 net and the server offers clients to configure themselves for this network. Clients will get unique addresses based on their hardware Ethernet address.

Let eth0 be LAN interface and eth1 -- ISP interface. So far only he-ip6 interface has a global IPv6 address. eth0 also needs an IPv6 address so that clients would be able to talk to server. We could make a bridge of he-ipv6 and eth0 and use a single tunnel /64 network for everything, but that would be a more complex configuration than we can achieve. Or we could split a /64 into two /65's, but then stateless autoconfiguration won't work (and it is forbidden by RFC to have prefixes longer than 64 in global unicast address space, although it would technically work). That's why you've requested an additional routed /64 network -- it will be used on LAN. Let the routed /64 network be 2001:XXXX:YYYY:ZZZZ::/64.

If you have multiple LANs behind your router, then you should have requested a /48 network. CIDR principles apply to IPv6 the same way as in IPv4. You can subnet your /48 into 65536 /64's. That is, if you were assigned 2001:XXXX:YYYY::/48, then you can use 2001:XXXX:YYYY:1::/64, 2001:XXXX:YYYY:2::/64 and so on for every subnet. It is trivial to modify the following example to work in a multiple-LAN situation, so I won't discuss this further.

So, 1 LAN behind your router and its network subnet is 2001:XXXX:YYYY:ZZZZ::/64. Append to /etc/network/interfaces:

iface eth0 inet6 static
        address 2001:XXXX:YYYY:ZZZZ::1
        netmask 64

Install radvd package (stateless autoconfiguration daemon) and create its configuration file /etc/radvd.conf:

interface eth0
  AdvSendAdvert on;
  MaxRtrAdvInterval 30;

  prefix 2001:XXXX:YYYY:ZZZZ::1/64
    AdvOnLink on;
    AdvAutonomous on;
    AdvRouterAddr off;
    AdvValidLifetime 300;
    AdvPreferredLifetime 120;

Turn on forwarding for IPv6 in /etc/sysctl.conf:

And load new settings:
# sysctl -p

Now restart radvd:

# invoke-rc.d radvd restart
After this, all IPv6-capable computers on LAN will get an IPv6 address and gateway automatically (of course, if accepting route advertisements is enabled, but that is default). You can monitor the process on server with
# radvdump
and on client with
$ ip -6 addr

Stateless autoconfiguration does not deal with DNS settings, so you'll have to configure the resolver on clients manually (or via DHCP for IPv4, you should probably have that already).


Automatically configured IPv6 addresses are based on hardware Ethernet addresses and look like this: 2001:db8:d4b6:1:215:f2ff:fe55:2d85 -- hard to work with, impossible to remember. Multicast DNS comes to the rescue. Avahi is an open-source implementation of multicast DNS.

Install avahi-daemon and avahi-utils on every computer in LAN. Ensure that /etc/avahi/avahi-daemon.conf has the following lines to make Avahi will care about IPv6:

Restart avahi-daemon if needed. After that all computers in LAN will get names based on their hostnames, like hostname.local. But, by default these names will resolve into IPv4 addresses. To make IPv6 default, edit resolver configuration file /etc/nsswitch.conf. Replace line
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
hosts: files mdns_minimal [NOTFOUND=return] dns mdns

You can list all "records" in multicast DNS with:

$ avahi-browse -r -a

Squid and IPv6

If you were using squid, of course you'll want it to work properly with IPv6 sites, too. Squid got proper IPv6 support only around 3.1.0.x version. Currently 3.1 is beta, so you can find it in experimental. For me it works great for 4 months already, and I hope it will for you too. Just add all your allocated IPv6 blocks to ACLs as you did with IPv4.

IPv6 firewall

In IPv4 days NAT was enough to protect unsuspecting client computers from bad guys on the Internet. But now all client computers have got global routable IPv6 addresses and they need to be protected. The protection boils down to rejecting all incoming connections to the client subnet except a to few allowed ports.

ip6tables is not much that different from iptables, it is even easier: no NAT, no port forwarding. Nevertheless, after I started writing a second firewall script I felt that I'm doing duplicate work. I tried to combine IPv4 and IPv6 rules in a single script that calls both iptables and ip6tables.

The script itself is targeted at a very common network configuration with a single Internet connection and a single LAN behind the router. IPv4: packet filtering for the firewall host itself, NAT, port forwarding. IPv6: packet filtering for the firewall host and the LAN. Here's the result: rc.firewall (there is local copy here too).



Posted by madduck (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Wed 3 Feb 2010 at 10:12

[ Parent | Reply to this comment ]

Posted by aantigua (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Thu 4 Feb 2010 at 02:05
Nice article!! I have a couple of Debian boxes on my LAN getting IPv6 from HE... nice tunnel broker!!! maybe the best at this moment.

[ Parent | Reply to this comment ]

Posted by Anonymous (58.108.xx.xx) on Thu 4 Feb 2010 at 03:05

Thanks for sharing.

[ Parent | Reply to this comment ]

Posted by Zombie (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Thu 4 Feb 2010 at 04:44
Great article.
Running Bind just for a DNS forwarder is overkill IMHO. I did it with dnsmasq.
My dnsmasq.conf:


[ Parent | Reply to this comment ]

Posted by rm (2002:0xx:0xx:0xxx:0xxx:0xxx:xx) on Thu 4 Feb 2010 at 04:53
You do not need to "request a routed /64 IPv6 block" - it is automatically provided by default on every tunnel. It is the /48 block that needs to be requested (if you want it).

[ Parent | Reply to this comment ]

Posted by Anonymous (91.99.xx.xx) on Thu 4 Feb 2010 at 21:19
Thanks for good article
I am confused, Is it possible by this tunnel to reach servers with IPv4??

[ Parent | Reply to this comment ]

Posted by gribozavr (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Fri 5 Feb 2010 at 03:14
It is not possible because HE gives you only IPv6 blocks (and does not assign you an IPv4 address). Conventional ISPs in the near future should give IPv6 addresses as well as an IPv4 one or set up some means of protocol translation.

[ Parent | Reply to this comment ]

Posted by Anonymous (217.216.xx.xx) on Thu 4 Feb 2010 at 23:34

[ Parent | Reply to this comment ]

Posted by Anonymous (87.97.xx.xx) on Sun 7 Feb 2010 at 17:42
Coming in fashion huh?
On the contrary, people seems don't care about it anymore. IPV6 was mostly used by irc kiddies at the beginning and still is. Don't tell me that your company upgrades to ipv6 or anyone uses it except Chinese cellphone makers cause it's not true.
Just because some monkey such as Carolyn Duffy Marsan tries to get a name by writing crap articles it doesn't mean that there is much of a truth behind it...

[ Parent | Reply to this comment ]

Posted by Anonymous (217.216.xx.xx) on Mon 8 Feb 2010 at 17:45
I strongly disagree with you, sir.

Time will tell.

[ Parent | Reply to this comment ]

Posted by AJxn (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Tue 2 Mar 2010 at 16:51
[ View Weblogs ]
I have IPv6 at home, since 1 year (my solution is OpenWRT and using I also use it when I connect to my work, as all universities in Sweden shall have IPv6 servers by now. All computers at work (a couple of thousands) is all on IPv4 and IPv6.
This site run on both IPv4 and IPv6.

So yes, it comes into fashion now, and it geting more and more in need. If you go to you will see that it's only 22 /8 IPv4 nets left.

Yes, I do use IPv6, as you can see on my IP address in this post.

[ Parent | Reply to this comment ]

Posted by Anonymous (217.7.xx.xx) on Mon 8 Feb 2010 at 09:12
Thanks for this article, it should motivate me to use my ISP IPv6.

I just want to add that I'm using ferm (packaged in Debian) for an easier firewalling. It just manages IPv6 as IPv4, it's really useful :

[ Parent | Reply to this comment ]

Posted by Anonymous (93.192.xx.xx) on Sun 14 Mar 2010 at 21:19
I never heard of Ferm, but using http-equiv="refresh" in the HTML code for HTTP redirects doesn't necessarily increase my trust in this project...

[ Parent | Reply to this comment ]

Posted by AJxn (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Tue 2 Mar 2010 at 17:09
[ View Weblogs ]
Clients can use ufw for an simple firewall with IPv6. You have to turn it on for IPv6 first (in /etc/default/ufw set IPV6=yes)

On IPv6 clients you could also install package rdnssd (and resolvconf). Then the client will automaticly set the DNS servers for your IPv6 network from your . Otherwise it will only use IPv4 dns servers.
You also get some usefull diagnostic tools.

[ Parent | Reply to this comment ]

Posted by banchieri (2a01:0xx:0xx:0xxx:0xxx:0xxx:xx) on Tue 7 Sep 2010 at 11:36
[ View Weblogs ]

For firewalling, I use Shorewall (for IPv4) and Shorewall6 (for IPv6); both version 4.4.x. You may download Debian packages from Roberto Sanchez's repository.

[ Parent | Reply to this comment ]

Posted by AJxn (130.243.xx.xx) on Sat 31 Jan 2015 at 11:24
[ View Weblogs ]

Yes, that works to for protecting your LANs, but for protecting a client, ufw works great. It set up firewalls for both IPv4 and IPv6.

[ Parent | Reply to this comment ]

Posted by banchieri (89.15.xx.xx) on Wed 4 Feb 2015 at 18:41
[ View Weblogs ]

Hadn't had a real need to protect my clients so far. But yes, ufw is a nice tool for protecting clients in a "personal firewall" fashion. Therefore, I install it by default nowadays, yet configure and activate it only in rare cases.

[ Parent | Reply to this comment ]

Posted by AJxn (83.253.xx.xx) on Wed 4 Feb 2015 at 20:13
[ View Weblogs ]

Newest version of ufw do have some support for routing. But the version in Debian is the version just before that version in Ubuntu that suports that.

[ Parent | Reply to this comment ]

Posted by rbees (24.180.xx.xx) on Thu 20 Jan 2011 at 12:24
I am able to ping6 some external hosts, but it appears not all. Also for some reason when I navigate to the ipv6 test sites they alwaly show I am connected via v4 and not v6. I am using the any-cast and not a dedicated tunnel from a broker. I have one from a broker but am unable to get it to share to the internal hosts even though the internal hosts have v6 addresses. The external host is headless Lenny, the internals are a mixed lot.

Any ideas why?

[ Parent | Reply to this comment ]

Posted by AJxn (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Wed 9 Mar 2011 at 01:57
[ View Weblogs ]
What is 'ip add show' and 'ip -6 rout show' give on your IPv6 router and on your clients?
How doest it look in your IPv4 router? Do you open protocol 41 (I think) in the IPv4 firewall?

[ Parent | Reply to this comment ]

Posted by AJxn (91.95.xx.xx) on Sun 11 Sep 2011 at 03:33
[ View Weblogs ]
Hurricane Electric has support for DDNS and IPv6 now. So you can get your reversed DNS to work for your IPv6 addresses.

[ Parent | Reply to this comment ]

Posted by Anonymous (132.160.xx.xx) on Thu 15 Mar 2012 at 10:12
My local short addressing isn't working like yours! dig @::1 won't work, but, dig @2001:470:1f0f:6a6::1 does work. Any ideas?

[ Parent | Reply to this comment ]

Posted by Anonymous (77.47.xx.xx) on Thu 15 Mar 2012 at 13:05
Please ensure that:
1. ::1 is assigned to lo interface ("ip a" or "ping6 ::1")
2. That Bind listens on the lo interface and on IPv6 address on the lo interface ("netstat -unlp | grep :53")

[ Parent | Reply to this comment ]

Posted by Anonymous (79.223.xx.xx) on Fri 27 Jul 2012 at 15:40
Hi, it's about the tunnel between the "he-ipv6" and "eth0". you said

(We could make a bridge of he-ipv6 and eth0 and use a single tunnel /64 network for everything)

can you please tell me how I can make it?

[ Parent | Reply to this comment ]

Posted by AJxn (83.253.xx.xx) on Wed 4 Feb 2015 at 20:20
[ View Weblogs ]

Just read and follow the part with the title "Routing" in the article. Do not filter away all ICMPv6. If you do,IPv6 will stop working. Don't forget to set forwarding of IPv6. That should be enough to get IPv6 to work.

[ Parent | Reply to this comment ]

Posted by AJxn (130.243.xx.xx) on Sat 31 Jan 2015 at 11:29
[ View Weblogs ]

The address $CLIENT_IPv4 should be your machines IP to reach Internet. Not the global IP of your IPv4 NAT.
But you should register your NAT:s external IPv4 address in HE. There are ways of automaticly update by an API, downloading an URL, like with curl or wget.

[ Parent | Reply to this comment ]

Posted by AJxn (81.233.xx.xx) on Wed 4 Feb 2015 at 20:34
[ View Weblogs ]

You should never split away any smaller nets than /64. Do never split into /65. Preferably the LAN should never be something else than /64, as that is asking for trouble. You could have larger like /48 or /56, but /64 is what should be used. That is 216 or 28 numbers of LAN of standard /64 size. We even should use /64 for tunnels witch uses only two IPv6 addresses.

So, if an ISP doesn't gives each user at least one /56 range and preferably a /48 range of IPv6 nets when asked, you should change ISP. Because then they are incompetent handling IPv6.

[ Parent | Reply to this comment ]

Sign In







Current Poll

Will you stick to systemd as the default in Debian?

( 910 votes ~ 35 comments )