IPv6 was drafted in the mid-1990s when it was realized that IPv4 addresses would quickly be exhausted due to the explosive growth of the Internet. Since the IPv4 protocol was originally a research project, approximately 4.3 billion unique IP addresses was considered more than enough. I doubt many imagined our current world where nearly everything would be connected to the Internet.
Various techniques such as assigning smaller sized networks to organizations and the utilization of NAT (Network Address Translation) helped extend the time before IPv4 addresses would be exhausted. IPv4 addresses may finally be exhausted despite the alarm bells sounding in 2011. Despite the early warnings, the world is only at 25.6% adoption according to Google's stats at the time of this writing.
Conceptually IPv6 is similar to IPv4, but when it came to implementing it, I quickly realized that I left my comfort zone of IPv4. While IPv6 is not necessarily radically different, there are enough differences to make one feel uneasy about the proper way to implement it. I have stumbled my way through the process by reading several articles, blogs, forums, etc., but I am now comfortable enough to have a functioning IPv6 network.
In this how-to, I will be configuring IPv6 for Comcast Xfinity since that is my Internet service provider. If you have another service provider your configuration may vary especially when it comes to configuring your WAN interface. Also keep in mind that there are other ways you may create your IPv6 network – SLAAC vs DHCPv6, for example.
One thing to be aware of is that I have read that some devices/Operating Systems do not support or fully support DHCPv6 such as the Android OS. I was not expecting that since I would have thought IPv6 support is well established at this point but it is possible that is not necessarily the case. This information may be out of date, and I do not have any Android phones to test if it is true. You may need to use the “Assisted” option for “Router Advertistements” so that you may use DHCPv6 along with SLAAC for the devices that do not fully support DHCv6 (see the optional section at the end of this how-to).
A word of caution… after assigning IPv6 addresses, you need to ensure you have the appropriate firewall rules in place that (most likely) mimic your current IPv4 rules. There is the possibility that you could break some functionality of your existing network because devices/operating systems often default to use the newer IPv6 protocol once it is enabled and addresses are assigned. I wanted to add this word of caution because it happened to me!
Enabling IPv6 in OPNsense
IPv6 should be enabled by default in OPNsense. I recall turning off IPv6 support when I first set up OPNsense since I did not have time to learn how to properly setup and secure IPv6. I have seen others who have also been hesitant to implement IPv6 until they could fully understand how it works to prevent malicious activity from slipping through via IPv6 or to prevent users from working around firewalls, proxies, etc.
To ensure IPv6 is globally enabled, go to Firewall > Settings > Advanced. The first option is “Allow IPv6”.
Setting up WAN Interface for IPv6
Now that IPv6 is enabled, the WAN interface needs configured. Go to Interfaces > [WAN] to configure the WAN interface. For the “IPv6 Configuration Type”, choose DHCPv6. This allows your OPNsense router to obtain a globally routable IPv6 address from your ISP.
In in the “DHCPv6 Client Configuration” section, a few options will need to be modified. The most important option (if you wish to have more than one VLAN) is to set the “Prefix delegation size” option to “/60”. This will give you a total of 16 networks, which should be plenty for most advanced home networks. If you leave the prefix at the default “/64” size, you can only have one local network. The “/64” prefix is the smallest network allowed by IPv6, which is a huge number of addresses. Because the IPv6 address space is so large, there is no long term concern for exhausting the address space even if everyone has their own “/64” network.
I saw mention that Comcast Xfinity business customers may request a “/56” prefix which would allow for 256 networks, but I do not know if it works for residential customers. Some have said it worked for them while others may have had issues obtaining the address space. I am content with a “/60” prefix since 16 VLAN is more than what I need now and probably in the future (even if I went a little crazy with network segmentation).
You may want to check “Send IPv6 prefix hint” since it sends the desired prefix size to the ISP. I do not know if it is required, but it could help if the ISP requires an implicit request.
One other thing is that you may want to check “Prevent release” to attempt to hold onto your assigned IPv6 address so that they will not change as often. Most likely, your IPv6 addresses will only change if you have been disconnected from the Internet for a while and your DHCP addresses are released. Of course, this may vary from one ISP to another.
The “Prevent release” option may only be important to you if you are hosting a public server and are referring to your IPv6 address directly. Like with IPv4, you could periodically run a script to update your IPv6 (AAAA) DNS record to keep your IPv6 address up to date if it happens to change, which would make the need to prevent your IP address from changing even less of an issue.
Verifying WAN IPv6 Address
With your WAN interface configured properly, you may notice on your OPNsense dashboard that you will have two gateways – one for IPv4 and one for IPv6. This is something that occurs automatically. You do not need to configure a second gateway for IPv6 manually. I tried that at one point when I was learning how to configure IPv6, but I realized that it was not necessary.
One thing that confused me and had me thinking that I did not have IPv6 configured properly is that the dashboard shows the link local IPv6 address and not your globally routable IPv6 address. A link local address will usually begin with “fe80”.
If you want to see your globally routable IPv6 address assigned to your router by your ISP, go to the Interfaces > Overview page. Once there, scroll down to the WAN interface and click the arrow to expand the WAN interface to reveal its detailed information.
You will see the same IPv6 link local address as displayed on the OPNsense dashboard but below it you should see your global IPv6 address. It may begin with “2001” or “2601”. Those seem to be common addresses assigned to routers by Comcast (and possibly other ISPs) based on various discussions/posts I have seen in my research. If you can see such, it is a promising sign that you are properly set up on the WAN interface.
We can go a step further in verifying IPv6 is working on the WAN interface by pinging a website from the WAN IPv6 address. Go to Interfaces > Diagnostics > Ping. For the “Host” enter “google.com” or any website that is accessible via IPv6. Select “IPv6” as the IP protocol. The “Source Address” can be left at the default, which should be the WAN interface. You can select WAN if you want to be certain it is using that interface. The default “Count” of 3 is adequate for testing IPv6 connectivity.
You should notice that your IPv6 WAN address is the source address (which mine begins with “2001”) and the destination address is google.com's IPv6 address, which begins with “2607”. If you received all of the packets, you should have the WAN setup properly. Congrats!
Now we need to move on to the LAN network(s) to fully enable IPv6 in your network.
Configuring LAN interface(s)
Configuring the LAN/VLAN interfaces took me longer to figure out because there are several options you can select for assigning IPv6 addresses to your devices: Static IPv6, DHCPv6, SLAAC, 6rd Tunnel, 6to4 Tunnel, and Track Interface. Whew! Which option to choose? There are more options to choose from than IPv4 (if you do not count all of the IPv4 point to point connection options). With IPv4, one would choose either static or DHCP to configure IP addresses.
Some have suggested using “SLAAC” while others have suggested using “Track Interface” which works with DHCPv6 (the IPv6 version of DHCP). SLAAC dynamically generates IPv6 addresses based on an algorithm. Originally, SLAAC included the unique MAC address of the network device but in our secure-aware/tracking-aware world, it was realized that generating deterministic IPv6 addresses would be problematic from a privacy/security perspective.
Since I am requesting multiple prefixes from my ISP using DHCPv6 on the WAN interface, I decided to use DHCPv6 for assigning addresses to my VLAN interfaces and network devices. I do not know how SLAAC works when requesting multiple prefixes for your network. However, SLAAC may be the easiest option if you only have one LAN interface since it requires less configuration. DHCPv6 is likely to be the choice many advanced home network users will pick due to being able to obtain a larger network prefix for network segmentation.
Keep in mind that a prefix size of “/60” is considered to be a larger prefix size than “/64” because it allows the last 4 bytes of the first 64 bytes of an IPv6 address to be assigned to various subnetworks/VLANs. A “/64” prefix indicates a single IPv6 network. This is similar to IPv4 when using the CIDR notation ("/8” is a larger network than “/24”, for instance).
To configure the LAN interface(s), go to Interfaces > [LAN] (or other VLAN). For “IPv6 Configuration Type”, select “Track Interface”. That should cause the “Track IPv6 Interface” section to display on the current page.
The “IPv6 Interface” to track should be set to WAN unless perhaps you have more than one WAN interface/gateway. For the “IPv6 Prefix ID”, you may enter anything from 0 to F (hexadecimal) since we have 4 bytes to allocate to our local networks (up to 16 networks). So that means we can enter 0-9 for the first 10 networks and then A-F for networks 11 through 16. For my network, I just started with 1 to be similar to IPv4 (192.168.1.0). Also, I was not sure initially if the WAN interface would use the 0 (zero) prefix ID. Then I realized that my WAN interface is assigned its own IPv6 address starting with “2001” by Comcast and my VLANs got assigned to another completely different network starting with “2601”. I was not expecting that, but I think it may be a common practice by ISPs (or at least Comcast). (Perhaps viewers of this site could shed some light on why this is the case in the comments section on this page.)
That should be all you need to do to for the interface configuration. Repeat this process for all of your networks. You may not reuse any of the prefix IDs. You need to use 0 through F if you have a “/60” prefix.
Create DHCPv6 Firewall Rule
You may have noticed that at this point, you do not have any IPv6 addresses assigned to your interfaces (other than link local addresses). Since you are using DHCPv6 for all of your LAN/VLAN interfaces using the “Track interface” setting, a firewall rule needs to be created to allow the DHCPv6 traffic from your ISP to assign IPv6 addresses to your local devices. This is a very critical tip I found on this blog). Otherwise, no IPv6 addresses are assigned to devices on your local network(s). Because the ISP is the one assigning the addresses, you have to allow DHCPv6 traffic to pass through to your local network. This is one difference from IPv4 where IP addresses are usually assigned by your router's DHCP service or manually by you.
Remember how I mentioned that we can request to have multiple globally routable network address by requesting a prefix greater than “/64” and how it sounds scary since all of our devices can now have a publicly accessible IPv6 address? (Unlike IPv4 where the router would get a single IPv4 address and the devices are “hidden” behind a NAT firewall)
Do not worry! By default on the WAN/LAN interfaces, the OPNsense firewall is configured to allow all outgoing IPv4/IPv6 connections on the LAN interface but block incoming connections from outside your network unless a device in your network initiates communication to something outside your network. Therefore, devices using IPv6 are protected by default from being accessed directly from the Internet similar to your typical consumer grade router. However, you should still further lock down network access via firewall rules. I hope that eases concerns that everything will be immediately exposed to the Internet for IPv6 enabled devices since there is no longer a NAT firewall to hide behind because it is not necessary with IPv6. There is plenty of address space for everyone! If you use a proper set of firewall rules, you can still be as secure (or perhaps more secure with advanced firewall rules) than you were with a NAT firewall.
To add the DHCPv6 rule to allow your ISP to assign your IPv6 address, go to Firewall > Rules > WAN. Then click “Add”. Choose “Pass” for the “Action” and “IPv6” for the “TCP/IP Version”. For the “Protocol”, choose “UDP”. “Source” should be “any” and the “Source Port Range” of “Other” should be set to 547. “Destination” should be “any” and the “Destination Port Range” of “Other” should be set to 546. You may enter a description like “Allow IPv6 DHCP traffic”. I recommend putting descriptions since it helps you later when you are not sure what a rule is supposed to be doing and you forgot why you added it.
At this point you may need to reboot your OPNsense router (I do not think I had to). You should now be able to obtain IPv6 addresses on your home network and be able to access IPv6 enabled websites! Once you can see you have an IPv6 address assigned (ipconfig at the command prompt for Windows users and ifconfig at the terminal for Linux users), you can test it out by using the similar ping6 command we used directly from the OPNsense firewall when testing the WAN interface:
ping6 -c 3 google.com
A Basic Set of IPv6 Firewall Rules
Firewall rules for IPv6 is one area where I was not sure how to tackle, but once I started digging into it, I discovered it is not greatly different than IPv4. In fact, some IPv4 and IPv6 rules may be combined into a single rule since OPNsense allows you to select both protocols when adding/editing rules. This functionality is useful when you are allowing or blocking ports on a particular interface or defining rules which are not specific to either protocol.
As of OPNsense 19.7, they added the ability to see what firewall rules are autogenerated for IPv4 and IPv6 protocols that you cannot modify. It is indicated by a folder icon on the left and the count of autogenerated rules on the right. If you click on that count, it will display the autogenerated rules. You will notice on the LAN interface under the Firewall rules page that there are several IPv6 rules to allow access to the DHCPv6 server on the LAN network using the link local addresses. These rules are essential for IPv6 to function properly, which is why they cannot be disabled (at least not easily from the web interface).
At a bare minimum, you may want the following 3 rules:
- A rule to allow access to the interface's gateway
- A rule to block access to other VLANs on your network to keep your networks segmented
- A rule to allow all other traffic to any destination, which allows Internet access
As I discussed in my OPNsense firewall rules how-to, rules are evaluated from top to bottom of the rule list. Once the traffic matches a particular rule, no other rules are evaluated. Therefore, it is recommended to put your most specific/strict rules first followed by the more general rules. Unless you are locking everything down super tight, the last rule most likely will be an “allow all other traffic” rule. For home use, that may be sufficient since that makes your firewall act more like a consumer grade router and traffic will flow as most home users expect. We still have a much greater controll of our network than a consumer grade router by using OPNsense. Remember, we should be blocking as much unwanted traffic as possible before reaching the last “allow all” rule to help things be more secure.
Because of the last “allow all” rule, you must put a “block access to all other VLANs” to prevent the “allow all” rule from allowing network traffic to flow freely between all of your networks, which defeats the purpose of segmenting your network. Since there is a “block access to all other VLANs” rule, you need to create a rule to allow access to the interface's gateway so that network traffic can flow to the Internet (and any other allowed access on other VLANs).
When thinking about creating the rules, you may find it helpful to start from the bottom with the most general rule and start adding more specific rules above the generic rules. If that sounds confusing, then start from the top with specific rules and work toward the generic rules. I took both approaches when creating rules as I was learning how to define rules for my network. The rules can be reordered once you add them so you can add them in any order and then arrange them properly.
Allow Access to the Interface's Gateway
To create the rule to access the interface's gateway, there are already built-in aliases in OPNsense that you can make use of to reference the interface IP addresses. This is useful because it allows us to combine the IPv4 and IPv6 rules:
|Action||TCP/IP Version||Source||Source Port||Destination||Destination Port||Description|
|Pass||IPv4+IPv6||LAN net||*||LAN address||*||Allow access to the interface's gateway|
Block Access to Other VLANs
Before adding the “allow all” rule you need to add a block rule to keep your networks properly segmented. To do this, use the following values:
|Action||TCP/IP Version||Source||Source Port||Destination||Destination Port||Description|
|Block||IPv4+IPv6||LAN net||*||PrivateNetworks||*||Block access to other VLANs|
In this rule, I am using an alias that I created to block all of the IPv4 private network addresses, but I also am including the IPv6 prefix that is obtained from the ISP. I am using “/60” to block access to all 16 of the network prefixes that have been assigned to my home network. It is ok to mix IPv4 and IPv6 addresses in the same alias. I have not noticed any errors and the rules seem to work for both protocols, which is nice. Because they can be combined into a single alias, I do not need to create two separate firewall rules and aliases. The alias should look something like the following:
Technically the IPv6 range I specified in the PrivateNetworks alias are not private addresses but we are treating those networks as private networks since the firewall rules are restricting the network traffic on those networks. We are essentially setting up our internal network interfaces for IPv6 similar to IPv4 which uses a NAT firewall – but we do not need that extra layer of network address translation. We just simply apply firewall rules to our globally assigned IPv6 network addresses to protect our devices from exposure on the Internet!
Allow Access to All Other Destinations
The final rule allows access to all external networks and devices that are not explicitly blocked by prior rules. If you want to be really strict with your network traffic you may want to not include such a general rule. However, it is difficult (to impossible) to track and allow all possible destinations that you may need for your home network. It is easier to block as much bad traffic as you can and just allow the rest to pass through the firewall or at least restrict access enough to make it more difficult for malware to infiltrate your network. Defense in depth is a good approach to take.
To allow all other traffic, use the following values:
|Action||TCP/IP Version||Source||Source Port||Destination||Destination Port||Description|
|Allow||IPv4+IPv6||LAN net||*||any||*||Allow access to all other destinations|
(Optional) Create Statically Assigned IPv6 Addresses via DHCPv6
While the above will be sufficient to have a basic functioning IPv6 network, you may desire to assign static IPv6 addresses to your devices via your router similar to IPv4. This is a convenient way to centrally assign static addresses without the need to go to every device and enter the static IP configuration. There are extra steps you must take to statically assign IPv6 addresses if you are using DHCPv6.
Allow Manual Adjustments for DHCPv6 and Router Advertisements
Go back to each interface's page like I mentioned in the “Configuring LAN Interface(s)” section. In the “Track IPv6 Interface” section, check “Allow manual adjustment of DHCPv6 and Router Advertisements”. This option enables the LAN interface, for instance, to show up on the DHCPv6 services page.
Enable DHCPv6 Server to Apply Manual Adjustments
Since we are manually configuring DHCPv6, you will need to enable the DHCPv6 server to allow manual changes to take place. This step is sort of confusing because we already set up the DHCPv6 service when enabling “Track Interface” for all of our interfaces and IPv6 address do get automatically assigned. However, when you want full control so you can specify the DHCP range and statically assign IPv6 addresses (among other options), it seems the manual changes have to be enabled in this manner.
Now to go Services > DHCPv6 > [LAN]. Check “Enable DHCPv6 server on LAN interface” and then enter your desired DHCPv6 range. This range is what is automatically assigned to any of your network devices that are set to automatically obtain an IPv6 address through DHCP. It is not the range that you use to statically assign IPv6 addresses. Any static IPv6 address must fall outside of the specified range. To keep things relatively simple, you may just use the last 2 bytes/16 bits of the IP address since that still provides you a whopping 65,536 addresses! You will notice that the second half of the IPv6 address is displayed on the page and the full range of addresses is possible to select from:
:: - ::ffff:ffff:ffff:ffff
The double colon means there are consecutive sets of zeros such as 0000:0000:0000:0000. So the above range could be written as 0000:0000:0000:0000 - ffff:ffff:ffff:ffff. This syntax is a shorter way to write IPv6 addresses since they are much longer than IPv4 addresses. Because the first half of the IPv6 address (the delegated prefix/subnet) has already been assigned, the DHCPv6 settings are only concerned with the second half of the address, which is why there is nothing displayed before the double colon. For our example, if you want to use the last 2 bytes/16 bits of the IPv6 address for DHCP simply enter the range:
:: - ::ffff
Configure the Router Advertisements for Each Interface
To adjust the “Router Advertisements” which works alongside DHCPv6, go to Services > Router Advertisements > [LAN]. Set the “Router Advertisements” to “Managed” if all of your devices support DHCPv6 or to “Assisted” if you have any devices which may not fully support DHCPv6. I believe this allows assigning IPv6 address with SLAAC. As mentioned earlier in this how-to, Android devices may not fully support DHCPv6. Again, I have not verified if that is true.
The only other option you may want to adjust is checking the “Use the DNS settings of the DHCPv6 server” option. I am not sure how necessary it is, but I checked it just in case because I am not manually specifying any special DNS servers for this specific interface on the “Router Advertisements” page. I would assume that leaving the DNS fields blank that it would default to the DNS servers that are specified by the DHCPv6 server (similar to the IPv4 configuration), but that may not be the case for IPv6.
Statically Assigning IPv6 Address
Finally after all that prior configuration, you can now start assigning IPv6 addresses. The interesting thing about creating a static IPv6 address is that you need to know the DUID of each device rather than using the MAC address like with IPv4. The DUID is something that is generated by the Operating System of each device so even if you swap hardware, the DUID stays the same until you reinstall the Operating System. I could not figure out how to find that DUID in Linux or even if you can discover it on devices like an iPhone.
The easiest way to find the DUID is to go to Services > DHCPv6 > Leases. It will list all of the devices which have been assigned IPv6 address via DHCPv6. If a device is not showing up, you may need to reboot the device (or possibly your router). Sometimes they could show up in the Leases page if the prior IPv6 address has expired (if it obtained one before you got all of your settings manually adjusted).
From the Leases page, you can click the [+] icon to set up a static IPv6 address. You need to make sure you pick an IPv6 address outside of the range of the DHCP address range that you specified earlier. When entering an IPv6 address, you should enter the full IPv6 address. I discovered that although you can specify only the second half of the IP address (it can figure out the first half based on the interface/network where the device resides), you will not be able to resolve local hostnames via IPv6. This can cause things to break in your network because when you are running IPv6 alongside IPv4, IPv6 often takes priority.
You may need to click the refresh icon to reload the IPv6 DHCPv6 service to have your devices uses their new statically assigned addresses. If that does not seem to work, rebooting your devices usually clears out the old, dynamically assigned IPv6 address. You could try disconnecting the device from the network and reconnecting it (through your network icon of your preferred OS or physically unplugging the network cable) if you do not want to completely reboot. Eventually the old IPv6 leases should expire and the new address should kick in. I like expediting the process so I can immediately test if my changes were successful.
The End Approaches…
There you have it! A basic but detailed explanation of what I learned when enabling IPv6 on my network. I know there are other areas that could be explored further like firewall rules, but perhaps that could be another future topic. Please keep in mind that there are likely other ways to configure IPv6, and I only described the approach I took that seems to work for me. I have not experimented a great deal with IPv6 beyond the basic functionality, but I can ping and access IPv6 websites. It took me a little while to begin to understand how to configure IPv6, and since I am still learning, please feel free to correct any mistakes I made in the comments below (be gentle) or if you have any interesting information about IPv6 you would like to share that will enhance our understanding of IPv6.
You can try accessing a site like Google's to see if you can access it via IPv6:
Or a more detailed test such as:
Thank you for sticking with me in this long article! I hope you found it useful.