IPv6 setup - part 1#
To those of you who are not familiar with computers and networking, the following will be a tough read, but I say to you it could also be a learning experience.
The examples below are based on my internet router (Fritz!Box) and network setup, but the principles will also apply to many other setups.
What is IPv6?#
IPv6 (Internet Protocol version 6) is an addressing scheme that is used to provide computers with a unique address when they join a network or connect to the internet.
These are used to uniquely identify devices and allow communication with other devices. As at 2021, around 35% of internet traffic is using IPv6, the rest using the older IPv4 format.
Whilst IPv6 has been around for many years, the transition to IPv6 has been slow due to the challenges with many computers, applications and parts of the internet not yet supporting it. In order to simplify the transition many computers offer support for a dual-stack IPv4/IPv6 mode, which itself can be problematic and requires more effort to manage configurations and to troubleshoot issues.
If you would like to know more, a great overview can be found here: Steve's-internet-guide.
Why IPv6? Why not?#
I started with a 'simple' goal - to provide IPv6 only access to my website.
After a couple of weeks, I have rebuilt my home network to primarily use IPv6, overcome many hurdles and gained an appreciation for IPv6.
Needless to say the goal morphed into - can I get by with only IPv6? The answer is Yes, mostly.
I am now primarily using IPv6 on my network. There are still several clients (sensors and smart switches) in my network that only use IPv4, and I also see some websites on the internet that are IPv4 only. I handle this by having a separate WiFi network that supports dual-stack IPv4/IPv6.
IPv6 is the future. It is gaining momentum with the need for more internet addresses, and brings a more secure networking protocol to the internet. It is only a matter of time before people will realize that managing two protocol stacks is more difficult than managing one.
Search engines provided a good resource for identifying the problems I faced along the way, however since everyone's network and infrastructure devices are different, these often were just a guide to finding the cause of a particular problem.
Issue: I have used this format to highlight each issue encountered along my journey to an IPv6 only network.
The following will hopefully help others in their journey.
My network overview.#
<---- picture of network ---->
ISP (Internet Service Provider) - I use an AU based provider Internode. They offer a dynamic IPv4 and a static /56 IPv6.
Dynamic means the address can change each time you restart your router. Static means it stays the same, helpful when you are communicating with other devices. /56 is the size of the network available to you.
I have read Internode offers up to 4 PPPoE connections, i.e. 4 connections to their network using your account. I have had 2 working.
NBN (National Broadband Network) - I use an NBN50 connection and get a maximum 23Mbps. The 50 in NBN50 means I pay for up to 50Mbps speed. The restriction is due to the last 500m being run over copper to my house. I believe it is known as a FTTC (Fibre To The Curb) connection. The connection is terminated at an old RJ11 telephone socket. It is more common for the connection to terminate in the home with an NTU (Network Termination Unit).
Internode provided a router (Fritz!Box 7490) and this is used to establish a VDSL (Very high-speed Digital Subscriber Line) connection to the exchange and then establish a PPPoE connection to the ISP network. I have kept this router in place in case I ever need ISP support for an outage. It also provides a DECT base station for a home phone and a WiFi fallback in case the rest of my network fails (generally due to misconfiguration on my part).
I use a USG (Unifi Security Gateway) for my entry to the home network and managing the firewall for traffic in and out. I cover the setup of this in the second part of this guide.
The USG has its WAN port connected to the Fritz!Box and is the entry point for the home network. This provides the bridge to the Internet and the firewall for the home networks. It has several sub-networks for internal use (server & media, clients, IoT devices, guest WiFi, v6 only).
Preparation - my ISP#
The ISP provides a web portal for managing my account and connection details. It is here that I logged in and selected the option to enable IPv6 for the connection.
What does this mean?#
Well with IPv6, there is a PPP network for the ISP to manage your router connection to the Internet. This is used to tell the router what your IPv6 Prefix is. The IPv6 Prefix which is linked to your account is then used for the device traffic in your network and into the Internet.
What if you use multiple PPPoE sessions?#
This was my first hurdle. I had previously connected the USG firewall to the internet by having it create its own PPPoE connection to the ISP using a pass-through mode supported by the Fritz!Box. This allowed me to have a public IPv4 address directly on the USG.
Issue: My ISP was not providing my static IPv6 range to my USG when I made the connection using PPPoE. I would only receive a dynamic IPv6 address.
I subsequently realized that they weren't able to assign my static /56, because it was already in use on the initial PPPoE connection to the ISP for the Fritz!Box.
Configuring the Fritz!Box.#
The Fritz!Box needed to be set up to accept IPv6.
Checking the status, you can see the dynamic IPv6 address assigned for the PPP connection followed by the IPv6 prefix assigned for my network (i.e. my static /56).
Multiple addresses#
In the image above, we see the first difference with IPv6 in that devices can have multiple addresses on different networks, allowing management or traffic restrictions to be easily set up at the network level. Only my Fritz!Box can communicate via the PPP connection to the ISP. All other devices must use the static /56 network that is assigned.
IPv6 offers further network address types:
- GA global address (publicly routed across the internet)
- ULA unique local address (used within a home or business; not publicly routed)
- LL link-local address (used within a router, non-routed address)
You also have the option to define the client portion of the unique address:
- EUI-64 (address based on the MAC address of the device)
- Stable Private (static, based on the GUID (globally unique identifier) for the client)
- Privacy Extension Addresses (temporary address that changes with time)
The image below (from an ipconfig command on a laptop) shows the assignment of different addresses to the device.
When I browse a website it uses the temporary IPv6 address to mask the client, since this changes periodically.
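As an added example (not from the original post), the following Python classifies addresses into the three types listed above and derives an EUI-64 interface identifier from a MAC address. It also shows why privacy extension addresses exist: an EUI-64 address can be reversed back to the device's MAC by any site it contacts, a temporary address cannot. The MAC and prefix values are constructed.

```python
import ipaddress

# Added example, not code from the post. Address-type classification (GA / ULA / LL)
# and the EUI-64 derivation from RFC 4291 appendix A. All sample values are constructed.

def classify(addr: str) -> str:
    """Return the address type the post describes: GA, ULA, LL, or OTHER."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:                              # fe80::/10, valid on one link only
        return "LL"
    if a in ipaddress.IPv6Network("fc00::/7"):       # unique local, not routed on the internet
        return "ULA"
    if a in ipaddress.IPv6Network("2000::/3"):       # global unicast, publicly routed
        return "GA"
    return "OTHER"                                   # loopback, multicast, unspecified, ...

def eui64_interface_id(mac: str) -> str:
    """Build the 64-bit EUI-64 interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))

def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface identifier into a full address."""
    net = ipaddress.IPv6Network(prefix)
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) + iid))

def mac_from_eui64(addr: str):
    """Reverse the derivation: the MAC if the address is EUI-64 based, else None.
    A privacy (temporary) address returns None, which is the point of using one."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    # Constructed values: a documentation prefix and a made-up MAC.
    addr = eui64_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    print(addr, classify(addr), mac_from_eui64(addr))
```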
Port forwarding on the Fritz!Box.#
Firstly, what is a port? If you think of the IPv6 address as being your house, the port is equivalent to a door. There are multiple doors in your house. With computer devices there are 65,535 ports.
Traditionally with IPv4 you would tell your customers to come to your door (port 80 or port 443) and you would direct them to your web server IP using the port forwarding function on your router.
With IPv6, you don't have this option. You have to give the customer the exact location where they need to go, the global IPv6 address for your web server. Having this remain static becomes more convenient for you and your customers. It is also beneficial in that you can now have an end to end conversation using a single IP address with end to end encryption.
The downside is you now have the IP address of your web server out in the public domain. This raises the importance of ensuring unwanted traffic is kept out of the network.
This is handled via firewalls. The Fritz!Box calls this port sharing and client exposure.
In the Fritz!Box, I just enable the GUID (Global unique identifier) of the web server to be shared on the internet for the ports 80 & 443.
Note: this is only a filter (firewall) stopping any inbound traffic for any address other than the one with the defined GUID.
Whilst the device is exposed, inbound traffic is restricted to the shared ports. For outbound traffic the client can use any port.
You will see that PING6 is also enabled. This is an important tool/aid for the establishment of IPv6 connections and the validation of your network. PING6 is a tool that knocks on the door and returns a home/not-home message to the requesting computer.
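To make the filter semantics above concrete, here is an added Python model of the port-sharing rule (my own illustration, not code from the post or from the Fritz!Box firmware). It keys the rule on the 64-bit interface identifier rather than the full address, as the post describes, so the rule keeps matching the same host if the ISP prefix changes; the prefix, interface identifier and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the post or from AVM. A stateless model of
# "port sharing" for one exposed host: inbound only to that host's interface
# identifier on the shared TCP ports (plus ping6); outbound unrestricted.

IID_MASK = (1 << 64) - 1

@dataclass(frozen=True)
class Packet:
    src: str            # source IPv6 address
    dst: str            # destination IPv6 address
    proto: str          # "tcp", "udp" or "icmpv6"
    dport: int = 0      # destination port (ignored for icmpv6)
    icmp_type: int = 0  # ICMPv6 type; 128 is echo request (ping6)

def interface_id(addr: str) -> int:
    """Low 64 bits of the address: the host part the post calls the GUID."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK

class PortSharing:
    def __init__(self, lan_prefix: str, exposed_iid: str, shared_ports, allow_ping6=True):
        self.lan = ipaddress.IPv6Network(lan_prefix)         # my delegated prefix
        # exposed_iid is given as the last four hextets, e.g. "21a:2bff:fe3c:4d5e"
        self.exposed_iid = int(ipaddress.IPv6Address("::" + exposed_iid))
        self.shared_ports = set(shared_ports)
        self.allow_ping6 = allow_ping6

    def inbound_allowed(self, pkt: Packet) -> bool:
        dst = ipaddress.IPv6Address(pkt.dst)
        if dst not in self.lan:
            return False                 # not one of my addresses at all
        if interface_id(pkt.dst) != self.exposed_iid:
            return False                 # every other host stays unreachable
        if pkt.proto == "icmpv6":
            return self.allow_ping6 and pkt.icmp_type == 128
        return pkt.proto == "tcp" and pkt.dport in self.shared_ports

    def outbound_allowed(self, pkt: Packet) -> bool:
        # Port sharing does not restrict outbound traffic: any port may be used.
        return ipaddress.IPv6Address(pkt.src) in self.lan
```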
IPv6 addressing on the Fritz!Box.#
IPv6 address assignment is handled in a much more automated way than with IPv4. This is to be expected as a lot of thought and experience went into the new version and, as a testament to the designers, no significant changes have been necessary since its release.
ULA (unique local addresses)#
These are only used when no IPv6 internet connection exists, so I have kept this setting at the default. They allow the home network to keep working in the case of an outage (maybe you have a media player or NAS in use that needs to be reached from your internet-connected TV).
RA (Router Advertisement)#
This has to be checked since I have additional routers in the network (i.e. the Unifi USG).
The RA is used for the routers to inform of their presence, to build up the network topology and consequently know where to send the traffic.
DHCPv6 (IPv6 addresses for clients)#
DHCPv6 is the component that assigns an IPv6 address to a client on the network.
IA-NA is the process to assign a unique IP from an address pool. This is needed for devices that directly connect to the Fritz!Box.
IA-PD is the process for assigning a block of addresses to a connected router. (In my case the USG requests a block of size /60.)
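An added example, not from the post, of how the static /56 is carved up by these two processes: the Fritz!Box keeps one /64 for clients attached directly to it (IA-NA) and delegates a /60 to the USG (IA-PD), which in turn gives each of its sub-networks its own /64. The prefix and the network names are constructed.

```python
import ipaddress

# Added example, not code from the post. Plans a /56 -> /60 -> /64 hierarchy:
# a /56 holds 16 x /60, and each /60 holds 16 x /64. Values are constructed.

ISP_PREFIX = "2001:db8:ab00::/56"   # constructed stand-in for the ISP's static /56
USG_NETWORKS = ["server-media", "clients", "iot", "guest-wifi", "v6-only"]

def plan(isp_prefix: str, usg_networks):
    """Return (fritzbox_lan /64, usg_delegated /60, {name: /64}) without overlaps."""
    isp = ipaddress.IPv6Network(isp_prefix)
    if isp.prefixlen > 56:
        raise ValueError("need at least a /56 to keep a /64 and still delegate a /60")
    if len(usg_networks) > 16:
        raise ValueError("a /60 only holds 16 x /64")
    sixties = list(isp.subnets(new_prefix=60))            # the 16 /60 blocks in the /56
    fritz_lan = next(sixties[0].subnets(new_prefix=64))   # IA-NA pool: first /64 of block 0
    usg_pd = sixties[1]                                   # IA-PD: block 1 goes to the USG
    sixty_fours = usg_pd.subnets(new_prefix=64)           # the USG splits its /60 into /64s
    allocation = {name: next(sixty_fours) for name in usg_networks}
    return fritz_lan, usg_pd, allocation

def check_plan(isp_prefix: str, fritz_lan, usg_pd, allocation) -> bool:
    """All prefixes lie inside the ISP /56, USG /64s inside its /60, and nothing overlaps."""
    isp = ipaddress.IPv6Network(isp_prefix)
    nets = [fritz_lan, *allocation.values()]
    if not usg_pd.subnet_of(isp) or not all(n.subnet_of(isp) for n in nets):
        return False
    if not all(n.subnet_of(usg_pd) for n in allocation.values()):
        return False
    if fritz_lan.overlaps(usg_pd):
        return False
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    lan, pd, alloc = plan(ISP_PREFIX, USG_NETWORKS)
    print("Fritz!Box LAN:", lan, "| USG delegated:", pd)
    for name, net in alloc.items():
        print(f"  {name:13s} {net}")
    print("plan consistent:", check_plan(ISP_PREFIX, lan, pd, alloc))
```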
Stocktake - Fritz!Box.#
At this point I am able to connect a client to the Fritz!Box (local WiFi or LAN cable connection) and receive both a local IPv4 and a global IPv6 address, the latter from my static /56 IPv6 prefix.
In the next section, I cover the configuration of the Unifi Security Gateway.