Previously, IP addresses were created using internet protocol version 4 (IPv4). However, due to the rapid growth of the Internet, there are no more unassigned IPv4 addresses, making it difficult for some networks to grow or add new devices and users. To ensure everyone can use the Internet freely, the Internet Engineering Task Force (IETF) developed internet protocol version 6 (IPv6).
Firewalla supports IPv6, but you may need to make some additional configurations to your network and features depending on your ISP.
- How does IPv6 work?
- What are the pros and cons of using IPv6?
- How do I set up IPv6?
- Validate that IPv6 works
- Common issues with IPv6
How does IPv6 work?
Unlike IPv4, IPv6 utilizes 128-bit Internet addresses. Every address is broken into 8 groups separated by colons, each containing 16 bits. Here's an example of what an IPv6 address looks like:
2001:2345:670F:0000:0000:0123:876A:130B
What are the pros and cons of using IPv6?
Some benefits of IPv6 include:
- No need for NAT and Port Forwarding – more addresses make address conservation techniques unnecessary. It is much easier for you to host services (like game servers) without the need to do any port forwarding.
- Better multicast routing – IPv6 uses a special multicast address for one-to-many communication. When IPv6 transmits to a multicast group, it is sent to all interfaces associated with that address simultaneously.
- Simpler header format – IPv6 headers are designed to be less complex and easier to process.
- Faster routing – because IPv6 headers are simplified, a router only needs to look at the mandatory header section to route a packet.
However, due to IPv6's relative recency, some devices, websites, and servers may not be compatible, which can cause connection issues. If you run into issues and have checked all your rules, try turning off IPv6. Before you start configuring IPv6, please check and make sure your ISP has IPv6 support.
How do I set up IPv6?
When you create a WAN connection, the IPv6 option is always on by default. You won't have to do anything if you have a public IPv6 address.
To check your IPv6 settings and make further adjustments, go to the WAN page:
- Tap Edit.
- Scroll down and toggle IPv6 on. Change your IPv6 Connection Type and IPv6 Prefix settings as needed – you may need to ask your ISP about what configurations, such as IA_NA and prefix delegation size, you should set.
- Tap Save.
Note that if you have multiple WANs with IPv6 enabled, only one will be used for IPv6 delegation.
If IPv6 is enabled on your WAN connection, Firewalla will automatically turn on IPv6 on all your LANs.
You can configure your LAN's IPv6 settings separately. For example, enabling IPv6 on your personal home network but not your IoT network. On your LAN page:
- Tap Edit.
- Toggle IPv6 on. Choose your IPv6 Interface Type and make changes to your settings as needed.
- Tap Save.
Validate that IPv6 works
If you've turned on IPv6 for your WAN and LAN but your connection doesn't seem to be working, follow these steps to help identify what the issue could be.
Check if your IPv6 WAN is working:
- Go to your WAN detail page (Network Manager -> WAN). Scroll down and confirm that IPv6 is on, then check the IPv6 Address field.
- If the address begins with an f, it's a private IPv6 address. See No public IPv6 address.
- You can also check via a third-party IPv6-checking site. These sites will attempt to find if your network has an IPv6 address; if they can't find a public IPv6, see No public IPv6 address.
- If you're using a DHCPv6 connection type, check the IPv6 Prefix field. This information is obtained from the DHCPv6 reply, and the IPv6 addresses on LAN will be assigned from this prefix range. If None is displayed, IPv6 will not work. See WAN can't get prefixes.
Check if your IPv6 LAN is working:
- Go to your LAN detail page (Network Manager -> LAN). Scroll down and confirm that IPv6 is on, then go to a device connected to the LAN.
- If the IPv6 LAN isn't working, the IPv6 address field will be empty. Check your device's local configurations to make sure it's IPv6-compatible and has IPv6 enabled.
If your WAN has a public IPv6 address and it seems like all your devices are getting IPv6 addresses, it's still worth checking with your ISP to confirm that they support IPv6 and that your IPv6 WAN settings (e.g., connection type, prefix settings, etc.) are configured correctly.
Common issues with IPv6
No public IPv6 address
If you're using IPv6 on your network and keep running into issues, the first thing you should do is confirm that your ISP supports IPv6. Some ISPs will only give you a public IPv6 address if you ask, and others don't offer IPv6 at all. Even if you've turned on IPv6 on your WAN in the Firewalla app and it seems to be working, you should check with your ISP directly.
It may also be possible that your IPv6 WAN isn't configured correctly. Consult your ISP to confirm that your Connection Type, IPv6 Prefix Settings, and other IPv6 configurations are set up as needed.
Link-local addresses are not public:
Link-local IPv6 addresses are used for communication within a single network segment or link and are not routable beyond that link. They have a specific prefix of "fe80::/10", meaning that they start with "fe80" followed by 54 bits of zeros and then the interface identifier. These addresses are not public IPv6 addresses. If you only have these, you do not have active IPv6.
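The WAN checks from "Validate that IPv6 works" and the link-local note above, as an added example (not Firewalla's code): it classifies the values shown in the IPv6 Address field and carves /64 LAN subnets out of the delegated prefix. The function names, the one-/64-per-LAN policy and the sample addresses are assumptions.

```python
import ipaddress

# Checked in order; the three non-public ranges all begin with "f".
RANGES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("multicast", ipaddress.ip_network("ff00::/8")),
    ("global-unicast", ipaddress.ip_network("2000::/3")),
]

def classify(addr):
    """Return the range name for one address; tolerates '/len' and '%zone'."""
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    return next((name for name, net in RANGES if ip in net), "other")

def lan_subnets(prefix, lans):
    """Assumed policy: hand each LAN one /64 from the delegated prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:          # longer than /64 cannot hold a /64
        return []
    return [str(s) for _, s in zip(range(lans), net.subnets(new_prefix=64))]

def diagnose(wan_addrs, delegated_prefix, lans=1):
    """Map WAN page values to the troubleshooting sections of this article."""
    scopes = {a: classify(a) for a in wan_addrs}
    if "global-unicast" not in scopes.values():
        return "No public IPv6 address", scopes, []
    if delegated_prefix in (None, "", "None"):
        return "WAN can't get prefixes", scopes, []
    nets = lan_subnets(delegated_prefix, lans)
    if len(nets) < lans:            # assumed extra check, not an app message
        return "Not enough /64s for every LAN", scopes, nets
    return "ok", scopes, nets

if __name__ == "__main__":
    # Constructed samples; 2001:db8::/32 is the documentation prefix.
    cases = [
        (["fe80::21c:42ff:fe00:1%eth0"], "None", 1),
        (["2001:db8::2/64", "fe80::1"], None, 1),
        (["2001:db8::2/64"], "2001:db8:1200:5::/64", 2),
        (["2001:db8::2/64"], "2001:db8:1200::/56", 2),
    ]
    for addrs, prefix, lans in cases:
        verdict, scopes, nets = diagnose(addrs, prefix, lans)
        print(verdict, scopes, nets)
```

A WAN that holds only link-local or unique-local addresses is reported as having no public IPv6 address even though the address field is populated.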
IA_NA causes connection issues
Some ISPs require IA_NA (Identity association for non-temporary addresses) to be disabled in order to renew leases for DHCPv6 connections. See this forum post for more details: https://help.firewalla.com/hc/en-us/community/posts/10472935897235-Verizon-FIOS-IPv6-stability
To turn IA_NA off:
- Go to the WAN page and tap Edit.
- Tap IPv6 Connection Type (note that only DHCPv6 connections will have IA_NA).
- Toggle off IA_NA.
IPv6 traffic isn't being monitored
There are a few potential causes for why you might not be seeing IPv6 flows show up in the Firewalla app.
- IPv6 traffic will not be monitored by Firewalla in DHCP Mode.
- In Simple Mode, IPv6 traffic monitoring is turned off by default, but you can manually turn it on.
See our article on IPv6 Traffic Monitoring for more information.
IPv6 doesn't work when Firewalla is connected to a VPN
Firewalla's VPN Client does NOT support IPv6. IPv6 traffic will be blocked by Firewalla when a VPN Client connection is active. See our article on the VPN Client for more information.
Port Forwarding and VPN Server don't work
If you'd like to use a network with an IPv6 address to set up your Firewalla VPN Server or to do port forwarding, you'll need to make some extra changes to your DDNS Settings. Tap into the DDNS page either from your box's main page -> More -> DDNS or from your VPN server's setup page:
- Tap DDNS.
- Tap IP Address Type and select IPv6 Only. Tap Save.
- Tap WAN Interface and tap Specified. Select your IPv6-enabled WAN. Tap Save.
- On the DDNS page, you should see your IPv6 Address listed. If you don't see an IPv6 address, double-check that your IPv6 WAN is configured correctly.
WAN can't get prefixes
If you have a DHCPv6 connection type, your ISP should assign you at least one IPv6 prefix. If the Firewalla app says that your WAN doesn't have any prefixes, try the following:
- Confirm with your ISP that IPv6 is supported.
- Make sure your modem is in bridge mode.
- Ask your ISP to check the way it handles DHCPv6 exchange. For example, if a rapid-commit flag is not included in your ISP's server reply during DHCPv6 exchange, your box may not be able to get your IPv6 prefix(es). Known ISPs that have this issue:
If you believe that a missing rapid-commit flag is preventing your WAN from getting prefixes, you can temporarily disable rapid-commit until your ISP fixes the issue.
- SSH into your Firewalla box. See How to access Firewalla using SSH?
- Edit /home/pi/.router/config/dhcpcd6/eth0.conf and comment out the option rapid_commit line so that it reads:
  #option rapid_commit
- Then, restart dhcpcd on your WAN, replacing eth0 with the name of your WAN:
  sudo systemctl restart firerouter_dhcpcd6@eth0
Comments
2 comments
INCOMPLETE article and INCOMPLETE implementation
First of all, most CONSUMER ISPs (and the majority of buyers of a FWA Firewalla are consumers) have no clue at all (resp. their call centers). So "..you may need to ask your ISP about what configurations, such as IA_NA and prefix delegation size, you should set." is for most a useless hint. Such ISPs often give a /64 subnet only, delegated by the ISP router. Not changeable. And prefix delegation disabled, not discussable with them (if you're lucky to have someone on the phone who even understands what you're talking about). That means, Firewalla will receive IPv6 on the WAN side, but will be UNABLE to delegate any IPv6 address on the LAN side. Means: Everything connected to FWA won't have IPv6 (public). That is why I had to connect an additional direct cable from ISP router to my server for IPv6 protocol only, bypassing the pros of FWA on that protocol. Third, I do NOT UNDERSTAND why I am unable to set my own DNS servers for IPv6 on the FWA (for example Cloudflare). As a result of that lack I now have different DNS servers for IPv4 (the ones I want, set at the FWA IPv4 setup) plus the DNS of my provider on IPv6 (delegated by the ISP router). That leads to issues.
One positive aspect is that I can enter at least a gateway address. So, why also not a DNS address? DHCPv6 has some issues and the implementation on provider side is not always clean....
It is still possible to get IPv6 working on the LAN side of Firewalla with such a provider (yes), by setting up everything manually (NOT using DHCPv6). Then, all devices are pingable through IPv6. But Internet (browsing) on IPv6 won't work, because Firewalla does not receive a DNS server in that case and there is no option to enter one in the manual setup! ---> Improvement
Because some Browser or OS first try IPv6 and then rollback to IPv4, the result is WAITING time when opening websites with working both protocols, such as Google. They wait to resolve the hostname on IPv6, what won't work.
If someone wants to eliminate all that hassle then you need to get a provider who offers you a /48 subnet. Firewalla then will get a /64 subnet from that and is able to delegate IP's from that /64 pool to its devices.
And last: Why am I unable to configure a LAN interface with IPv6 ONLY? Why is it mandatory to also have IPv4? Why is there no 'Disable IPv4' switch? For testing or routing purpose (in the future) that would be useful.
(note: I am not a native English speaker)
Firewalla Team: Do not forget: The reason (one but major reason, there are others) why a CONSUMER pays 500 bucks for a Firewalla are the missing configuration options and possibilities on their (mandatory) ISP routers. So, they have to be there in the Firewalla. As for me, owning two Gold units since the very beginning, the lifecycle comes near. I might decide for another solution then, when I still am unable to configure basic stuff.
You can add "Buddy Telco" (https://www.buddytelco.com.au) to the list of ISPs that is missing a rapid-commit flag. They let me know that it is a conscious choice on their side, as it reduces reliability and stability. As such it would be great if this would be configurable in the app, instead of requiring editing config files.