IPv6 addresses are 128 bits long and are written as eight groups of four hexadecimal digits (0-9, a-f) separated by colons (e.g., 2001:db8:85a3:0:0:8a2e:370:7334). Two shortcuts are allowed: leading zeros in a group may be omitted (e.g., 0db8 becomes db8), and one continuous block of all-zero groups may be replaced with a double colon (e.g., ::1 for localhost), but :: can be used only once per address. Network prefixes use CIDR notation (e.g., 2001:db8::/32).

Full Format

  • Structure: 8 groups of 16-bit hexadecimal numbers, separated by colons.
  • Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Abbreviation Rules

  1. Omit Leading Zeros: Remove any leading zeros from any group.
    • 0db8 becomes db8
    • 0000 becomes 0
    • 0042 becomes 42
  2. Compress Consecutive Zeros: Replace one continuous block of all-zero groups with a double colon (::).
    • This :: can only be used once per address to avoid ambiguity. 
    • 2001:db8:0:0:0:0:2:1 becomes 2001:db8::2:1
    • 0000:0000:0000:0000:0000:0000:0000:0001 (localhost) becomes ::1

Examples of Shortening

  • Original: 2001:0db8:0000:0000:0000:ff00:0042:8329
  • Step 1 (Omit Zeros): 2001:db8:0:0:0:ff00:42:8329
  • Step 2 (Compress): 2001:db8::ff00:42:8329

Network Prefixes (CIDR)

  • Similar to IPv4, network masks use / notation.
  • Example: 2001:db8:12::/64 identifies the network portion (first 64 bits).

Address Format

An IPv6 address consists of 32 hexadecimal digits, in 8 sections of 4 digits each, separated by colons. It looks something like this: 1234:5678:90ab:cdef:1234:5678:90ab:cdef

IPv6 addresses have several shortcuts that allow them to be compressed into smaller strings following certain rules.

If there are any leading zeroes in a section, they may be left off. 0001:0001:0001:0001:0001:0001:0001:0001 could be written as 1:1:1:1:1:1:1:1.

Any number of consecutive address parts consisting of only zeroes may be compressed by using ::, but this can only be done once in an IPv6 address to avoid ambiguity. A good example of this is localhost, compressing 0000:0000:0000:0000:0000:0000:0000:0001 to ::1. Any time :: appears in an IPv6 address, the values between are all zeroes. An IP address such as fe80:1111:2222:0000:0000:0000:7777:8888 can be represented as fe80:1111:2222::7777:8888. However, fe80:1111:0000:0000:4444:0000:0000:8888 cannot be shortened using :: more than once. It would either be fe80:1111::4444:0:0:8888 or fe80:1111:0:0:4444::8888, but it cannot be fe80:1111::4444::8888 because there is no way to tell how many zeroes have been replaced by either :: operator.

Determining an IPv6 Addressing Scheme

Because of the increased length of the addresses, the vast space provided in even a basic /64 size prefix, and the ability to use hexadecimal digits, there is more freedom to design device network addresses.

On servers using multiple IP address aliases for virtual hosts, jails, etc., a useful addressing scheme is to use the seventh section of the IPv6 address to denote the server. Then use the eighth section for individual IPv6 aliases. This groups all the IP addresses into a single recognizable host. For example, the server itself would be 2001:db8:1:1::a:1, and then the first IP alias would be 2001:db8:1:1::a:2, then 2001:db8:1:1::a:3, etc. The next server would be 2001:db8:1:1::b:1, and repeats the same pattern.

Some administrators like to have fun with their IPv6 addresses by using hexadecimal letters and number/letter equivalents to make words out of their IP addresses. Lists of hexadecimal words around the web can be used to create more memorable IP addresses such as 2001:db8:1:1::dead:beef.

Decimal vs. Hexadecimal Confusion

Creating consecutive IPv6 addresses with a hexadecimal base may cause confusion. Hexadecimal values are base 16, unlike decimal values, which are base 10. For example, the IPv6 address 2001:db8:1:1::9 is followed by 2001:db8:1:1::a, not 2001:db8:1:1::10. By going right to 2001:db8:1:1::10, the values a-f have been skipped, leaving a gap. Consecutive numbering schemes are not required, and their use is left to the discretion of the network designer. For some, it is psychologically easier to avoid using the hexadecimal digits.

Given that all IPv4 addresses can be expressed in IPv6 format, this issue will arise when designing a dual stack network that keeps one section of the IPv6 address the same as its IPv4 counterpart.

IPv6 Subnets

Creating subnets with IPv6 is easier than IPv4. It’s also different. Want to divide or combine a subnet? All that is needed is to add or chop off digits and adjust the prefix length by a multiple of four. No longer is there a need to calculate subnet start/end addresses, usable addresses, the null route, or the broadcast address.

IPv4 had a subnet mask (dotted quad notation) that was later replaced by CIDR masking. IPv6 doesn’t have a subnet mask but instead calls it a Prefix Length, often shortened to “Prefix”. Prefix length and CIDR masking work similarly; the prefix length denotes how many bits of the address define the network in which it exists. Most commonly the prefixes used with IPv6 are multiples of four, as seen in Table IPv6 Subnet Table, but they can be any number between 0 and 128.

Using prefix lengths in multiples of four makes it easier for humans to distinguish IPv6 subnets. All that is required to design a larger or smaller subnet is to adjust the prefix by multiple of four. For reference, see Table IPv6 Subnet Table listing the possible IPv6 addresses, as well as how many IP addresses are contained inside each subnet.

IPv6 Subnet Table

Prefix  Subnet Example                           Total IP Addresses                 # of /64 nets
/4      x::                                      2^124                              2^60
/8      xx::                                     2^120                              2^56
/12     xxx::                                    2^116                              2^52
/16     xxxx::                                   2^112                              2^48
/20     xxxx:x::                                 2^108                              2^44
/24     xxxx:xx::                                2^104                              2^40
/28     xxxx:xxx::                               2^100                              2^36
/32     xxxx:xxxx::                              2^96                               4,294,967,296
/36     xxxx:xxxx:x::                            2^92                               268,435,456
/40     xxxx:xxxx:xx::                           2^88                               16,777,216
/44     xxxx:xxxx:xxx::                          2^84                               1,048,576
/48     xxxx:xxxx:xxxx::                         2^80                               65,536
/52     xxxx:xxxx:xxxx:x::                       2^76                               4,096
/56     xxxx:xxxx:xxxx:xx::                      2^72                               256
/60     xxxx:xxxx:xxxx:xxx::                     2^68                               16
/64     xxxx:xxxx:xxxx:xxxx::                    2^64 (18,446,744,073,709,551,616)  1
/68     xxxx:xxxx:xxxx:xxxx:x::                  2^60 (1,152,921,504,606,846,976)   0
/72     xxxx:xxxx:xxxx:xxxx:xx::                 2^56 (72,057,594,037,927,936)      0
/76     xxxx:xxxx:xxxx:xxxx:xxx::                2^52 (4,503,599,627,370,496)       0
/80     xxxx:xxxx:xxxx:xxxx:xxxx::               2^48 (281,474,976,710,656)         0
/84     xxxx:xxxx:xxxx:xxxx:xxxx:x::             2^44 (17,592,186,044,416)          0
/88     xxxx:xxxx:xxxx:xxxx:xxxx:xx::            2^40 (1,099,511,627,776)           0
/92     xxxx:xxxx:xxxx:xxxx:xxxx:xxx::           2^36 (68,719,476,736)              0
/96     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::          2^32 (4,294,967,296)               0
/100    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x::        2^28 (268,435,456)                 0
/104    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx::       2^24 (16,777,216)                  0
/108    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx::      2^20 (1,048,576)                   0
/112    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::     2^16 (65,536)                      0
/116    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x::   2^12 (4,096)                       0
/120    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx::  2^8 (256)                          0
/124    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx:: 2^4 (16)                           0
/128    xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx  2^0 (1)                            0

/64 is a standard size IPv6 subnet as defined by the IETF. It is the smallest subnet that can be used locally if autoconfiguration is desired.

Typically, an ISP assigns a /64 or smaller subnet to establish service on the WAN. An additional network is routed for LAN use. The size of the allocation depends upon the ISP, but it’s not uncommon to see end users receive at least a /64 and even up to a /48.

A tunnel service provider such as tunnelbroker.net run by Hurricane Electric will allocate a /48 in addition to a routed /64 subnet and a /64 interconnect.

Assignments larger than /64 usually adopt the first /64 for LAN and subdivide the rest for requirements such as VPN tunnel, DMZ, or a guest network.
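To show the "add or chop off digits" rule from the subnet section in practice, here is an added example (not code from the original page) using Python's standard ipaddress module. It computes the rows of the subnet table for any prefix length, carves a prefix into nibble-aligned children such as the sixteen /52 networks inside 2001:db8:1::/48, and combines a child back into its parent; the addresses are the documentation prefix, chosen here for illustration.

```python
# Added example (not from the original page): nibble-boundary IPv6 subnetting
# and the arithmetic behind the subnet table.
import ipaddress


def subnet_table_row(prefix_len: int) -> dict:
    """Total addresses and number of /64 networks in a prefix of this length."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    total = 2 ** (128 - prefix_len)
    # Prefixes longer than /64 contain no whole /64, matching the table's 0 entries.
    nets_64 = 2 ** (64 - prefix_len) if prefix_len <= 64 else 0
    return {"prefix": prefix_len, "total": total, "nets_64": nets_64}


def nibble_subnets(network: str, new_prefix: int) -> list[str]:
    """Split `network` into children of length `new_prefix`. Both lengths must
    sit on a 4-bit boundary so each child differs by whole hex digits."""
    net = ipaddress.IPv6Network(network, strict=True)   # reject host bits set
    if net.prefixlen % 4 or new_prefix % 4:
        raise ValueError("prefix lengths must be multiples of four")
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be at least as long as the parent's")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def supernet_of(network: str, new_prefix: int) -> str:
    """The reverse operation: chop digits off to combine into a shorter prefix."""
    net = ipaddress.IPv6Network(network, strict=True)
    if new_prefix % 4 or new_prefix > net.prefixlen:
        raise ValueError("new prefix must be a shorter multiple of four")
    return str(net.supernet(new_prefix=new_prefix))


if __name__ == "__main__":
    for p in (48, 56, 64, 72):
        print(subnet_table_row(p))
    # Sixteen /52 networks: 2001:db8:1::/52, 2001:db8:1:1000::/52, ... :f000::/52
    print(nibble_subnets("2001:db8:1::/48", 52))
    print(supernet_of("2001:db8:1:a000::/52", 48))
```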

Special IPv6 Subnets

Special use networks are reserved in IPv6. A full list of these can be found in the Wikipedia IPv6 article. Six examples of IPv6 special networks and their addresses are shown below in IPv6 Special Networks and Addresses.

IPv6 Special Networks and Addresses

Network          Purpose
::1              Localhost
2001:db8::/32    Documentation prefix used for examples (RFC 3849)
3fff::/20        Documentation prefix used for examples (RFC 9637)
64:ff9b::/96     NAT64
fc00::/7         Unique Local Addresses (ULA) – also known as “Private” IPv6 addresses.
fe80::/10        Link Local addresses, only valid inside a single broadcast domain.
ff00::0/8        Multicast addresses
::ffff:0:0/96    IPv4 Mapped Addresses

Neighbor Discovery

IPv4 hosts find each other on a local segment using ARP broadcast messages, but IPv6 hosts find each other by sending Neighbor Discovery Protocol (NDP) messages. Like ARP, NDP works inside a given broadcast domain to find other hosts inside a specific subnet.

By sending special ICMPv6 packets to reserved multicast addresses, NDP handles the tasks of neighbor discovery, router solicitations, and route redirects similar to IPv4’s ICMP redirects.

pfSense® software automatically adds firewall rules on IPv6 enabled interfaces that permit NDP to function. All current known neighbors on IPv6 can be viewed in the firewall GUI at Diagnostics > NDP Table.

Router Advertisements

IPv6 routers are located through their Router Advertisement (RA) messages instead of by DHCP. IPv6-enabled routers that provide dynamic address assignment are expected to announce themselves on the network to all clients and respond to router solicitations. When acting as a client (WAN interfaces), pfSense software accepts RA messages from upstream routers. When acting as a router, pfSense software provides RA messages to clients on its internal networks. See Router Advertisements (Or: “Where is the DHCPv6 gateway option?”) for more details.

Address Allocation

Client addresses can be allocated by static addressing, through SLAAC (Router Advertisements (Or: “Where is the DHCPv6 gateway option?”)), by DHCP6 (IPv6 Router Advertisements), or by other tunneling methods such as OpenVPN.

DHCP6 Prefix Delegation

DHCP6 Prefix Delegation delivers a routed IPv6 subnet to a DHCP6 client. A WAN type interface can be set to receive a prefix over DHCP6 (DHCP6, Track Interface). A router functioning at the edge of a large network can provide prefix delegation to other routers inside the network (DHCPv6 Prefix Delegation).

IPv6 and NAT

Though IPv6 removes almost any need for NAT, there are rare situations that call for the use of NAT with IPv6 such as Multi-WAN for IPv6 on residential or small business networks.

IPv6 all but eliminates the need for traditional port translated NAT (PAT) where internal addresses are translated using ports on a single external IP address.

Outbound NAT

While it is possible to perform Outbound NAT on IPv6 traffic, the best practice is to allow IPv6 traffic to pass without performing any address or port translation.

Prefix Translation (1:1 NAT)

It is possible to translate one IPv6 prefix to another, which is Network Prefix Translation (NPt). This is available in the pfSense® software GUI under Firewall > NAT on the NPt tab. For example, NPt can translate 2001:db8:1111:2222::/64 to 2001:db8:3333:4444::/64 while maintaining the host portion of the address. For more on NPt, see IPv6 Network Prefix Translation (NPt).

NAT64

pfSense software is capable of performing NAT64 which is useful as a transition mechanism to allow IPv6-only hosts access to IPv4-only resources. Several different functions must be configured for a full NAT64 configuration. See NAT64 and Configuring NAT64 for IPv6-only Clients for details.

IPv4 Mapped Addresses

There is also a mechanism built into IPv6 to access IPv4 hosts using a special address notation, such as ::ffff:192.168.1.1. The behavior of these addresses can vary between OS and application and can be unreliable.

NAT64

NAT64 is a form of NAT which enables clients with only IPv6 addresses to reach remote hosts using IPv4 addresses. NAT64 accomplishes this by mapping IPv4 addresses into a special IPv6 prefix dedicated to this purpose, such as the default NAT64 prefix, 64:ff9b::/96.

Note

Though NAT64-related settings allow this prefix to be set to a custom value, in practice the value rarely if ever deviates from the default prefix of 64:ff9b::/96.

Requirements

To perform NAT64 there are a few prerequisites:

  • The device performing NAT64 must have an external IPv4 address.
  • If using this firewall for DNS, it must use the DNS Resolver.
  • The internal interface with IPv6 clients does not need to have IPv4 configured.
  • The local IPv6 interface must be properly configured, have appropriate firewall rules, etc. This can be a tracked WAN configuration or manually configured.

NAT64 Components

Several components come together to allow a fully-functioning NAT64 environment:

See also

See NAT64 Configuration Recipe for a complete walk-through of configuring each component in NAT64.

How NAT64 Works

This is a basic summary of the process for an IPv6 client to successfully make NAT64 requests:

  • IPv6 client discovers the NAT64 prefix via PREF64.
  • IPv6 client performs a DNS lookup for a host.
  • The DNS Resolver uses DNS64 to include mapped IPv4 addresses in its responses using the configured NAT64 prefix. For example, the client requests www.example.com which resolves to 203.0.113.5 and has no IPv6 address. The DNS response to the client will include both 203.0.113.5 and the IPv6 mapped equivalent, 64:ff9b::cb00:7105.
  • IPv6 client contacts the IPv4 host using the mapped address returned via DNS64.
  • The firewall translates this request using NAT64 so the incoming IPv6 packet has both its source and destination translated to appropriate IPv4 addresses. This is a stateful mapping which allows the firewall to appropriately handle return packets for ongoing connections.

This entire process is transparent to the client software, such as a web browser. It will act as though it is communicating directly to IPv6 hosts even when using hostnames for sites with no IPv6 connectivity.

Contacting Remote IPv4 Hosts

IPv6 clients can contact IPv4 hosts using mapped addresses without DNS64 by manually appending the IPv4 address to the NAT64 prefix. For example, to contact the IPv4 address 203.0.113.5 the client would instead contact 64:ff9b::203.0.113.5. The client could also use the fully-IPv6 equivalent address, 64:ff9b::cb00:7105, but that is much more difficult for humans.
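The address mapping used in both the DNS64 step of "How NAT64 Works" and the manual method above, as an added example that is not code from the original page or from pfSense: it embeds an IPv4 address in the low 32 bits of a /96 NAT64 prefix (the RFC 6052 layout, which is what makes 64:ff9b::203.0.113.5 and 64:ff9b::cb00:7105 the same address), recovers the IPv4 destination from a mapped address the way a translator must, and synthesizes AAAA answers only for names that have no real IPv6 address. The DNS records are constructed sample data.

```python
# Added example (not from the original page): NAT64 /96 prefix mapping and
# DNS64-style AAAA synthesis using only the standard library.
import ipaddress
from typing import Optional

# Well-known default NAT64 prefix; a custom /96 can be passed instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def map_ipv4_to_nat64(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    # A /96 network address has its low 32 bits clear, so OR places the IPv4 there.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def unmap_nat64_to_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """Return the embedded IPv4 address, or None when the destination is not in
    the NAT64 prefix (an ordinary IPv6 destination must not be translated)."""
    v6 = ipaddress.IPv6Address(ipv6)      # accepts both ::cb00:7105 and ::203.0.113.5
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records: list[str], aaaa_records: list[str]) -> list[str]:
    """DNS64 behaviour: synthesize AAAA records from A records only when the
    name has no native IPv6 address, so dual-stack names are left alone."""
    if aaaa_records:
        return list(aaaa_records)
    return [map_ipv4_to_nat64(a) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: www.example.com has only an A record in this scenario.
    print(dns64_answer(["203.0.113.5"], []))            # ['64:ff9b::cb00:7105']
    print(unmap_nat64_to_ipv4("64:ff9b::203.0.113.5"))  # 203.0.113.5
    print(unmap_nat64_to_ipv4("2001:db8::1"))           # None
```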

NAT64 does not enable IPv6 clients to talk to IPv4 hosts directly using IPv4 address notation. However, IPv6 clients may be able to do so if they have a customer-side translator (CLAT). This is completely dependent on the client; routers/firewalls are not involved in that functionality. The availability of a CLAT is up to the operating system and its enabled features, installed software, etc.

Note

NAT64 on pfSense software only allows IPv6 clients to contact IPv4 servers and exchange two-way traffic. NAT64 does not allow IPv4 remote hosts to reach local IPv6 hosts.

NAT64 and Policy Routing

NAT64 is compatible with policy routing. For example, if an IPv4 destination has a static route out through an alternate path, a NAT64 rule can be configured to match. The NAT64 rule should match the equivalent mapped destination with a gateway configured to ensure it takes the expected path.

NAT64 and other NAT

NAT64 translates traffic when it reaches a rule inbound on an interface. This happens before the firewall processes Outbound NAT rules. As a result, while the packets can be translated again by Outbound NAT, they are unlikely to match in a way that makes additional Outbound NAT practical, since the packet already has an external address and may not be distinguishable from other connections.
