Linux – How to deploy IPv6 within a LAN using a Debian based router and prefix delegation


My ISP started using DHCPv6, which means with this /etc/network/interfaces

auto lo eth0 eth1

iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static

allow-hotplug eth1
iface eth1 inet dhcp
iface eth1 inet6 dhcp

… my Debian Wheezy router finally gets an IPv6 address assigned (yay!).

But what do I need to do next in order to get my router to assign IPv6 addresses to all the workstations within the LAN?

With IPv4 all I had to do was to enable the DHCP client on the WAN interface, assign static IPv4 addresses to the router and the workstations and finally set up NAT (I used iptables -t nat -a POSTROUTING -s ! -d -j MASQUERADE for that).

With IPv6 there is no NAT. I've looked into radvd and isc-dhcp-server, but both seem to require a prefix set in their configuration files (ie. a prefix that doesn't change). My ISP however seems to provide me with a new prefix every time I reconnect.

I'm really lost.

Best Answer

You didn't say who your ISP was, but the following works on Comcast in areas where they have rolled out IPv6.

I had to use wide-dhcpv6-client since none of the other DHCPv6 clients could handle all of getting an address for the ISP-facing interface, prefix delegation, and Comcast's maximum /60 network mask at the same time.

After installing wide-dhcpv6-client, edit /etc/network/interfaces so your eth1 IPv6 settings look like this:

iface eth1 inet6 auto
        post-up sysctl -w net.ipv6.conf.ext0.accept_ra=2

Edit /etc/wide-dhcpv6/dhcp6c.conf so it looks like this:

profile default

  request domain-name-servers;
  request domain-name;

  script "/etc/wide-dhcpv6/dhcp6c-script";

interface eth1 {
    send rapid-commit;

    send ia-na 0;
    send ia-pd 0;

id-assoc na 0 {


id-assoc pd 0 {
    prefix ::/60 infinity;

    # Internal interface (LAN)
    prefix-interface eth0 {
        sla-len 4;
        sla-id 0;
        ifid 1;

The "na" section gets an IPv6 address for eth1 (facing your ISP). The "pd" section gets a prefix delegation for your internal network and will assign the IPv6 address "[prefix]::1" to eth0 (your internal interface). If you have additional internal networks, you can add additional "prefix-interface" sections for those interfaces and increment the "sla-id" for each one.

Then you need a router advertisement daemon on the system for your internal network. You can use either radvd or dnsmasq.

If you are using dnsmasq, the necessary additions to /etc/dnsmasq.conf for IPv6 are

# Enable IPv6 Router Advertisement (RA) features.

# Advertise delegated prefix based on the IPv6 address of eth0.
dhcp-range = ::1,constructor:eth0,   ra-stateless, ra-names, 4h

You'll need to install the dnsmasq from Debian testing since the version that ships with Debian wheezy does not do router advertisements properly.

Then ifdown and ifup your external interface, make sure dhcp6c is running, and see if both your external and internal interface have IPv6 addresses other than the link-local ones (the "fe80::..." addresses). If all of that worked, restart dnsmasq, and the systems on your LAN should start automatically configuring IPv6 addresses for themselves.