{"id":4871,"date":"2026-05-20T15:31:35","date_gmt":"2026-05-20T22:31:35","guid":{"rendered":"https:\/\/www.sheer.us\/weblogs\/?p=4871"},"modified":"2026-05-20T15:31:35","modified_gmt":"2026-05-20T22:31:35","slug":"ipv6-solution-for-provider-only-providing-a-64","status":"publish","type":"post","link":"http:\/\/www.sheer.us\/weblogs\/it\/ipv6-solution-for-provider-only-providing-a-64","title":{"rendered":"IPv6 solution for provider only providing a \/64"},"content":{"rendered":"

So, ChatGPT kept giving me *terrible* advice for what to do when a provider provides only a \/64 and you have a firewall in front of your LAN.<\/p>\n

The solution is actually fairly straightforward, providing you are using static or DHCP assigned addresses:<\/p>\n

0) Turn on routing and proxy ndp:
\n


\nnet.ipv6.conf.all.forwarding=1
\nnet.ipv6.conf.all.accept_ra=2
\nnet.ipv6.conf.all.proxy_ndp=1
\n<\/PRE><\/p>\n
1) Install ndppd.conf with a config file similar to this:<\/p>\n

\nroute-ttl 30000<\/p>\n
proxy ens192 {
\n    router yes
\n    timeout 500<\/p>\n
    rule 2605:9f80:2000:110::\/64 {
\n        static
\n    }
\n}
\n<\/PRE><\/p>\n
2) Create a interface on the upstream side of the firewall that is 2605:9f80:2000:110::2\/64
\n3) Create a interface on the downstream side of the firewall that is 2605:9f80:2000:110:8000::1\/65
\n4) Assign addresses inside that \/65 to other things on the LAN<\/p>\n
Advantages over the ChatGPT suggested solution of manually entering a \/128 route and creating a \/128 entry and adding a fd00 interface to every host:<\/p>\n
#1: It keeps the wire settigns “honest”. Setting a \/128 for each host means you are lying to the host about the wire. This can cause local traffic problems even if the router does route single-homed traffic<\/p>\n
#2: It’s *simple*. Set it up once, forget about it. Minimal configuration needed. No need to add additional configuration to the router as you add each host.<\/p>\n
#3: It fits conventional subnetting rules. Even though normally one never assigns ipv6 smaller than a \/64 so that self-addressing can work correctly, if one is using statics or a DHCP server this works just fine, while also fitting the way we usually subnet IP networks.<\/p>\n","protected":false},"excerpt":{"rendered":"
So, ChatGPT kept giving me *terrible* advice for what to do when a provider provides only a \/64 and you have a firewall in front of your LAN. The solution is actually fairly straightforward, providing you are using static or DHCP assigned addresses: 0) Turn on routing and proxy ndp: net.ipv6.conf.all.forwarding=1 net.ipv6.conf.all.accept_ra=2 net.ipv6.conf.all.proxy_ndp=1 1) Install […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,11],"tags":[],"_links":{"self":[{"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts\/4871"}],"collection":[{"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/comments?post=4871"}],"version-history":[{"count":1,"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts\/4871\/revisions"}],"predecessor-version":[{"id":4872,"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts\/4871\/revisions\/4872"}],"wp:attachment":[{"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/media?parent=4871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/categories?post=4871"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/tags?post=4871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}