IPv6 only on dedicated vlan


I've been wanting an IPv6 only environment and I've been wondering what the state in OpenWrt for such a thing is.
I would like to add a vlan in which clients will be run IPv6 only. I would wish for my OpenWrt doing the rest. I'd rather not use some google dns64 service but run something like that on my own on my Firewall. All other vlans should remain as is, meaning Dual Stack.

What do I need to make this real? Should I use something like Jool? How can I implement DNS64? My Hardware is potent enough so I could run something like that in a docker container. Can someone please just point me into the right direction.


First, do you have native IPv6 Internet from your ISP?

OpenWrt handles it fine - for years now, actually. You can configure the said network and simply not assign IPv4 addressing on the network in question - IPv6 only. Simple.

(Also setting your client only to get IPv6 addressing does the same thing, BTW.)

Some of these technologies are to get IPv4 in an IPv6 environment - the opposite of what [I thought] you described. One seems to be an alternative to what's already built into OpenWrt (or packages).

  • To be clear, your ISP is IPv4 (and maybe IPv6 too), correct?
  • And you want a VLAN that only uses IPv6, correct?

If your ISP is IPv6 enabled already it will be easier to setup. If they're IPv4-only, you'll need to find a 6in4 tunnel broker service.

Yes jool and for instance bind9 with dns64.


Yeah sorry, I forgot to mention. My provider is doing dual stack with both a static IPv4 public adress and a static routed /48 prefix.

The problem I'd like to solve is that my IPv6 only clients shall also be able to talk to IPv4 only hosts on the Internet (like github.com).

OK, well, the IPv6 part is easy - you'd remove the IPv4 addressing from that VLAN and DHCPv4 - then properly configure it to receive at least a /64 from your wan6 interface - DHCPv6 to be SLACC, RA-Service (Server Mode), DHCPv6 Server Mode (optional).

You want to:

  • Configure a network VLAN with IPv6 only addressing; then
  • Setup a way for those clients to reach the IPv4 Internet...?

That's seems like a cool project...but TBH, I've never disabled IPv4 then tried to get IPv4 over the IPv6 Internet thru another provider. I'm sure others can comment on that.

If you really wanted to test something like that, I'd just setup some IPv4 VPN provider that offers you a IPv6 endpoint address. :wink: That's the closest example I've got in my setup - I pass IPv4 traffic over IPv6 Internet, sounds almost the same. :thinking:

Nah, I don't want VPN. I will give this stuff a try and if I'm successful I'll make a Youtube video, so others can benefit.

1 Like

What's the use case - IPv6 only ISP?

Setup demonstration?


Update us - and maybe others have set it up and will respond - that's cool!

This requires nat64 protocol translation and you will probably also want dns64. There are the packages kmod-jool-netfilter and jool-tools-netfilter for doing nat64, but I've never used them so I can't advise you on setting that up. I also don't think dnsmasq can do dns64 for you, so you will need to find or set up a recursive dns resolver that has dns64 lying turned on.

Be aware that stateful transition technologies like nat64 are crap, and when you orchestrate the dns with the network state using things like dns64, it is even more crap. So I suggest you not do this unless it is necessary. Feel free to experiment as you like, but I think you will find you won't like this setup in the long run.

Haha, thank you for your frank words.
It's an experiment. Originally I'm coming from (as most of us) an IPv4 only world, like back in the days.

I've started using IPv6 in 2012. Since 2020 I've been running my network mostly IPv6 only. All my DNS records are AAAA. My static routes are mostly IPv6 for remote sites and for VPN Roadwarriors. So I can say I don't need IPv4 any more, except those nasty IPv4 only hosts on the Internet.

To me it seems natural that I would want to go into this IPv6 only direction more and more.
T-Mobile in Germany for example already offers to have mobile devices run as IPv6 only. I assume they use those transition mechanisms as well. At least in that scenario it's working really well, with few exceptions, like VoIP.

1 Like

Like I already mentioned choose bind9 for dns64. If you need I can dig up my minimal config I've once used for a personal proof of concept.
I'm on your site that ipv4 should considered ancient legacy and should be a thought of second class :wink:

unbound offers dns64 config

Wait...so you're saying that you wanna make your router a NAT64 gateway (so the OpenWrt does the 4 into 6 translation for that VLAN)?

Interesting. See: https://openwrt.org/packages/table/start?dataflt[Description_wiki*~]=nat64

Yes, Jool is available, good luck!

Yea; but that's when I just turn off IPv4...and leave it. :smile:

This is clearly for testing...as anyone on a true IPv6-only ISP wouldn't have the IPv4 connectivity to do what the OP is doing (i.e. T-Mobile devices). It's a cool project, though.

Edit: I just wanted to note, I'm not certain; but I believe [native] dual stack networks don't have any need for an IPv6 transition technology (per RFC's) - that's why I was quite lost at first. In any case, I never set it up, but I would see a need in the future (i.e. designing new networks to be IPv6 only internally, thereby eliminating IPv4 internally and IPv4-NAT altogether). You'd be adding the transition technology to your router, though - unless you're testing some futuristic device that truly was only built with an IPv6 stack... I don't see...but that would make this even more cool! :smiley:

It looks like Google has dns64 servers at addresses 2001:4860:4860::6464 and 2001:4860:4860::64 so you don't have to set up your own recursive resolver for dns64. Also, if you have trouble figuring out jool, there's another package called tayga which doesn't live inside the kernel and looks pretty easy to set up. If you go this route, be sure to use the standard 64:ff9b::/96 nat64 prefix as Google's dns64 servers require it.

T-Mobile uses 464xlat, which is a v6-only network that has nat64 and dns64 in the network, and nat46 in the phone to accommodate v4-only apps. Using v4-only apps on T-Mobile tends to be rather slow because of the nat46, especially on Android where the nat46 is always stateful. Iphones use faster stateless nat46 unless you are tethering. Fortunately, most apps are v6 capable now, so the situation has mostly abated.

Have fun with your experiment.