IPv6 - the beginning

I'm trying to get familiar with IPv6 (as my ISP will soon offer IPv6 only).

  1. From what I have read so far, it seems that even LAN devices (behind my OpenWRT router) get a public address and there is no NAT - is this really true?

  2. And if that is true, for what reason are there Global Unicast (public) and Unique Local (private) addresses?

  3. Is it still possible to keep my LAN devices accessible only from LAN?

  1. Yes.
  2. To remain accessible even if the internet connection is down.
  3. Yes, that is the default with OpenWrt.

Thank GOD for point 3.
Still, if my LAN device (e.g. my PC) is assigned a public IPv6 address, how does OpenWRT prevent access to it from the Internet? Firewall?
Also, what assigns that public address to my local device/my PC? The ISP or OpenWRT?


Assuming you're using OpenWRT as your router then it should do it. In most cases (and assuming your ISP has given you a properly sized allocation, i.e. bigger than a /64) most devices will configure through SLAAC, but you could use DHCPv6 instead if you wanted (although not on Android devices, which can only use SLAAC).


Firewall - then I assume there is one general rule to DROP any incoming (INPUT) packet to addresses in the LAN.
If this is true, how does the FW differentiate the PUBLIC WAN address from PUBLIC LAN addresses?

SLAAC - if I get it right, it offers FE80 Link-Local addresses. However my question is: what assigns the PUBLIC address to my local device?
Could it then be a DHCP relay running on OpenWRT?

The firewall operates on interfaces. It knows which interface is connected to the internet and which are connected to LAN devices (these are the zones you see if you look at the firewall setup). It doesn't matter that devices in the LAN may have public IPv6 addresses; the firewall will still (by default) block any traffic that has arrived at a WAN interface unless it's related to a request made by a LAN device or there is a port forward/traffic rule in place.

SLAAC can work with GUA addresses as well. Ideally your ISP will advertise a /60 or bigger prefix to your router. Your router can then use that prefix to advertise a /64 block of addresses to LAN devices which will use SLAAC to assign an address. But each ISP works differently so it's difficult to be specific without knowing what your ISP does.

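The addressing described in the reply above, worked through as an added example that is not part of the thread: it splits a delegated prefix into the /64s a router can advertise and forms the address a LAN host would configure with SLAAC, showing that the result is a global address (so only the firewall zones keep it unreachable) and that a bare /64 leaves a single link's worth of space. The function names, the 2001:db8::/32 documentation prefixes and the MAC are constructed for this example, and a modified EUI-64 interface ID is assumed (many operating systems use randomized interface IDs instead).

```python
import ipaddress

def lan_prefixes(delegated):
    """Return the /64 networks a router can advertise from a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("SLAAC needs a full /64 per link")
    if net.prefixlen == 64:
        return [net]                      # nothing left to split: one link only
    return list(net.subnets(new_prefix=64))

def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291): insert ff:fe and flip the universal/local bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 plus its own interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC only works with a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

if __name__ == "__main__":
    MAC = "00:11:22:33:44:55"             # constructed sample MAC
    # Constructed delegations: a /60 (room for 16 LANs) and a bare /64.
    for delegated in ("2001:db8:0:10::/60", "2001:db8:0:10::/64"):
        nets = lan_prefixes(delegated)
        print(f"{delegated}: {len(nets)} x /64 available")
        print("  first LAN prefix:", nets[0])
        print("  host address:    ", slaac_address(nets[0], MAC))
    # The same interface ID also yields the link-local address on fe80::/64.
    print("link-local:", slaac_address("fe80::/64", MAC))
```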

My ISP is giving a /64 and no RA (DHCPv6), so what I can do is let the OpenWrt WAN6 interface relay ND to the LAN side and then enable SLAAC on my LAN side so that clients keep getting a public v6 address with the same prefix.

Thank you all very much for the replies.
After some more reading and googling, this is all getting clear now.
Let me go through the SLAAC process using @fakemanhk's example to see if I'm getting it right.

  1. The ISP assigns the Router a public IPv6 address with 64-bit host space - /64.
    WAN host prefix = 2001:abcd::1/64 (Global Unicast address / Public IP)
    Network prefix = 2001:abcd::/64 (Subnet)

  2. Because the ISP blocks/disallows RA (I guess this might be a common scenario), the router's WAN6 interface is set to relay ND to the LAN.

  3. Host(s) on the LAN use SLAAC, which is part of the IPv6 protocol installed on the OS (Win/Linux/other).

  4. SLAAC (on the LAN host) uses the Neighbor Discovery protocol (ND) to obtain a Global Unicast IPv6 address from the router. In other words, SLAAC will try to get a (Public) IP for the LAN host.

In detail:

  5. SLAAC (on the LAN host) sends an RS multicast message (ICMPv6) to the Router asking for the IPv6 global unicast prefix.
  6. The Router responds with an RA message, advertising its WAN IPv6 prefix (Public IP) and network prefix length (Subnet).
  7. SLAAC (on the LAN host), based on the RA message (point 6), assigns the Global Unicast address / Public IP.
    E.g. 2001:abcd::7/64 (and GW and DNS).

  8. The Local-link address (created in the initial phase of SLAAC) is kept for internal communication (within the LAN) in case the internet connection is down.

This looks strange; your prefix has only the first 32 bits non-zero, followed by 32 zero bits?
My home network is: 2400:aaaa:bbbb:cccc::/64 something like this.

Yes, this is what I am doing, and on LAN side I also enabled the NDP relay mode and running RA in server mode, also set RA Flags to NONE.

Yes! As this is a 64-bit prefix (64-bit netmask), it should be like this:

WAN host prefix = 2001:aaaa:bbbb:cccc::1/64 (Global Unicast address / Public IP)
Network prefix = 2001:aaaa:bbbb:cccc::/64 (Subnet)

TY @fakemanhk