While we are still a few years off from turning off IPv4 on the internet, it is possible to turn off IPv4 in your SOHO (Small Office Home Office) network, or on just one of your SOHO networks. Google is showing that over 40% of connections to its search engine are over IPv6. By running an IPv6-only network in the SOHO, you will:
- Find out what breaks with IPv4 disabled
- Simplify your firewall rules, since only IPv6 is supported
- Discover how well most of the Internet works using DNS64/NAT64
I have been running an IPv6-only network in my house for a couple of years now, and it works amazingly well. There are items, such as my Internet Radio, which do not work over IPv6, and I have a Dual Stack DMZ for IoT-like devices like that. But the major OSs (Windows, Mac, Linux, iOS, Android) all do IPv6 quite well these days.
Getting from here to there
The key to running IPv6-only while still browsing the other 59% of the Internet is a transition technology, DNS64/NAT64. This has two parts. The first is a special DNS (Domain Name Server) which synthesizes IPv6 addresses (AAAA records) when a DNS request returns only an A record (IPv4-only).
The second is NAT64 (Network Address Translation v6 to v4). Once your laptop has a synthesized IPv6 address, it will connect to the NAT64, which translates the synthesized IPv6 address to a real IPv4 address and sends the packet out on the Internet.
Using OpenWrt for DNS64/NAT64
Fortunately, you can take any of the thousand or so routers supported by OpenWrt, and run both DNS64 and NAT64. OpenWrt is an actively developed open source project for SOHO routers.
Fortunately, DNS64 and NAT64 can run on the same OpenWrt router.
OpenWrt uses DNSMasq as a DNS/DHCPv4 server by default. Since we’ll be running IPv6-only, we won’t need the DHCPv4 server. I have disabled DNSMasq and installed the unbound DNS server, specifically because it has a checkbox that enables DNS64, making it the easiest DNS64 installation you will ever do.
Just click on the Enable DNS64 checkbox, and you are running a DNS64 server.
Unbound’s DNS64 uses the well known prefix (WKP) of 64:ff9b::/96 by default, but can be changed to any IPv6-prefix in your network.
NAT64 on OpenWrt uses a handy packet tool called jool. Jool can do many things, but configuring it for NAT64 requires the command line.
ssh into the router and install jool (on OpenWrt version 22.03):
opkg update
opkg install kmod-jool-netfilter jool-tools-netfilter
jool instance add --pool6 64:ff9b::/96
You will most likely want this to be persistent across router reboots, therefore add the following to your /etc/rc.local file (before exit 0). This can be done using the web interface, LuCI, under System->Startup->Local Startup.
Now that you have DNS64 and NAT64 running on your OpenWrt router, connect a laptop, and try to ping an IPv4-only website, such as cira.ca (the Canadian Internet Registration Authority):
$ ping -c2 cira.ca
PING cira.ca(a39c698e40c082be1.awsglobalaccelerator.com (64:ff9b::321:b811)) 56 data bytes
64 bytes from a39c698e40c082be1.awsglobalaccelerator.com (64:ff9b::321:b811): icmp_seq=1 ttl=120 time=13.1 ms
64 bytes from a39c698e40c082be1.awsglobalaccelerator.com (64:ff9b::321:b811): icmp_seq=2 ttl=120 time=14.7 ms
--- cira.ca ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 13.146/13.928/14.710/0.782 ms
This ping tests both parts: DNS64 synthesizes the IPv6 address (note the WKP 64:ff9b::/96 in the output above), and NAT64 carries the actual ping (ICMP message).
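To read the synthesized address in the ping output above, here is an added example (not from the original post) of the RFC 6052 address embedding that DNS64 and NAT64 share, used to map NAT64 destinations in firewall logs back to the real IPv4 target. It goes beyond the /96 WKP case to cover the other prefix lengths RFC 6052 allows; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # well-known prefix used on this page
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)     # prefix lengths allowed by RFC 6052

def _slots(prefix):
    """Byte positions that carry the IPv4 address; octet 8 ('u') is reserved."""
    if prefix.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{prefix.prefixlen} is not a valid NAT64 prefix length")
    return [i for i in range(prefix.prefixlen // 8, 16) if i != 8][:4]

def synthesize(ipv4, prefix=WKP):
    """DNS64 side: embed an A record's address in the NAT64 prefix."""
    raw = bytearray(prefix.network_address.packed)
    for slot, octet in zip(_slots(prefix), ipaddress.IPv4Address(ipv4).packed):
        raw[slot] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(ipv6, prefix=WKP):
    """NAT64 side: recover the real IPv4 destination, or None when the
    address is outside the NAT64 prefix (native IPv6 traffic)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in _slots(prefix)))

def annotate(log_lines, prefix=WKP):
    """Pair each logged destination with the IPv4 host it really reaches."""
    out = []
    for line in log_lines:
        dst = line.split("DST=")[1].split()[0]
        v4 = extract(dst, prefix)
        out.append((dst, str(v4) if v4 is not None else "native IPv6"))
    return out

# Constructed sample log lines; the first destination is the one in the ping output.
SAMPLE_LOG = [
    "fw: OUT=wan SRC=2001:db8:1::50 DST=64:ff9b::321:b811 PROTO=ICMPv6",
    "fw: OUT=wan SRC=2001:db8:1::50 DST=2001:db8:ffff::1 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for dst, target in annotate(SAMPLE_LOG):
        print(f"{dst:24} -> {target}")
```

If you change Unbound's DNS64 prefix, pass the same prefix to jool's --pool6 and to these functions, since both sides must agree on where the IPv4 bytes sit.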
Running IPv6-only is a great way to check out which apps work (and which don’t) on IPv6-only. A few notable apps that don’t work well on IPv6-only:
- Zoom (Jitsi works just fine on IPv6-only)
- Many VPN software/providers (WireGuard works well in IPv6-only)
That said it is amazing what does work well on IPv6-only. As a test, this past summer, I put our house guests on the IPv6-only network, and at the end of the week, I asked them if they had run into any problems. They replied they had no problems on the IPv6-only network during the week.
With the help of DNS64 and NAT64 on OpenWrt, you are now ready to run an IPv6-only network in your SOHO network, and see how the future of the Internet will work.
- As of 2022-10-24, jool will report “(Xtables disabled)”; this is normal, as OpenWrt now uses netfilter
- To be fair, www.cira.ca has an IPv6 address, but cira.ca does not
- Be aware, that if you are a guest at my house, you will be put onto the IPv6-only network 😉
23 November 2022