Get IPv6 working with my ISP and Unifi
Years ago, when I was still at Google, I used Comcast Business as my ISP. They have IPv6 support (at least as of 2016-ish), and everything just worked with the Google Wifi system. Later, a small local ISP, Sail, became available in my area, so I switched over. They are better than Comcast at almost everything (just being “not Comcast” is already good enough for me), except one thing: they don’t support IPv6.
Or at least, they don’t support IPv6 officially. Things don’t work automatically in either the Google/Nest Wifi system or Unifi. When I talked to their tech support, they confirmed that they don’t support IPv6 and don’t have a timeline for IPv6 support. But when I occasionally plug my laptop into the RJ45 cable directly (bypassing the router) to debug some issues, I always get an IPv6 address on my laptop that works. This seems to suggest that they do have IPv6 support to some level, just not ready to “officially support it” for customers yet.
So this long weekend I tried to get it working on my Unifi system, and succeeded.
The setup that worked in the end
Note that this is just to document how I got it to work on this particular ISP (Sail). This is pretty much a YMMV situation and different ISPs would likely require different settings. If your ISP supports IPv6 officially, you should ask them for the configurations instead of following my notes here. 🙂
First, in Unifi’s WAN (Internet) settings:
- Change Advanced from Auto to Manual
- Change IPv6 Connection from Disabled to SLAAC
- Make sure IPv6 Type is Single Network
- Make sure Network below is Default (I do wonder if there’s a way to also enable IPv6 for the guest network, though)
After that, I can see that there’s an IPv6 address showing up with the IPv4 address on my ISP, and LAN (Networks) automatically configured the IPv6 part for the Default network. My local devices start to get an IPv6 IP with the same prefix as the IPv6 address I got on my WAN, and egress routing seems to work (traceroute6 ipv6.google.com works, curl -6 https://ifconfig.me shows the IPv6 address on that device, etc.).
But ingress routing doesn’t seem to work. When I traceroute6 to a device’s IPv6 address from outside (a server with an IPv6 address I have access to), it ends at the router.
It turned out (thanks to Ed) that’s because the default firewall rules on Unifi block all traffic originating from external to internal. It makes some sense for IPv4 (does it though? For IPv4 the “internal” zone is all behind NAT so not routable anyways?), but it does not make much sense when you want to run servers on IPv6 in the internal zone.
So, I needed a second step: adding a firewall rule to allow traffic from the external zone to the internal zone on IPv6. After that, everything works.
Other setups I tried that didn’t work
Before that, I also tried:
- WAN setting as SLAAC with Prefix Delegation, with guessed PD size of 64: this gets the IPv6 address on the router from the ISP, local devices can get IPv6 addresses, but IPv6 doesn’t seem to be routable.
- I also tried to change the LAN setting to use prefix delegation on IPv6. That changed local devices to get a local IPv6 instead, but still unroutable.
- In some Unifi forum discussion someone suggested changing the LAN setting to use a static IPv6 address, the one you get on WAN from the ISP, with netmask. That returned my local devices to public IPv6 addresses with the same prefix, but still unroutable.
- DHCPv6 on WAN won’t get an IPv6 address at all.
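Added example (not part of the original post): a small Python check that classifies each device's IPv6 addresses and lists the hosts that hold a global address inside the WAN prefix, i.e. the ones an external-to-internal IPv6 allow rule makes reachable in the Single Network setup above. The function names are hypothetical, all addresses are constructed from the 2001:db8::/32 documentation prefix, and it assumes the "local IPv6" seen in the prefix delegation attempt means a unique-local (fc00::/7) address.

```python
import ipaddress

# Checked by range: Python's is_global is False for the 2001:db8::/32
# documentation prefix used in the constructed sample below.
SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("global", ipaddress.ip_network("2000::/3")),
]


def parse(addr):
    """Accept 'addr', 'addr/len' or 'addr%zone' as printed by ip/ifconfig."""
    return ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])


def scope(addr):
    ip = parse(addr)
    return next((name for name, net in SCOPES if ip in net), "other")


def exposed_hosts(wan_addr, devices, prefix_len=64):
    """Hosts with a global address inside the WAN prefix: with the LAN sharing
    that prefix, these are what an inbound IPv6 allow rule makes reachable."""
    wan_net = ipaddress.ip_network(f"{parse(wan_addr)}/{prefix_len}", strict=False)
    exposed = {}
    for name, addrs in devices.items():
        hits = [a for a in addrs if scope(a) == "global" and parse(a) in wan_net]
        if hits:
            exposed[name] = hits
    return exposed


# Constructed sample data (documentation prefix, not real addresses).
WAN = "2001:db8:10:20::1/64"
DEVICES = {
    "nas": ["fe80::1a2b:3cff:fe4d:5e6f%eth0", "2001:db8:10:20:1a2b:3cff:fe4d:5e6f/64"],
    "printer": ["fe80::c0ff:ee%eth0"],        # link-local only
    "laptop": ["fd12:3456:789a:1::25/64"],    # ULA (assumed meaning of "local IPv6")
    "camera": ["2001:db8:10:21::99/64"],      # global, but a different /64
}

if __name__ == "__main__":
    for host, addrs in DEVICES.items():
        print(host, [(a, scope(a)) for a in addrs])
    print("reachable once inbound IPv6 is allowed:", exposed_hosts(WAN, DEVICES))
```

Scoping the allow rule to the listed hosts and the ports they actually serve keeps the rest of the LAN closed to inbound traffic.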