Guys, I'm scared, what's going on with IPv6?

Hey everyone,
I’ve been thinking about something for a while, and I’m finally going to ask it. First, let me explain what I know: We’ve got to get on board with IPv6 — we’re already way behind schedule, and IPv4 isn’t going to disappear overnight.
I use a bunch of SSH proxies and VPN providers, as well as the Tor and I2P networks. I’ve tried them with Red Hat Fedora, Google Android, Microsoft Windows, Debian Raspbian, and Ubuntu KDE, and they all work great. IPFire doesn’t support IPv6.

When I asked what that meant exactly, it turned out that if a network device behind IPFire opens an IPv6 network, the traffic passes through all the iptables rules as if they weren’t there, and that in both directions. I was pretty alarmed at first, but I took some comfort in the fact that certain parts of the local IPv6 network are not reachable from the internet. It may be easy to get out, but it’s not quite so easy to get in.
Well, I thought to myself, and I have lived with it for the last 10 years.
I still make sure that there are no IPv6 networks in my local network, but they’re now integrated as standard in many program configurations and are becoming more and more common.
I found some IPv6 rules in ipfire that are supposed to stop all traffic. I know this isn’t working very well, because I can set up IPv6 tunnels.

So, what are the plans and solutions of you guys?
Is this still a small problem, or am I off base here? Or would it be better to install a second router (like a Fritzbox) between the modem and IPfire? It’s not a top priority right now, but it’s starting to feel a bit urgent.
I’m not trying to start an argument or anything like that. I’ve been thinking about asking this for a while because I’m genuinely curious.

Thanks for sharing your thoughts and for the answers!
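An added example, not from the original post or from IPFire: the two gaps the post describes are native IPv6 being forwarded past a firewall that only has IPv4 rules, and IPv6 tunnels that ride inside IPv4 (6in4 is IPv4 protocol 41) and therefore never reach ip6tables at all. This script audits rule dumps in the format printed by `ip6tables -S` and `iptables -S` for both gaps. The dumps below are constructed samples, and the interface names `green0`/`red0` are placeholders; on a real host you would run the two commands as root and feed their output in.

```python
"""
Audit ip6tables/iptables rule dumps for IPv6 bypass (added example, not IPFire code).
Input format is that of `ip6tables -S` / `iptables -S`. Sample dumps are constructed.
Assumption: a 6in4 tunnel is IPv4 protocol 41 ("ipv6" in /etc/protocols), which
only the IPv4 ruleset can block.
"""
import shlex


def parse_dump(dump: str):
    """Split an `iptables -S` style dump into chain policies and rules.

    Returns (policies, rules): policies maps chain -> default target, rules is a
    list of (chain, tokens) in the order the kernel evaluates them.
    """
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "-P" and len(tok) >= 3:
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A" and len(tok) >= 2:
            rules.append((tok[1], tok[2:]))
    return policies, rules


def _opt(tokens, flag):
    """Value following a single-valued flag such as -p or -j, else None."""
    for i, t in enumerate(tokens):
        if t == flag and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_ipv6_bypass(v6_dump: str, v4_dump: str):
    """Return a list of findings; an empty list means both gaps are closed."""
    findings = []

    # 1. Native IPv6: the FORWARD chain must be default-deny and must not
    #    contain a catch-all ACCEPT (a rule with no match at all).
    v6_pol, v6_rules = parse_dump(v6_dump)
    fwd_policy = v6_pol.get("FORWARD", "unset")
    if fwd_policy != "DROP":
        findings.append(
            f"ip6tables FORWARD policy is {fwd_policy}: IPv6 is routed past the firewall")
    for chain, tok in v6_rules:
        if chain == "FORWARD" and tok == ["-j", "ACCEPT"]:
            findings.append("ip6tables FORWARD has an unconditional ACCEPT rule")

    # 2. Tunnelled IPv6: 6in4 is carried inside IPv4 (protocol 41), so only an
    #    iptables (v4) rule can stop it. Require a DROP/REJECT of proto 41 in
    #    FORWARD before any protocol-agnostic ACCEPT that would match it first.
    _, v4_rules = parse_dump(v4_dump)
    tunnel_blocked = False
    for chain, tok in v4_rules:
        if chain != "FORWARD":
            continue
        proto, target = _opt(tok, "-p"), _opt(tok, "-j")
        if proto in ("41", "ipv6") and target in ("DROP", "REJECT"):
            tunnel_blocked = True
            break
        if target == "ACCEPT" and proto is None:
            break  # a general ACCEPT reached first would pass 6in4 through
    if not tunnel_blocked:
        findings.append("iptables FORWARD has no DROP for protocol 41 (6in4) before "
                        "a general ACCEPT: IPv6-in-IPv4 tunnels pass through")
    return findings


# Constructed sample dumps (not captured from a real system).
WEAK_V6 = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""
WEAK_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -i green0 -o red0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
HARDENED_V6 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
"""
HARDENED_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -p 41 -j DROP
-A FORWARD -i green0 -o red0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

if __name__ == "__main__":
    for label, v6, v4 in (("weak", WEAK_V6, WEAK_V4),
                          ("hardened", HARDENED_V6, HARDENED_V4)):
        print(label, audit_ipv6_bypass(v6, v4) or ["ok"])
```

The "weak" pair is the situation the post describes: IPv4 is default-deny, but IPv6 forwarding is wide open and nothing stops protocol 41. Teredo and other UDP-based tunnels would need their own port-level rules on the IPv4 side; the check above covers only 6in4.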
Hey, hope you’re doing well!

Not sure about everywhere, but in the US, at all the locations I have had to support, the only place I have seen IPv6 is at the ISP level: consumer broadband uses it for access, but you still get IPv4 addresses locally, and it does not pass through as local IPv6. Large enterprise data centres and many remote offices, and everything on our side of all the SD-WAN routers, use IPv4 for public internet access, including partner VPN connectivity, and we still use RFC 1918 internally. So mostly we have had no real push to IPv6 in the private sector, unless you are a telco/service provider etc.

You are not the only one wondering about IPv6, only more in a broad sense and not totally specific to IPFire.

8 )

Hello guys,

interesting conversation. Let me add my two cents…

Before I tell you how I currently see things, I have to add a disclaimer that I am indeed a big proponent of IPv6. Sometimes people on this forum tell me that I am not open to future technology, and that is simply incorrect. I just see things a little more realistically than others sometimes. And it is the same with IPv6.

IPv6 as a protocol is great. It solves so many problems. But at the same time, it brings a thousand new problems with it. I would argue that IPv4 with NAT and smaller network topologies that can be “fixed” with a lot of hacks is more beginner-friendly and allows networks to “grow” - in the bad sense. With IPv6, you will have to have a plain, flat network plan, and if you designed your network from scratch, you won’t have any problems rolling it out. The truth is rather that many company networks are a total mess and nobody wants to touch them.

Therefore, I personally have given up trying to drum up attention for IPv6. Our IPFire user base has been incredibly… well… uninterested in it in the past. Literally every single conversation I had with people was along the lines of “We will just wait and see until it is here, but that probably won’t be in my lifetime…” or “Nah, we won’t donate a penny for this, because we don’t need it”. In the commercial space, conversations are more formal, but between the lines, admins don’t want to hear about it - “We don’t plan to introduce IPv6 into our networks in the next five years”. For everyone who is running a business, saying five years means nothing other than never.

I know of some ISPs that have offered large corporations (really large corporations) completely free internet connectivity, with the only caveat that it would be IPv6 only (or at least that IPv6 should carry the majority of the traffic). They were laughed out of the room, and the company in question decided to pay millions rather than think about IPv6.

It is a nightmare for admins. It is not only some extra address space that you are gaining. You are building a second company network. Usually the one they have is difficult enough to manage already. Nobody is thinking about adding a second one on top without doubling their network team. Looking at the current job market, nobody is hiring such roles at all. Instead they are all looking for saving costs and getting rid of as many people as possible. But that is another story.

Everything will get more complicated if you are running an actual dual-stack network. You will have more things to check when debugging connectivity issues. You will have two sets of firewall rules (one for IPv6, one for IPv4). If you are using NAT a lot in a grown network, you won’t be able to have those little hacks with IPv6. You will need to get address space, and you need to rely on your printers, phones, light bulbs, middle boxes of any kind, and whatever else you might have to properly support IPv6. I don’t think that we are there yet.

And so people rather choose to stay on IPv4, because they actually don’t see any problems. Everyone (seems) to have enough address space. Their admins know IPv4 well.
They can hack their way around it. Anything else would probably require a lot of thinking, network redesign and migration and in the end, your CEO will just watch the same YouTube video and not even see any difference. So who is going to pay for all of this? It is very hard to sell the benefits of IPv6 when it comes to money.

We will stay on what we have for probably much longer. This is really sad, but it is the reality. IPv6 networks get deployed where it is very easy to do so. Your guest WiFi, home networks that only have one large subnet and no firewall rules anyways, mobile networks. All those cases where you hand out an IP address using DHCP (which Android for example does not even support for IPv6) and let people access the internet without any further ado. More complex scenarios are not happening at the moment and people are fighting hard against it.

And last but not least, as long as there is a single website on the internet that only supports IPv4 (GitHub, Wikipedia, formerly Twitter, …, the list is actually really long), we will either have to roll out a transition gateway or simply accept that those won’t be reachable. I suppose the latter is not a real option, and so there is only one good option left: keep supporting IPv4. But if we have to do that, why bother with IPv6 on top?

So in essence, you won’t have to panic at all. IPv4 is not going anywhere and IPv6 is not going to universally replace it any time soon.

If you want to see proper IPv6 support in IPFire, you know how to make that happen…


Why would you want IPv6 in your whole network?
Wouldn’t it make the most sense to have IPv6 only on your WAN address,
and NAT your network to IPv4 as it is?

There is no way to NAT between the two protocols in that way.

Now that is an interesting take on the state of IPv6 and answered a lot of my questions.

Thanks for the over head view, that was an eye opener.

I haven’t spent much time with IPv6 yet but have seen mention of an IPv6 to IPv4 bridge or NAT64 etc., would those be a stop gap solution of sorts to handle 6 outside 4 inside?

I have an edge firewall placed before the IPFire system that can handle IPv6 and has ntopng running, and I see a lot of local ISP IPv6 traffic probing the system, which I guess is normal behavior.

8 )

Yes, there are many technologies around that are supposed to help with transition.

I suppose not many are relevant any more except one which is NAT64. That is however likely to be completely irrelevant on a home/business internet connection because if your ISP won’t offer you a public IPv4 address any more, they would very likely deploy DS-Lite.


When I read this, I realize that implementing IPv6 doesn’t make sense as long as we continue to allocate the IPv4 address space the way it is currently allocated.

In the mobile communications sector, it would be impossible to function without IPv6, which is probably why the IPv4 address space is still sufficient.

My colleague from the US is in a good position to talk, as the largest address space is allocated there, which is not a criticism, just a fact.

If consumers in India, Africa, and China were to become more connected or demand increased there, there might be pressure among nations to upgrade to IPv6. ISPs, especially those with simultaneous mobile connections, fragment this with host names and DS-lite in order to manage as many customers as possible. When I consider how long I keep an IPv4 address, it is no longer a matter of dynamic IP allocation, with lease times of several months, which is why VPN providers are part of my everyday life.

And this is where the network device with IPv6 comes into the game, which worries me. Not only does the VPN tunnel work very well, but every piece of software could leave the network unnoticed via this network device, even though strict internal routing specifies who uses which proxy, SSL tunnel, or VPN.

At the risk of being hit :smiley: , as a network technician I consider IPv6 a disaster!

Don’t get me wrong, we “need” more IPs on this planet because 4 billion is not sufficient anymore (with even dishwashers having network interfaces now… :zany_face:), and there are some really good technical implementations / inventions in IPv6, like link-local addresses, to name only one (I would have to reread too much of my Cisco training to list more and don’t want to bother you at this point).

BUT

as someone who actively manages networks at businesses, I often ask myself “Why couldn’t they just add one or two more octets to IPv4 and be good with it?”. You know your subnets… you KNOW 100 is your admin net, 101 is the LAN for the management, 102 is the WLAN for the management and so on (just for example)…

And you know your devices! You know “…100.10” is the DC server, “…100.11” is the Exchange server, “…101.123” is the CEO’s personal MFP, and so on (again, just for example)…

And with IPv6 you are supposed to remember: “Oh yeah… 2001:0db8:0000:08d3:0000:8a2e:0070:7344 is the DC, so I will make 2001:0db8:0000:08d3:0000:8a2e:0070:7345 the Exchange server and 2001:0db8:0000:08d3:0000:8a2e:0069:0001 the firewall and
2001:0db8:0000:08d3:0000:8a2e:0069:0010 the WiFi controller…”

I mean, really? To me this sounds like a weird scientist / technician who never actually worked in this field invented something that has to be utterly complex just because it can be…

Only my opinion! :slight_smile:


In the US, T-Mobile and Verizon (and probably even more) are already IPv6-only and use NAT64 for years.

There is, but this technology is driven by the US and Europe and there is a lot less pressure than on those nations that you have named.

This is something I hear a lot. But I don’t think it is all bad. In a well-designed network, IPv6 has many advantages - and of course brings a lot of disadvantages, too.

I think those addresses can be remembered a lot better because you have a lot of structure. You wouldn’t have to write the entire address all of the time and the prefix should never change.

I know you can shorten IPv6 addresses as well; I just wanted to exaggerate a little for the sake of argument. :slight_smile: I also don’t want to make it all bad, I just think it’s not thought through on a logical level.


It may be that IPv4 is completely sufficient in many cases, but it should be kept in mind that Internet connections often no longer have a real IPv4 address. This is especially true if you are a customer of a smaller provider. Particularly in the case of fiber-optic Internet providers in Germany, which often only operate regionally and have expanded into poorly served DSL areas, the corporate tariffs that provide a real IPv4 address are very expensive.

Nevertheless, it is also important for small businesses to set up VPN connections, for example. With CGN, only IPv6 is available as a protocol for incoming connections. In this case, the firewall must also be able to control the corresponding IPv6 traffic.

@lexuspolaris
As far as the readability of IPv6 addresses is concerned, it is also possible to create easy-to-remember addresses.

2001:0db8:85a3:08d3::10 DC
2001:0db8:85a3:08d3::11 Exchange
2001:0db8:85a3:08d3::1 Firewall
2001:0db8:85a3:08d3::2 WIFI Controller
2001:0db8:85a3:08d3::123 CEOs MFP

So what is the problem? In addition, there is DNS.

A network security product that does not support IPv6 today is, quite simply, outdated.

And you don’t really have to worry about maintaining duplicate firewall lists for each IP protocol. In other firewalls, rules with IPv4+IPv6 can be combined in one rule in the protocol selection. TCP and UDP ports are also the same for both protocols. So I don’t really see any extra effort involved. At most, for the developers who would have to implement this in IPFire.

You are invited to join the development team as IPv6 guru. :wink:

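An added example, not from the original post or from IPFire, that carries the address plan above one step further: the IPv4 habit of “third octet = VLAN, fourth octet = host” can be mapped onto IPv6 so the same numbers stay visible in the address. The convention assumed here is to write the VLAN number as the hex digits of the /64 subnet ID and the host number as the hex digits of the interface ID, so VLAN 100 host 10 becomes `<site>:100::10`. The site prefix is the RFC 3849 documentation prefix used in the post; the VLAN and host numbers are made-up placeholders.

```python
"""
Structured IPv6 address plan mirroring an IPv4 VLAN/host numbering scheme
(added example, not IPFire code). Assumed convention: VLAN number -> subnet ID
written in hex digits, host number -> interface ID written in hex digits.
"""
import ipaddress


def subnet_for_vlan(site: ipaddress.IPv6Network, vlan: int) -> ipaddress.IPv6Network:
    """Return the /64 whose subnet ID reads like the decimal VLAN number."""
    if site.prefixlen > 48:
        raise ValueError("need a /48 or shorter site prefix to carve /64s")
    if not 0 <= vlan <= 9999:
        raise ValueError("VLAN number must be 0..9999 to fit four hex digits")
    subnet_id = int(str(vlan), 16)  # 100 -> 0x0100, so it prints as ":100:"
    base = int(site.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def host_in_subnet(subnet: ipaddress.IPv6Network, host: int) -> ipaddress.IPv6Address:
    """Return the address whose interface ID reads like the decimal host number."""
    if not 0 <= host <= 9999:
        raise ValueError("host number must be 0..9999 to fit four hex digits")
    return subnet.network_address + int(str(host), 16)


def mirror_ipv4(site_prefix: str, ipv4: str) -> str:
    """Map e.g. 10.0.100.10 onto <site>:100::10 using the convention above."""
    octets = ipaddress.IPv4Address(ipv4).packed
    subnet = subnet_for_vlan(ipaddress.IPv6Network(site_prefix), octets[2])
    return str(host_in_subnet(subnet, octets[3]))


def build_plan(site_prefix: str, vlans: dict, hosts: dict) -> dict:
    """vlans: {vlan_number: name}; hosts: {host_name: (vlan_number, host_number)}.

    Returns {vlan_name: {"subnet": "<prefix>/64", "hosts": {host_name: "<addr>"}}}.
    """
    site = ipaddress.IPv6Network(site_prefix)
    plan = {name: {"subnet": str(subnet_for_vlan(site, vid)), "hosts": {}}
            for vid, name in vlans.items()}
    for hname, (vid, hid) in hosts.items():
        addr = host_in_subnet(subnet_for_vlan(site, vid), hid)
        plan[vlans[vid]]["hosts"][hname] = str(addr)
    return plan


if __name__ == "__main__":
    SITE = "2001:db8:85a3::/48"  # documentation prefix, as in the post
    plan = build_plan(SITE, {100: "admin", 101: "mgmt"},
                      {"dc": (100, 10), "exchange": (100, 11),
                       "firewall": (100, 1), "ceo-mfp": (101, 123)})
    for name, net in plan.items():
        print(name, net["subnet"], net["hosts"])
    print(mirror_ipv4(SITE, "10.0.100.10"))
```

Because the prefix never changes within a site, an admin only has to remember the `:100::10` tail, which is exactly the “…100.10” they already know from IPv4; the rest is DNS.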

Unfortunately, I don’t have much programming knowledge. I am only a skilled IT specialist for system integration with a focus on networks and their configuration.

Certified LANCOM and Securepoint technician.

In the past, I have also worked with Checkpoint, Fortinet, Astaro, and NetASQ (now Stormshield). From earlier on, I was familiar with IPCop and Smoothwall. I have known IPFire for quite some time, but the fact that it still does not support IPv6 is simply a deal breaker, although I generally like the system in terms of configuration.

Well, you can always support the IPFire 3.x development by donating on a regular basis:
https://www.ipfire.org/donate


This is very true. But consider that you have a VPN server somewhere behind CGNAT which you want to connect to. That requires IPv6 all the way in between, and last time I checked, no airport, hotel or coworking space WiFi provided IPv6. So you will still not be able to connect to this VPN server. It becomes a gamble of whether you booked the right hotel.


@ms
It’s a chicken and egg problem. I’m sitting at home behind CGNAT from Vodafone Cable. My home network is accessible via WireGuard Tunnel which can only be reached via IPv6. If I am now in a network without IPv6, I use the Cloudflare WARP tool on my cell phone and start it.

This gives my cell phone a public IPv6 address and I can then set up my WireGuard tunnel to my home router. This also works perfectly with my laptop, where the WARP app is also available for Windows, Mac and Linux.

So there are no problems, only solutions. To turn the corner back to IPFire. For me, IPv6 support is a must-have in a firewall appliance.


There are countless providers that offer both, and with them this wouldn’t be a problem. In my case, I get a public IPv6 address, but I can’t use it with IPFire, even though there are some scenarios where I would like to use it.

I can only agree. Internally, IPv4 is perfectly fine, but it would be nice to be able to use IPv6 as well, especially over the WAN. A good example is my on-premises Exchange server. Exchange wants to use both protocols by default, and it was difficult to prevent the use of IPv6 for external communication, so it finally works correctly only with IPv4. It would be very helpful for many online services if both protocols could be used. In most cases, it’s not a matter of either/or.


But a tunnel in a tunnel is not really giving you great performance and might only work well as an experiment or proof-of-concept.
