Setting up IPv6 on UniFi Security Gateway

Not as painful as you may expect!

Poolski


We are running out of IPv4 addresses, thanks to a whole bunch of reasons, mostly to do with the fact that everyone wants in on this “Internet” business.

A quick primer.

Skip this section if you know all this and/or don’t care.

The IPv4 publicly-routable address space — the number of unique possible addresses that can communicate with one another over the public Internet — is a 32-bit number (2³², or 2 multiplied by itself 32 times). That means that there are about 4 billion usable addresses.

With some of those being reserved for private networks, we can shove many more devices on the Internet than there are IP addresses via the miracle of NAT.

All that being said, we still have thousands of new machines joining the Internet every day, thanks to cloud computing by way of Amazon, Google and Microsoft.

We will soon not have any more numbers to give out to things that want one.

Enter IPv6. Version 6 of the IP protocol has a bunch of differences, almost all of which I will ignore because they’re not relevant here, but the crucial one is that the IPv6 address space (see above) is 128 bits long.

For the non-mathematically-inclined, that isn’t 4 times as much — though sixteen billion is definitely a bigger number[citation needed] than four billion — it’s 79,228,162,514,264,337,593,543,950,336 times larger. Every time you add one more bit, the number doubles — that whole “multiply by 2 every time” thing.

UniFi

Ubiquiti Networks (UBNT) are a manufacturer of almost-enterprise-grade networking kit aimed at consumers and small businesses who can’t afford to pay Cisco or Juniper the bazillions of dollars they want for some of their toys.

Part of what makes their kit so appealing is that it’s manageable through either a dedicated hardware device called a Cloud Key which runs its management software or, if you don’t have spare cash, a downloadable version of the exact same software as the Cloud Key.

UBNT’s UniFi Controller manages all your UniFi devices which include:

  • Wireless access points
  • Internet routers
  • Switches
  • VoIP phones

This makes it ideal for home-gamer network geeks who want to have a flashy network setup without having to sell a kidney.

IPv6 and the UniFi Security Gateway with DHCPv6

Getting set up with IPv6 is actually a breeze with the USG.

The internet is offscreen to the left. No, really, that’s the internet over there.

This guide assumes you’ve already set up your USG and connected it to your UniFi Controller or Cloud Key. That and you’ve done all the network gubbins you need to make the UniFi stuff work with your network.

If you don’t have a USG but an EdgeRouter — look below!

If your ISP offers IPv6 connectivity, they will likely have assigned you an entire block of addresses to play with. In my case, I got a /64 block which, because of the magic of binary maths, fits into a 128-bit address space a staggering 18,446,744,073,709,551,616 times.

The 64-bit-wide block of addresses you might receive itself contains 18,446,744,073,709,551,616 possible numbers. So, finally, your toilet roll holder will have a routable public address!

To configure your USG with IPv6 support, you will first need version 5.7 or greater of the UniFi Controller, as that adds native support for IPv6, meaning you don’t have to risk bricking your router by uploading malformed config files by accident.

Let’s go!

WAN

First things first: you will need to make sure your USG can talk to the world over IPv6.

  • Go to your Devices page and select your USG
  • In the USG flyout on the right, click the Config tab
  • Open up the WAN section and scroll to the IPv6 section.
  • Select Using DHCPv6 from the dropdown under Connection Type
  • Enter your Prefix Delegation Size (the block your ISP assigned you) — mine is 64. Yours may vary.
  • Queue and apply your changes. Your Internet connectivity may disappear at this point as the USG has to reprovision itself with the new settings.
  • You can SSH into it and run some commands to check:

        show ipv6 route
        show interfaces
        ping6 google.com

  • The first will show you whether your USG has IPv6 routes available to it.
  • The second will show you the USG’s IPv6 address.
  • The third will test whether you can ping Google over IPv6.

LAN

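Once you’re happy that the USG is ticking along happily, you will also need to let devices on your network know that IPv6 addresses are available to them. Because IPv6 addresses are designed to be publicly-routable, using them sort of does away with NAT (see above). With no NAT in the path, what keeps unsolicited inbound traffic away from those devices is the router’s IPv6 firewall rules, not address translation.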

Every device on your network (in our case) will get an IPv6 address which it can use to talk to the wider world without the need for your router to do address translation. Both IPv4 and 6 will play nicely with each other side-by-side.

In the Settings panel, head over to Networks and edit whichever network you would like to enable IPv6 on. In my case, it was the only one but you may wish to be choosy.

  • Open up the Configure IPv6 Network panel
  • Select Prefix Delegation from the options.
  • Make sure you’re using the right WAN interface (usually WAN1)
  • Enter the network block size in the IPv6 Prefix ID field
  • Enable IPv6 Router Advertisement
  • Leave all the other stuff alone
  • Save and apply.

At this point, you may want to reconnect your device to the network, restart or request another IP address using your favourite way.

You can check whether you have an IPv6 address by running ifconfig if you’re on Linux or Mac or ipconfig if you’re a Windows guy.

If all went well, you should see some IPv6 addresses assigned. You can further check that things are working as you’d expect by going here and running the test.
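Every interface carries an fe80:: link-local address whether or not the router is advertising a prefix, so "some IPv6 addresses" in the ifconfig output is not proof on its own that the LAN setup worked. The script below is an added example, not part of the original post: it sorts the inet6 lines by address range and checks for a global one. The function names and the sample ifconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the IPv6 addresses shown by `ifconfig` or `ip -6 addr`.

# classify_v6 ADDR -> loopback | link-local | unique-local | global | other
classify_v6() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    addr=${addr%%[%/]*}                 # drop "%en0" zone id or "/64" length
    case $addr in
        ::1)          echo loopback ;;
        fe[89ab]?:*)  echo link-local ;;    # fe80::/10, present on every interface
        f[cd]??:*)    echo unique-local ;;  # fc00::/7, not routed on the Internet
        [23]???:*)    echo global ;;        # 2000::/3, global unicast
        *)            echo other ;;
    esac
}

# list_v6: read ifconfig / ip output on stdin, print "CLASS ADDRESS" per inet6 line
list_v6() {
    awk '$1 == "inet6" { a = ($2 == "addr:") ? $3 : $2; print a }' |
    while read -r a; do
        a=${a%%[%/]*}
        printf '%s %s\n' "$(classify_v6 "$a")" "$a"
    done
}

# has_global_v6: succeed only if stdin contains at least one global address
has_global_v6() {
    list_v6 | grep '^global ' >/dev/null
}

# Constructed sample (macOS-style ifconfig, 2001:db8::/32 documentation prefix)
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::1c2a:3bff:fe4d:5e6f%en0 prefixlen 64 secured scopeid 0x6
    inet6 2001:db8:1234:5678:1c2a:3bff:fe4d:5e6f prefixlen 64 autoconf secured
EOF
}

sample_ifconfig | list_v6
if sample_ifconfig | has_global_v6; then
    echo "global IPv6 address present"
else
    echo "only link-local/loopback addresses: no prefix has reached this host"
fi
```

On a real machine, pipe the live output in instead of the sample, for example `ifconfig | list_v6`.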

Enjoy!
