How to Configure a Full IPv6 /64 Block on Debian for Global Reachability Without Explicit Address Binding


1 views

When trying to make an entire IPv6 /64 block available on a Debian server's network interface without explicitly binding each address, many administrators encounter reachability issues where addresses work locally but not remotely. This stems from missing routing configurations and kernel-level address handling.

The initial approach using:

ip route add local 2001:41d0:2:ad64::/64 dev lo

works for local communication because the Linux kernel processes these packets internally. However, remote accessibility requires:

  1. Proper neighbor discovery (NDP)
  2. Correct routing table entries
  3. Firewall configurations

Here's the proper way to configure /etc/network/interfaces:

auto eth0
iface eth0 inet6 static
    address 2001:41d0:2:ad64::1/64
    netmask 64
    gateway 2001:41d0:2:adff:ff:ff:ff:ff
    up sysctl -w net.ipv6.conf.eth0.accept_ra=2
    up sysctl -w net.ipv6.conf.eth0.proxy_ndp=1
    up ip route add local 2001:41d0:2:ad64::/64 dev lo

1. Proxy NDP:

sysctl -w net.ipv6.conf.eth0.proxy_ndp=1

This allows the host to respond to Neighbor Discovery requests for any address in the /64 block.

2. Router Advertisements:

sysctl -w net.ipv6.conf.eth0.accept_ra=2

Ensures proper handling of router advertisements while keeping static configuration.

After configuration, verify with:

# Check NDP proxy status
cat /proc/sys/net/ipv6/conf/eth0/proxy_ndp

# Verify routing table
ip -6 route show table local

# Test connectivity
ping6 2001:41d0:2:ad64::1
ping6 2001:41d0:2:ad64::random

Ensure your firewall allows ICMPv6 and related traffic:

ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -d 2001:41d0:2:ad64::/64 -j ACCEPT

For services that don't need unique addresses:

ip -6 addr add 2001:41d0:2:ad64::1/128 dev eth0 anycast

When remote access fails:

  1. Verify global route advertisement from ISP
  2. Check for ACLs on upstream routers
  3. Test with tcpdump on both ends

When working with IPv6 in Debian-based systems, many administrators encounter difficulties when trying to assign entire /64 blocks to network interfaces instead of individual addresses. The standard approach of manually adding each address becomes impractical for larger allocations.

The initial approach using ip route add local on the loopback interface works for local traffic because:

ip route add local 2001:41d0:2:ad64::/64 dev lo

This tells the kernel to consider all addresses in the /64 block as local to the machine. However, remote accessibility requires additional configuration.

Here's a proper /etc/network/interfaces configuration that works with OVH-style allocations:

auto eth0
iface eth0 inet6 static
    address 2001:41d0:2:ad64::1
    netmask 64
    gateway 2001:41d0:2:adff:ff:ff:ff:ff
    post-up ip route add local 2001:41d0:2:ad64::/64 dev lo

After applying these changes, verify with:

ip -6 addr show dev eth0
ip -6 route show table local

You should see both your primary address and the local route for the entire /64 block.

Don't forget to adjust your firewall rules. For IPv6, you'll typically need:

ip6tables -A INPUT -d 2001:41d0:2:ad64::/64 -j ACCEPT
ip6tables -A OUTPUT -s 2001:41d0:2:ad64::/64 -j ACCEPT

If remote connections still fail despite correct local configuration:

  1. Verify your ISP isn't filtering the traffic
  2. Check for reverse DNS delegation
  3. Test with simple services like ping6 before moving to TCP