IPv6 Networking Tips for Self-Hosters
November 13, 2025

I recently reworked my networking configuration and came up with a couple of configurations that I don't see widely discussed, and thought might be worth sharing.
Scope
My router is in the Ubiquiti EdgeMax series, and therefore runs EdgeOS. EdgeOS by default uses ISC dhcpd for DHCP and dnsmasq for DNS. It can optionally use dnsmasq for both DHCP and DNS, and this is the configuration I use. So these tricks are guaranteed to work on EdgeOS and on anything that exposes full control over dnsmasq. EdgeOS is a fork of Vyatta, so there's a pretty good chance they're also applicable to Vyatta/VyOS. On other routing platforms, there may or may not be equivalents.
My WAN configuration is fairly typical of consumer ISPs:
- I get assigned one public IPv4 address by DHCP
- I get assigned one IPv6 /60 via DHCPv6-PD.
Within the LAN, I self-host some web apps that I make accessible both in the local network and over the internet, along with the usual consumer devices you would find in a typical home.
The farther you get from that, the less likely this is to be useful to you.
Firewall
Most routers come with an IPv6 firewall that blocks all incoming traffic from the WAN to the LAN. If you want to host something externally accessible, you need to punch a hole in that firewall to let the traffic through.
I recommend something like this:
    firewall {
        ipv6-name WANv6_IN {
            rule 50 {
                action accept
                description 'Allow HTTPS to server'
                destination {
                    address ::222:15ff:fe3e:68a/::ffff:ffff:ffff:ffff
                    port 443
                }
                protocol tcp
            }
        }
    }

The key line there is the destination address. Here's the address and mask written out as full IPv6 addresses, instead of in the abbreviated notation:
    address: 0000:0000:0000:0000:0222:15ff:fe3e:068a
    mask:    0000:0000:0000:0000:ffff:ffff:ffff:ffff

The netmask has the first 64 bits set to 0 and the second 64 bits set to 1, which means it matches any incoming packet whose last 64 bits match the last 64 bits of the comparison address. Those 64 bits are generally known as the "host portion" or "interface ID" of an IPv6 address. So this rule keeps working as long as the host portion of your server's IPv6 address remains stable, even if the network portion changes because your ISP delegates a new prefix.
It seems blatantly obvious when pointed out this way, but when I tried to have Claude configure my firewall for this, it could not wrap its head around using a netmask in this way. First it told me you could only use CIDR notation to match on a prefix, and then, after conceding that netmask syntax was supported, told me that it would still only work to match on a prefix. So clearly there aren't enough examples of this on the internet. Hence this blog post.
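To make the mask semantics concrete, here is an added example (not code from the original post) that evaluates the rule above the way a firewall does, as a bitwise address/mask comparison, and contrasts it with what the same address would mean written as CIDR. The destination addresses are constructed from the 2001:db8::/32 documentation range; "old" and "new" prefix model the ISP re-delegating a different /60.

```python
import ipaddress

# Rule values copied from the EdgeOS firewall example above: the comparison
# address carries only an interface ID, and the mask covers only the low 64 bits.
RULE_ADDRESS = ipaddress.IPv6Address("::222:15ff:fe3e:68a")
RULE_MASK = ipaddress.IPv6Address("::ffff:ffff:ffff:ffff")


def matches_rule(dst, rule_addr=RULE_ADDRESS, rule_mask=RULE_MASK):
    """Bitwise address/mask match, the way a firewall evaluates a non-CIDR mask.

    Every bit that is 1 in the mask must agree between the packet's destination
    and the rule address; bits that are 0 in the mask are ignored. With the mask
    above the delegated /64 prefix is ignored entirely and only the interface
    ID (low 64 bits) is compared.
    """
    dst = ipaddress.IPv6Address(dst)
    mask = int(rule_mask)
    return (int(dst) & mask) == (int(rule_addr) & mask)


def cidr_prefix_matches(dst, rule_addr=RULE_ADDRESS, prefixlen=64):
    """What the same rule address means if written as CIDR (rule_addr/64).

    A prefix length can only express a run of leading 1-bits, so
    ::222:15ff:fe3e:68a/64 collapses to the network ::/64 and matches nothing
    that carries a real global prefix.
    """
    net = ipaddress.IPv6Network(f"{rule_addr}/{prefixlen}", strict=False)
    return ipaddress.IPv6Address(dst) in net


def evaluate(candidates):
    """Evaluate the rule against (label, address) pairs -> {label: accepted?}."""
    return {label: matches_rule(addr) for label, addr in candidates}


# Constructed sample traffic (documentation prefix 2001:db8::/32).
SAMPLE_DESTINATIONS = [
    ("server, old prefix", "2001:db8:1:100:222:15ff:fe3e:68a"),
    ("server, new prefix", "2001:db8:2:a00:222:15ff:fe3e:68a"),
    ("server, temporary (privacy extension) address", "2001:db8:2:a00:3d1c:9a2f:7e40:b1c5"),
    ("other LAN host", "2001:db8:2:a00:1234:5678:9abc:def0"),
]

if __name__ == "__main__":
    for label, accepted in evaluate(SAMPLE_DESTINATIONS).items():
        print(f"{'accept' if accepted else 'drop  '}  {label}")
    print("CIDR /64 form matches server:",
          cidr_prefix_matches(SAMPLE_DESTINATIONS[0][1]))
```

The rule only survives re-delegation if the server's interface ID itself is stable across prefixes: that holds for EUI-64 (MAC-derived) addresses and for a fixed IPv6 token, but RFC 7217 "stable-privacy" interface IDs are hashed from the prefix and therefore change when the prefix changes, and RFC 4941 temporary addresses change regardless. If your server uses either, pin its interface ID on the host before relying on a rule like this.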
DNS
The second trick is an easy way to get local DNS names working for IPv6. Dnsmasq by default gives you local DNS for IPv4, sourcing the names from DHCP reservations and from the hostname field of DHCP requests. But if you're using SLAAC for IPv6 assignment, hosts don't have to send a hostname to the router to get their address. Dnsmasq has a trick up its sleeve for this, though: the ra-names feature. In the words of the dnsmasq manual:
ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an AAAA record is added to the DNS for this IPv6 address. Note that this only happens for directly-connected networks (not ones doing DHCP via a relay) and it will not work if a host is using privacy extensions.
You enable ra-names on the --dhcp-range option, for example:

    --dhcp-range=::,constructor:eth1,slaac,ra-names,64

The EdgeOS config looks like:
    service {
        dns {
            forwarding {
                options dhcp-range=::,constructor:eth1,slaac,ra-names,64
            }
        }
    }

The dhcp-range option is named as if it had a fairly limited function, but it's actually how you configure the core DHCP and router advertisement (RA) features in dnsmasq.
The examples above:
- Enable SLAAC on the eth1 interface, with a 64-bit network prefix
- Enable the ra-names feature
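The manual's description of ra-names reads as an added example below (not dnsmasq's own code): take the MAC and hostname from each IPv4 lease, compute the address SLAAC would derive from that MAC in the advertised /64, and publish it as an AAAA record. dnsmasq pings the computed address first and only adds the record on a reply; the `reachable` argument stands in for that probe. The leases and the prefix are constructed; the first MAC was chosen so that it yields the interface ID used in the firewall rule earlier on this page.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291, appendix A) from a 48-bit MAC.

    Insert ff:fe between the OUI and the device part, and flip the
    universal/local bit (0x02 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """Address that SLAAC (without privacy extensions) forms for `mac` in `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC on Ethernet requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def predict_aaaa_records(leases, prefix, reachable=None):
    """Mimic ra-names: name and MAC from the IPv4 lease, address from SLAAC.

    `reachable` is a set of addresses that answered the ping probe; None means
    assume every host answers. A host using privacy extensions or a randomised
    MAC does not hold the computed address, never answers, and so gets no AAAA
    record, which is the limitation the manual warns about.
    """
    records = {}
    for mac, name in leases:
        addr = str(slaac_address(prefix, mac))
        if reachable is None or addr in reachable:
            records[name] = addr
    return records


# Constructed IPv4 leases as (MAC, hostname). 00:22:15:3e:06:8a is the MAC that
# produces the interface ID ::222:15ff:fe3e:68a from the firewall rule above.
LEASES = [
    ("00:22:15:3e:06:8a", "server"),
    ("a4:5e:60:12:34:56", "laptop"),
]
DELEGATED_PREFIX = "2001:db8:1:100::/64"  # constructed, documentation range

if __name__ == "__main__":
    for name, addr in predict_aaaa_records(LEASES, DELEGATED_PREFIX).items():
        print(f"{name}.lan  AAAA  {addr}")
```

Because the record is recomputed from the current prefix, the AAAA answer follows the ISP's re-delegation automatically, which is the property that pairs well with the interface-ID firewall rule above.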
You may also want to consider ra-stateless instead of slaac, which enables stateless DHCPv6. That still uses SLAAC for address assignment, but also makes a DHCPv6 server available to provide other information. The use case is mainly to provide DNS server information to hosts on the network, which was not included in the original specification of router advertisements. However, there is now a widely supported extension to router advertisements that does include that information.