OpenWrt has comprehensive IPv6 support built in. Addresses can be obtained via DHCPv6 or SLAAC, distributed to LAN clients through prefix delegation, or tunnelled over IPv4 using several standardised mechanisms.

IPv6 address acquisition methods

| Method | Protocol value | Description |
|---|---|---|
| DHCPv6 client | dhcpv6 | Request address and/or prefix from an upstream DHCPv6 server |
| SLAAC | Automatic | Stateless address auto-configuration via Router Advertisements |
| Static | static | Manually configured ip6addr and ip6gw |
| 6in4 tunnel | 6in4 | IPv6-in-IPv4 static tunnel to a Hurricane Electric / SixXS broker |
| 6to4 | 6to4 | Automatic 6-to-4 tunnel (RFC 3056); requires a public IPv4 address |
| 6rd | 6rd | IPv6 Rapid Deployment (ISP-provisioned tunnel) |
| DS-Lite | dslite | Dual-Stack Lite: IPv4-in-IPv6 for ISPs deploying CGN |

Key packages

| Package | Role |
|---|---|
| odhcp6c | DHCPv6 client — runs on the WAN interface to obtain a prefix |
| odhcpd | DHCPv6 server + Router Advertisement daemon — serves LAN clients |
| 6in4 | netifd protocol handler for static IPv6-in-IPv4 tunnels |
| 6to4 | netifd protocol handler for automatic 6to4 tunnels |
| ds-lite | netifd protocol handler for DS-Lite |

Enabling DHCPv6 on the WAN interface

Add or modify the wan6 interface in /etc/config/network:
```
config interface 'wan6'
    option device  eth0
    option proto   dhcpv6
```
For ISPs that provision both the address and a delegated prefix in the same DHCPv6 exchange, use reqprefix to specify the desired prefix length:
```
config interface 'wan6'
    option device      eth0
    option proto       dhcpv6
    option reqaddress  try
    option reqprefix   auto
```

| Option | Values | Description |
|---|---|---|
| reqaddress | try, force, none | Whether to request an IA_NA (non-temporary address) |
| reqprefix | auto, no, or prefix length (48–64) | Whether to request an IA_PD (delegated prefix) |
| ifaceid | IPv6 suffix | Interface identifier to append to delegated prefixes |

Prefix delegation (PD)

Prefix delegation allows the WAN DHCPv6 client to receive a large prefix (e.g. /56 or /48) from the ISP and sub-delegate smaller prefixes (typically /64) to each LAN interface. odhcpd handles this automatically. Ensure the LAN dhcp section in /etc/config/dhcp references the correct interface:
```
config dhcp 'lan'
    option interface  lan
    option start      100
    option limit      150
    option leasetime  12h
    option dhcpv6     server
    option ra         server
    option ra_slaac   1
    list   ra_flags   managed-config
    list   ra_flags   other-config
```
odhcpd will automatically pick up the delegated prefix from wan6 and announce it in Router Advertisements on lan.

odhcpd — server configuration

odhcpd is configured through the dhcp.odhcpd UCI section in /etc/config/dhcp:
```
config odhcpd 'odhcpd'
    option maindhcp     0
    option leasefile    /tmp/odhcpd.leases
    option leasetrigger /usr/sbin/odhcpd-update
    option loglevel     4
```

| Option | Description |
|---|---|
| maindhcp | Set to 1 if odhcpd handles both DHCPv4 and DHCPv6 (no dnsmasq) |
| leasefile | Path where active leases are written |
| leasetrigger | Script called when leases change |
| loglevel | Syslog level (0 = emergency … 7 = debug) |

6in4 static tunnel

For a Hurricane Electric (he.net) or similar broker tunnel:
```
config interface 'henet'
    option proto     6in4
    option peeraddr  192.0.2.1
    option ip6addr   2001:db8::2/64
    option ip6prefix 2001:db8:1::/48
    option tunnelid  12345
    option username  'user@example.com'
    option password  'tunnelpassword'
```

| Option | Description |
|---|---|
| peeraddr | IPv4 address of the tunnel server |
| ip6addr | Your tunnel endpoint IPv6 address |
| ip6prefix | Routed prefix assigned to you |
| tunnelid | Broker tunnel ID (for dynamic endpoint updates) |

IPv6 firewall considerations

OpenWrt’s firewall configuration already includes the essential ICMPv6 rules required for IPv6 to function correctly. These are present in the default /etc/config/firewall.
Do not block ICMPv6 on the WAN zone. Neighbour Discovery, Router Advertisements, and Path MTU Discovery all rely on ICMPv6. The default firewall rules allow the required types while rate-limiting them.
Key default rules that must remain active:
| Rule name | Traffic | Why it is needed |
|---|---|---|
| Allow-DHCPv6 | UDP port 546 from fe80::/10 | Allows DHCPv6 replies from the ISP router |
| Allow-MLD | ICMPv6 types 130–132, 143 | Multicast Listener Discovery for IPv6 multicast |
| Allow-ICMPv6-Input | Essential ICMPv6 types | NDP, echo, unreachable, too-big, time-exceeded |
| Allow-ICMPv6-Forward | Essential ICMPv6 types (forwarded) | Allows LAN hosts to receive ICMPv6 from WAN |
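
One way to audit that the four default rules in the table above are still present, enabled and set to ACCEPT, as an added example that is not OpenWrt's own tooling. It assumes standard UCI syntax with one option per line; the function names, the set of values treated as "disabled" and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a UCI firewall file for the default IPv6 rules listed above.
REQUIRED="Allow-DHCPv6 Allow-MLD Allow-ICMPv6-Input Allow-ICMPv6-Forward"

# Prints one finding per line; returns non-zero if any rule fails the check.
audit_ipv6_rules() {
    awk -v required="$REQUIRED" -v q="'" '
    BEGIN { qre = "^[\"" q "]|[\"" q "]$"; bad = 0 }
    function unq(s) { gsub(qre, "", s); return s }   # strip UCI quoting
    function store() {                               # record the finished section
        if (in_rule && name != "") { seen[name] = 1; en[name] = enabled; tg[name] = target }
        in_rule = 0; name = ""; enabled = "1"; target = ""
    }
    $1 == "config" { store(); in_rule = (unq($2) == "rule"); next }
    in_rule && $1 == "option" {
        if ($2 == "name") name = unq($3)
        else if ($2 == "enabled") enabled = unq($3)
        else if ($2 == "target") target = unq($3)
    }
    END {
        store()
        n = split(required, r, " ")
        for (i = 1; i <= n; i++) {
            if (!(r[i] in seen)) { print "MISSING " r[i]; bad = 1 }
            else if (en[r[i]] ~ /^(0|no|off|false|disabled)$/) { print "DISABLED " r[i]; bad = 1 }
            else if (tg[r[i]] != "ACCEPT") { print "NOT-ACCEPT " r[i]; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Constructed sample: Allow-MLD is disabled, Allow-ICMPv6-Forward is absent.
write_sample() {
    cat > "$1" <<'EOF'
config rule
	option name 'Allow-DHCPv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-MLD'
	option enabled '0'
	option target 'ACCEPT'
config rule
	option name 'Allow-ICMPv6-Input'
	option target 'ACCEPT'
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_ipv6_rules "$sample" || echo "review the IPv6 firewall rules"
rm -f "$sample"
```

On a router, call `audit_ipv6_rules /etc/config/firewall` after any firewall change; no output and a zero exit status mean all four rules passed.
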
To add a custom IPv6 firewall rule that blocks all traffic from a specific prefix:
```
config rule
    option name    Block-Bad-Prefix
    option src     wan
    option src_ip  2001:db8:bad::/48
    option target  DROP
    option family  ipv6
```

Verifying IPv6 connectivity

```shell
# Check assigned addresses
ip -6 addr show

# Check IPv6 routes
ip -6 route show

# Test connectivity to a well-known IPv6 address
ping6 2606:4700:4700::1111

# Check netifd interface state
ubus call network.interface.wan6 status
```