DD-WRT IPv6 Setup Guide: Complete Configuration Tutorial

DD-WRT is a powerful open-source firmware replacement for consumer routers, offering advanced networking features including comprehensive IPv6 support. This guide covers everything from prerequisites and version requirements to detailed configuration steps for native IPv6, DHCPv6-PD, tunnel setups, and firewall security.

Table of Contents

• Before You Start: Prerequisites
• DD-WRT Version Requirements
• Understanding DD-WRT IPv6 Architecture
• Configuration Method 1: Native IPv6 from ISP
• Configuration Method 2: DHCPv6 with Prefix Delegation
• Configuration Method 3: 6in4 Tunnel (Hurricane Electric)
• LAN Configuration and Router Advertisements
• IPv6 Firewall Configuration
• DNS Configuration
• Verification and Testing
• Troubleshooting Common Issues
• Advanced Configurations
• Best Practices and Security

---

Before You Start: Prerequisites

Hardware Requirements

DD-WRT IPv6 support depends on your router's flash memory and RAM capacity:

Minimum Requirements:

• 4MB flash memory (for basic IPv6 support)
• 32MB RAM recommended (64MB or more for advanced features)
• Router with active DD-WRT support (check DD-WRT database)

Recommended Routers:

• Netgear Nighthawk series (R7000, R7800, R8000)
• Linksys WRT series (WRT1900AC, WRT3200ACM)
• ASUS RT-series (RT-N66U, RT-AC68U)
• TP-Link Archer series (C7, C9)

Firmware Requirements

Critical: Not all DD-WRT builds include IPv6 support.

Required DD-WRT Build Types:

• Standard build - Includes IPv6 and radvd support
• VoIP build - Includes IPv6 and radvd support
• Big/Mega builds - Include full IPv6 feature set

Builds that DO NOT support IPv6:

• Mini builds
• Micro builds
• Mini-USB builds

Version Recommendations:

• DD-WRT v24-sp2 (build 21061 or later) - Stable with IPv6
• DD-WRT v3.0 (build 30000+) - Latest with improved IPv6 features
• For PPPoE with IPv6: Build 21530 or later required

Checking Your Current Build:

Navigate to: Administration > Commands and run:

uname -a

Or check: Status > Router tab to see your current build number and type.

ISP Requirements

For Native IPv6:

• ISP must provide IPv6 connectivity (contact ISP to verify)
• Modem/ONT must support IPv6
• For cable: DOCSIS 3.0 or newer modem required
• For DSL/Fiber: Modem must be in bridge mode or support IPv6 passthrough

For Tunnel Setup:

• Only requires IPv4 connectivity
• Protocol 41 must not be blocked by ISP
• Static or dynamic public IPv4 address

Knowledge Prerequisites

• Basic networking knowledge (IP addresses, subnets, DHCP)
• SSH/telnet access capability (for advanced configurations)
• Understanding of IPv6 addressing basics
• Backup of current router configuration

---

DD-WRT Version Requirements

Enabling IPv6 in DD-WRT

Before any IPv6 configuration, you must enable IPv6 support:

1. Navigate to: Administration > Management
2. Scroll to "IPv6 Support"
3. Set "IPv6" to Enable
4. Click Apply Settings
5. Wait 30 seconds for the system to load IPv6 modules
6. Important: Do NOT reboot yet

This enables the kernel IPv6 stack and loads necessary modules including:

• ipv6.ko (core IPv6 kernel module)
• ip6_tables.ko (if available - IPv6 firewall)
• sit.ko (for tunnel support)

Verifying IPv6 Support

After enabling IPv6, verify the modules are loaded:

1. Navigate to: Administration > Commands
2. Run the following command:

lsmod | grep ipv6

Expected output should include:

ipv6

To verify IPv6 functionality:

ifconfig | grep inet6

You should see link-local addresses (fe80::) on interfaces.

---

Understanding DD-WRT IPv6 Architecture

DD-WRT handles IPv6 through several components:

Key Components

1. WAN IPv6 Configuration

• Handles IPv6 connection to ISP
• Manages IPv6 address assignment to router's WAN interface
• Supports: Native, Static, DHCPv6, PPPoEv6, 6in4, 6to4, 6rd

2. LAN IPv6 Configuration

• Manages IPv6 prefix for internal network
• Provides addresses to LAN clients
• Controls router advertisement behavior

3. DHCPv6 Client (dhcp6c)

• Requests IPv6 prefix from ISP
• Handles Prefix Delegation (PD)
• Runs on WAN interface

4. Router Advertisement Daemon (radvd)

• Advertises IPv6 prefix to LAN clients
• Enables SLAAC for client autoconfiguration
• Alternative: DNSmasq can handle router advertisements

5. DNSmasq

• Provides DNS services for IPv6
• Can handle DHCPv6 and router advertisements
• Often preferred over radvd for integrated functionality

Configuration Philosophy

DD-WRT offers two approaches for IPv6:

GUI-Based Configuration (Recommended for most users)

• Navigate to Setup > IPv6
• Configure through web interface
• Easier to manage, less error-prone
• Limited to standard configurations

Script-Based Configuration (Advanced users)

• Full control over IPv6 stack
• Custom routing and firewall rules
• Required for complex setups
• Uses startup scripts in Administration > Commands

---

Configuration Method 1: Native IPv6 from ISP

Native IPv6 is the simplest and recommended method when your ISP provides IPv6 connectivity.

Step 1: Enable IPv6 on WAN

1. Navigate to: Setup > IPv6
2. Under "IPv6" section, set:
   • IPv6: Enable
   • IPv6 Type: Native IPv6 from ISP

Step 2: Configure WAN IPv6 Settings

Option A: Automatic Configuration (Most Common)

Leave all fields at their defaults:

• Static DNS 1-3: Leave blank (use ISP's DNS)
• Assign Prefix Length: 64 (or leave default)

Option B: Manual Static IPv6 DNS

If you prefer specific DNS servers:

• Static DNS 1: 2001:4860:4860::8888 (Google)
• Static DNS 2: 2001:4860:4860::8844 (Google backup)
• Static DNS 3: 2606:4700:4700::1111 (Cloudflare)

Step 3: Apply and Verify WAN Connectivity

1. Click Apply Settings
2. Wait 60 seconds for configuration
3. Navigate to: Status > Router
4. Check "WAN" section for IPv6 address

Expected Results:

• WAN should show a global IPv6 address (starts with 2xxx: or 3xxx:)
• Not a link-local address (fe80::)

If no IPv6 address appears:

• Verify ISP provides IPv6 (contact ISP)
• Check modem is in bridge mode or supports IPv6 passthrough
• Ensure PPPoE credentials are correct (if using PPPoE)

Step 4: Configure LAN IPv6

1. Still in Setup > IPv6
2. Scroll to "LAN IPv6 Configuration"
3. Configure as follows:
   • Router Advertisement (radvd): Enable
   • DHCPv6 Server: Disable (unless you need stateful DHCPv6)
   • Announce DNS: Enable

Step 5: Apply Final Settings

1. Click Apply Settings
2. Click Save (do not skip this step)
3. Wait 30 seconds
4. Proceed to verification section

---

Configuration Method 2: DHCPv6 with Prefix Delegation

DHCPv6-PD is used when your ISP delegates an IPv6 prefix to your router, allowing you to subnet your network.

Understanding Prefix Delegation

What is Prefix Delegation?

Prefix Delegation (PD) allows your ISP to assign a block of IPv6 addresses (usually a /56 or /60 prefix) to your router. Your router then assigns addresses from this block to devices on your LAN.

Common Prefix Sizes:

• /48 - 65,536 /64 subnets (rare for residential)
• /56 - 256 /64 subnets (common for fiber ISPs)
• /60 - 16 /64 subnets (common for cable ISPs)
• /64 - Single subnet (insufficient for multiple VLANs)

Step 1: Enable DHCPv6-PD on WAN

1. Navigate to: Setup > IPv6
2. Set configuration:
   • IPv6: Enable
   • IPv6 Type: DHCPv6 with Prefix Delegation

Step 2: Configure DHCPv6 Client Settings

Basic Configuration:

• DHCP6c Custom Config: Leave blank (auto-configuration)
• Request IPv6 Prefix Length: 56 (or 60, depending on ISP)

Advanced Configuration (if basic doesn't work):

If your ISP requires specific DHCPv6 options, you may need custom dhcp6c configuration:

interface vlan2 {
    send ia-pd 0;
    send rapid-commit;
    request domain-name-servers;
    request domain-name;
};

id-assoc pd 0 {
    prefix-interface br0 {
        sla-id 0;
        sla-len 8;
    };
};

Important: Replace vlan2 with your actual WAN interface. Check Status > Router to identify your WAN interface (common: vlan2, eth0, ppp0).

Step 3: Disable Conflicting Services

Critical Configuration: When using DHCPv6-PD with DNSmasq for router advertisements, disable radvd to prevent conflicts.

1. Navigate to: Setup > IPv6
2. Under "LAN IPv6 Configuration":
   • Router Advertisement (radvd): Disable
   • DHCPv6 Server (dhcp6s): Disable
   • DHCPv6 Client (dhcp6c): Disable (on LAN side)

Step 4: Configure DNSmasq for Router Advertisements

1. Navigate to: Services > Services
2. Scroll to "DNSmasq"
3. Ensure DNSmasq is Enable
4. In "Additional DNSmasq Options" field, add:

enable-ra
dhcp-range=::1,::ffff:ffff:ffff:ffff,constructor:br0,ra-names,slaac,64,12h

Explanation:

• enable-ra - Enables DNSmasq's IPv6 Router Advertisement feature
• dhcp-range - Defines IPv6 address range for SLAAC
• constructor:br0 - Automatically detects the prefix on br0 (LAN interface)
• ra-names - Registers SLAAC addresses in DNS
• slaac - Uses SLAAC for address assignment
• 64 - /64 prefix length for LAN
• 12h - Lease time

Step 5: Configure IPv6 DNS

In the same "Additional DNSmasq Options" field, add:

dhcp-option=option6:dns-server,[2001:4860:4860::8888],[2001:4860:4860::8844]
dhcp-option=option6:domain-search,home.local

Replace home.local with your desired local domain name.

Step 6: Apply Settings and Verify

1. Click Save
2. Navigate to: Services > Services
3. Click Apply Settings
4. Wait 90 seconds for DHCPv6 to complete
5. Navigate to: Status > Router
6. Verify:
   • WAN shows IPv6 address
   • "Delegated Prefix" shows your assigned prefix (e.g., 2001:db8:1234::/56)

Troubleshooting DHCPv6-PD

If no prefix is delegated:

1. Check ISP supports prefix delegation (contact ISP)
2. Verify WAN interface in dhcp6c config matches actual interface
3. Try different prefix request lengths (56, 60, 64)
4. Check dhcp6c logs:

Navigate to Administration > Commands and run:

cat /var/log/messages | grep dhcp6c

If prefix is delegated but LAN devices don't get IPv6:

1. Verify DNSmasq is running:

ps | grep dnsmasq

2. Check DNSmasq logs:

killall -s USR1 dnsmasq && cat /var/log/messages | grep dnsmasq

3. Verify router advertisements are being sent (from a LAN client):

radvdump

---

Configuration Method 3: 6in4 Tunnel (Hurricane Electric)

If your ISP doesn't provide native IPv6, you can use a 6in4 tunnel through Hurricane Electric's free tunnel broker service.

Understanding 6in4 Tunnels

What is a 6in4 tunnel?

6in4 (also called 6over4 or protocol 41) encapsulates IPv6 packets inside IPv4 packets, allowing IPv6 connectivity over an IPv4-only network. Hurricane Electric (HE.net) provides free tunnel endpoints worldwide.

Advantages:

• Works with any IPv4 connection
• Free service
• Provides a /64 and /48 prefix
• Low latency (choose nearby endpoint)

Disadvantages:

• Slightly higher latency than native IPv6
• Some networks block protocol 41
• Requires manual setup

Step 1: Create Hurricane Electric Tunnel

1. Visit: https://tunnelbroker.net/
2. Create a free account (no credit card required)
3. Click "Create Regular Tunnel"
4. Enter your public IPv4 address (found at https://ipv4.icanhazip.com/)
5. Select nearest tunnel server location
6. Click "Create Tunnel"

Step 2: Note Your Tunnel Information

After tunnel creation, you'll see:

• Server IPv4 Address: e.g., 216.66.80.30
• Server IPv6 Address: e.g., 2001:470:1f0a:2::1/64
• Client IPv6 Address: e.g., 2001:470:1f0a:2::2/64
• Routed /64: e.g., 2001:470:1f0a:3::/64
• Routed /48: e.g., 2001:470:1f0a::/48 (if requested)

Step 3: Configure DD-WRT for 6in4 Tunnel

GUI Method (Recommended)

1. Navigate to: Setup > IPv6
2. Configure as follows:
   • IPv6: Enable
   • IPv6 Type: 6in4 Tunnel
   • Remote Endpoint IPv4 Address: [Server IPv4 Address from HE.net]
   • Remote Endpoint IPv6 Address: [Server IPv6 Address from HE.net] (without /64)
   • Tunnel MTU: 1480 (recommended) or 1472
   • Assigned /64: [Routed /64 from HE.net]
   • Assigned /48: [Routed /48 from HE.net] (if you requested one)

Example Configuration:

• Remote Endpoint IPv4: 216.66.80.30
• Remote Endpoint IPv6: 2001:470:1f0a:2::1
• Tunnel MTU: 1480
• Assigned /64: 2001:470:1f0a:3::/64
• Assigned /48: 2001:470:1f0a::/48

3. Click Apply Settings

Step 4: Configure LAN for 6in4

1. Still in Setup > IPv6

2. Under "LAN IPv6 Configuration":

   • Router Advertisement (radvd): Enable
   • Announce DNS: Enable

3. Click Apply Settings

4. Click Save

Step 5: Configure radvd for Tunnel Prefix

1. Navigate to: Administration > Commands
2. Add the following script:

#!/bin/sh
cat > /tmp/radvd.conf << EOF
interface br0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    AdvManagedFlag off;
    AdvOtherConfigFlag on;

    prefix 2001:470:1f0a:3::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };

    RDNSS 2001:470:20::2 {
        AdvRDNSSLifetime 300;
    };
};
EOF

killall radvd
radvd -C /tmp/radvd.conf -m stderr

Important: Replace 2001:470:1f0a:3::/64 with your actual routed /64 prefix from HE.net.

3. Click Save Startup to make this permanent

Step 6: Configure Dynamic IPv4 Updates (Optional)

If your ISP provides dynamic IPv4 addresses, configure automatic updates to Hurricane Electric:

1. On HE.net tunnel page, click "Advanced" tab
2. Enable "Update Key" and note the key
3. In DD-WRT, navigate to: Setup > DDNS
4. Configure:
   • DDNS Service: Custom
   • DYNDNS Server: ipv4.tunnelbroker.net
   • Username: [Your HE.net username]
   • Password: [Your update key from HE.net]
   • Hostname: [Your tunnel ID from HE.net URL]

Example URL format: https://[username]:[updatekey]@ipv4.tunnelbroker.net/nic/update?hostname=[tunnelid]

5. Click Apply Settings

Verifying 6in4 Tunnel

1. Navigate to: Administration > Commands
2. Run:

ping6 -c 4 2001:470:20::2

Expected: Successful ping responses from HE.net DNS server

3. Check routing:

ip -6 route show

Expected: Routes via the tunnel interface

---

LAN Configuration and Router Advertisements

Proper LAN configuration ensures your devices receive IPv6 addresses and can access the IPv6 internet.

Understanding Router Advertisements

Router Advertisements (RAs) are ICMPv6 messages that:

• Announce IPv6 prefix to LAN devices
• Provide default gateway information
• Specify DNS servers (with RDNSS option)
• Control address autoconfiguration behavior

DD-WRT offers two options for sending RAs:

1. radvd - Dedicated router advertisement daemon
2. DNSmasq - Integrated DNS/DHCP/RA service

Method 1: Using radvd (Traditional)

Basic radvd Configuration

1. Navigate to: Setup > IPv6
2. Under "LAN IPv6 Configuration":
   • Router Advertisement (radvd): Enable
   • Announce DNS: Enable

This creates a basic radvd.conf automatically.

Advanced radvd Configuration

For fine-grained control, create a custom radvd configuration:

1. Navigate to: Administration > Commands
2. Create custom radvd.conf:

#!/bin/sh
cat > /tmp/radvd.conf << EOF
interface br0 {
    # Send router advertisements
    AdvSendAdvert on;

    # Advertisement intervals
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;

    # Flags
    AdvManagedFlag off;        # M flag: Don't use DHCPv6 for addresses
    AdvOtherConfigFlag on;     # O flag: Use DHCPv6 for other config

    # Prefix configuration
    prefix ::/64 {
        AdvOnLink on;          # Prefix is on-link
        AdvAutonomous on;      # Use SLAAC
        AdvRouterAddr on;      # Include router address
        AdvValidLifetime 86400;    # 24 hours
        AdvPreferredLifetime 14400; # 4 hours
    };

    # DNS servers (RDNSS)
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {
        AdvRDNSSLifetime 300;
    };

    # DNS search domain
    DNSSL home.local {
        AdvDNSSLLifetime 300;
    };
};
EOF

killall radvd
radvd -C /tmp/radvd.conf -m stderr

3. Click Save Startup

Key Configuration Options Explained:

• AdvManagedFlag off - Devices use SLAAC, not DHCPv6 for addresses
• AdvOtherConfigFlag on - Devices can use DHCPv6 for DNS/other config
• AdvAutonomous on - Allow devices to self-configure addresses
• AdvValidLifetime 86400 - How long addresses remain valid
• AdvPreferredLifetime 14400 - How long addresses are preferred (privacy extensions rotate after this)

Method 2: Using DNSmasq (Recommended)

DNSmasq integrates router advertisements with DNS and DHCP services, simplifying configuration.

Configuration Steps

1. Navigate to: Setup > IPv6

2. Disable radvd:

   • Router Advertisement (radvd): Disable

3. Navigate to: Services > Services

4. Ensure DNSmasq is enabled

5. In "Additional DNSmasq Options":

# Enable router advertisements
enable-ra

# SLAAC with DNS names
dhcp-range=::1,::ffff:ffff:ffff:ffff,constructor:br0,ra-names,slaac,64,12h

# IPv6 DNS servers
dhcp-option=option6:dns-server,[2001:4860:4860::8888],[2001:4860:4860::8844]

# DNS search domain
dhcp-option=option6:domain-search,home.local

# RA parameters (optional)
ra-param=br0,high,0,7200

DNSmasq Options Explained:

• enable-ra - Turn on router advertisement functionality
• constructor:br0 - Auto-detect IPv6 prefix on br0 interface
• ra-names - Register SLAAC addresses in DNS (enables local DNS resolution)
• slaac - Use stateless address autoconfiguration
• 64 - Announce /64 prefix
• 12h - Lease/lifetime 12 hours
• ra-param=br0,high,0,7200 - Set RA priority to high, min interval 0, max 7200s

6. Click Save
7. Click Apply Settings

Choosing Between radvd and DNSmasq

Use radvd when:

• You need precise control over RA parameters
• Running multiple VLANs with different RA policies
• Compatibility with older clients

Use DNSmasq when:

• You want integrated DNS/DHCP/RA
• You need DNS names for SLAAC addresses
• Simpler configuration is preferred
• You're using DHCPv6-PD

Do NOT run both simultaneously - they will conflict and cause IPv6 issues.

Verifying Router Advertisements

From a LAN client (Linux/macOS):

# Install radvdump if not present
# Debian/Ubuntu: apt install radvd
# macOS: Available in some package managers

# Capture router advertisements
radvdump

Or using tcpdump:

sudo tcpdump -i eth0 -vvv icmp6 and 'ip6[40] = 134'

Expected output should show:

• Prefix information
• M and O flags
• DNS information (RDNSS)
• Correct prefix from your ISP or tunnel

---

IPv6 Firewall Configuration

Unlike IPv4 where NAT provided implicit security through obscurity, IPv6 devices are globally addressable. Proper firewall configuration is critical.

The Critical Problem: No ip6tables in DD-WRT

Important Security Warning:

Most DD-WRT builds DO NOT include ip6tables (IPv6 firewall) by default. This means enabling IPv6 can expose your LAN devices directly to the internet without firewall protection.

Verification:

Check if ip6tables is available:

1. Navigate to: Administration > Commands
2. Run:

which ip6tables

If no output or "not found", your build lacks IPv6 firewall support.

Security Implications

When you enable IPv6 without ip6tables:

• Every device gets a globally-routable IPv6 address
• No NAT to hide devices behind
• Devices are directly exposed to internet
• Only device-level firewalls provide protection

Critical Recommendation: Only enable IPv6 if:

1. Your DD-WRT build includes ip6tables, OR
2. All devices on your network run local firewalls (Windows Firewall, macOS firewall, Linux iptables)

Basic IPv6 Firewall Setup (if ip6tables available)

If your build includes ip6tables, implement basic security:

1. Navigate to: Administration > Commands
2. Create startup script:

#!/bin/sh

# Flush existing rules
ip6tables -F
ip6tables -X

# Default policies - drop everything
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A FORWARD -i lo -o lo -j ACCEPT

# Allow established and related connections
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow essential [ICMPv6](icmpv6-usage) messages
# Destination Unreachable
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 1 -j ACCEPT

# Packet Too Big (critical for PMTU Discovery)
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT

# Time Exceeded
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 3 -j ACCEPT

# Parameter Problem
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 4 -j ACCEPT

# Echo Request/Reply (ping)
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 129 -j ACCEPT

# [Neighbor Discovery Protocol (NDP)](neighbor-discovery-protocol-ndp) - link-local only
# Router Solicitation
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 133 -s fe80::/10 -j ACCEPT

# Router Advertisement
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -s fe80::/10 -j ACCEPT

# Neighbor Solicitation
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -s fe80::/10 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 135 -j ACCEPT

# Neighbor Advertisement
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -s fe80::/10 -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type 136 -j ACCEPT

# Allow LAN to WAN
ip6tables -A FORWARD -i br0 -o vlan2 -j ACCEPT

# Allow DHCPv6 (if using DHCPv6)
# ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
# ip6tables -A OUTPUT -p udp --dport 547 -j ACCEPT

# Log dropped packets (optional - can fill logs quickly)
# ip6tables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IP6T-INPUT-DROP: "
# ip6tables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IP6T-FORWARD-DROP: "

3. Click Save Startup
4. Click Run Commands to apply immediately

Important: Replace vlan2 with your actual WAN interface (check Status > Router).

Alternative: Disable IPv6 Forwarding

If ip6tables is not available and you can't ensure client-level firewalls, consider disabling IPv6 FORWARD:

# Allow router itself to use IPv6, but not forward to LAN
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding

This allows the DD-WRT router to use IPv6, but prevents LAN devices from getting IPv6 connectivity.

Firewall Security Best Practices

1. Never block all ICMPv6 - IPv6 requires certain ICMPv6 types to function
2. Protect Neighbor Discovery - Only allow NDP from link-local addresses (fe80::/10)
3. Default deny policy - Drop everything, explicitly allow only what's needed
4. Stateful filtering - Track connection state for return traffic
5. Rate limit ICMPv6 - Prevent flood attacks while allowing essential messages
6. Enable device firewalls - All devices should run local firewalls as defense in depth
7. Regular updates - Keep DD-WRT firmware updated for security patches

---

DNS Configuration

Proper DNS configuration ensures devices can resolve both IPv4 and IPv6 addresses.

Understanding IPv6 DNS

IPv6 DNS uses AAAA records (quad-A) instead of A records. Devices need:

1. IPv6-capable DNS servers (can be reached via IPv6)
2. DNS servers that support AAAA record queries
3. Proper DNS server configuration in DD-WRT

Configuring IPv6 DNS Servers

Method 1: Via DNSmasq (Recommended)

1. Navigate to: Services > Services
2. Under "DNSmasq", in "Additional DNSmasq Options":

# IPv6 DNS servers provided to clients
dhcp-option=option6:dns-server,[2001:4860:4860::8888],[2001:4860:4860::8844]

# IPv4 DNS servers for IPv4 clients
dhcp-option=6,8.8.8.8,8.8.4.4

Popular Public IPv6 DNS Servers:

Google Public DNS:

• 2001:4860:4860::8888 (primary)
• 2001:4860:4860::8844 (secondary)

Cloudflare:

• 2606:4700:4700::1111 (primary)
• 2606:4700:4700::1001 (secondary)

Quad9:

• 2620:fe::fe (primary)
• 2620:fe::9 (secondary)

OpenDNS:

• 2620:119:35::35 (primary)
• 2620:119:53::53 (secondary)

Method 2: Via radvd RDNSS

If using radvd, configure DNS via Router Advertisement:

interface br0 {
    AdvSendAdvert on;

    prefix ::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };

    # Recursive DNS Server option
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {
        AdvRDNSSLifetime 300;
    };

    # DNS Search List option
    DNSSL home.local {
        AdvDNSSLLifetime 300;
    };
};

Note: Some older devices (pre-2012) don't support RDNSS and will require DHCPv6 for DNS.

Method 3: Use ISP's IPv6 DNS

To automatically use your ISP's IPv6 DNS servers:

1. Navigate to: Setup > IPv6
2. Leave "Static DNS" fields blank
3. Ensure "Announce DNS" is enabled in LAN configuration

DD-WRT will forward the DNS servers received from your ISP.

Enabling DNS Forwarding

Ensure DNSmasq forwards both IPv4 and IPv6 queries:

1. Navigate to: Services > Services
2. Under "DNSmasq":
   • DNSmasq: Enable
   • Local DNS: Enable
   • No DNS Rebind: Disable (or configure exceptions)

Verifying DNS Configuration

From a LAN client:

Linux/macOS:

# Check received DNS servers
nmcli device show eth0 | grep DNS

# Or check resolv.conf
cat /etc/resolv.conf

# Test AAAA record resolution
dig AAAA google.com
nslookup -type=AAAA google.com

# Test IPv6 DNS server connectivity
ping6 2001:4860:4860::8888

Windows:

ipconfig /all

nslookup -type=AAAA google.com

Expected results:

• IPv6 DNS servers should be listed
• AAAA queries should return IPv6 addresses
• Ping to IPv6 DNS servers should succeed

---

Verification and Testing

After completing configuration, thoroughly test your IPv6 setup to ensure everything works correctly.

Step 1: Verify Router IPv6 Configuration

1. Navigate to: Status > Router

2. Check "WAN" section:

   • IPv6 Address: Should show global IPv6 address (2xxx::/3xxx:)
   • IPv6 Gateway: Should show gateway address (or N/A for some setups)
   • Delegated Prefix: (DHCPv6-PD only) Should show delegated prefix

3. Check "LAN" section:

   • IPv6 Address: Should show link-local (fe80::) and optionally global address

Step 2: Test Router IPv6 Connectivity

1. Navigate to: Administration > Commands
2. Test basic connectivity:

# Ping Google's IPv6 DNS
ping6 -c 4 2001:4860:4860::8888

# Ping IPv6-only test site
ping6 -c 4 ipv6.google.com

# Check IPv6 routing table
ip -6 route show

# Verify IPv6 interfaces
ifconfig | grep -A 5 inet6

Expected results:

• Successful ping responses
• Routes via WAN interface or tunnel
• Both link-local and global addresses visible

Step 3: Test LAN Client IPv6 Configuration

On a device connected to your LAN:

Linux:

# Show IPv6 addresses
ip -6 addr show

# Show IPv6 routes
ip -6 route show

# Test connectivity
ping6 -c 4 ipv6.google.com

# Test DNS resolution
dig AAAA google.com

macOS:

# Show IPv6 addresses
ifconfig | grep inet6

# Test connectivity
ping6 -c 4 ipv6.google.com

# Test DNS
nslookup -type=AAAA google.com

Windows:

# Show configuration
ipconfig /all

# Test connectivity
ping -6 ipv6.google.com

# Test DNS
nslookup -type=AAAA google.com

Expected Results:

• Global IPv6 address (not just link-local fe80::)
• Default route via router
• Successful pings to IPv6 hosts
• DNS returns AAAA records

Step 4: Comprehensive Online Testing

Visit: https://test-ipv6.run

This comprehensive testing tool runs entirely in your browser and checks:

• IPv4-only connectivity
• IPv6-only connectivity
• Dual-stack operation
• Protocol preference
• IPv4 vs IPv6 latency
• Broken IPv6 detection

What to expect:

• Score 10/10: Perfect dual-stack configuration
• Blue/Green indicators: IPv6 working correctly
• Your IPv6 address displayed: Confirms global connectivity
• Dual-stack test passing: Browser properly handles both protocols
• Low IPv6 latency: Similar to IPv4 (native) or slightly higher (tunnel)

Other Testing Sites:

• test-ipv6.com - Comprehensive connectivity tests
• ipv6-test.com - Speed and connectivity comparison
• ipv6.google.com - Simple connectivity check

Step 5: Test Specific Scenarios

Test IPv6-only website:

# ipv6.google.com is IPv6-only
curl -6 http://ipv6.google.com/
ping6 ipv6.google.com

Test dual-stack website:

# google.com has both A and AAAA records
curl -6 http://google.com/
curl -4 http://google.com/

Check your public IPv6 address:

Visit in browser:

• https://ipv6.icanhazip.com/
• https://api6.ipify.org/

Test from specific interface:

# Force IPv6
curl -6 https://icanhazip.com/

# Force IPv4
curl -4 https://icanhazip.com/

Interpreting Test Results

Success Indicators:

• Global IPv6 address assigned to clients
• Successful ping to 2001:4860:4860::8888
• AAAA record DNS resolution works
• https://test-ipv6.run shows 10/10 score
• Both IPv4 and IPv6 websites load

Failure Indicators:

• Only link-local (fe80::) addresses on clients
• Ping to IPv6 addresses fails
• test-ipv6.run shows "no IPv6 connectivity"
• Broken IPv6 (configured but timing out)

Performance Benchmarking

Compare IPv4 vs IPv6 performance:

1. Visit: https://test-ipv6.run
2. Note latency differences
3. For native IPv6: latency should be similar or better than IPv4
4. For tunnels: expect 10-50ms additional latency (depending on tunnel endpoint distance)

Acceptable latency:

• Native IPv6: Within 5ms of IPv4 latency
• 6in4 tunnel: +10-50ms compared to IPv4 (depends on tunnel server location)
• If IPv6 latency is significantly higher, consider choosing a different tunnel endpoint or checking routing

---

Troubleshooting Common Issues

Issue 1: Router Has IPv6 but LAN Devices Don't

Symptoms:

• DD-WRT router shows IPv6 WAN address
• LAN clients only have link-local (fe80::) addresses
• Clients cannot reach IPv6 internet

Diagnosis:

1. Check if router advertisements are being sent:

# On router
ps | grep radvd
ps | grep dnsmasq

# On client (Linux/macOS)
radvdump

2. Verify IPv6 forwarding is enabled:

# On router
cat /proc/sys/net/ipv6/conf/all/forwarding

Should return 1. If not:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Solutions:

Solution A: radvd not running

1. Navigate to: Setup > IPv6
2. Ensure "Router Advertisement (radvd)" is Enable
3. Apply settings and check:

ps | grep radvd

If still not running, manually start:

killall radvd
radvd -C /tmp/radvd.conf -m stderr

Solution B: Incorrect prefix in radvd

1. Check delegated prefix:

ip -6 addr show br0

2. Ensure radvd.conf uses correct prefix:

cat /tmp/radvd.conf

3. If mismatch, recreate radvd.conf with correct prefix

Solution C: Firewall blocking ICMPv6

# Ensure ICMPv6 is not blocked
ip6tables -L | grep icmpv6

If no rules allow ICMPv6 type 134 (Router Advertisement), add:

ip6tables -I INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
ip6tables -I FORWARD -p ipv6-icmp --icmpv6-type 134 -j ACCEPT

Solution D: Client not requesting IPv6

Some clients disable IPv6 by default. Check:

Windows:

netsh interface ipv6 show interface

Ensure IPv6 is enabled.

Linux:

cat /proc/sys/net/ipv6/conf/eth0/disable_ipv6

Should return 0. If 1:

sudo sysctl -w net.ipv6.conf.eth0.disable_ipv6=0

Issue 2: DHCPv6-PD Not Receiving Prefix

Symptoms:

• WAN interface has IPv6 address
• No delegated prefix shown in status page
• LAN devices don't get IPv6 addresses

Diagnosis:

1. Check dhcp6c is running:

ps | grep dhcp6c

2. Check dhcp6c logs:

cat /var/log/messages | grep dhcp6c

3. Verify ISP supports prefix delegation (contact ISP)

Solutions:

Solution A: Wrong WAN interface in configuration

1. Identify actual WAN interface:

ip link show | grep -E "vlan|eth|ppp"

Common interfaces: vlan2, eth0, ppp0

2. Update dhcp6c config to use correct interface
3. Restart dhcp6c:

killall dhcp6c
# dhcp6c will auto-restart

Solution B: ISP requires specific DUID

Some ISPs require specific DHCP Unique Identifier (DUID) format:

1. Navigate to: Setup > IPv6
2. Try adding custom dhcp6c config:

interface vlan2 {
    send ia-pd 0;
    send ia-na 0;
    send rapid-commit;
    request domain-name-servers;
    request domain-name;
};

id-assoc pd 0 {
    prefix-interface br0 {
        sla-id 0;
        sla-len 8;
    };
};

id-assoc na 0 {
};

Solution C: Request different prefix length

Try requesting different prefix lengths:

1. Navigate to: Setup > IPv6
2. Change "Request IPv6 Prefix Length" to: 56, 60, or 64
3. Apply and wait 60 seconds
4. Check if prefix is delegated

Solution D: ISP doesn't support prefix delegation

If your ISP only provides a single /64:

• You cannot subnet your network
• All devices must be on same /64
• Consider using a tunnel (Hurricane Electric) for proper prefix delegation

Issue 3: 6in4 Tunnel Not Working

Symptoms:

• Tunnel configured but no IPv6 connectivity
• Router can't ping tunnel endpoint
• No IPv6 routes established

Diagnosis:

1. Test protocol 41 (6in4) connectivity:

# On router
ping -c 4 [HE.net server IPv4]

If this fails, IPv4 connectivity issue.

2. Check if ISP blocks protocol 41:

# Install hping3 if available
hping3 --ipv4 --icmp --data 100 -c 4 [HE.net server IPv4]

3. Verify tunnel interface exists:

ip link show | grep ip6tnl
ifconfig ip6tnl1

Solutions:

Solution A: ISP blocks protocol 41

Unfortunately, if your ISP blocks protocol 41, 6in4 tunnels won't work. Alternatives:

• Use different tunnel type (6to4, but not recommended)
• Request ISP to allow protocol 41
• Switch ISPs
• Use VPN that supports IPv6

Solution B: Incorrect tunnel endpoints

1. Verify endpoints match HE.net tunnel page exactly:

   • Server IPv4 Address
   • Server IPv6 Address
   • Client IPv6 Address

2. Navigate to: Setup > IPv6

3. Double-check all addresses

4. Apply settings

Solution C: MTU issues

6in4 tunnels add overhead. If MTU too high, packets fragment:

1. Navigate to: Setup > IPv6
2. Set "Tunnel MTU" to: 1472 (conservative) or 1480
3. Apply settings

Solution D: Firewall blocking tunnel

# Allow protocol 41
iptables -I INPUT -p 41 -j ACCEPT
iptables -I OUTPUT -p 41 -j ACCEPT

Solution E: Dynamic IP not updating

If you have dynamic IPv4 and it changed:

1. Log into HE.net tunnelbroker.net
2. Click your tunnel
3. Update "Update IPv4 Endpoint" with current IPv4
4. Or configure automatic updates via DDNS

Issue 4: IPv6 Works on Router but Not Through Router

Symptoms:

• Router can ping IPv6 addresses
• LAN clients cannot ping IPv6 addresses
• Router's own IPv6 connectivity works

Diagnosis:

1. Check forwarding:

cat /proc/sys/net/ipv6/conf/all/forwarding

2. Check ip6tables FORWARD chain:

ip6tables -L FORWARD -v

Solutions:

Solution A: IPv6 forwarding disabled

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Make permanent
cat >> /tmp/sysctl.conf << EOF
net.ipv6.conf.all.forwarding=1
EOF
sysctl -p /tmp/sysctl.conf

Solution B: ip6tables blocking forward

# Check FORWARD policy
ip6tables -L FORWARD

# If default policy is DROP, add rules:
ip6tables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -I FORWARD -i br0 -o vlan2 -j ACCEPT

Solution C: No route for LAN prefix

# Check routing
ip -6 route show

# Add route if missing (example)
ip -6 route add 2001:db8:1::/64 dev br0

Issue 5: Broken IPv6 (Configured but Timing Out)

Symptoms:

• Devices have IPv6 addresses
• test-ipv6.run shows "broken IPv6" or score 0
• IPv6 pings timeout
• IPv4 works fine

This is the worst scenario - IPv6 is configured but not functional, causing delays as applications try IPv6 first.

Diagnosis:

1. Test connectivity from router:

ping6 -c 4 2001:4860:4860::8888

If router succeeds but clients fail: routing/forwarding issue If router also fails: upstream connectivity issue

Solutions:

Solution A: ISP IPv6 not actually working

1. Contact ISP to verify IPv6 service is active
2. Check modem/ONT is provisioned for IPv6
3. Reboot modem and router
4. If ISP confirms no IPv6, disable IPv6 or use tunnel

Solution B: Incorrect routing

# Check default IPv6 route
ip -6 route show default

# Should show route via WAN interface/gateway
# If missing, may need to add manually or fix RA/DHCPv6

Solution C: Firewall blocking all traffic

# Temporarily disable ip6tables to test
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -F

# Test connectivity
# If it works, firewall rules are the issue
# Reconfigure with proper rules

Solution D: MTU/fragmentation issues

# Test with different MTU
ping6 -s 1200 -M do 2001:4860:4860::8888

# If small packets work but large ones fail, MTU issue
# Set lower MTU on WAN interface:
ifconfig vlan2 mtu 1480

Solution E: Disable IPv6 if unfixable

If you cannot resolve broken IPv6:

1. Navigate to: Setup > IPv6
2. Set "IPv6" to Disable
3. Apply settings

This prevents the "broken IPv6" scenario where clients waste time trying IPv6 before falling back to IPv4.

Issue 6: DNS Not Resolving AAAA Records

Symptoms:

• IPv6 connectivity works (can ping IPv6 addresses)
• Cannot reach IPv6 websites by domain name
• dig AAAA google.com returns no results or times out

Diagnosis:

1. Test DNS server directly:

# Test IPv6 DNS resolution
dig @2001:4860:4860::8888 AAAA google.com

# Test reaching IPv6 DNS server
ping6 2001:4860:4860::8888

Solutions:

Solution A: DNS server not IPv6-capable

1. Configure IPv6-capable DNS in DD-WRT
2. Navigate to: Services > Services
3. In DNSmasq "Additional Options":

dhcp-option=option6:dns-server,[2001:4860:4860::8888]

Solution B: DNSmasq not forwarding AAAA queries

1. Navigate to: Services > Services
2. Ensure "Local DNS" is enabled
3. Check "No DNS Rebind" is not blocking legitimate queries

Solution C: Client using wrong DNS

On client, manually set DNS to:

• 2001:4860:4860::8888 (Google)
• 2606:4700:4700::1111 (Cloudflare)

Issue 7: Privacy Extensions Causing Issues

Symptoms:

• Devices frequently change IPv6 addresses
• Services that whitelist by IP fail
• Difficulty troubleshooting due to address changes

Understanding Privacy Extensions:

RFC 4941 privacy extensions generate temporary IPv6 addresses that rotate periodically, preventing tracking. While good for privacy, they can cause issues with access control.

Solutions:

Disable privacy extensions on specific devices:

Linux:

# Temporary
sudo sysctl -w net.ipv6.conf.eth0.use_tempaddr=0

# Permanent
echo "net.ipv6.conf.eth0.use_tempaddr=0" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Windows:

netsh interface ipv6 set privacy state=disabled

macOS:

# Not recommended to disable on macOS - use static addressing instead

Use static IPv6 addresses for servers:

Instead of disabling privacy extensions globally, assign static addresses to devices that need them (servers, printers, etc.).

---

Advanced Configurations

Multiple VLANs with Separate IPv6 Subnets

If you have multiple VLANs and want separate IPv6 subnets for each:

Requirement: /56 or shorter prefix from ISP (allows 256 /64 subnets)

Configuration:

1. Assign different /64 subnets to each VLAN interface:

# VLAN 1 (br0) - Main LAN
ip -6 addr add 2001:db8:1234:0::1/64 dev br0

# VLAN 2 (br1) - Guest network
ip -6 addr add 2001:db8:1234:1::1/64 dev br1

# VLAN 3 (br2) - IoT devices
ip -6 addr add 2001:db8:1234:2::1/64 dev br2

2. Configure separate radvd instances or DNSmasq ranges for each VLAN

3. Configure ip6tables to control inter-VLAN routing

IPv6 Port Forwarding

Unlike IPv4 NAT port forwarding, IPv6 "port forwarding" is actually firewall rule management since devices have global addresses.

Example: Allow SSH to specific device

# Allow SSH to specific IPv6 address
ip6tables -A FORWARD -d 2001:db8:1234:0::100 -p tcp --dport 22 -j ACCEPT

Example: Allow web server

# Allow HTTP and HTTPS to web server
ip6tables -A FORWARD -d 2001:db8:1234:0::200 -p tcp --dport 80 -j ACCEPT
ip6tables -A FORWARD -d 2001:db8:1234:0::200 -p tcp --dport 443 -j ACCEPT

Monitoring IPv6 Traffic

View active IPv6 connections:

# Show IPv6 connection tracking
cat /proc/net/nf_conntrack | grep ipv6

# Or if available
conntrack -L -f ipv6

Monitor IPv6 traffic in real-time:

# Install if available
tcpdump -i br0 -n ip6

Check IPv6 traffic statistics:

# Show IPv6 interface statistics
ip -6 -s link show

Optimizing IPv6 Performance

1. Adjust MTU for tunnels:

# For 6in4 tunnels, optimal MTU is usually 1472-1480
ifconfig ip6tnl1 mtu 1472

2. Enable TCP window scaling:

# Should be enabled by default, verify:
cat /proc/sys/net/ipv4/tcp_window_scaling

3. Adjust neighbor cache:

# Increase neighbor cache size for busy networks
sysctl -w net.ipv6.neigh.default.gc_thresh1=1024
sysctl -w net.ipv6.neigh.default.gc_thresh2=2048
sysctl -w net.ipv6.neigh.default.gc_thresh3=4096

Logging and Debugging

Enable comprehensive logging:

1. Navigate to: Administration > Commands
2. Add to startup:

#!/bin/sh
# Enable kernel IPv6 debugging (verbose)
echo 7 > /proc/sys/net/ipv6/conf/all/log_martians

# Log dropped IPv6 packets
ip6tables -I INPUT -j LOG --log-prefix "IP6T-INPUT: " --log-level 7
ip6tables -I FORWARD -j LOG --log-prefix "IP6T-FORWARD: " --log-level 7

# Enable DNSmasq logging
killall dnsmasq
dnsmasq --log-queries --log-dhcp

View logs:

# System log
logread | grep -i ipv6

# Or
cat /var/log/messages | grep -i ipv6

# DNSmasq specific
cat /var/log/messages | grep dnsmasq

---

Best Practices and Security

Security Best Practices

1. Enable IPv6 firewall if available

   • Verify ip6tables is present before enabling IPv6
   • Implement default-deny policy
   • Allow only essential ICMPv6 types

2. Ensure client-level firewalls

   • All devices should run local firewalls
   • Windows Firewall, macOS firewall, Linux iptables
   • Configure to allow only necessary inbound connections

3. Don't disable ICMPv6 completely

   • IPv6 requires certain ICMPv6 types
   • At minimum allow: Type 1, 2, 3, 4, 128, 129, 133-137
   • Rate limit to prevent floods

4. Use secure DNS

   • Configure DNS over HTTPS/TLS if supported
   • Use reputable DNS providers (Google, Cloudflare, Quad9)
   • Avoid ISP DNS if privacy is a concern

5. Keep firmware updated

   • Regularly check for DD-WRT updates
   • Security patches often include IPv6 fixes
   • Subscribe to DD-WRT security announcements

6. Monitor for rogue RAs

   • Rogue router advertisements can hijack IPv6 traffic
   • Consider RA Guard if available
   • Monitor for unexpected prefix changes

7. Document your configuration

   • Keep notes on custom scripts and configurations
   • Document firewall rules and their purposes
   • Record prefix delegations and tunnel details

Performance Best Practices

1. Choose nearby tunnel endpoints

   • For Hurricane Electric, select geographically close server
   • Lower latency improves user experience
   • Test multiple endpoints to find best performance

2. Use native IPv6 when available

   • Native always outperforms tunnels
   • Lower overhead, better throughput
   • More reliable than tunnels

3. Optimize MTU settings

   • Native IPv6: Use default MTU (1500)
   • 6in4 tunnels: 1472-1480 recommended
   • Test with ping to verify optimal size

4. Enable rapid commit

   • Reduces DHCPv6 transaction time
   • Configured in dhcp6c or DNSmasq
   • Cuts DHCPv6 from 4 messages to 2

5. Use DNSmasq instead of separate services

   • Integrated DNS/DHCP/RA more efficient
   • Lower memory footprint
   • Simpler configuration management

Reliability Best Practices

1. Save all configurations

   • Always click "Save" after "Apply Settings"
   • Configurations not saved are lost on reboot
   • Export configuration backup regularly

2. Test before saving

   • Use "Apply Settings" to test changes
   • Verify functionality before clicking "Save"
   • Keep backup connection (4G) during major changes

3. Use startup scripts for critical configs

   • Store custom configurations in startup scripts
   • Ensures configuration persists across reboots
   • Keep backup copy of all scripts

4. Monitor prefix delegation

   • ISP-delegated prefixes can change
   • If prefix changes, update any static configurations
   • Consider dynamic DNS for stable access

5. Implement graceful degradation

   • If IPv6 breaks, ensure IPv4 still works
   • Don't configure both as broken simultaneously
   • Test IPv4 fallback scenarios

Maintenance Best Practices

1. Regular testing

   • Weekly: Visit https://test-ipv6.run
   • Check for broken IPv6 scenarios
   • Verify both protocols working

2. Monitor logs periodically

   • Check for dropped packets
   • Look for unusual ICMPv6 traffic
   • Identify potential security issues

3. Review firewall rules

   • Quarterly review of ip6tables rules
   • Remove obsolete rules
   • Ensure rules match current needs

4. Update DNS records

   • If running services, maintain AAAA records
   • Test AAAA record resolution externally
   • Ensure records point to current prefix

5. Plan for prefix changes

   • Some ISPs periodically change delegated prefixes
   • Don't hardcode prefixes in services
   • Use dynamic registration where possible

Troubleshooting Best Practices

1. Isolate the problem layer

   • Test router connectivity first
   • Then test LAN device connectivity
   • Then test application layer (DNS, services)

2. Use systematic approach

   • Document what you've tried
   • Change one thing at a time
   • Revert changes if they don't help

3. Check basics first

   • Is IPv6 enabled in DD-WRT?
   • Is forwarding enabled?
   • Are services running (radvd, dnsmasq)?

4. Use packet captures when stuck

   • tcpdump reveals actual traffic
   • Shows if packets are being sent/received
   • Identifies where packets are dropped

5. Know when to disable IPv6

   • If configuration repeatedly fails
   • If IPv6 is broken and can't be fixed
   • Broken IPv6 worse than no IPv6
   • Disable and use IPv4 until resolved

---

Testing Your Configuration

After completing your DD-WRT IPv6 setup, comprehensive testing is essential.

Recommended Testing Procedure

1. Test router connectivity

   • SSH into DD-WRT
   • Run: ping6 2001:4860:4860::8888
   • Verify: Successful responses

2. Test LAN client addressing

   • Check client has global IPv6 address
   • Verify address is from delegated/configured prefix
   • Ensure default route via router

3. Test end-to-end connectivity

   • From LAN client: ping6 ipv6.google.com
   • Verify: Successful responses

4. Test DNS resolution

   • Run: dig AAAA google.com
   • Verify: Returns IPv6 addresses

5. Comprehensive online test

   • Visit: https://test-ipv6.run
   • Verify: 10/10 score, all tests passing
   • Check: IPv4 and IPv6 both working
   • Confirm: No "broken IPv6" indicators

6. Performance comparison

   • Note IPv4 latency on test-ipv6.run
   • Note IPv6 latency on test-ipv6.run
   • Verify: IPv6 latency acceptable (native: similar to IPv4, tunnel: +10-50ms)

What Good Results Look Like

Perfect Configuration:

• test-ipv6.run score: 10/10
• All connectivity tests: Green/Blue (passing)
• IPv6 latency: Close to IPv4 (native) or +10-50ms (tunnel)
• DNS: Resolves AAAA records
• Protocol preference: IPv6 preferred on dual-stack sites

Acceptable Configuration:

• test-ipv6.run score: 7-9/10
• Minor issues with specific tests
• IPv6 slightly slower but functional
• Dual-stack working

Problem Configuration:

• test-ipv6.run score: 0 with "broken IPv6"
• IPv6 configured but timing out
• This is WORSE than no IPv6 - must be fixed or disabled

---

Conclusion

Configuring IPv6 on DD-WRT provides your network with future-proof addressing, improved performance, and access to IPv6-only resources. While DD-WRT's IPv6 support is powerful, it requires careful configuration due to limitations in some builds (particularly lack of ip6tables).

Key Takeaways:

1. Verify DD-WRT build supports IPv6 - Use Standard or VoIP builds, not Mini/Micro
2. Choose appropriate method - Native IPv6 (if ISP supports), DHCPv6-PD (for prefix delegation), or 6in4 tunnel
3. Configure LAN properly - Use radvd or DNSmasq for router advertisements
4. Security is critical - Check for ip6tables support, ensure client firewalls enabled
5. Test thoroughly - Use https://test-ipv6.run to verify configuration
6. Monitor and maintain - Regular testing prevents broken IPv6 scenarios

Next Steps:

• Test your configuration at https://test-ipv6.run
• Enable IPv6 on specific services (web servers, SSH, etc.)
• Configure IPv6 firewall rules for exposed services
• Consider enabling IPv6 privacy extensions on clients
• Document your configuration for future reference

Additional Resources:

• DD-WRT Wiki: IPv6 Tutorial - https://wiki.dd-wrt.com/wiki/index.php/IPv6
• Hurricane Electric IPv6 Certification - https://ipv6.he.net/certification/
• DD-WRT Forums: IPv6 Section - https://forum.dd-wrt.com/
• Test your IPv6: https://test-ipv6.run

With proper configuration and ongoing maintenance, DD-WRT can provide robust IPv6 connectivity for your home or small business network, ensuring you're ready for the modern internet.