Running IPv6 when your ISP doesn’t yet support it [solved see comments]

Written by on 2nd July 2012 in technology with 1 Comment

I ran into an issue where a client wanted to run IPv6 internally for testing, but their ISP did not yet support it.  So we decided to use the FE00:: space and carved out a /48 for them to use.  We set each subnet internally to use a different /64, and thought all was well.

Until World IPv6 day that is (June 8th 2012).

Suddenly, websites (such as Google and Bing) take 30+ seconds to load. I quickly realized that it was because the website supported IPv6, and DNS was returning a v6 address (which we didn’t have a route to). I found out that there is no way to make Microsoft DNS server not return the v6 address (and only IPv4). We can’t run a 6to4 tunnel, as we have nothing on the other side to turn it back into IPv6. We couldn’t run a Teredo relay either for security reasons.

So far I haven’t found a solution to this; until your ISP supports IPv6 there is no good way for us to solve this. It seems we should disable the “private IPv6” addresses we are using internally and let them fall back to link-local. If anyone has a solution or idea, please comment.

I am the owner of Russell Draper & Associates, this is my personal blog where I will post whatever I feel like! I generally have comments disabled, due to spam-bots. If you wish to leave a comment please contact me via RDAIT.

This Article has 1 Comment

  1. Russ says:

    It is finally solved!

    The solution is to define a route to nowhere (out the internet) and set an ipv6 access-list to deny it, AND use the “service resetinbound interface inside” command (resetoutbound is enabled by default).

    Don’t forget to enable ipv6 on your outside interface!

    To sum it up I did:

    interface Ethernet0/0
    ipv6 enable
    ipv6 address 2000::1/64
    exit
    ipv6 route outside ::/0 2000::2
    ipv6 access-list deny_all deny ip any any
    access-group deny_all in interface inside
    service resetinbound interface inside

    I randomly chose 2000::1 as we have no ipv6 routes at all. Ethernet0/0 is my outside interface. I already had ipv6 defined on my inside interface.
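
A check to go with the fix described in the comment above, as an added example that is not part of the original post: it times one TCP connect from an inside client and reports whether the path resets the attempt (fast fallback to IPv4) or drops it silently (the 30+ second stall). The names `classify` and `probe` and the default target `2001:db8::1` (documentation prefix, a constructed placeholder) are assumptions.

```python
import errno
import socket
import sys
import time


def classify(exc):
    """Map the result of connect() to what it means for IPv4 fallback."""
    if exc is None:
        return "connected"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "silent-drop"   # nothing came back: client waits out the timeout
    if isinstance(exc, ConnectionRefusedError):
        return "reset"         # TCP RST received: client fails over at once
    if isinstance(exc, OSError) and exc.errno in (errno.ENETUNREACH,
                                                  errno.EHOSTUNREACH):
        return "unreachable"   # no route or ICMP unreachable: also a fast failure
    return "error"


def probe(addr, port=80, family=socket.AF_INET6, timeout=5.0):
    """Attempt one TCP connect; return (verdict, seconds elapsed)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((addr, port))
        exc = None
    except OSError as err:
        exc = err
    finally:
        sock.close()
    return classify(exc), time.monotonic() - start


if __name__ == "__main__":
    # Constructed placeholder target; pass a real AAAA address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "2001:db8::1"
    verdict, elapsed = probe(target)
    print(f"{target}: {verdict} after {elapsed:.2f}s")
    if verdict == "silent-drop":
        print("Denied IPv6 connections are dropped silently; clients will stall.")
```

Run it from a host on the inside network before and after applying the configuration; "reset" or "unreachable" within a fraction of a second means browsers will fall back to IPv4 promptly.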

