OpenSUSE as a native ipv6 gateway?

There is a lot of documentation about routing ipv6 and most of it is outdated for tunnels or routing with ipv4.
My isp supplies native ipv6
I have installed dhcpcd 6.11.5 from which is working great, it allocates an ipv6 ip address to my wan, and a public subnet to my bridged lan.

For testing to see if the public subnet works, I created an address from my bridge on my wan. I did this just to ping and verify I had the address. It worked fine using ipv6 sites to ping me.


denyinterfaces br0 enp10s0f0 enp10s0f1 enp11s0f0 enp11s0f1 wlp5s0 wlp7s0
waitip 600
# Uncomment this line if you are running dhcpcd for IPv6 only.

# use the interface connected to WAN
interface enp12s0
#iaid 1
ia_na 1
# use the interface connected to your LAN
ia_pd 2 br0/0

I can have radvd.conf apply local ip addresses or public to the lan. This works perfectly. There is also the documentation stating that it can auto generate subnet ipv6 ips from dynamic subnet ip blocks provided by the isp, though not the main concern of my post.


interface br0
    AdvSendAdvert on;
    prefix fc00::1/64
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
RDNSS fc00::1{};

(yes, I am aware fc00::1 is not a public route-able address, for tayga it works just fine. I have a few public subnets on standby for when I learn to do the routing properly)

I have installed tayga (NAT64)
which does the routing ok, but seems like it was meant to translate ipv4 to ipv6 more than routing direct ipv6 → ipv6.

I am thinking there is a better way to properly setup a router gateway and route public ipv6 ips to the lan without a nat. Much of the documentation I have read has proven wrong as most of it involves routing with ipv4 and back to ipv6.

(feels sloppy to route native ipv6 this way)

tun-device nat64


ipv6-addr 2001:db8:1::2

prefix 2001:db8:1:ffff::/96


data-dir /var/db/tayga

map fc00::1

tayga is working for the most part, I have a subnet lan and can ping6 outside addresses. But this is not how ipv6 was designed. I am unsure of how to properly setup ipv6 routing in my opensuse linux router. I could use public route-able ips with tayga, but this is not correct ipv6 routing. Something direct should exist?

Also I have firewalld which I have recently upgraded to with tumbleweed and am unsure of how it interacts with iptables which has led to more confusion reading iptables tutorials. SuSEfirewall2 was dropped a few weeks ago.

I’m extremely surprised it works seeing that you are using unmodified example from manual that contains documentation-only IPv6 prefix shich should not be routable anywhere in real internet. Most likely your ping6 has absolutely nothing to do with your tayga.conf :slight_smile:

I am unsure of how to properly setup ipv6 routing in my opensuse linux router.

I really do not understand your question. Tayga is designed to connect IPv4 networks over IPv6 backbone. You do not “ping6” on host behind tayga - you use “ping” on native IPv4 hosts.

IPv6 native routing works just the same as IPv4 native routing. You have default gateway or you have host/network specific gateways. Home connections unlikely need more than default gateway via ISP router.

There is also the documentation stating that it can auto generate subnet ipv6 ips from dynamic subnet ip blocks provided by the isp, though not the main concern of my post.

Well, that’s the whole point of IPv6 - each host receives unique IPv6 address from address block allocated to you by your ISP. That automatically solves the “problem” of routing, as each host also receives native IPv6 route pointing to ISP gateway.

Either you misunderstand how IPv6 works or I misunderstood your question. Could you explain in some more details what you are trying to achieve?

Without tayga I am unable to route public ipv6 addresses from my lan to my wan. I should not require or need ipv4 anywhere in that loop. I have a public ipv6 address assigned to my wan, from my isp, and a public ipv6 subnet applied to my lan, also from my isp. How can I route this properly without the use of tayga? Many of the examples I attempted over the last week were very dated and did not function.

I think you misunderstand my documentation-only subnet. This subnet is recommended on many tutorials for use with a nat and is routed similar to As I have a public ipv6 subnet lan, I should not require a nat or tayga to handle the routing. Previously I had used SuSEfirewall2 to route ipv4 and we were all forced to adapt to firewalld recently. I do not understand what ip6tables commands to issue in which to have my public ipv6 lan routed to my public ipv6 wan.

I also don’t know what you are trying to do. And I probably don’t know how to do it.

IPv6 is working fine here. I’m using the router provided by my ISP.

Here’s my understanding of how it works:

My home router is assigned (or “delegated”) a “/60” range of IPv6 addresses. It uses one of those for itself. And then it advertises a “/64” to the LAN. Each computer on the LAN assigns itself an IPv6 address from that “/64” block (checking that this doesn’t cause a conflict). And each computer presumably announces what it has chosen, so that other LAN hosts know how to contact it.

The main router can also be set to assign an IPv6 address to each host. If I turn that on, then my computers get two IPv6 addresses – the one that they have chosen for themselves and the assigned address. That’s of course, with privacy extensions turned off. With privacy extensions turned on, they assign themselves another IPv6 address chosen randomly and used only for 24 hours.

I also do not understand your routing objectives or design.

Some basic questions and concepts…

  • Why your segregation of “public” and “private” addresses? Is this for organization if you are managing a very large number of host addresses?
  • Is there some reason why you would want to deploy an IPv6 DHCP server? There is no need to do so since self-generated addresses should always “just work.” Only reason to use a DHCP server is to manage assignments.
  • A significant diff between IPv6 and IPv4 is that IPv6 addresses are generally publicly accessible (with exceptions).
  • A significant diff between IPv6 and IPv4 is that routing tables should almost always be built automatically and “just work” not needing the special routes sometimes seen in IPv4 networks.
  • Is firewalling security part of your networking objectives? If so, then you need to state those clearly. In that case, then yes you will want to configure your firewall as a “critical node” but still ordinarily should not need to configure NAT or configure routing tables manually.


Because I chose to not post public ip addresses on the internet and it is an example of my config which also works for the public ipv6 address. You get to see the config example of what I am using and may have some insight to flags I could be missing. with the use of a nat (tayga) my ipv6 lan can communicate with the internet. This is not a ‘correct’ usage and I should not need to route ipv6 through a nat.

The ipv6 dhcp server or radvd.conf is working 100% fine. all ‘self generated’ addressed did not work out of the box, nothing routed to nothing. I could not even ping the self generated addresses “fe80::”. dhcp is not the issue of my question. as far as the ipv6 subnet goes, I will have to assign those from my own server as this is what is provided. I get 1 isp specific routable ipv6 address and several others with subnets that I must assign and route myself. The radvd (or dhcp) server is working 100% as intended.

all of the addresses on my lan with current configuration or public ipv6 are not publicly accessible. I would like them to be, and the major issue is that I do not know how to route public wan ipv6 to lan ipv6 with public ips. the assignment of public ip addresses is currently working and of no issue. again I may have a flag I have missed that I should have placed in the config, and so I posted the config.

with a default install of opensuse and firewalld NOTHING has worked. nothing has been routed through my router(opensuse box). I have and get access to the ipv6 addresses without issue as I posted above with my tests. Opensuse at current is not capable of routing the ipv6 wan to the ipv6 lan addresses without use of a nat. I don’t know why, this is the issue I do not understand. I should not require tayga(nat64) to do this routing. I realize this is likely a very simple solution that has been overlooked.

Nope, If it was, this is currently working just fine. And again, the routing tables need manual configuration for anything as NOTHING works. I suspect this has to do with the forced upgrade to firewalld, though I did not do any ipv6 testing with susefirewall2. firewalld’s routing tables are very different than what I had noticed with susefirewall2 which again makes most of the tutorials I have found not helpful. Again, no I do not need a firewall for ipv6, but the routing has in the past ‘automatically’ just worked after inputting the information into the firewall which in the past has handled the routing tables. Currently no default ipv6 routing that should work, is working.

ipv6 is working fine as far as 1 computer(the opensuse router) doing anything online with an ipv6. My problem is that it is not routing ipv6 publicly to the lan. I currently have access to a few ipv6 subnets. each one consists of 18,446,744,073,709,551,616 IPv6 addresses. I will probably use 20 with laptops and cell phones.

I have disabled all of the normal lan routing capabilities of my isp router and have placed an opensuse server with 100% access to the internet. It has both a public ipv4 and ipv6 ip and several subnets. There are several reasons for doing this which are not the criteria of my question.

I am going to draw it out to make 100% clear what is not working

opensuse router → wan ipv6 (working)
opensuse router → requested ipv6 subnet (addresses routed to me and tested as working via online ping from websites when I assigned subnet ips to the wan)
opensuse router → ipv6 subnet assigned to lan (assignment is working)

‘ipv6 internet’ → ‘opensuse router’ → ‘ipv6lan computer’ (not working)
this is the breakdown ‘ipv6 internet’ → ‘opensuse router’ -/- no routing -/- ‘ipv6lan computer’

I installed tayga and managed to get routing somewhat working, but this is a very wrong way to route the ipv6 to the lan.
I would love it if the routing tables just ‘worked’, but they have not.
so my table looks like this
‘ipv6 internet’ → ‘opensuse router’ → ‘opensuse router tayga(nat64)’ → ‘ipv6lan computer’
This also means that my lan works similar to addresses because they are forced to go through a nat.

How do I get ipv6 to properly route from interface enp12s0 (public wan) to interface br0 (my bridged lan consisting of 2x wifi and 4x ethernet).

Because this has not worked ‘out of the box’. I don’t know how to tell enp12s0 to send traffic it receives for ‘br0’s ipv6 subnet’, to br0.
The main reason I don’t know how to route ipv6 is because the routing tables are different with firewalld and I have no idea what to do with them. As well most examples on the internet did not feature such a simple setup wan-ipv6 → opensuse router → lan-ipv6(for which all addresses should be 100% publicly accessible)

You should not need any ip6tables to route anything.

You know, discussion when you say “everything is working” without providing any technical details is not going to lead anywhere. Because if that is working, you should not have issues with routing. And if you have, something is not working, and to tell what, we need details.

‘ipv6 internet’ → ‘opensuse router’ → ‘ipv6lan computer’ (not working)

The obvious first answer is firewall.

I installed tayga and managed to get routing somewhat working, but this is a very wrong way to route the ipv6 to the lan.

Here we agree :slight_smile:

… forced to go through a nat.

How do I get ipv6 to properly route from interface enp12s0 (public wan) to interface br0 (my bridged lan consisting of 2x wifi and 4x ethernet).

Ouch … NAT, bridges, iptables, tayga … really, start with the most simple configuration. Single system with single interface and firewall disabled. Show “ip address” and “ip route” output on this system and explain what exactly does not work ideally pasting actual commands and their output you used to verify it.

If “have access” means “you use addresses from these subnets on your LAN” then the following must be true

  1. Internet must know that traffic for these subnets must be sent to your ISP router.
  2. Your ISP router must know that traffic for these subnets must be sent to your openSUSE box WAN address

Are you sure these are true? The simplest way to verify is to sniff openSUSE box WAN interface while trying to access internal address from outside. If you do not see any traffic, the problem is outside of openSUSE box.

Of course, openSUSE must also have routing enabled, but I assumed this is so obvious that I do not need to mention it. But that is the next step, if preceding does not work, there is nothing you can do. Then the only possibility is indeed to masquerade everything as your openSUSE box WAN address because this is the only one that can have connectivity.

routing tables are different with firewalld

firewalld has absolutely nothing to do with routing. You seem to confuse routing and NAT.

IMO some IPv6 Basics is needed here.

Based on a <very> brief skim of only a few Internet hits,
I’d recommend reading

Some points of emphasis to clear up some misunderstandings…

  • Everywhere autoconfiguration is described, and why it makes DHCP unnecessary and only a voluntary option.
  • The Address Types & Formats page. Besides the address structure (critical to know if you’re subnetting, routing and assigning addresses), you should also pay close attention to the Address Types so you know for instance of the many auto-generated IPv6 addresses you will see on your system, for some odd reason you chose the Link-local address to test routing (it’s the only one that can’t)
  • How headers are used so that you can identify and use them properly yourself which is essential for routing
  • IPv6 subnetting. Ordinarily, there is no need or desire. But, for possible management and consequentially possibly applying special security reasons, you will have to know this first.

Perhaps some additional points of interest

  • Anycast vs Broadcast, but know that for over 99% of all connections, Unicast is the relevant type

If you have further questions, post again,
But first try to establish a base of knowledge.
I’d also expect there should be some decent YouTube(and other provider) videos on the subject

Unfortunately, the best slide deck and presentation I’ve seen (an over 6 hour talk, packed with info) is not available publicly. Here’s hoping one day the presenter will change his mind about publishing openly since AFAIK he doesn’t actually have any reason to hold back.


A brief response to your original post…
You said that your “public IPv6 addresses” either couldn’t connect to, or others couldn’t connect to them.

I’d start with…

  • Did you assign those public IPv6 addresses?
    If you did, then did you make some mistake… like
    physical networking mistake
    Bad address assignment which might include bad header or duplicate hostid?

  • If you’re instead using an autogenerated non-link-local address
    Is there a physical network connection?
    Did you try an IPv6 ping of your router?

  • If your machines are not connected directly to your ISP/Gateway device, then
    Is your router configured for IPv6 forwarding?
    Are your router interfaces configured correctly (actually, should be left with default auto-configured addresses)

Those are just off the top of my head,
I’m sure that within each general category above, there are many more possible actions to take when troubleshooting.

I’ve never heard of an ISP assigning anyone only one IPv6 address, makes no sense with the enormous number of free addresses available. I assume you probably misunderstood what you have. It’s more likely you have something enormous… possibly thousands of addresses. It’s also possible you might be sharing millions of addresses with others in a same address space because the odds of any of you bumping into each other would be tiny.


Posting follow up to help others in the future.

REPORT SUCCESS - Thankyou tsu2 for your assistance, I heavily considered your comments about how ipv6 should work automatically. I did have some previous experience with ipv6/dns and tunnels from about 15 years ago. Hoping no one else has to suffer through outdated tutorials. Some of googles top results are from 2004 which had me draw bad conclusions.

My isp is Rogers( All my internal computers now have public ipv6 addresses which can be remotely pinged or connected to ( ). This is managed only using radvd(2.17) and dhcpcd(6.11.5). Rogers assigns a single reverse dns ip address. I would imagine Rogers has not setup at least 18 quintillion reverse dns for all addresses and probably have a limited pool. The subnet they assigned does not have reverse dns(I am not concerned).


NOTE: dhcpcd did not setup the routes if the subnet address was already assigned or while denyinterfaces was set to my bridge (br0). I initially set denyinterfaces when I noticed dhcpcd looking for dhcp replies on br0 and all other interfaces. dhcpcd no longer does this with the current config(posted)

For those testing in the future, note that the output of dhcpcd can be misleading as it can take 2-5 minutes to get an ipv6 reply. I used combinations of --waitip 6, --inform6, and -t0 flag to not timeout while testing.

denyinterfaces enp10s0f0 enp10s0f1 enp11s0f0 enp11s0f1 wlp5s0 wlp7s0
waitip 600
interface enp12s0
ia_na 1
ia_pd 2 br0/0

dhcpcd output:
The output from dhcpcd is confusing as it shows enp12s0 is routed to “fe80::” (router or isp address) which is also displayed in routing tables. This is the reason I expected to be able to ping “fe80::”.

all: IPv6 kernel autoconf disabled
enp12s0: IPv6 kernel autoconf disabled
all: IPv6 kernel autoconf disabled
br0: IPv6 kernel autoconf disabled
DUID xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
enp12s0: IAID xx:xx:xx:xx
enp12s0: IAID 00:00:00:01
enp12s0: IAID 00:00:00:02
enp12s0: adding address fe80::xxxx:xxx:xxxx:xxxx
br0: IAID xx:xx:xx:xx
br0: adding address fe80::xxxx:xxxx:xxxx:xxxx
enp12s0: soliciting an IPv6 router
enp12s0: rebinding lease of
enp12s0: probing address
br0: soliciting a DHCP lease
enp12s0: rebinding prior DHCPv6 lease
enp12s0: REPLY6 received from fe80::xxxx:xxxx:xxxx:xxxx
enp12s0: adding address 2607:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
enp12s0: renew in 79773, rebind in 127637, expire in 362477 seconds
lo: adding reject route to 2607:xxxx:xxxx:xxxx::/64 via ::1
enp12s0: delegated prefix 2607:xxxx:xxxx:xxxx::/64
br0: adding address 2607:xxxx:xxxx:xxxx::1/64
br0: adding route to 2607:xxxx:xxxx:xxxx::/64
lo: deleting reject route to 2607:xxxx:xxxx:xxxx::/64 via ::1
forked to background, child pid 2794


**note “prefix ::/64” as recommended in some tutorials does not work. I am not sure how a dynamic subnet is handled by radvd or why this feature is not working. For now I have placed the appropriate global address I get from dhcpcd and placed it in radvd.conf. I will have to manually update radvd.conf when the dynamic subnet changes.

I am currently not sure of how to tell clients where the ipv6 dns server is. I think the lan clients are likely still using the ipv4 dns declaration from the ipv4 dhcpd.conf(wickedd)

interface br0
    AdvSendAdvert on;
prefix 2607:xxxx:xxxx:xxxx::1/64
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
        DeprecatePrefix on;



I am not sure if all this is necessary. Many of these flags were added for troubleshooting purposes. This is my configuration at this time. Let me know if I should remove or change any of it.

net.ipv6.conf.enp12s0.accept_ra = 2
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.enp12s0.forwarding = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.enp12s0.autoconf = 0
net.ipv6.conf.br0.accept_redirects = 4
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.disable_ipv6 = 0

Congrats, and very cool what you posted.

Seems to me some things like ipv6 forwarding should have been configurable in YaST, but in a way I’m sure you feel you have a better handle on your ipv6 configuration by stating all your ipv6 optionsl in a block statement in your /etc/sysctl

The <special> reverse ip address mapping provided by your ISP is necessary only for deploying a mail server (or, at least I expect that this is consistent with what has always been the case for Ipv4). This mapping is special only because it’s done by the ISP so the ISP can verify the mapping by mail servers.

For all other situations, you should only need to configure reverse zone mappings in your Domain’s own Primary DNS servers (the ones identified by your Domain Registrar). Of course, you need to use or deploy DNS that supports ipv6, and you should be able to test by pointing your own machines directly to those specific DNS so you don’t rely on zone replications working properly (at first. you can test how well your zone is replicating later). You may even want to set up a test DNS in your LAN to create your reverse zone mappings before you make changes to your real public servers.

You configure your DNS client on each machine the same as for ipv4… By configuring in your /etc/resolv.conf.
If you are already using DHCP, you should be able to distribute your ipv6 DNS as part of the network configurations.
Otherwise for testing, use nslookup to over-ride network configurations.


I found a minor bug with my setup. Because I am using dhcpcd now. I thought why have two dhcp clients running wicked for ipv4 and dhcpcd for ipv6.

In yast/System/Network Settings/enp12s0/Edit

If I set this enp12s0 to “No Link and IP Setup”
wicked sets net.ipv6.conf.enp12s0.disable_ipv6=1 at boot and overrides any options placed in sysctl.conf


net.ipv6.conf.enp12s0.accept_ra = 2
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.enp12s0.forwarding = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.enp12s0.autoconf = 0
net.ipv6.conf.br0.accept_redirects = 4
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.enp12s0.forwarding = 0
net.ipv6.conf.enp12s0.disable_ipv6 = 0

With several attempts I found no method to enable the ipv6 of enp12s0 across reboots while disabling wicked on the interface.
I could just sysctl net.ipv6.conf.enp12s0.disable_ipv6=0 at every reboot and rerun dhcpcd if I wanted. (not great if I remotely reboot, or a power outage while I’m not home)

I will note that all the ipv4 entries of yast/wicked will accept ipv6 without complaint. I’m sure at some point someone might want to fix this to say “ipv4/ipv6” or just “ip”.
For the moment I have entered in wicked a static ip address on enp12s0 as “fe80::1” and netmask of “/128”.

This way wicked does not force ipv6 disabled. I’m not thrilled at having a useless address just so wicked doesn’t mess things up.

The alternative is to lock dhcpcd to ipv6 and use wicked for ipv4. I currently use wicked for the bridge and am not sure how everything would work if I disabled wicked.

You may want to test NetworkManager. Since 1.6 it supports connection sharing for IPv6 and should utilize prefix delegation for it. It also supports bridges and internal forward-only DNS server.

I have found two issues with my setup so far.



resulted in the opensuse router passing ipv6 address requests to the lan. I had three or four quintillion address subnets assigned.


is my new setting. This solves the issue of why my lan had multiple ipv6 addresses(including ones not in my immediate subnet or part of radvd.conf).


The interesting part is the addresses worked the way one would expect a nat to work.
I no longer have tayga installed, maybe it never did what I thought it did.

While testing ipv6 on I get 20/20. But the ipv6 address displayed is the one belonging to my opensuse router wan port(enp12s0). The lan computers have public ipv6 assigned and can be publicly pinged with sites like , and for verification not pinged when an address is not assigned.

Strange that public ipv6 addresses on my lan are masquerading as the opensuse router.

I only found one tutorial explaining how to use ipv6 properly, unfortunately it was designed for iptables that looked like what we had with SuSEfirewall2. The same commands did not work with firewalld.