The premiere source of truth powering network automation. Open and extensible, trusted by thousands.

NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to building networks.

Using 6to4 for IPv6 at Home

By stretch | Wednesday, March 17, 2010 at 4:22 a.m. UTC

Earlier this week, we looked at using 6to4 tunnels to establish IPv6 connectivity among sites separated by an IPv4-only transit network. This article extends that concept a bit further to show how you can take advantage of 6to4 tunneling to achieve IPv6 (albeit non-native) access to the public Internet, even from home.

This article discusses configuration of the 6to4 tunnel on an IOS-based access router, however this concept applies to any router or end host which supports 6to4 tunneling and has a global IPv4 address.

Step 1: Find a 6to4 Relay Near You

Like any tunnel, our 6to4 tunnel must have two endpoints. One end will obviously be our local site, but the other must be some point with both IPv4 and IPv6 Internet access. A number of carriers and service providers operate public 6to4 relays for this purpose. In the past, one would have to search for a relay manually. Fortunately, RFC 3068 introduced a well-known anycast address by which to automatically reach the nearest (as determined by BGP) public 6to4 relay.

The 6to4 relay anycast addresses are:

  • IPv4:
  • IPv6: 2002:c058:6301:: (2002::/16 + the IPv4 address in hex)

A simple traceroute will determine the nearest 6to4 relay:

$ traceroute
traceroute to (, 30 hops max, 40 byte packets
 1 (  0.373 ms  2.951 ms  2.794 ms
 2 (  7.020 ms  12.463 ms  12.596 ms
 3 (  12.097 ms  13.054 ms  13.248 ms
 4 (  12.657 ms  12.770 ms  12.878 ms
 5 (  29.782 ms  13.392 ms  29.871 ms
 6 (  13.611 ms  9.034 ms  10.151 ms

I'm lucky enough to have access to a relay just ~11 msec away (round-trip)!

Step 2: Ensure IPv6 Routing is Enabled

Your IPv6 packets won't go far without this:

Router(config)# ipv6 unicast-routing

Step 3: Configure the Tunnel Interface on the Router

Before we can configure the tunnel, we must know the public IPv4 address we'll be using to access the IPv4 Internet. Note that for reliable persistent operation, this must be a static address (versus one assigned via DHCP). In this example we'll be using the IPv4 address

To calculate the 6to4 prefix for the tunnel interface, we convert the 32-bit IPv4 address into hexadecimal and append it to the 2002::/16 IPv6 prefix to get 2002:46AE:B626::/48. The actual address we use for our tunnel interface can be any address within this prefix; for our example, we'll use 2002:46AE:B626::/128.

Now we can configure our tunnel interface:

interface Tunnel0
 description 6to4
 ipv6 address 2002:46AE:B626::/128
 tunnel source
 tunnel mode ipv6ip 6to4

Step 4: Set Up IPv6 Routes

Two IPv6 routes are needed to make this work. First, we need a route for 2002::/16 pointing out our 6to4 tunnel. Second, we need a default route pointing to the 6to4 relay IPv6 anycast address (2002:C058:6301::):

ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::

Step 5: Number the Inside IPv6 Network(s)

The entire 2002:46AE:B626::/48 prefix (minus the subnet used for the tunnel interface) is available to number the internal IPv6 networks. For example, if we have a collection of internal hosts on VLAN 10, we can assign our VLAN 10 interface the address 2002:46AE:B626:1::1/64. IPv6-enabled hosts on this VLAN should automatically detect the presence of an IPv6 router and assign themselves an IPv6 address from this subnet using address autoconfiguration.

$ ip -6 address list eth0
5: eth0:  mtu 1500 qlen 1000
    inet6 2002:46ae:b626:1:21d:60ff:feb3:184/64 scope global dynamic 
       valid_lft 2591870sec preferred_lft 604670sec
    inet6 fe80::21d:60ff:feb3:184/64 scope link 
       valid_lft forever preferred_lft forever

If desired, one also has the option to manually assign IPv6 addresses to internal hosts, or using DHCPv6.

You may also configure one or two public IPv6 DNS servers on your hosts, but IPv6 DNS information (e.g. AAAA records) can be carried over IPv4 DNS just as well.


At this point you should have IPv6 connectivity to the world. Some sites to test include:

Also try using Wireshark to sniff the traffic to these sites. Locally, it will appear as native IPv6 traffic. Outside the router, it will appear as IPv6-in-IPv4.

Posted in IPv6


March 17, 2010 at 4:46 a.m. UTC

This is awesome! Wow!

Great article

March 17, 2010 at 7:54 a.m. UTC

A question that has raised to me... How come the Tunnel0 interface doesn't have a "tunnel destination" command, only "tunnel source ...". I mean how does the tunnel know where to terminate? Does it always look for as the remote end, so it is not necessary to provide it?

March 17, 2010 at 8:12 a.m. UTC

@ppalias: That's the "magic" behind 6to4. The destination IPv4 address is determined from the next-hop IPv6 address. Our default IPv6 route points to 2002:C058:6301::; because the tunnel mode is 6to4, C058:6301 is converted into the IPv4 address to be used as the tunnel destination.

The theory behind 6to4 is explained more in-depth in the prior article, 6to4 IPv6 Tunneling.

March 17, 2010 at 8:47 a.m. UTC

Thank you Stretch, I understood that ipv4 to ipv6 had this hexadecimal conversion of ipv4 address, but it didn't cross my mind that the reverse was automatically done to find the tunnel destination.

March 17, 2010 at 2:31 p.m. UTC

Very Cool. Thanks

March 24, 2010 at 4:58 a.m. UTC

For those interested, keeps a list of networks that run 6to4 relay servers.

This list is updated once a day.


March 25, 2010 at 10:39 a.m. UTC

I'm going to give this a try sometime soon on my 877W at home. I know google are already running a number of services via ipv6 which is a good way to test

April 28, 2011 at 11:32 a.m. UTC

Hi Stretch,

Quick question for you regarding the above article.

Let’s say I'm trying to access from my home network. My router which services the home network is performing 6to4 tunnelling to the nearest 6to4 relay router via the anycast method detailed in the above article.

Once the traffic has passed through said relay and hits google my return traffic would most likely be returned through a completely different relay, most likely the closet BGP4+ router advertising the 2002::/16 prefix?

I believe this is correct but wanted check.

Thanks mate,


July 27, 2011 at 2:05 p.m. UTC


Just thought this might be interesting. I have been using an openvpn service from on Windows 7 for few months now. I seem to be able to browse to those IPv6 websites you have listed without any configuration on my windows at all. IPv6 browsing just works once I'm connected to the VPN.

Comments have closed for this article due to its age.