IPv6 for Your Homelab: Setup, Subnetting, and Native Connectivity

Networking 2026-03-04 · 5 min read ipv6 networking homelab pfsense opnsense isp subnetting router
By HomeLab Starter Editorial Team — Home lab enthusiasts covering hardware setup, networking, and self-hosted services for home and small office environments.

IPv6 for Your Homelab: Setup, Subnetting, and Native Connectivity

Photo by mostafa mahmoudi on Unsplash

IPv4 addresses have been exhausted for years. IPv6 is how the internet grows from here. If your ISP offers IPv6 (most do now), running native IPv6 in your homelab prepares you for the future, removes double-NAT complexity, and lets you expose services to the internet without port forwarding gymnastics.

This guide assumes you're running pfSense or OPNsense as your router and want native IPv6 connectivity throughout your homelab.

Understanding IPv6 Addresses

IPv6 addresses are 128 bits, written as eight groups of four hex digits:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Leading zeros within a group can be omitted, and a single consecutive run of zero groups can be replaced with :::

2001:db8:85a3::8a2e:370:7334

For homelab purposes, you need to know three address types:

Link-local (fe80::/10): Automatically configured on every interface. Used for on-link communication only, never routed. Every device has one.

Globally unique addresses (2000::/3): Publicly routable. Your ISP assigns you a prefix (usually /56 or /64), and your devices get addresses within that space.

Unique local addresses (fc00::/7): Like private IPv4 space — routable within your network but not on the internet. Useful if your ISP doesn't offer IPv6 yet.

Getting IPv6 from Your ISP

Most residential ISPs now offer IPv6 through either:

Native dual-stack: Your router's WAN connection gets both an IPv4 address and an IPv6 prefix. This is the cleanest setup.

6rd (IPv6 Rapid Deployment): Your ISP tunnels IPv6 over IPv4 infrastructure. More complex but works where native isn't available.

DS-Lite: IPv4 traffic is tunneled over native IPv6. You get a shared IPv4 address but native IPv6. Common with some European and Japanese ISPs.

Check your ISP's documentation for which they offer. If you're not sure, try the native setup first.

Configuring IPv6 on pfSense/OPNsense

WAN Interface

Navigate to Interfaces → WAN:

Set IPv6 Configuration Type to DHCPv6 (for native dual-stack)
Check "Request only an IPv6 prefix" if your ISP provides a prefix delegation
DHCPv6 Prefix Delegation size: Set this to match what your ISP provides. Most ISPs give /56 or /64. Check your ISP docs.

If your ISP uses SLAAC (stateless address autoconfiguration), set the WAN to SLAAC instead.

LAN Interface

Now configure your LAN to hand out IPv6 addresses:

Navigate to Interfaces → LAN
Set IPv6 Configuration Type to Track Interface
IPv6 Interface: WAN
IPv6 Prefix ID: 0 (for your first subnet; increment for VLANs)

This tells pfSense to take the prefix your ISP delegated to your WAN and assign the first /64 subnet to your LAN.

Router Advertisements (RA)

Enable Router Advertisements so your devices auto-configure:

Services → Router Advertisements (or DHCPv6 Server):

Mode: Assisted (uses both SLAAC and DHCPv6) or Stateless SLAAC (devices configure their own addresses)
DNS servers: Either your router's IPv6 address or your preferred DNS

SLAAC vs. DHCPv6 stateful:

SLAAC: Devices generate their own IPv6 addresses using the prefix + their MAC address. Addresses are stable but you don't control them.
DHCPv6 stateful: You control address assignments, similar to IPv4 DHCP. More control, more complexity.

For most homelabs, Assisted mode (both) is the best default.

Like what you're reading? Subscribe to HomeLab Starter — free weekly guides in your inbox.

Subnetting with a /56 Prefix

If your ISP gives you a /56 prefix (common with residential service), you have 256 /64 subnets to work with. Assign one per VLAN:

Subnet	Use case
Prefix:0::/64	Main LAN
Prefix:1::/64	IoT VLAN
Prefix:2::/64	Servers VLAN
Prefix:3::/64	Guest network
Prefix:10::/64	Homelab experiments

In pfSense, set the "IPv6 Prefix ID" for each VLAN interface to the corresponding hex digit (0, 1, 2, 3, a).

Verifying IPv6 Connectivity

After setup, check connectivity from a client:

# Check your IPv6 address
ip -6 addr show

# Check default route
ip -6 route show default

# Ping an IPv6 address (Google's public DNS)
ping6 2001:4860:4860::8888

# Test a dual-stack hostname
curl -6 https://ipv6.google.com

Or visit https://test-ipv6.com in a browser — it shows whether you have working IPv6 and what your address is.

Firewall Rules for IPv6

pfSense/OPNsense doesn't automatically create IPv6 firewall rules when you create IPv4 rules. You need to create them separately.

The critical rules to allow (at minimum):

ICMPv6 in both directions — essential for IPv6 to function (neighbor discovery, router advertisements)
Your existing traffic rules, duplicated for IPv6

Allow ICMPv6 rule (on LAN, direction: in):

Protocol: IPv6-ICMP
Source: LAN net
Destination: Any
ICMP subtypes: All (or at minimum: Echo Request, Neighbor Solicitation, Neighbor Advertisement)

Block everything else from WAN (this is usually default, but verify):

WAN rules should block inbound IPv6 traffic by default, same as IPv4

Static IPv6 Addresses for Servers

For servers that need a predictable address:

Option 1: DHCPv6 static mapping (like IPv4 DHCP reservations): Services → DHCPv6 Server → IPv6 Static Mappings → Add

Map the server's DUID to a specific IPv6 address within your prefix.

Option 2: Manually set EUI-64 stable addresses: IPv6 SLAAC addresses derived from MAC addresses are long and change if you swap NICs. For important servers, set a manually-chosen stable address in the same /64:

# On Linux
ip -6 addr add 2001:db8:1:0::100/64 dev eth0
# Make permanent in /etc/network/interfaces or NetworkManager

Exposing Services via IPv6

With public IPv6, your services are directly reachable without NAT. This is one of the main benefits: no port forwarding configuration, no CGNAT problems.

To expose a service:

Give the server a stable IPv6 address (static mapping or manually set)
Create a DNS AAAA record: server.yourdomain.com → 2001:db8:1:0::100
Add a firewall rule on WAN allowing traffic to that address on the required port

Unlike IPv4 where your home IP changes, your ISP-assigned IPv6 prefix is usually stable (delegated per-account rather than per-session). Verify with your ISP.

When Native IPv6 Isn't Available

If your ISP doesn't offer IPv6:

Tunnel brokers: Hurricane Electric (HE.net) and ARIN offer free IPv6 tunnels over IPv4. HE.net's tunnel broker is the most popular — you get a /48 prefix (65,536 subnets) for free.

6to4: Automatic tunneling protocol, but largely deprecated due to reliability issues. Avoid.

Teredo: Windows-specific tunneling, useful only as a last resort.

For most homelabs without ISP IPv6 support, HE.net's tunnel broker is the best option — free, stable, and gives you a real globally-routable prefix.

The Practical Takeaway

IPv6 in a homelab isn't hard — the main barrier is unfamiliar address formats. Once you have your ISP's prefix delegated to your router and Router Advertisements configured, your devices auto-configure IPv6 addresses with no per-device setup. Your servers get directly reachable addresses without NAT. Your homelab becomes properly dual-stack.

The firewall rules matter: don't forget to duplicate your IPv4 rules for IPv6, and always allow the essential ICMPv6 types.