Randomizing a pool of IPv6::/64 addresses

Please help. Ubuntu 18.04, netplan, got a /64 from Linode, everything works, but I'm trying to randomize outgoing IPv6 addresses from a tunnel (let's say tun0) interface (this tunnel uses ULA addresses; I do ip6tables mangle to translate ULA -> public IPv6 without touching NAT). But I get exactly the same address I use for the tunnel (fd40::1 -> 2001::1). I can't change the client configuration, so I want to do it using the server side only.

The question is how to randomize the IPv6 /64 (the last ffff:ffff:ffff:ffff). I have tried using use_tempaddr = 2 in sysctl for all ifaces, but no luck.

ip6tables

*raw
:PREROUTING ACCEPT [8588:8482248]
:OUTPUT ACCEPT [3186:306459]
-A PREROUTING -d 2600:2222:2222:2222::/64 -j NOTRACK
-A PREROUTING -s fd40:3333:3333:3333::/64 -j NOTRACK
COMMIT

*mangle
:PREROUTING ACCEPT [15409:11037888]
:INPUT ACCEPT [11239:9240238]
:FORWARD ACCEPT [4132:1794638]
:OUTPUT ACCEPT [7959:794713]
:POSTROUTING ACCEPT [11702:2518828]
-A PREROUTING -d 2600:2222:2222:2222::/64 -j DNPT --src-pfx 2600:2222:2222:2222::/64 --dst-pfx fd40:3333:3333:3333::/64
-A POSTROUTING -s fd40:3333:3333:3333::/64 -o eth0 -j SNPT --src-pfx fd40:3333:3333:3333::/64 --dst-pfx 2600:2222:2222:2222::/64
COMMIT

This works: if my ULA is fd40:3333:3333:3333::1/128, then I would get the public 2600:2222:2222:2222::1/128.

Thank you very much for looking at my question! :) If you have a minute, please give me some directions, I think about dhcpd6, but I hope it is possible not to use it.

Have a good day!
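As an added example (not from the original post or from Linode), the Python below implements the RFC 6296 checksum-neutral prefix translation that the SNPT/DNPT targets in the ip6tables rules above perform, using the post's placeholder prefixes as constructed sample input. It shows why the outgoing address can never be "randomized" by this mechanism: the mapping is stateless and one-to-one, so the interface identifier from the ULA side is carried through. It also shows a detail worth knowing when reading the translated addresses: with /64 prefixes the checksum-neutral adjustment lands on the first word of the interface identifier, so unless the two prefixes happen to have the same ones' complement sum, the public address differs from the inner one in that word. The function names and the sample hosts are this example's own.

```python
import ipaddress


def ones_complement_sum(words):
    """Ones' complement sum of 16-bit words, folded back into 16 bits."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_address(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def nptv6_translate(addr, from_net, to_net):
    """Translate addr from from_net into to_net the way RFC 6296 NPTv6 does.

    Stateless and one-to-one: the prefix is swapped and the interface
    identifier is kept, except for one 16-bit word that absorbs the
    difference between the two prefix sums so that TCP/UDP/ICMPv6
    checksums stay valid without rewriting them. Only prefix lengths
    that are multiples of 16 are handled here (the post uses /64).
    """
    addr = ipaddress.IPv6Address(addr)
    from_net = ipaddress.IPv6Network(from_net)
    to_net = ipaddress.IPv6Network(to_net)
    plen = from_net.prefixlen
    if plen != to_net.prefixlen or plen % 16:
        raise ValueError("prefix lengths must match and be a multiple of 16")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")

    n = plen // 16
    words = address_words(addr)
    from_sum = ones_complement_sum(address_words(from_net.network_address)[:n])
    to_sum = ones_complement_sum(address_words(to_net.network_address)[:n])
    words[:n] = address_words(to_net.network_address)[:n]

    # adjustment = from_sum - to_sum in ones' complement arithmetic
    adjustment = ones_complement_sum([from_sum, 0xFFFF - to_sum])

    # /48 or shorter: the subnet word (index 3) takes the adjustment.
    # Longer prefixes: the first IID word that is not 0xFFFF takes it.
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("all IID words are 0xFFFF; address cannot be translated")

    new_word = ones_complement_sum([words[idx], adjustment])
    # 0xFFFF and 0x0000 are the same value in ones' complement; RFC 6296 picks 0.
    words[idx] = 0 if new_word == 0xFFFF else new_word
    return words_to_address(words)


def is_checksum_neutral(a, b):
    """True when both addresses have the same ones' complement word sum."""
    return ones_complement_sum(address_words(a)) == ones_complement_sum(address_words(b))


# Constructed sample input: the placeholder prefixes from the post's ip6tables rules.
ULA_NET = "fd40:3333:3333:3333::/64"
PUBLIC_NET = "2600:2222:2222:2222::/64"
SAMPLE_INNER = [
    "fd40:3333:3333:3333::1",
    "fd40:3333:3333:3333::2",
    "fd40:3333:3333:3333:1234:5678:9abc:def0",
]


def demo(hosts=SAMPLE_INNER):
    """Map each inner host outward (SNPT) and back (DNPT).

    Returns (inner, outer, round_trip) string tuples; the IID survives
    the round trip, which is what makes the mapping impossible to randomize.
    """
    rows = []
    for inner in hosts:
        outer = nptv6_translate(inner, ULA_NET, PUBLIC_NET)
        back = nptv6_translate(outer, PUBLIC_NET, ULA_NET)
        rows.append((str(ipaddress.IPv6Address(inner)), str(outer), str(back)))
    return rows


if __name__ == "__main__":
    for inner, outer, back in demo():
        print(f"{inner} -> {outer} -> {back}")
```

Run it as-is to see the three sample hosts mapped out and back. Because every inner address maps to exactly one outer address and vice versa, the only way to change which public address a client appears from is to change the address the client actually uses inside the tunnel, which is the constraint the question is working around.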

2 Replies

Hey there,

After looking at the information provided, I don't think it would be possible to do this without having SLAAC (dhcpd6) enabled. From my own personal experience, as well as the information provided in this post, it seems that Netplan in Ubuntu 18.04 has preferred IPv6 addresses that it will use to create tunnels.

Would you mind providing me with some more information in regards to what you are using this configuration for? I may be able to provide more insight or helpful resources should you need it.

Hello!

Okay, I had thought I should not use ip6tables NAT, but it seems I was misguided; there is a lot of holy war on this topic. What I tried to do was use different IPv6 prefixes from the assigned /64 for VPN clients, but it seems IPv6 in its current state uses /64 blocks for addressing, and I can run into issues if I try to divide it for the clients to have a dynamic IPv6. However, I can't make it work as expected even using a /64 for one client. Ping doesn't work and some other weird problems occur (as I remember, I was trying to advertise my prefix with dhcpd6 and test the ip6tables conf regarding adv/pings); I can't tell you exactly, as it was 5 months ago. Now I'm just using NAT/a static single IPv6. Of course, it would be cool to have dynamic prefixes, but I can't find the right configuration for that.

Anyway, thanks for your reply, it was a long wait :) If you know how to do it with a /56, please tell me; I will gladly pay for that expertise.
