6to4 is obsolete

I'm going to leave the rest of this page as-is for the time being, but we've reached the point now that 6to4 isn't strictly necessary anymore. Anyone can get a Tunnelbroker tunnel at this point; Comcast will now give you a native IPv6 prefix with DHCPv6, and Verizon is now giving out IPv6 addresses over LTE. The revolution has already been televised.

Important note!

With the promulgation of RFC 3068, the list that used to be here is no longer necessary. Everyone using 6to4 should now set their default router to 2002:c058:6301::, which is a special magic anycast address for the nearest (in BGP terms, anyhow) Relay Router.

Nick's 6to4 page

IPv6 is the next generation IP protocol (IP being the protocol run on the Internet - IP stands for Internet Protocol, in fact). Among the benefits of IPv6 is a vastly increased address space. In fact, this little document will show you how you can hide 65,536 networks, each with up to 18,446,744,073,709,551,616 hosts, behind a single IPv4 address (IPv4 is the protocol used by the Internet today).

6to4 is a transitional scheme. It uses encapsulation, meaning that it "wraps" IPv6 packets inside of an IPv4 shell to move them between networks over the current Internet. During the transition to an IPv6 internet, encapsulation will have to be used to connect "islands" of IPv6 networks together across the vast ocean of IPv4. 6to4 is one such technique.

6to4 uses a special IPv6 prefix: 2002::/16. The IANA has set aside this address space just for 6to4. The 6to4 specification states that the 32 bits after 2002::/16 are the IPv4 address of the gateway machine for the network in question. This is how the packets know to find their way to your network -- the IPv4 address of your gateway is right in them! For example, if your gateway machine's IPv4 address is 192.168.2.199 (it obviously wouldn't be since that address is unroutable, but just for example), your IPv6 prefix would be 2002:c0a8:2c7::/48. Inside of that space, you have 80 bits of address space to do with as you please. Normally each subnet gets a /64 prefix (64 bits of host addressing), so that leaves 16 bits for numbering the networks within your site -- or 65,536 subnets.

To set up 6to4, you start with a machine that has both IPv4 and IPv6. I will use FreeBSD as an example, mostly because it's the one I know best. FreeBSD has a special pseudo-device that can be used to set up 6to4 called stf. Make sure you put pseudo-device stf in your kernel configuration. After you have a kernel set up for both IPv4 and IPv6, and you have stf0 available, and your IPv4 configuration is set up, add this to your rc.conf file:

ipv6_enable="YES"
ipv6_network_interfaces="auto"
ipv6_gateway_enable="YES"
ipv6_prefix_nn0="2002:xxxx:xxxx"
stf_interface_ipv4addr="xxx.xxx.xxx.xxx"

Replace the xs with your machine's IPv4 address, and nn0 with your interface's name.

This setup presumes you have a static IPv4 address. It is possible to use 6to4 with a dynamic address, but this means that your IPv6 prefix will change every time your IPv4 address does.

Having done this much, you can now exchange packets with anyone else using 6to4 anywhere on the net. But what about folks not using 6to4 - sites on the 6bone or in other IPv6 address spaces? To get to non-6to4 addresses, you need to use a relay router. That is a machine that is set up both for 6to4 and a connection to some other address space. If you set such a machine as your default route, it will pass your packets on to the rest of the IPv6 universe.

Add this line to your rc.conf file to specify your default route (its commented-out form is in /etc/default/rc.conf):

ipv6_defaultrouter="2002:c058:6301::"  # Use this for 6to4 (RFC 3068)

Next, you will want to set up a reverse-DNS zone for your 6to4 network. To do this, set up two name servers (a master and a slave) that serve the zone "0.0.0.0.h.g.f.e.d.c.b.a.2.0.0.2.ip6.arpa", where the letters a through h represent the hex digits of your 6to4 zone backwards (this assumes that you're not going to set up multiple networks behind your 6to4 gateway). That is, for the example above of 2002:c0a8:2c7, the reverse zone would be "0.0.0.0.7.c.2.0.8.a.0.c.2.0.0.2.ip6.arpa". The contents of this zone should be PTR records for your hosts just like an in-addr.arpa zone for IPv4, but the left-hand side should be the hex digits of the IPv6 address backwards, separated by dots. For example, the 6to4 host will have a ::1 suffix for the 6to4 interface, so a reverse DNS record would look like this:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0		PTR	6to4.example.com.

With that record inside the above zone, the full record would be

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.c.2.0.8.a.0.c.2.0.0.2.ip6.arpa.		PTR	6to4.example.com.

Lastly, you need to register this zone and its servers with the 6to4 reverse zone authority. Note that when you visit that site, you'll get an SSL certificate warning. This is normal. You need to visit this site using IPv6 from the actual 6to4 zone you're trying to register. Follow the form to set up the nameservers for the zone and that's it!
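
The prefix derivation (2002 followed by the gateway's IPv4 address) and the reverse-DNS naming described above, worked through in Python. This is an added example, not part of the original page; the function names are illustrative, and the address is the page's own 192.168.2.199 example.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # prefix set aside for 6to4

def sixtofour_prefix(gateway_v4):
    """2002:V4ADDR::/48 -- the gateway's 32-bit IPv4 address follows 2002."""
    v4 = int(ipaddress.IPv4Address(gateway_v4))
    base = int(SIXTOFOUR.network_address) | (v4 << 80)  # 128 - 16 - 32 = 80
    return ipaddress.IPv6Network((base, 48))

def subnet(prefix, subnet_id):
    """One of the 65,536 /64 subnets inside the /48 (16-bit subnet number)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet number must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))

def reverse_zone(net):
    """ip6.arpa zone for a prefix: its hex digits backwards, dot-separated."""
    if net.prefixlen % 4:
        raise ValueError("prefix length must fall on a hex-digit boundary")
    digits = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(digits)) + ".ip6.arpa"

def ptr_name(host, zone_net):
    """Return (left-hand side inside the zone, zone name) for a host's PTR."""
    addr = ipaddress.IPv6Address(host)
    if addr not in zone_net:
        raise ValueError(f"{addr} is not inside {zone_net}")
    zone = reverse_zone(zone_net)
    return addr.reverse_pointer[: -len(zone) - 1], zone

def embedded_gateway(host):
    """IPv4 gateway carried inside a 6to4 address, or None if not 2002::/16."""
    return ipaddress.IPv6Address(host).sixtofour

if __name__ == "__main__":
    prefix = sixtofour_prefix("192.168.2.199")   # the page's example gateway
    lan = subnet(prefix, 0)
    label, zone = ptr_name("2002:c0a8:2c7::1", lan)
    print(prefix, zone, sep="\n")
    print(f"{label}\tPTR\t6to4.example.com.")
    print(embedded_gateway("2002:c0a8:2c7::1"))
```
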