This text is inspired by https://labs.ripe.net/Members/mirjam/ipv6-only-at-microsoft
The idea was to use Windows 10 for this test, but after the Windows 10 Anniversary Update, which breaks DHCPv6 in Windows 10, you have to stay with macOS Sierra 10.12.3.
None of the names or addresses shown are from my real setup.
Here is my setup. I created an IPv6-only network with NAT64/DNS64 enabled. I use an internal DNS/DNS64 resolver as the forwarder in my FortiGate so I can resolve our Active Directory and other internal resources.
I'm using both SLAAC and DHCPv6, in case some equipment can't get an address from DHCPv6, and the O flag so that DNS is handed out via DHCPv6.
config system interface
    edit "ipv6-only"
        config ipv6
            set ip6-address 2001:db8:101::1/64
            set ip6-send-adv enable          <- enable RA
            set ip6-manage-flag enable       <- enable M flag
            set ip6-other-flag enable        <- enable O flag
            config ip6-prefix-list
                edit 2001:db8:101::/64
                    set autonomous-flag enable   <- enable SLAAC
                    set onlink-flag enable
                next
            end
        end
    next
end
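To see what the RA settings above (M flag, O flag, autonomous and on-link flags, and the DNS server the hosts learn) actually look like on the wire, here is an added Python example that is not part of the original post: a small parser for the ICMPv6 Router Advertisement payload, fed with a constructed RA that mirrors the configuration above. Feed it the ICMPv6 payload bytes of a captured RA (for example from tcpdump) to check that a router is advertising the flags you configured. The sample packet, its lifetimes and the function names are my own constructions.

```python
import struct
import ipaddress

# ICMPv6 Router Advertisement (RFC 4861) and the two options we care about.
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25  # Recursive DNS Server option, RFC 8106


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement.

    Returns the M/O flags from the RA header plus every Prefix Information
    option (with its L/A flags) and every RDNSS option found.
    """
    if len(payload) < 16:
        raise ValueError("too short for an RA header")
    icmp_type, code, _csum, _hop_limit, flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & 0x80),  # M flag: get addresses from DHCPv6
        "other": bool(flags & 0x40),    # O flag: get other info (DNS, ...) from DHCPv6
        "router_lifetime": router_lifetime,
        "prefixes": [],
        "rdnss": [],
    }
    offset = 16
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0")  # RFC 4861: such packets must be discarded
        opt = payload[offset:offset + opt_len * 8]
        if len(opt) != opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "onlink": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: SLAAC allowed on this prefix
                "valid": valid,
                "preferred": preferred,
            })
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            lifetime = struct.unpack("!I", opt[4:8])[0]
            servers = [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(8, len(opt), 16)]
            ra["rdnss"].append({"lifetime": lifetime, "servers": servers})
        # Unknown options are skipped, as RFC 4861 requires.
        offset += opt_len * 8
    return ra


def address_sources(ra: dict) -> list:
    """Which address-configuration mechanisms this RA offers to hosts."""
    sources = []
    if any(p["autonomous"] for p in ra["prefixes"]):
        sources.append("SLAAC")
    if ra["managed"]:
        sources.append("DHCPv6")
    return sources


def build_sample_ra() -> bytes:
    """Constructed RA matching the interface config: M=1, O=1, prefix
    2001:db8:101::/64 with A and L set, RDNSS 2001:db8:101::1.
    The checksum is left as zero; on the wire it covers the IPv6 pseudo-header."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64,
                         0x80 | 0x40, 1800, 0, 0)
    prefix_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, 64, 0x80 | 0x40,
                             2592000, 604800, 0) + ipaddress.IPv6Address("2001:db8:101::").packed
    rdnss_opt = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + \
        ipaddress.IPv6Address("2001:db8:101::1").packed
    return header + prefix_opt + rdnss_opt


if __name__ == "__main__":
    parsed = parse_router_advertisement(build_sample_ra())
    print(parsed)
    print("address sources:", address_sources(parsed))
```

With the sample packet the parser reports both flags set, the /64 with A and L set, and the DNS server from the RDNSS option, so `address_sources` returns both SLAAC and DHCPv6, which is exactly the dual setup described above. Note that the DNS server the FortiGate hands out via DHCPv6 (`dns-server1` below) is a separate channel from an RDNSS option in the RA; a host following the O flag will use the DHCPv6 value.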
Local DHCPv6 server
config system dhcp6 server
    edit 1
        set domain "our.ad.name"
        set subnet 2001:db8:101::/64
        set interface "ipv6-only"
        config ip-range
            edit 1
                set start-ip 2001:db8:101::8
                set end-ip 2001:db8:101::ff
            next
        end
        set dns-server1 2001:db8:101::1
    next
end
Set up FortiGate system DNS
config system dns
    set primary 192.168.100.2
    set ip6-primary 2001:db8:100::2
end
`set always-synthesize-aaaa-record disable` is important if you want to use native IPv6 where it exists. If it is left enabled, all AAAA answers will be synthesized with the NAT64 prefix 64:ff9b::, even for hosts that already have native IPv6.
config system nat64
    set status enable
    set always-synthesize-aaaa-record disable
end
Enable the DNS resolver with DNS64 on the IPv6-only interface
config system dns-server
    edit "ipv6-only"
        set mode forward-only
    next
end
After this setup I also had to create IPv6 and NAT64 firewall policies; those are not included in this example.
First impression is that it works great, and it's only my printer in the normal office network that doesn't work. Bonjour across L3 isn't the greatest thing :) (can be fixed with some DNS magic).
But everything else works great as long as there is a DNS RR for the things I connect to. I can map disks on our server as normal, and RDP, http/https, SSH, Telnet (ouch!! :) ), Office 365 things, App Store, Google things, Twitter, TeamViewer and Swedish newspapers work as normal; some services are IPv4 only and some are dual stacked.
The only thing that is messy is hosts that don't have a DNS RR, but I can solve that with https://[64:ff9b::192.0.2.2], and those are mostly failures by me or other staff at Interlan.
So what are you waiting for? Remove IPv4 in your office now and do native IPv6 and NAT64!
More IPv6 stuff
Test if your or another web server works OK with IPv6: https://ipv6alizer.se/
Test if your web site works OK with NAT64: https://nat64check.go6lab.si/v6score/
More to read about IPv6: https://dnssecandipv6.se