Setup IPv6 reachability

Global availability is planned for H1/2026. This feature is not usable, yet.

To setup IPv6 reachabiliy you need to follow several steps:

1. Calculate the IPv6 address of your resource
2. Add an AAAA entry for your resource (optional)
3. Configure your firewall
4. Configure your resources

Prerequisites

• You have a STACKIT customer account: Create a customer Account
• You have a STACKIT user account: Create a user account
• You have a STACKIT project: Create a project
• You have a resource, that is reachable via IPv4
• You have access to the DNS management of your domain (optional)

Calculate the IPv6 address of your resource

Your IPv6 address is not assigned randomly. It is calculated automatically from your existing IPv4 Public IP and the global STACKIT NAT64 prefix (see Network Parameters). The procedure follows the RFC 6052 standard.

The following parameters apply per region. Use the STACKIT NAT64 prefix to calculate your IPv6 address and the NAT Pool IPv4 to identify incoming traffic in your firewalls or logs.

Region	NAT64 Prefix (IPv6)	NAT Pool IPv4
EU01	2a05:d014:0:64::/96	198.51.100.0/24

Traffic from IPv6 clients will reach your server with a source IP from the NAT Pool IPv4. Ensure your firewalls allow this range.

1. Identify the NAT64 prefix for your Region (example for EU01: 2a05:d014:0:64::/96).
2. Take your IPv4 Public IP (example for EU01: 192.0.2.123).
3. Convert each of the four number blocks into a two-digit hexadecimal number:

   192 → C0
   0 → 00
   2 → 02
   123 → 7B

4. Append these hexadecimal values to the NAT64 prefix. Result for EU01: 2a05:d014:0:64::C000:027B

If you use Linux or macOS, you can calculate the address directly in the terminal:

printf "2a05:d014:0:64::%02x%02x:%02x%02x\n" 192 0 2 123

Add an AAAA entry for your resource (optional)

To allow IPv6 clients to reach your service by a their domain name, you must create an AAAA record in your DNS zone.

1. Open the DNS management for your domain (for example: STACKIT DNS or an external provider).
2. Create a new record of type AAAA.
3. Enter the IPv6 address calculated above as the value (for example: 2a05:d014:0:64::C000:027B).

If you use STACKIT’s DNS, consult Manage DNS records to add a new AAAA record to your zone.

Configure your firewall

You need to adapt some firewall settings to use IPv6 properly.

Security Groups and access control

Incoming traffic originates from the internal IPv4 addresses of the NAT gateway, not directly from the client’s public IPv6 address. Consequently, you cannot use STACKIT Security Groups to filter traffic based on specific IPv6 client IPs.

• Ensure your rules allow traffic from the gateway’s internal IPv4 range (see Network Parameters).
• To restrict access to specific clients, you must enforce rules at the application level (for example, using a Web Application Firewall) or by evaluating the PROXY protocol.
• If you do not wish to have IPv6 access, please block the corresponding IP’s from the NAT64 gateway.

Do not block these gateway IPs in your firewalls or application logic. Blocking a pool address will interrupt access for a large number of legitimate connections, if an AAAA record is configured in the DNS. This should only be considered if you want to actively deny all IPv6 traffic to your STACKIT IPv4 public IP.

Firewall settings and MTU

The IPv6 protocol requires correct handling of packet sizes (MTU). If packets are too large, routers must be able to send an ICMPv6 message (“Packet Too Big”) back to the sender.

• Do not block ICMPv6, as this can lead to connection drops during larger data transfers (known as “Black Hole Routing”).

Configure your resources

Since the gateway performs protocol translation, there are specifics you should consider when configuring your servers and firewalls.

Client IP visibility (source NAT)

Due to the protocol translation, your servers do not see the original IPv6 address of the client as the sender, but an IPv4 address from the SNAT pool of the gateway. The gateway acts as a proxy and performs a translation. This means that multiple external IPv6 simultaneously clients share a number of IPv4 addresses from the gateway’s pool.

To obtain the real client IP, use the following methods:

• For HTTP/HTTPS: The gateway automatically adds the X-Forwarded-For header. Configure your web server (for example: Nginx or Apache) to evaluate this header.
• For TCP services: Use the PROXY protocol. Enable this in your application (for example: HAProxy or Dovecot) to receive connection information directly in the TCP payload.

Connection timeouts (idle timeout)

Since the gateway works statefully, connection information is stored in a session table. If no data flows for a longer period, the entry is removed from the session table to free up resources. This leads to a connection drop.

The idle timeout for inactive connections is 300 seconds for TCP and 60 seconds for UDP.

For long-running connections (such as SSH, database queries, or WebSockets), configure TCP Keepalives in your application or OS settings to keep the session active.