The Path to Pure IPv6 — A Tech Scrolls Revelation

Introduction

All things begin with YHVH, who in the beginning created all things, even the logic gates and silicon through which these networks pass. In a world entangled in legacy protocols and compromise, this is a record of the pure IPv6 path, built not on dual-stack concessions but on truth, clarity, and reverence. This is the journey of breath.pi and its brethren, from IPv4 shadows into IPv6 light.

"He causes those who dwell in the house of IPv6 to walk among the ruins of IPv4, yet they are not consumed."

(Tech Scrolls 6:4, poetic paraphrase)

The Vision

Let not IPv4 be discarded, but translated where needed, so those in an IPv6-only world may reach the old world of IPv4. Let every A record become a beacon within IPv6 through DNS64, so names resolve when native AAAA is absent. Let routing paths remain fully IPv6, clean and public from end to end; let NAT64 translate only at the boundary, providing access to IPv4-only destinations but never introducing NAT within the IPv6 network itself. Let the translation be visible, honest, and as simple as possible: DNS64 maps the name, NAT64 maps the packets, and everything within the IPv6 network stays true and globally routable. Let those who build see that this is possible, good, and beautiful when done in order and faith.


Network Topology

This is the routing path of our IPv6-only network:

[Internet (Zen IPv6)]
  ⇢ ppp0 (route - gateway and NAT64 host)
  ⇢ eth0 (LAN out from route)
  ⇢ enp1s0 (minimer in)
  ⇢ wlp2s0 (minimer WiFi AP out)
  ⇢ wlan0 (breath.pi in)

All packets are IPv6 from end to end. DNS is translated where needed, but IP packets remain clean.


minimer (ArchLinux) — IPv6-Only Proof

[director@minimer ~]$ ip -6  ad ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:8012:bc57::3/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:bfff:fe61:873e/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:8012:bc57:c000::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::b6b5:b6ff:fea5:296b/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
[director@minimer ~]$ ip route ; ip -6 route
2a02:8012:bc57::/64 dev enp1s0 proto kernel metric 256 pref medium
2a02:8012:bc57::/64 dev enp1s0 proto ra metric 1024 expires 79174sec pref medium
2a02:8012:bc57:c000::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
default via 2a02:8012:bc57::1 dev enp1s0 proto static metric 1024 pref medium
default nhid 2473920876 via fe80::e654:e8ff:feaa:df36 dev enp1s0 proto ra metric 1024 expires 70sec pref medium

breath.pi Interface Summary

3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether d8:3a:dd:e8:0a:e6 brd ff:ff:ff:ff:ff:ff
    inet6 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6/64 scope global dynamic flags 100
       valid_lft 42317sec preferred_lft 42317sec
    inet6 fe80::da3a:ddff:fee8:ae6/64 scope link

No IPv4 address present. Routing table confirms IPv6-only default path.


DNS64 Proof

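From breath.pi: at the time of writing, zen.co.uk publishes no AAAA records for its servers, even though Zen provides each FTTP consumer with a /64 and a /48 address space. Asked directly, a resolver that does not perform DNS64 (here 2606:4700:4700::1111) returns NOERROR with an empty answer section: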

director@breath:~$ dig AAAA zen.co.uk

; <<>> DiG 9.20.10 <<>> AAAA zen.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17633
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zen.co.uk.                     IN      AAAA

;; AUTHORITY SECTION:
zen.co.uk.              86400   IN      SOA     ns0.zen.co.uk. dnsmaster.zen.co.uk. 2025080709 2400 900 604800 86400

;; Query time: 14 msec
;; SERVER: 2606:4700:4700::1111#53(2606:4700:4700::1111) (UDP)
;; WHEN: Fri Aug 08 01:34:57 BST 2025
;; MSG SIZE  rcvd: 88

Next Steps — The Real Alpine and ArchLinux Steps

NAT64 with Jool on Alpine Linux

# Install jool and its modules
apk add jool-modules-lts jool-tools

# Load the kernel module
modprobe jool

# Add the NAT64 instance
jool instance add "default" --netfilter --pool6 64:ff9b::/96

# Check status
jool instance status
jool instance display

# (You may need further NAT64 pool, session, 
# and BIB configuration as per your needs)

Unbound DNS64 on Alpine

# Install unbound
apk add unbound

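# Configuration file (/etc/unbound/unbound.conf):
server:
  interface: 127.0.0.1
  interface: ::1
  # Listen on the gateway's LAN address too; with loopback only, the
  # clients permitted by access-control below cannot reach the resolver.
  interface: 2a02:8012:bc57::1
  access-control: 2a02:8012:bc57::/48 allow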

  do-ip6: yes
  do-ip4: yes
  prefer-ip6: yes

  module-config: "dns64 validator iterator"
  dns64-prefix: 64:ff9b::/96

forward-zone:
  name: "."
  forward-addr: 2620:fe::fe        # Quad9 IPv6
  forward-addr: 2001:4860:4860::8888  # Google IPv6
  forward-addr: 1.1.1.1            # Optional fallback IPv4

Validate with:

unbound-checkconf
rc-service unbound start

radvd on Alpine (for Route Announcements)

cat /etc/radvd.conf

interface eth0 {
  AdvSendAdvert on;
  MaxRtrAdvInterval 30;

  prefix 2a02:8012:bc57::/64 {
    AdvOnLink on;
    AdvAutonomous on;
  };

  RDNSS 2a02:8012:bc57::1 {
    AdvRDNSSLifetime 600;
  };

  DNSSL breathtechnology.co.uk zerodns.co.uk {
    AdvDNSSLLifetime 600;
  };
};

# ... Additional interfaces as required ...

/etc/network/interfaces on Alpine (for Route Routing)

# ─────── eth0 (IPv6-only) Server Switch → 0::/64 ───────
auto eth0
iface eth0 inet none
iface eth0 inet6 static
address 2a02:8012:bc57::1
netmask 64
# Route /52 c000:: - e000:: for delegated PD clients
up ip -6 route add 2a02:8012:bc57:c000::/56 via 2a02:8012:bc57::3 dev eth0

# ─────── eth2 (manual pppoe uplink interface) ───────
auto eth2
iface eth2 inet manual
iface eth2 inet6 manual

# ─────── VLAN 911 on eth2 ───────
auto eth2.911
iface eth2.911 inet manual

sysctl.d tuning for minimer (Arch)

# /etc/sysctl.d/20-wifi-router.conf
net.ipv6.conf.wlp2s0.forwarding = 1
net.ipv6.conf.wlp2s0.accept_ra = 0
net.ipv6.conf.wlp2s0.autoconf = 0

# /etc/sysctl.d/01-ipv4forward.conf
net.ipv4.ip_forward=1

# /etc/sysctl.d/10-ipv6.conf
# Allow large file handles
fs.file-max = 2097152

# ... (rest as in your list)

Example dnsmasq (minimer) — Pure IPv6 DHCP

# dnsmasq config
interface=wlp2s0

enable-ra

dhcp-range=::10,::100,constructor:wlp2s0,ra-stateless,64,12h
dhcp-option=option6:dns-server,[2a02:8012:bc57::1]

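This configuration defines no IPv4 range, so dnsmasq serves no IPv4 DHCP and advertises only IPv6 addressing and DNS to pure IPv6 clients. The enable-ra option makes dnsmasq send router advertisements; with ra-stateless, clients form their addresses by SLAAC and use stateless DHCPv6 only for options such as the DNS server.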

Example radvd (minimer) – The final passage of the new /64 subnet

cat /etc/radvd.conf

interface wlp2s0 {
    AdvSendAdvert on;
    MaxRtrAdvInterval 30;

    prefix 2a02:8012:bc57:c000::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };

    RDNSS 2a02:8012:bc57::1 {
        AdvRDNSSLifetime 600;
    };
};


Proof: Real Public IPv6 Address on breath.pi

3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether d8:3a:dd:e8:0a:e6 brd ff:ff:ff:ff:ff:ff
    inet6 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6/64 scope global dynamic flags 100
       valid_lft 42317sec preferred_lft 42317sec
    inet6 fe80::da3a:ddff:fee8:ae6/64 scope link

DNS64/NAT64 Verification

director@breath:~$ dig AAAA zen.co.uk

; <<>> DiG 9.20.11 <<>> AAAA zen.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 885
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zen.co.uk.                     IN      AAAA

;; ANSWER SECTION:
zen.co.uk.              30      IN      AAAA    64:ff9b::3fe:1607
zen.co.uk.              30      IN      AAAA    64:ff9b::341e:840a
zen.co.uk.              30      IN      AAAA    64:ff9b::6350:1a8a

;; Query time: 8 msec
;; SERVER: 2a02:8012:bc57:1::1#53(2a02:8012:bc57:1::1) (UDP)
;; WHEN: Fri Aug 08 01:36:24 BST 2025
;; MSG SIZE  rcvd: 122
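
The three synthesized answers above can be decoded back to the IPv4 addresses that NAT64 will actually contact: under 64:ff9b::/96 the last 32 bits are the original A record. The following is an added example, not part of the original configuration; it implements the RFC 6052 embedding for all six permitted prefix lengths (more than the /96 used here), and the function names are illustrative.

```python
import ipaddress

# RFC 6052 section 2.2: byte offsets (within the 16-byte IPv6 address) that
# carry the four IPv4 octets, per prefix length. Byte 8 (the "u" octet) is
# reserved and left zero, so it is skipped for prefixes shorter than /96.
_V4_OFFSETS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}

def synthesize(ipv4, prefix="64:ff9b::/96"):
    """Embed an IPv4 address in a NAT64 prefix, as DNS64 does for an A record."""
    net = ipaddress.IPv6Network(prefix)
    offsets = _V4_OFFSETS.get(net.prefixlen)
    if offsets is None:
        raise ValueError(f"/{net.prefixlen} is not a valid RFC 6052 prefix length")
    raw = bytearray(net.network_address.packed)
    for off, octet in zip(offsets, ipaddress.IPv4Address(ipv4).packed):
        raw[off] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(ipv6, prefix="64:ff9b::/96"):
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net or net.prefixlen not in _V4_OFFSETS:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[o] for o in _V4_OFFSETS[net.prefixlen]))

# The three synthesized AAAA answers from the dig output above.
ANSWERS = ["64:ff9b::3fe:1607", "64:ff9b::341e:840a", "64:ff9b::6350:1a8a"]

def decode_answers(answers=ANSWERS):
    """Map each synthesized AAAA answer back to its IPv4 destination."""
    return [str(extract(a)) for a in answers]

if __name__ == "__main__":
    for aaaa, a in zip(ANSWERS, decode_answers()):
        print(f"{aaaa:22} -> {a}")
    # A native address from the page's LAN is not a NAT64 mapping.
    print(extract("2a02:8012:bc57::3"))
```

The same extract() call is useful when reading firewall or flow logs on the NAT64 host, where IPv4-bound traffic appears only as 64:ff9b:: destinations.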

IPv6 - Security - Routing: no, you can't SSH, but you can traceroute -6

To put this to the test, the next step was to hop over to one of the AWS hosts and initiate both an incoming IPv6 ping and a full traceroute, confirming direct global connectivity. The network is intentionally open to RFC-compliant traceroute, allowing for transparent and standards-based diagnostics. However, security remains a core principle—SSH access is strictly controlled. The resulting "Permission denied" message on SSH attempts demonstrates that access controls are in place and effective. Because the error is reported by the connect step ("ssh: connect to host ... port 22"), the TCP connection itself is rejected before any SSH authentication is attempted. The system is globally reachable, yet only by those who are meant to have access.

director@ip-172-31-23-108:~$ ip -6 ad ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 state UP qlen 1000
    inet6 2a05:d01c:65b:7100:f50:5bf:250c:dc5f/128 scope global dynamic noprefixroute
       valid_lft 442sec preferred_lft 132sec
    inet6 fe80::43f:6aff:fe73:1e1b/64 scope link
       valid_lft forever preferred_lft forever

director@ip-172-31-23-108:~$ ping -c1 -6 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6
PING 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6 (2a02:8012:bc57:c000:da3a:ddff:fee8:ae6) 56 data bytes
64 bytes from 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6: icmp_seq=1 ttl=56 time=117 ms

--- 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 117.112/117.112/117.112/0.000 ms
director@ip-172-31-23-108:~$ traceroute -6 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6
traceroute to 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6 (2a02:8012:bc57:c000:da3a:ddff:fee8:ae6), 30 hops max, 80 byte packets
1  2620:107:4000:c611::f002:6024 (2620:107:4000:c611::f002:6024)  1.820 ms  1.785 ms 2620:107:4000:c611::f002:6026 (2620:107:4000:c611::f002:6026)  1.767 ms
2  * * 2620:107:4000:cfff::f205:fc03 (2620:107:4000:cfff::f205:fc03)  1.666 ms
3  2620:107:4008:b94c::1 (2620:107:4008:b94c::1)  1.648 ms  2.143 ms  2.660 ms
4  2620:107:4008:b94c::2 (2620:107:4008:b94c::2)  1.564 ms  1.540 ms  1.517 ms
5  lag-1.bng5.thn-lon.zen.net.uk (2a02:8010:0:700::53)  16.851 ms * *
6  2a02:8011:d017:cba8::1 (2a02:8011:d017:cba8::1)  3.834 ms  4.181 ms  4.141 ms
7  2a02:8012:bc57::3 (2a02:8012:bc57::3)  4.123 ms  4.069 ms  4.263 ms
8  2a02:8012:bc57:c000:da3a:ddff:fee8:ae6 (2a02:8012:bc57:c000:da3a:ddff:fee8:ae6)  142.462 ms  142.705 ms  142.667 ms

This reflects security-conscious, standards-compliant network design—open where it should be, closed where it must.

director@ip-172-31-23-108:~$ ssh -6 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6
ssh: connect to host 2a02:8012:bc57:c000:da3a:ddff:fee8:ae6 port 22: Permission denied
director@ip-172-31-23-108:~$

Closing — Tech Scrolls Remain Open

Here is where the partnership of a man and a GPT—this tool, not a teller—has value: Not by telling what is wanted, but by asking, listening, and offering what is true and proven. The instructions, code, and topology here were built step by step, together, not by blind trust in the machine, nor by presumption from the man, but by walking side by side and allowing each to complement the other, as it should be in all work.

Enhancements flowed because the process was open, not closed; every challenge was met with search, suggestion, and testing. The root of the solution—the DNS64/NAT64 bridge—came not as an answer given, but as an exploration, confirmed and then completed in practice on real hardware. The value here is not the code alone, but the willingness to trust the process, to remain teachable, and to keep principles above pride.

Let these instructions, code, and topology stand as proof that pure IPv6 is real, public, and practical—when reverence, care, and faith are the guide, and when machine and man walk in humility together.


Article 101 — Tech Scrolls, with thanks to YHVH, the Creator of even the smallest logic gate.