Last updated: 2016/02/25

Changes since 2014/12/11:

HOWTO: Statically Configure a Linux network with AT&T Uverse (w/IPv6).

1. Introduction
This document was written for those who have AT&T Uverse (works for both IP-DSL and also VDSL) and specifically want to set up their network under Linux. More specifically, if you want to statically assign your IPs - especially IPv6 - and you run SysV based Linux distributions, then this is for you.

2. The Residential Gateway

Unfortunately, unless you have a static block of IPs, you'll be relying on NAT, at least if you have more than one machine. However, you can give your public IP to a single machine and assign it manually via IP Passthrough mode. The other machines can get their addresses either by DHCP from the Residential Gateway (RG) or statically through each system's own network configuration.

If you do have a static IP block, however, then you obviously don't have to worry about this. I would be quite surprised if you have a static IP block and don't know how to set it up. So to that end, I'll just remark that it is the same set up except you don't have to worry about the extra configurations (by all means you can set up your server to take the regular Uverse IP but it is up to you; you could just assign your machines a static IP from your block and not worry about the below, being the passthrough mode). As for IPv6 and your static IP block:

As far as I am aware, AT&T only gives you an IPv6 block for your dynamically-assigned IP. I don't know if there is a way around this (or if I am mistaken). You still have the other benefits of a static IP block, however.

Now, if you look around on various forums, blogs, etc., it seems everyone says to use DHCPS-fixed and enter the MAC address (that's the hardware address) of the interface to assign the address to. In fairness, they might have a slightly different goal, or the firmware or revision of their RG might be different, but as of July 2012 (which is when I started to write this) I am using manual mode and am therefore directly assigning the IP address(es) to the NIC (network interface card) on my server.

One might ask what the real difference is in the end. It's true that should I need to replace the network card I could always spoof the old MAC address onto the new card, and it is also true that the end result is the same. What I don't like is for static and static-like configurations to rely on anything like that. A static configuration is, after all, meant to stay the same. True, the IP of a single-IP Uverse account can change, but many say (and I've witnessed this too) that it only changes if you change the RG itself. Further, since it's possible to have them unblock (i.e. allow) outbound port 25 on your account, which is primarily used by mail servers, I can only think that they intend it not to change that often. And when it does, you only have to update your system (and any reference to the IP). There is an alternative approach which can simplify it in some ways, but that's for another discussion, and it relies more on the travesty known as NAT (network address translation). I know some think of it as a security solution, but it is unfortunately anything but a security solution. If you want the effect that NAT seems to offer security-wise, then get a firewall with both ingress and egress filtering (and much more). The truth is NAT is why we're not all on IPv6, and it's also a way ISPs can charge more for a block of IPs (they have the IPs but they conserve them by dynamic assignment and NAT).

But back to the forums and other web pages that show how to do all this. They also say something I really don't like: they say to disable IPv6 (reason: it supposedly does not work). But, if it does not I would say it is down to the other hardware or a configuration problem, because it works fine here. And it also works without having to use router advertisements; indeed, you can statically assign IPv6 IPs to your systems too.

2.1. Information You'll Need

I'm assuming that Uverse is already working and you can log in to your RG. If not, I'll say that for some parts you will need the key on the RG itself (and you can change that if you look around in the RG configuration pages). Otherwise, you just use a web browser and go to the address http://192.168.1.254.

A few pages of interest :

* Broadband

This page has general information about your Uverse profile. You need to find two values on this page under the Broadband Status section.

  1. Broadband IPv4 Address
  2. Gateway IPv4 Address

The first is the IP you will assign to your server (or whichever machine you want it to be assigned to). The second is important if you want to communicate with the outside network of networks known as "The Internet".

* Home Network

This page has information about your network. You need to find two values on this page under the IPv6 section.

  1. Global IPv6 Address
  2. Router Advertisement Prefix

The first is actually your IPv6 default gateway (however you do not need the /64 part). The second is the prefix of your IPv6 block of addresses. The number you see after the slash in an IPv6 address is how many bits are available for the network part of the address. Keep in mind that binary is powers of 2 and so 1 bit allows for 2 addresses but 2 allows for 4 addresses. Also keep in mind that an IPv6 IP address is composed of 128 bits. That means the address 2001:db8:aaaa:bbbb:cccc:dddd::/128 allows for no other host addresses because all 128 bits are used up. The address 2001:db8:aaaa:bbbb:cccc:dddd::/127 allows for two hosts: 2001:db8:aaaa:bbbb:cccc:dddd:0000:0000/128 and 2001:db8:aaaa:bbbb:cccc:dddd:0000:0001/128 (equivalent to 2001:db8:aaaa:bbbb:cccc:dddd::/128 and 2001:db8:aaaa:bbbb:cccc:dddd::1/128).

2.2. Other Residential Gateway Settings

Now, you need to do one or two more things, depending on what your goal is. The first is to enable IP Passthrough mode. Note that you will have to restart the router after this, which means you'll have to reconnect, and if you want to change some settings you'll have to use that key (or whatever you changed it to) to log in to the router. So you may prefer to do this step second. To do it, click on the Firewall tab in the top menu and then click on IP Passthrough. Set allocation mode to passthrough, set passthrough mode to manual, and click save. You'll then be prompted to reboot the router; again, you can do that before or after the next step.

The other step is changing firewall settings. I would say only do this IF you know what you're doing and you also are implementing it on the machine that gets the default IP. And as a matter of fact, it won't really hurt to keep the settings the same, EXCEPT for one. That one is something that will cause a problem with incoming SYN requests (i.e. first part of establishing a connection) via IPv6. To do this, click on the Firewall tab at the top of the browser and then click on Firewall Advanced. If you want incoming IPv6 connection attempts and you are properly configured and secured, then Reflexive ACL should be set to "Off". (Alternatively you can keep it on and then set up additional rules in the firewall sections in the RG. I leave that up to you. The main point is to accept connections that are valid and otherwise drop them).

Now, unless you disable routing on the residential gateway (which we're not doing, and I'm not even sure it is possible), you'll need to use internal IPs. The address of the RG is 192.168.1.254, and therefore your clients will use that as their default gateway for IPv4. You can then either use DHCP or assign the addresses statically. I'm not going to discuss DHCP, but it isn't much different; I don't have enough machines to care about it, and given that I'm also talking about servers I assume you have at least one machine that is not assigned by DHCP.

3. IP Address Configuration

Per RFC 5737 and RFC 3849 I will use the following IPs for documentation purposes:

  1. Broadband IPv4 Address - 192.0.2.1
  2. Gateway IPv4 Address - 192.0.2.0
  3. Global IPv6 Address - 2001:db8:aaaa:bbbb:cccc:dddd::
  4. Router Advertisement Prefix - 2001:db8:aaaa:bbbb::/64

In addition you will need to choose an IPv6 IP in the router advertisement block. I will assume that you use the IP 2001:db8:aaaa:bbbb:cccc:dddd::1/128 for your main IPv6 IP.
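The prefix-length rule from section 2.1 can be checked mechanically before an address is configured. This is an added example, not part of the original HOWTO; the function names `expand6` and `in_prefix` are made up for it, and it assumes addresses written as plain hex groups.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.

# expand6 ADDR: print ADDR as 32 lowercase hex digits, or fail.
# Assumes plain hex groups (no zone index, no embedded dotted IPv4).
expand6() {
  awk -v a="$1" '
  function pad(g) {                      # left-pad one group to 4 digits
    if (length(g) < 1 || length(g) > 4) return "x"
    return substr("0000" g, length(g) + 1)
  }
  BEGIN {
    a = tolower(a)
    n = split(a, side, "::")
    if (n < 1 || n > 2) exit 1           # empty input, or more than one "::"
    nl = (side[1] == "") ? 0 : split(side[1], l, ":")
    nr = (n < 2 || side[2] == "") ? 0 : split(side[2], r, ":")
    if (n == 1 && nl != 8) exit 1        # without "::" all 8 groups are needed
    if (n == 2 && nl + nr > 7) exit 1    # "::" stands for at least one group
    for (i = 1; i <= nl; i++) out = out pad(l[i])
    for (i = nl + nr; i < 8; i++) out = out "0000"
    for (i = 1; i <= nr; i++) out = out pad(r[i])
    if (out !~ /^[0-9a-f]+$/ || length(out) != 32) exit 1
    print out
  }'
}

# in_prefix ADDR PREFIX/LEN: exit 0 if inside, 1 if outside, 2 on bad input.
in_prefix() {
  len=${2#*/}; net=${2%/*}
  a=$(expand6 "$1") && p=$(expand6 "$net") || return 2
  awk -v a="$a" -v p="$p" -v len="$len" 'BEGIN {
    if (len !~ /^[0-9]+$/ || len > 128) exit 2
    full = int(len / 4); rest = len % 4  # whole hex digits, leftover bits
    if (substr(a, 1, full) != substr(p, 1, full)) exit 1
    if (rest == 0) exit 0
    div = 2 ^ (4 - rest)                 # keep only the top bits of the digit
    da = index("0123456789abcdef", substr(a, full + 1, 1)) - 1
    dp = index("0123456789abcdef", substr(p, full + 1, 1)) - 1
    exit (int(da / div) != int(dp / div))
  }'
}

# The documentation addresses used in this HOWTO:
if in_prefix 2001:db8:aaaa:bbbb:cccc:dddd::1 2001:db8:aaaa:bbbb::/64; then
  echo "address is inside the advertised /64"
else
  echo "address is NOT inside the advertised /64" >&2
fi
```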

For both setup methods, command line and initscripts, I will assume your network interface is eth0.

3.1. Command Line

The # is your prompt (I hope you knew that; if not, maybe you shouldn't be doing this and you should get help from someone else who does know a bit more. Feel free however, to read along if you like). The lines I start with an asterisk (*) are remarks of mine.

First we make sure the ipv6 module is loaded (it won't hurt to try to load it if it is already loaded). Then we need to add the address to your interface. I will assume eth0 is your network interface; substitute as appropriate. Last we add the default route and then test. The -6 says that we are dealing with the inet6 family. It's not usually required. I tend to do it generally though, especially if I want only IPv6 info. In this case it can be skipped but I'm including it for completeness (this is the same as the parameter '-f inet6'). This is how we do all that :

* Load the IPv6 module (if not already loaded) :
# /sbin/modprobe ipv6
* Add the IP address to the interface:
# /sbin/ip -6 addr add 2001:db8:aaaa:bbbb:cccc:dddd::1/128 dev eth0
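* Now add a route to the gateway address (your Global IPv6 Address) through the interface:
# /sbin/ip route add 2001:db8:aaaa:bbbb:cccc:dddd:: dev eth0
* Lastly, add the default route via that gateway:
# /sbin/ip -6 route add default via 2001:db8:aaaa:bbbb:cccc:dddd:: dev eth0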

You should now have access to the IPv6 Internet. Try ping6 on a global scope IPv6 IP address (keep in mind the section Security/Firewalling though - you may have it blocked by default currently, in which case ping6 might not work). An example host to ping6: the IPv6 tunnel broker and in particular their end of the tunnel.

3.2. Initscripts

If you want the above to stay after a reboot, then you'll also want to follow the instructions in this section. You'll probably also want to restart the network afterwards, in order to make sure things look the same (will elaborate on this later).

There are a few files you need to configure. The files and additions are (do NOT replace the files that exist; only update them accordingly! If you do not have a file then you will need to create it.):

# Begin /etc/sysconfig/network
NETWORKING_IPV6=yes
IPV6_DEFAULTGW=2001:db8:aaaa:bbbb:cccc:dddd::
# If you want to act as a router, uncomment next line:
# IPV6FORWARDING="yes"
# End /etc/sysconfig/network

The above enables IPv6, specifies the default gateway and (optionally) enables IP forwarding. The forwarding-related line is ONLY needed if you want to act as a router, e.g. you have other hosts that will connect through the machine to access IPv6. I should point out this is a nice way to solve the problem of modems or routers that are NOT IPv6 enabled. You disable routing on the router or modem/router and then set your machines' default gateway to the server's IP, and let the server do the routing.

# Begin of /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=yes
IPV6ADDR=2001:db8:aaaa:bbbb:cccc:dddd::1
# If you want, uncomment next line:
# IPV6_DEFAULTDEV="sit1"
# End of /etc/sysconfig/network-scripts/ifcfg-eth0

To test that this all works okay, you simply type in the following command at the root prompt (# is prompt) :

# /sbin/service network restart

If all is good (ip -6 addr ls and ip -6 route ls both show up the correct information, for example), you can move on to the Security/Firewalling section of this document.

4. Security/Firewalling

Obviously, like all things humans create, there are going to be some problems. IPv6 is certainly no different, and there WILL be issues. Therefore, firewalls are STILL relevant. The addressing scheme changes only one thing with respect to firewalls: the address and headers (the underlying protocols, essentially). Sure, with a larger address range it will take much more time to scan for vulnerable machines, but to just take that as "I don't need a firewall" is foolish and is in many respects relying on security through obscurity: hiding something or hiding behind something, does not mean you aren't vulnerable - temporarily or indefinitely; it simply means you aren't vulnerable or known to be vulnerable for the time being!

Therefore, you DO need to keep security in mind. The questions you must ask yourself are these (certainly not only these, but these are some):

  1. Do I run any IPv6 services? Are you 100% sure?
  2. Am I connected to the IPv6 Internet?
  3. What would happen if I don't take precautions and do get compromised?

To give you an idea of what or why these are important, read the following answers.

  1. Even if you didn't configure a service to run as IPv6 specifically, you should keep in mind that certain programs bind to ALL interfaces and ALL addresses. Therefore, you MAY very well have IPv6 services. When you then reboot or restart the service after you gain IPv6 access, you could be exposing a private service that may otherwise not be visible!
  2. Well, you're reading this document, so I assume your goal is to be connected. Security is the responsibility of all netizens, and therefore you SHOULD firewall your system.
  3. This is of course more of a rhetorical question, but it's something that I believe many don't think of. Think of legal liabilities, loss of income for your company, whatever it may be: protect your network!
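To answer question 1 with data rather than memory, the kernel's own socket table can be read. This is an added example, not part of the original HOWTO: the function names are made up for it, and the sample table is constructed in the layout of /proc/net/tcp6.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.

# ipv6_listeners: read /proc/net/tcp6-format text on stdin and print
# "PORT SCOPE" for every socket in LISTEN state, sorted by port.
# Addresses are 32-bit words in host byte order (little-endian in the sample).
ipv6_listeners() {
  awk '
  function hex2dec(h,    i, v) {
    v = 0
    for (i = 1; i <= length(h); i++)
      v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
    return v
  }
  $4 == "0A" {                           # st column: 0A means LISTEN
    split($2, la, ":")                   # la[1] = address, la[2] = port (hex)
    if (la[1] ~ /^0+$/)                                  scope = "all-addresses"
    else if (la[1] ~ /^0+01000000$/ || la[1] ~ /^0+1$/)  scope = "loopback"
    else                                                 scope = "one-address"
    print hex2dec(la[2]), scope
  }' | sort -n
}

# exposed_ports: listeners reachable from other hosts unless a firewall
# says otherwise (everything that is not bound to ::1 only).
exposed_ports() {
  ipv6_listeners | awk '$2 != "loopback" { print $1 }'
}

# Constructed sample (trailing columns omitted): sshd on [::]:22, a database
# on [::1]:5432, a web server on [2001:db8:aaaa:bbbb:cccc:dddd::1]:443, and
# one ESTABLISHED (01) connection that must not be reported.
sample_tcp6() {
  cat <<'EOF'
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:1538 00000000000000000000000000000000:0000 0A
   2: B80D0120BBBBAAAADDDDCCCC01000000:01BB 00000000000000000000000000000000:0000 0A
   3: B80D0120BBBBAAAADDDDCCCC01000000:0016 B80D0120BBBBAAAA0000000005000000:C350 01
EOF
}

sample_tcp6 | ipv6_listeners   # on a live host: ipv6_listeners < /proc/net/tcp6
```

Every port that `exposed_ports` prints needs either an explicit firewall rule or a change to the service's bind address.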

Other than that I can only urge you to learn iptables, ip6tables and firewalling in general. And learn it well - it is your network, after all.
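As a starting point for that learning, here is a minimal host ruleset that accepts valid connections and drops the rest, which is what the host must do itself once Reflexive ACL is "Off" on the RG. It is an added example, not part of the original HOWTO; the function name and the choice of ports 22 and 25 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.

# emit_ip6_rules PORT...: print a ruleset in ip6tables-restore format that
# drops inbound traffic by default and admits new TCP connections only on
# the listed ports. OUTPUT stays open here; add egress rules to suit.
emit_ip6_rules() {
  for port in "$@"; do                   # validate before printing anything
    case $port in
      ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
      echo "bad port: $port" >&2; return 1
    fi
  done
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # ICMPv6 that IPv6 depends on: destination unreachable (1), packet too
  # big (2), time exceeded (3), parameter problem (4), echo request (128).
  for t in 1 2 3 4 128; do
    echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
  done
  # Neighbor discovery (133-136) is link-local only: require hop limit 255.
  for t in 133 134 135 136; do
    echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
  done
  for port in "$@"; do
    echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo COMMIT
}

# Sample choice of ports (assumption): SSH and SMTP.
emit_ip6_rules 22 25
```

The output can be checked with `ip6tables-restore --test` before it is loaded for real.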

For more information about firewalls, see the many documents out there on the Internet, possibly even the Linux firewall howto at the Linux Document Project.

5. Troubleshooting

So what if you have any trouble after this set up? Well, I have not run into any, except one. Actually two, depending on the scope. The first is one I documented in the IPv6 Tunnels document from some time ago, and the second is more specific to Uverse and the RG sometimes failing (simply restart the gateway and it should be resolved).

Otherwise, if it is the problem described below, there is a simple solution.

5.1. Specific Websites Stop Responding

The problem is this: what happens if a web site (for example) has their primary domain resolving to their IPv6 IP, but somehow forgot to set up the web server, or is just having trouble with their IPv6 interface? You can contact them so they can fix it. But if it's a known problem with them, there is a solution. Say, for instance, you want to prevent https://xexyl.net from resolving to IPv6. In Firefox, it's easy. There are other ways too, of course, but this is a simple one and a nice way to test whether that is indeed the problem. Go to the following location (so the place where you'd type a URL in):

about:config

I'm sure you know about it. Now, click on the silly little disclaimer confirm button they have, and then select the filter option (text box). Type 'dns' (w/o quotes) into that text box. You should see the following key: network.dns.ipv4OnlyDomains

So, if you wanted to prevent xexyl.net from resolving via IPv6, simply put in (the value portion of the above key):

xexyl.net

If you wanted to stop xexyl.net and xexyl.com from resolving via IPv6, you can do:

xexyl.net,xexyl.com

(In other words, it's a comma separated list of domains to not use IPv6 for).

6. References

See the following files related to IPv6 in /usr/share/doc/initscripts-*/

  1. static-routes-ipv6
  2. sysconfig.txt

File #1 explains how to assign a static route for IPv6.
File #2 has information about /etc/sysconfig/ in general - more than just networking.

This will provide different views and other information, too. There are many sites out there with a lot of information on them these days. See also the Linux Document Project as well as the TCP/IP guide (has information on IPv6) at http://www.tcpipguide.com/

One last thing to remember is that there is much more to configuring the network interfaces, services and everything in between.