# Disable IPv6?



## ikevin8me (Jun 8, 2021)

Is it possible to complete disable IPv6?

I've tried on /etc/rc.conf:


> ipv6_enable="NO"
> ipv6_network_interfaces="none"


... and it seems that it is still active.


----------



## Menelkir (Jun 8, 2021)

Add this:

```
ipv6_activate_all_interfaces="NO"
```


----------



## ikevin8me (Jun 9, 2021)

Well, I just tried "ipv6_activate_all_interfaces" and it didn't work (ie. IPv6 is still activated).


----------



## PMc (Jun 9, 2021)

Some software seems to decide for ipv6 on their own behalf as long as the kernel has it available, so probably the radical solution is to build a custom kernel without.
(I for my part have given up on that and slowly consider approaches to move to ipv6.)


----------



## Deleted member 30996 (Jun 11, 2021)

I don't set up IPv6 during the installation but it still shows active. This stops it from doing anything:

/etc/pf.conf

```
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
```


----------



## smdb01us (Aug 5, 2021)

PMc said:


> Some software seems to decide for ipv6 on their own behalf as long as the kernel has it available, so probably the radical solution is to build a custom kernel without.
> (I for my part have given up on that and slowly consider approaches to move to ipv6.)


That makes sense. The only service that seems to enable IPv6 support on my system is ntpd and I can't figure out yet how to disable it to stop listening for IPv6... or "if" I can disable it at all:


```
netstat -6a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)   
udp6       0      0 fe80::1%lo0.ntp        *.*                   
udp6       0      0 localhost.ntp          *.*                   
udp6       0      0 *.ntp                  *.*
```

A bit annoying, actually.


----------



## astyle (Aug 5, 2021)

Why exactly would you need to disable IPv6? I'm curious about use cases, because I'm not that well-informed.


----------



## memreflect (Aug 5, 2021)

smdb01us said:


> That makes sense. The only service that seems to enable IPv6 support on my system is ntpd and I can't figure out yet how to disable it to stop listening for IPv6... or "if" I can disabled:
> 
> 
> ```
> ...


With output like that, IPv6 is not disabled, but it is effectively useless.

fe80::1 is the link-local address of the loopback interface (see lo(4)), so traffic isn't going anywhere over that interface.  If the existence of this link-local address still bothers you, ifconfig(8) indicates that you can disable automatic generation of IPv6 link-local addresses by setting the sysctl MIB `net.inet6.ip6.auto_linklocal` to 0.

If you add `-n` to the netstat command, you'll likely see that "localhost" resolves to ::1, which is not routable.  It's the IPv6 equivalent of the IPv4 range 127.0.0.0 - 127.255.255.255, except IPv6 only reserves this one address for the local host.  I'm not sure what generates this, so I don't know how to disable it, if it can be disabled.  If setting the sysctl MIB mentioned above to 0 did not work, I'd start looking at other sysctl MIBs.

It might be easier to rebuild the system from source with `WITHOUT_INET6` enabled in src.conf(5) than to figure out how exactly to completely disable IPv6.  Of course, then you would need to rebuild from source again when it's time to update, instead of relying on freebsd-update(8).


----------



## metsuke (Aug 5, 2021)

The following works for my needs to disable ipv6 in /etc/rc.conf:


> ip6addrctl_enable="NO"


----------



## smdb01us (Aug 6, 2021)

memreflect said:


> With output like that, IPv6 is not disabled, but it is effectively useless.
> 
> fe80::1 is the link-local address of the loopback interface (see lo(4)), so traffic isn't going anywhere over that interface.  If the existence of this link-local address still bothers you, ifconfig(8) indicates that you can disable automatic generation of IPv6 link-local addresses by setting the sysctl MIB `net.inet6.ip6.auto_linklocal` to 0.
> 
> ...


Great information, thank you!


----------



## smdb01us (Aug 6, 2021)

astyle said:


> Why exactly would you need to disable IPv6? I'm curious about use cases, because I'm not that well-informed.


Eh, nothing more than I don't have use for it so what have it enabled? The way I see it is one more thing that could go wrong or cause a problem


----------



## astyle (Aug 6, 2021)

smdb01us said:


> Eh, nothing more than I don't have use for it so what have it enabled? The way I see it is one more thing that could go wrong or cause a problem


Y'know, IPv6 and IPv4 are different things that don't get in each other's way.... The worst thing that can happen - you specify a URL on your end, only to discover that the other end is IPv6-only. An empty response would be a sign that you might want to specify a different URL.  I'd suggest keeping things simple. Besides, IPv6 is becoming more common than you'd think - so it's a good thing to have handy.


----------



## PMc (Aug 6, 2021)

astyle said:


> Why exactly would you need to disable IPv6? I'm curious about use cases, because I'm not that well-informed.


Well, I was just hit by one tonight. 
If you have IPv6 enabled, but not working (i.e. there is no v6 address on the outbound interface, or you just don't have public v6 addresses yet), then during recursion the nameserver will create lots of INET6 queries that fail, and will eventually hit this error:
`named[5623]: resolver: debug 3: exceeded max queries [...](querycount=101, maxqueries=100)`
The official recommendation to disable the bogus queries leads just into another intermittent error, also related to IPv6, which is currently unexplained.
Then, with named, you would have a `-4` cmdline switch that should disable v6 just for named. But then there may be other issues with other programs. So, I think there likely is a usecase.


----------



## PMc (Aug 6, 2021)

memreflect said:


> fe80::1 is the link-local address of the loopback interface (see lo(4)), so traffic isn't going anywhere over that interface.  If the existence of this link-local address still bothers you, ifconfig(8) indicates that you can disable automatic generation of IPv6 link-local addresses by setting the sysctl MIB `net.inet6.ip6.auto_linklocal` to 0.


This does work for all interfaces except lo0.


----------

