Bridging IPv4 and IPv6: Native Connectivity for Modern ISP Networks
How SonicOS 8 Handles DS-Lite, v6plus, DHCPv6 Prefix Delegation, and Configurable Interface Identifiers
The IPv6 Transition Problem Nobody Talks About
Most conversations about IPv6 focus on the destination: a fully IPv6 internet where every device has a globally routable address. The operational reality is more complicated.
ISPs that have exhausted their IPv4 address allocation are deploying IPv6-primary access networks now, where the WAN connection to the customer is IPv6-only. The problem this creates is immediate: customers still need to reach the IPv4 internet. Enterprise applications, SaaS (Software as a Service) platforms, cloud services, and a large portion of global web infrastructure remain IPv4-dependent.
The solution is a class of protocols called IPv4-over-IPv6 transition mechanisms. Rather than running parallel networks, these protocols tunnel IPv4 traffic through the IPv6 access network and handle address translation at the ISP edge. SonicOS 8 adds native support for the mechanisms most commonly deployed by service providers today.
SonicOS 8 supports DS-Lite, the "v6plus" Static IP Address Service (Japan), DHCPv6 Prefix Delegation, and a configurable Interface Identifier natively. No additional CPE hardware is required between the ISP modem and the SonicWall firewall.
| SonicOS 8 supports DS-Lite, the "v6plus" Static IP Address Service (Japan), DHCPv6 Prefix Delegation, and a configurable Interface Identifier natively. No additional CPE hardware is required between the ISP modem and the SonicWall firewall. |
"v6plus" Static IP Address Service: Automatic Prefix Update
The Operational Challenge
The "v6plus" Static IP Address Service is an IPv4-over-IPv6 broadband offering deployed by ISPs in Japan. Like DS-Lite, it tunnels IPv4 traffic through an IPv6 access network. The ISP-side endpoint is called the Border Relay (BR), which decapsulates the traffic and routes it to the IPv4 internet.
What distinguishes the "v6plus" Static IP Address Service operationally is a specific provisioning behavior: the customer's WAN IPv6 prefix is periodically reassigned by the ISP. Each reassignment requires the customer's current prefix to be reported to the ISP's provisioning server. Without that notification, the ISP's system loses track of the customer's address and IPv4 connectivity is disrupted until the prefix is reported manually.
| In "v6plus" Static IP Address Service environments, prefix reassignment is not a failure condition. It is a normal part of ISP operations. Firewalls that cannot detect and report a prefix change automatically require manual administrator intervention every time it occurs. |
The Auto Update URL Feature in SonicOS 8
SonicOS 8 introduces the Auto Update URL: a mechanism that monitors the WAN IPv6 prefix and sends an HTTP notification to the ISP's resetting server whenever the prefix changes. The notification is sent under three conditions:
- When the tunnel interface is first brought up
- When the WAN interface's IPv6 address changes, for example when the ISP reassigns the WAN prefix
- At a configurable periodic interval (minimum recommended: 30 minutes)
The ISP provides the resetting server URL, configured in the Advanced tab of the tunnel interface. A real-time status indicator shows the result of the last HTTP request to the resetting server: green for success, yellow for pending, and red for failure.
| Set the Update URL Period to 0 to ensure the notification fires only once, with no unnecessary periodic HTTP traffic between changes. |
The following table summarizes the key details of the "v6plus" Static IP Address Service implementation in SonicOS 8.
"v6plus" Static IP Address Service Detail | Value |
| Service context | Japan ISP deployments |
| ISP-side components | Border Relay (BR) and resetting server |
| Auto Update URL trigger conditions | Tunnel bring-up, WAN address change, configurable periodic interval |
| Status visibility | Real-time indicator on tunnel interface (green, yellow, red) |
| Recommended Update URL Period | 0 (fires immediately on prefix change only) |
DS-Lite: Simplicity by Design
How It Works
DS-Lite (Dual-Stack Lite), defined in RFC 6333, takes a centralized approach to the IPv4-over-IPv6 problem. The idea is to keep the customer-side device as lightweight as possible and push complexity to the ISP infrastructure.
In a DS-Lite deployment, the SonicWall firewall acts as the B4 element: the customer-side tunnel endpoint. It encapsulates outbound IPv4 packets inside IPv6 and forwards them through a softwire tunnel to the ISP's AFTR (Address Family Transition Router). The AFTR decapsulates the IPv4 traffic, applies NAT (Network Address Translation), and routes it to the IPv4 internet. Inbound IPv4 responses follow the reverse path.
| No IPv4 NAT configuration is required on the firewall. There are no port range allocations or shared address tables to manage. The firewall's only responsibility is to establish the softwire tunnel to the ISP-provided AFTR address. |
Configuration in SonicOS 8
DS-Lite is configured on the WAN interface. Once the AFTR IPv6 address is entered, the firewall establishes the softwire tunnel automatically. The firewall then:
- Encapsulates all outbound IPv4 traffic in IPv6 and forwards it through the softwire to the AFTR
- Receives and decapsulates inbound IPv6-encapsulated IPv4 traffic from the AFTR
- Presents internal devices with a functional IPv4 connection, with no local NAT configuration required
NAT state lives centrally at the ISP AFTR. AFTR infrastructure is typically highly available, making this trade-off acceptable for most enterprise and SMB deployments.
DS-Lite Detail | Value |
| Standard | RFC 6333 (Dual-Stack Lite) |
| Firewall role | B4 element (customer-side tunnel endpoint) |
| ISP-side component required | AFTR (Address Family Transition Router) |
| IPv4 NAT on firewall | Not required |
| Configuration requirement | AFTR IPv6 address only |
DHCPv6 Prefix Delegation
What It Solves
DHCPv6 Prefix Delegation (PD) enables the firewall to receive a block of IPv6 addresses from an upstream ISP router and automatically distribute sub-prefixes to downstream LAN interfaces. This is a core requirement for IPoE (IPv6 over Ethernet) deployments, a provisioning model increasingly common in modern ISP networks that delivers IPv6 connectivity directly over Ethernet without PPPoE overhead.
How It Works in SonicOS 8
The ISP router sends a delegated prefix to the SonicWall firewall using DHCPv6. SonicOS 8 receives this prefix and automatically subdivides it into sub-prefixes, assigning one to each downstream LAN interface. The firewall then sends Router Advertisements on each LAN interface so that downstream devices receive their IPv6 addressing automatically.
This eliminates the need for manual static IPv6 address assignment across LAN segments. As ISPs rotate or renew the delegated prefix, the firewall updates its LAN sub-prefixes and Router Advertisement messages accordingly.
DHCPv6 PD Detail | Value |
| Prefix source | ISP router via DHCPv6 |
| LAN distribution | Automatic sub-prefix assignment per LAN interface |
| Downstream device addressing | Via Router Advertisement (no manual configuration) |
Configurable Interface Identifier
What It Solves
The Interface Identifier is the host portion of an IPv6 address: the last 64 bits that uniquely identify a device within a subnet. SonicOS previously generated this value automatically using EUI-64, derived from the interface's MAC (Media Access Control) address. Some ISPs require the WAN IPv6 Interface Identifier to match a specific value, making the auto-generated value non-compliant with their provisioning system.
SonicOS 8 adds a configurable Interface Identifier field in the WAN interface IPv6 settings. Administrators can enter any required value directly, overriding the EUI-64 default.
Interface Identifier Detail | Value |
| Default behavior (pre-SonicOS 8) | EUI-64 auto-generated from interface MAC address |
| New behavior in SonicOS 8 | Manual override field in WAN interface IPv6 settings |
| Configuration location | WAN Interface > IPv6 tab > Interface Identifier field |
DS-Lite vs. "v6plus" Static IP Address Service: How to Choose
The choice between DS-Lite and the "v6plus" Static IP Address Service is determined by your ISP, not by the firewall or administrator. Each mechanism requires specific infrastructure on the ISP side. DS-Lite requires an AFTR; the "v6plus" service requires a Border Relay and a resetting server.
Dimension | DS-Lite | "v6plus" Static IP Address Service |
| ISP-side requirement | AFTR (Address Family Transition Router) | Border Relay and resetting server |
| IPv4 NAT location | Centralized at ISP AFTR | Centralized at ISP Border Relay |
| Prefix reassignment handling | Not applicable | Auto Update URL in SonicOS 8 |
| Firewall configuration complexity | Low. AFTR address only. | Low. BR and resetting server URL. |
| Primary ISP context | Various IPv6-primary ISPs | Japan ISP deployments |
SonicOS 8 supports both mechanisms simultaneously on separate WAN interfaces. In a dual-ISP scenario where one provider uses DS-Lite and another uses the "v6plus" Static IP Address Service, both connections can participate in SD-WAN path selection with automatic failover.
Use Cases
Service Provider and ISP-Deployed Environments in Japan
Organizations operating in Japan where "v6plus" Static IP Address Service is the ISP access model can now deploy SonicWall firewalls without an intermediate CPE device. The Auto Update URL handles prefix reassignment automatically, removing the single most common operational burden in these deployments.
Multi-ISP and SD-WAN Deployments
Organizations using multiple WAN connections from different ISP types can use SonicWall natively with each. A DS-Lite connection and a connection using the "v6plus" Static IP Address Service can both be active simultaneously and participate in SD-WAN path selection. This is relevant for branch deployments in markets where IPv6-primary access is the available option.
Enterprise IPv6 Readiness
For organizations planning their IPv6 transition, DHCPv6 Prefix Delegation and the configurable Interface Identifier support clean, standards-compliant IPv6 address management. LAN segments receive their IPv6 addressing automatically from the delegated prefix, without manual static assignment. ISP-specific Interface Identifier requirements are met without workarounds.
Looking Ahead
IPv6-primary access networks are an operational reality for ISPs that have exhausted IPv4 address capacity. DS-Lite and the "v6plus" Static IP Address Service are the mechanisms those ISPs use today to maintain IPv4 connectivity for their customers while building out IPv6-native services. DHCPv6 Prefix Delegation and configurable Interface Identifiers are the tools required to operate cleanly in these environments.
SonicOS 8 ensures that SonicWall Gen 7 and Gen 8 firewalls work natively in all of these scenarios, without workarounds and without additional hardware. As IPv6 adoption continues to accelerate, native support for these transition mechanisms is a baseline requirement for enterprise network connectivity.
Resources
Resource | Where to Find It |
| IPv6 Configuration Guide (v6plus) | https://www.sonicwall.com/support/technical-documentation/docs/sonicos8-system/Content/Interfaces/interfaces-configuring-v6plus.htm |
| DS-Lite Knowledge Base Article | https://www.sonicwall.com/de-de/support/knowledge-base/sonicos-8-ipv6-tunnel-interfaces-ds-lite/kA1VN000001IqE50AK |
| SonicWall Support | https://www.sonicwall.com/support |
Share This Article
An Article By
An Article By
Georgy Thadathil
Georgy Thadathil