AT&T Fiber IPv6 with multiple Prefixes on UniFi

This keeps coming up in forums year after year:

• UDM IPV6 Setup for AT&T Fiber’s Prefix Delegation (Ubiquiti Community)
• Any progress on better AT&T IPv6 support? (Reddit r/Ubiquiti)

If you have AT&T Fiber and a UniFi gateway, you have probably hit the same thing: IPv6 works “a little”, but not in a way that is useful for segmented networks.

The Core Problem Link to heading

On AT&T IPv6, the residential gateway (RG) receives a /60, but in IP Passthrough mode it usually delegates only one /64 to your downstream router, even if that router requests a larger prefix.

In practice, this means:

• The RG keeps lower parts of the allocation for itself.
• Your UniFi gateway gets one delegated /64.
• Additional VLANs/networks do not each receive their own clean delegated /64 from normal UI-driven configuration.

That is why “IPv6 works on one LAN but not all VLANs” is such a common complaint.

What att-ipv6 Does Link to heading

The att-ipv6 on-boot script from unifi-utilities works around this by running dhcpcd directly on the UniFi host and requesting multiple IA_PD delegations, then wiring those delegated prefixes into selected bridge interfaces (br0, br100, etc.).

High-level behavior:

• Installs and manages dhcpcd5 for PD handling.
• Generates persistent config in /data/att-ipv6.
• Creates dnsmasq RA/DHCPv6 config for selected VLAN bridges.
• Preserves firewall/routing behavior, while bypassing much of UniFi’s native IPv6 UI logic.

Tradeoff: once this is active, most IPv6 settings in the UniFi UI are no longer the source of truth.

UniFiOS 5.x Notes Link to heading

Recent updates in the script matter for UniFiOS 5.x:

• Firmware detection now explicitly supports changing persistent data paths.
• dnsmasq drop-in placement now checks for /run/dnsmasq.dhcp.conf.d first, which matches newer UniFi Network releases (post-9.3.29, commonly seen on UniFiOS 5.x).
• It emits a warning if odhcp6c is still running, because native DHCPv6 plus att-ipv6 at the same time will conflict.

Minimal Setup Flow Link to heading

1. Install the on-boot-script framework from unifi-utilities.
2. Put AT&T RG into IP Passthrough mode.
3. In UniFi UI, disable IPv6 on the AT&T WAN and on each LAN/VLAN network.
4. Add IPv6 WAN Local firewall allowances for:
   • DHCPv6 server/client UDP ports (547 -> 546)
   • ICMPv6 Router Advertisements (type 134)
5. Install and run 10-att-ipv6.sh from att-ipv6.
6. Customize VLAN bridges, DNS domain, and IPv6 DNS servers in the script-generated config under /data/att-ipv6.
7. Validate with ip -6 r and journalctl -u dhcpcd.

For exact commands and examples, use the upstream README:

• unifi-utilities/att-ipv6 README

Alternatives Link to heading

There are other approaches if you want to avoid the RG as the IPv6 delegation bottleneck entirely.

One example is bypass/masquerade-style ONT approaches such as:

• Masquerade as the ATT Inc BGW320-500/505 with the WAS-110

These can provide more direct control, but they are significantly more advanced and come with higher operational risk.

Closing Link to heading

If your goal is “stable IPv6 across multiple VLANs on AT&T Fiber with UniFi”, the att-ipv6 script remains the most practical middle ground for many setups today, especially with the UniFiOS 5.x compatibility updates.