How to Set a Static IPv6 Address Without Disabling Privacy Extensions
🔍 WiseChecker

How to Set a Static IPv6 Address Without Disabling Privacy Extensions

by

Quick fix: Set an IPv6 address manually via netsh interface ipv6 add address “Ethernet” fe80::abcd:1 type=anycast for a stable address, while keeping privacy extensions enabled with netsh interface ipv6 set privacy state=enabled. The anycast type ensures the static address coexists with the privacy-generated temporary addresses.

Your IPv6 setup uses SLAAC (router advertisements) by default, which generates a privacy-extension temporary address and a stable address derived from your MAC. For specific use cases — running a local server, configuring strict firewall rules, mapping DNS records to a specific IP — you want a known fixed IPv6 address. The trick is keeping it without disabling the privacy extensions that protect your other outbound connections.

Symptom: You want a static IPv6 address while keeping privacy extensions active for outbound traffic.
Affects: Windows 11 (any edition) with IPv6 connectivity.
Fix time: 15 minutes.

ADVERTISEMENT

What IPv6 privacy extensions do

Privacy extensions (RFC 4941) generate temporary random IPv6 addresses for outbound connections, so external services can’t track you by a stable IPv6 address derived from your MAC. By default, Windows generates a new temporary address every few hours, uses it for outgoing connections, and keeps the stable (MAC-derived or random-stable) address for incoming connections only.

Adding a manual static address adds to this set rather than replacing it. Outbound traffic continues to use the privacy address; the static address is bound to the interface and can receive inbound connections directed to it.

Method 1: Add a static IPv6 address coexisting with privacy

  1. Open elevated PowerShell.
  2. List your interfaces and their current IPv6 addresses:

    Get-NetIPAddress -AddressFamily IPv6 | Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin
  3. Identify the interface (e.g., Ethernet or Wi-Fi) and its prefix (often a /64 starting with 2001:db8:abcd:dead::).
  4. Choose an unused address within the /64. Avoid the router’s address (usually ::1) and any DHCPv6 reserved ranges.
  5. Add the static address as anycast type (which doesn’t conflict with privacy):

    netsh interface ipv6 add address “Ethernet” 2001:db8:abcd:dead::5 type=anycast
  6. Verify with Get-NetIPAddress -AddressFamily IPv6 — the new address appears with PrefixOrigin Manual.
  7. Confirm privacy is still enabled:

    netsh interface ipv6 show privacy

    State should read enabled.

The static address can now receive inbound connections. Outbound traffic still uses the privacy-rotated address.

ADVERTISEMENT

Method 2: Configure via Settings (Graphical)

For users who prefer the GUI:

  1. Open Settings → Network & internet. Click your connection (Ethernet or Wi-Fi).
  2. Click the network name and find IP assignment. Click Edit.
  3. Change to Manual. Toggle IPv6 on.
  4. Enter the static address, prefix length (usually 64), gateway (your router’s IPv6), and DNS (e.g., Google’s 2001:4860:4860::8888).
  5. Save.
  6. This sets the address as Manual type, which Windows treats as a primary static. Privacy extensions remain enabled by default; verify with netsh interface ipv6 show privacy.

Note: the Settings UI changes IPv6 from auto-config (SLAAC) to manual entirely. If you want both your router-assigned addresses AND a static, use Method 1 (PowerShell + anycast type).

Method 3: Lock the privacy interval and rotation policy

For users who want to control how often privacy addresses rotate:

  1. Open elevated PowerShell.
  2. Set the privacy interval:

    netsh interface ipv6 set privacy state=enabled maxdadattempts=3 maxvalidlifetime=24h maxpreferredlifetime=12h regeneratetime=2h
  3. This means: addresses live up to 24 hours, are preferred for 12 hours, regenerate after 2 hours of use, with retry on duplicate address detection.
  4. For most users, defaults are fine; tune only if you have specific privacy or stability needs.

Tuning the rotation can balance privacy against connection stability — longer rotation means less privacy but fewer interrupted long-lived connections.

How to verify the fix worked

  • Run Get-NetIPAddress -AddressFamily IPv6 — you see your static address plus privacy-generated temporary addresses.
  • Connect to your static address from another device using ssh -6 user@2001:db8:abcd:dead::5 — works.
  • Initiate an outbound HTTPS connection. Check the source IP in your router’s logs — it’s a privacy address, not your static.
  • Wait a few hours and recheck — the privacy address has rotated, but your static remains.

If none of these work

If the static address doesn’t persist after reboot, your network adapter is using DHCPv6 stateful assignment which conflicts with manual addresses — check the router’s DHCPv6 settings and switch to SLAAC if you want manual addresses to coexist. For Wi-Fi networks where your router doesn’t advertise the /64 you need, you can’t pick a static within an unannounced prefix — coordinate with your router admin or use a different network. For ISPs that rotate your IPv6 prefix periodically (some consumer connections do this for “privacy”), a static address is meaningless across rotations; consider a dynamic DNS service that updates as the prefix changes.

Bottom line: Anycast-type IPv6 addresses coexist with privacy extensions. Add via netsh, keep privacy enabled, and you get both stability and protection. The Settings UI takes a binary all-or-nothing approach; PowerShell gives the nuance.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You