How IPv6 AnyIP Works: /64 Math, NDP, and Why Your Proxy Can Use Billions of Addresses

Technical explainer: CIDR /64, ip_nonlocal_bind, NDP proxy, and how MeshProx agents bind random IPv6 exits from your VPS subnet.

2026-06-14 · 8 min read

Part of our IPv6 proxy management guide series.

Every MeshProx server advertises an IPv6 range like 2001:db8:abcd:1234::/64. Operators ask: *"Can I really use more than one address?"* and *"Why doesn't my provider give me 18 quintillion NIC configs?"*

Short answer: providers route the prefix to your machine. Your kernel and proxy stack bind outbound sockets to addresses inside that prefix on demand. You do not need to manually add 10,000 addresses to ip addr.

/64 in plain numbers

Per CIDR references, a /64 splits a 128-bit IPv6 address into:

  • First 64 bits — network prefix (assigned by your host)
  • Last 64 bits — interface identifier (you choose)

2⁶⁴ ≈ 18.4 quintillion possible host values. Real fleets use thousands to millions — still a rounding error in the address space.

What the VPS actually configures

When you run ip -6 addr you usually see one global address on /64. That does not mean the other addresses are invalid — it means only one is installed on the interface for NDP (Neighbor Discovery).

Outbound proxy traffic needs two kernel capabilities:

1. Non-local bind

net.ipv6.ip_nonlocal_bind=1 allows processes to bind to IPv6 addresses not currently listed on the interface. This setting is documented in open-source IPv6 proxy pool projects and production daemons.

2. Local subnet route

A route like:

ip -6 route add local 2001:db8:abcd:1234::/64 dev eth0

tells the kernel: *"Any packet destined to an address in this /64 is local."* Combined with non-local bind, your proxy can emit traffic from ...::1, ...::beef, ...:random without pre-creating each address.

MeshProx's agent configures this during install/preflight on supported hosts.

NDP and why it matters

IPv6 uses Neighbor Discovery instead of ARP. When traffic returns to an address in your /64, the network asks: *"Who has this address?"*

If only ::1 is on the interface, naive setups drop replies to other addresses. Solutions:

  • NDP proxy (ndppd or net.ipv6.conf.*.proxy_ndp) — host answers on behalf of the subnet
  • Explicit /128 adds — labor-intensive; does not scale to thousands

Community Hetzner/Proxmox threads repeat the same lesson: routed /64 requires NDP proxy or equivalent when guests bind many addresses.

MeshProx bundles this into the agent install so operators skip manual ndppd.conf editing.

Static vs rotating in practice

| Mode | Behavior | Best for |
|------|----------|----------|
| Static | Fixed IPv6 per proxy port | Partner allowlists, long sessions |
| Rotating | New random IPv6 from /64 per connection | High churn, spread load |
| Sticky | Same IPv6 for N minutes | Cart/session workflows |

Rotating does not change your ASN or /64 prefix — targets still see hosting/datacenter network identity. It changes the host portion, useful for per-IP rate limits inside the same prefix.

Limits that still apply

Research and operator reports agree on practical ceilings:

  • CPU/RAM — each listening port and connection consumes resources; 40k ports is an upper bound before tuning
  • Provider fair use — bandwidth and connection policies on your VPS plan
  • /64-level blocks — if a WAF flags your prefix, rotating inside the /64 will not help; provision a new VPS
  • IPv4-only destinations — MeshProx falls back to the server's IPv4 when no AAAA exists

DIY scripts vs control plane

Tools like http-proxy-ipv6-pool and NyxProxy demonstrate the same kernel tricks on a single box. MeshProx adds:

  • Multi-server pools and failover
  • Zero-downtime rotation with credential export
  • Heartbeats, smoke tests, remote updates
  • Panel + REST API for automation

Verify on your server

After MeshProx install:

  1. Generate a rotating SOCKS5 proxy
  2. Curl an IPv6 echo service through it twice
  3. Confirm the full IPv6 exit changes between requests while the /64 prefix stays constant

That is AnyIP working as designed — quintillions of theoretical addresses, dozens of practical ports, one managed fleet.
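The check in step 3, and the reason a /64-level block ignores rotation, can both be expressed by splitting each address at bit 64. The following is an added example, not MeshProx code: the function names, the "address path" log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def split64(addr):
    """Return (the /64 network, the 64-bit interface identifier) of an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network((int(ip) >> 64 << 64, 64))
    return net, int(ip) & ((1 << 64) - 1)

def rotation_ok(first_exit, second_exit):
    """Step 3: the prefix stays constant while the host portion changes."""
    net_a, iid_a = split64(first_exit)
    net_b, iid_b = split64(second_exit)
    return net_a == net_b and iid_a != iid_b

def hosts_per_prefix(log_lines):
    """Count distinct source addresses per /64 in 'address path' log lines."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        try:
            net, iid = split64(fields[0])
        except ipaddress.AddressValueError:
            continue  # IPv4 or malformed source: outside this count
        seen[net].add(iid)
    return {str(net): len(iids) for net, iids in seen.items()}

# Constructed sample lines using the 2001:db8::/32 documentation range.
SAMPLE_LOG = [
    "2001:db8:abcd:1234::1 /login",
    "2001:db8:abcd:1234::beef /login",
    "2001:db8:abcd:1234:9f3c:11a2:7d40:e8b1 /login",
    "2001:db8:abcd:1234:0:0:0:beef /login",  # same host as ::beef, other spelling
    "2001:db8:ffff:1::10 /index",
    "203.0.113.7 /index",                     # IPv4 fallback exit, skipped
]

if __name__ == "__main__":
    print(rotation_ok("2001:db8:abcd:1234::1", "2001:db8:abcd:1234::beef"))
    for prefix, count in hosts_per_prefix(SAMPLE_LOG).items():
        print(prefix, count)
```

Keyed on the /64, the three rotating exits collapse into a single entry, which is the view a prefix-level rate limit or WAF rule has of the server.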
