How to Disable IPv6 in Mac OS X
Some Mac users may wish to disable IPv6 networking support on their machines. This may be desirable to avoid certain networking conflicts, or to increase security for users in higher threat environments, since IPv6 has been found by researchers to be potentially vulnerable to man-in-the-middle and other network attacks.
Though most users don’t use IPv6 directly, disabling IPv6 is not without consequences, and thus should only be done by users who know what they’re doing and why they’re doing it. Some of the core Mac OS X system services, like the discovery service Bonjour, use IPv6. Accordingly, disabling IPv6 may render AirDrop sharing unusable, certain print services will become unavailable, and some other convenient Mac features may turn inoperable as well. This makes it impractical to disable for many.
Mac OS X offers a few ways to turn off IPv6, and we’ll cover a simple method using the command line, as well as demonstrating how to turn IPv6 back on if you decide you need to. Users can also check to see if IPv6 is actively used through System Preferences, which Mac OS X defaults to putting into an automatic state.
Disable IPv6 in Mac OS X through Terminal
Launch Terminal, found within the /Applications/Utilities/ directory, and use the following commands appropriate to your situation. Note that many modern Macs only have wi-fi cards, rendering the ethernet option unnecessary. If the Mac has both wi-fi and ethernet networking, you’ll probably want to disable IPv6 for both interfaces.
Turning off IPv6 support for ethernet:
networksetup -setv6off Ethernet
Disabling IPv6 for wireless:
networksetup -setv6off Wi-Fi
You can also combine both of those commands into a single string to disable both wireless and ethernet, just use the following syntax:
networksetup -setv6off Ethernet && networksetup -setv6off Wi-Fi
Be sure to enter that string onto a single line to issue the command properly.
Re-Enabling IPv6 for Wi-Fi & Ethernet in Mac OS X
Of course, reversing the above change is also possible, and you can re-enable IPV6 support with the following command strings entered into the terminal:
networksetup -setv6automatic Wi-Fi
networksetup -setv6automatic Ethernet
You can also place this into a single command to re-enable IPv6 for Wi-Fi and ethernet like so:
networksetup -setv6automatic Wi-Fi && networksetup -setv6automatic Ethernet
This simply places IPv6 back into the ‘automatic’ configuration state which is default in OS X, if the server you are connecting to does not support IPv6 it won’t be used. Re-enabling IPv6 should return all Bonjour services to their regularly functioning state, including the ever-useful AirDrop file transfer feature.
Those interested can learn more about IPv6 at Wikipedia.
Thanks to @glennzw on Twitter for the tip idea and heads up about the vulnerabilities, don’t forget to follow @osxdaily on Twitter too!
iMac27:~ magatst$ networksetup -setv6off Wi-Fi
Wi-Fi is not a recognized network service.
** Error: The parameters were not valid.
iMac27:~ magatst$
High Sierra 10.13.6 doesn’t allow you to disable IPV6 from the GUI (only allows you to disable IPV4 that way). If you have an extra NIC that you are bridging to a VM, be certain to disable IPV4 _and_ IPV6 so that macOS can’t receive any packets by accident. (It can still receive non-IP traffic though, but hopefully all of the other computers on your physical network segment are trusted _and_ fully secure from being used as an IP attack proxy.)
TY! That solved a lot of problems with our bluetooth and Wifi hotspot. Couldn’t find out why till disabling IPv6 in MacOs.
Great job!
In my case, I had to run:
networksetup -setv6off “Thunderbolt Ethernet”
just a heads up. You can type in:
networksetup -listallnetworkservices
to list all your network services
I enjoyed reading your article. After using the terminal command to disable ipv6 for my Wifi connection, I noticed that it will stay disabled for a week or so, however it is not permanent, at least in my scenario. It will not take long before my ipv6 is somehow re-enabled. Is this normal behavior, or possible due to an intrusion? I’ll add that the reason that I’m disabling it in the first place is due to legitimate security concerns- my computer has been hacked numerous times over the last few years, identity stolen, etc. I’m grateful for any information that anyone can provide. Thanks!
first issue I’ve had is with services on internet saying they suport ipv6 but failing to implement this correctly. Ensures a broken connection. So, ipv6 has been turned off.
second issue is that Safari caches this. I think OSx uses it’s own name resolution, which explains why hitting an address with Chrome or Firefox works, but with Safari hangs and times out. This is with El Capitan 10.11.3. So not much has changed over these years.
DISABLE IPv6 unless you know what you are doing. It is inherently vulnerable and should never have been released to the public or imposed on home users with easy to use, graphical tools to secure it. It’s bad enough that we distribute vulnerable routers to everyone’s home network that allows them to be man-in-the-middle’d but now we’re providing them with vulnerable routing as well. Wow, whatever happened to watching out for your fellow man. Yes the information is there if you have the experience to decipher the README’s on the internet but those take time and a level of experience most SOHO and home users DO NOT HAVE. Quit giving bad advice. Disable IPv6 NOW!!!
So: why don’t you take some time and share your technical concerns with us. Give us your reasons for this statement — “It is inherently vulnerable and should never have been released to the public or imposed on home users with easy to use, graphical tools to secure it”, and some references to substantiate what you are saying.
It bypasses NAT and traditional filtering and allows your devices to directly access the internet and reveal your LAN. Unless you are disabling the protocol, or hardware firewalling it, you are vulnerable to discovery.
Stop disabling IPv6. Fix your broken networks instead.
I think this is bad advice. In every case that turning off IPv6 is applicable, either supporting it on the network or using security protocols (TLS, VPN) are preferable. All these clever little hacks are basically equally applicable to IPv4–so turning IPv6 off in anything but a fixed networking environment where RAGuard or whatever is not available just means hobbling your system. And, when IPv6 is finally supported in your environment, you’ll have to turn this back on again.
So in summary: just don’t do it. It’s not worthwhile.
I agree.
Just because there are tools to exploit weaknesses in IPv6 implementations doesn’t mean you shouldn’t use it. IPv4 has it’s own share of weaknesses. WiFi is open to abuse. I don’t see people recommending disabling either of those
Don’t disable IPv6.
I must agree with Sebby and John. As a network engineer, do NOT turn off IPv6.
The addresses in IPv4 are running out and you will need to move to IPv6 sooner than later. It is simply not an option to just turn off IPv6 and ignore it.
There are ‘security’ issues in IPv4 as well, but that doesn’t mean turn off the protocol. We have features and functions in place to mitigate the security holes and those should be implemented rather than turning off IPv6.
I would recommend that this article be removed and replaced with one detailing how to secure IPv6 on a Mac instead.
Well Charles, do you have any recommendations on how to secure IPv6 on a Mac?
I think most people using NAT now though, so disabling IP6 should not affect anyone but those behind the NAT?
Charles, I had to turn of ipv6 on my Windows 7 machine, at least temporarily. Facebook and Google products stalled or stopped functioning altogether. A restart of Chrome or IE sometimes temporarily fixed. Maybe my home network is broken but for now I am much happier.
As a network engineer, I *DO* turn off ipv6. First; it’s not important that the internet is running out of ipv4, as all of your nat devices are connected using a single address, which you already have.
IPV6 is a security vulnerability (in regards to privacy). IPV6 is not subject to NAT. Unless you are IP firewalling out all ipv6 except what addresses interest you, your individual and IoT devices are directly accessing the internet and revealing your location and data about your LAN. If you don’t need ipv6, there’s no reason to use it.
I will use IPV6 only when I don’t have a choice (when ISPs no longer provide an ipv4 address). Right now I do.
Sometimes an interface with ipv6 is behaving in funky ways. I have an issue this moment that I am writing with a Mac on the network. I am sure the ipv6 is causing the problem, I have seen it before. I can open Wireshark and find out what’s going on, or just disable ipv6 and get on with it. I think I’ll take option 2 today :-)
I agree. I keep getting an error that my hostname is already in use… even though I am the only computer with this name. I’ve read that it’s an issue is ipv6. So I’m turning it off to see if it fixes the problem.
Reluctantly I’ve disabled ipv6 for an issue regarding too many ntpd calls in os x (>ML). Even the security update related isn’t useful. See also MikeV99 at mac-forums. With LittleSnitch or similars I’ve seen problem solved, turning off.
There’s an error in this usage, as it pertains to OSX Mavericks, at least. For the “Ethernet” argument you must specify “Ethernet 1” or “Ethernet 2” and so forth. You can view a list of available network services by issuing the following command:
# networksetup -listallnetworkservices
in my case, this shows:
An asterisk (*) denotes that a network service is disabled.
Bluetooth DUN
BitFORCE SHA256 SC
Ethernet 1
Ethernet 2
FireWire
Wi-Fi
Bluetooth PAN
VPN (Cisco IPSec)
in my case, the command line option is issued like this:
# networksetup -setv6off Ethernet\ 1
and the same for
# networksetup -setv6off Ethernet\ 2
note the use of \ to include the space.
Interesting that IPv6 has security problems, but most Mac users are not impacted by this