That gave a really nice overview for someone who hasn’t had to dabble in IPV6 yet, thanks!
Very useful, but I don’t understand concept 1, “Don’t pick numbers”.
If I’m right, it’s basically saying don’t do stuff manually, just let the computer do it. I kind of disagree with this. All of my fixed devices have a fixed IP that I manually assigned and derived from the original v4 schema I also have. For example 192.168.x.y becomes prefix::y
Am I misunderstanding something?
Ipv6 requires fundamental rethinking about how addressing is done. If you’re trying to apply v4 concepts to V6 you likely end up running into something they intentionally designed out.
A unique local address is an address space where you could do that. It’s the equivalent to RFC1918 eg. 172/192/10. So you could statically assign fd0::x, and that is expected, but not required generally.
I wouldn’t give each device a static unique global address unless they need to be accessed via wan without domain consistently. You lose device privacy really quickly that way because every device gets a unique globally routable address. It’s fine for internet facing services but most Linux, Windows, and mobile implementations are using ipv6 privacy extensions by default to ensure you get a random GUA every day.
My network is dual stack and I connect mostly over ipv6 to all my internal clients using internal DNS. If my internal DNS is ever down I can fall back to ipv4 or it’s basically the one box on my network with an easy to remember ULA.
Each year I seem to think “this will be the year I set up IPv6 in my homelab” - but then I never get around to it.
If I have to run both v4 and v6 concurrently, there isn’t much incentive/motivation for me to use v6 locally.
Maybe I’ll get around to it when there’s a net benefit for me for my use case, or when I’m forced to.
Am I just imagining it to be more complicated than it actually is?
My router runs pfsense and I have 6 VLANs each with its own subnet - Management, Trusted, IoT, Cameras, Guest, and Web Facing Servers.
It’s honestly super simple to set up. Outside of your ISP config it’s almost all autoconfig. 100% of the complication (at least for me) comes from knowing ipv4 first for 20 years and then trying to incorrectly map those concepts to V6.
As soon as I “let go” it was fine.
There’s not a huge net benefit you’re right. I mostly wanted to learn and I hope to be at the front edge of disabling ipv4 in the near distant future.
The benefit is being able to easily access devices from the internet. The same address works on the LAN and WAN. There’s no port forwarding, so multiple devices can have the same port open. You also don’t need to mess with a VPN if your IPv4 connection uses CGNAT.
Yeah dropping Nat is the biggest net benefit I agree but I think the avg person won’t really find that much value in it when Nat works ok
And the average person is going to be using it without knowing. And never complain or anything.
Yea, prolly already using it.
NAT works fine until you get stuck on CGNAT and can’t host anything on IPv4 without using a VPN.
I thankfully have never had the misfortune of cgnat
Meh, nothing a VPN and a 3 bucks a month VPS can’t solve…
yells at cloud in IPv4
An issue I had the last time I tried to set up IPv6 up was pihole didn’t work as well as I would have preferred. I assumed I just didn’t set up things correctly and it’s looking like that is the case based on the OP.
It kept resolving ad domains with their IPv6 address.
That’s the reason I killed IPv6 on my network.
Who cares if it access them over ipv6. Their still blocked.
If ad domains can be resolved to their IPv6 addresses, it means that they are not blocked. Your device connects to the IPv6 address and serves the ad.
I can’t remember what the problem was but my window to rollback was closing so I reverted back to IPv4 only and pushed it to another day.
Thanks, I’ll give it a go!
I suppose it’ll be easy since my whole stack uses IPv4, so I’ll be simply adding another interface on without service disruptions.
If you happen to torrent a fair bit (especially public trackers) then ipv6 can make a huge difference, there’s loads of ipv6 only seeders and leechers I’m suddenly reaching.
I made the plunge about a year ago. Spectrum assigns me a prefix but routing was spotty at best. In the end after all the troubleshooting pointed to the problem being the ISP I gave up and stuck with what works, IPv4.
Its a mind shift cause so use to NAT and ipv4. But it is not they hard. I’m glad I learned it, but the beginning was tuff.
On one hand you definitely don’t want to be assigning manual/static IPv6 to all your devices because if your prefix ever changes you’ll have to update it everywhere. IPv6 doesn’t really have a concept of private address space (with a few exceptions).
On the other hand most modern IPv6 stacks support dynamic protocols like SLAAC while also assigning a static suffix to the published prefix (e.g. You want :0:0:1234:1 to go to your server, and SLAAC gets the prefix 200x::5678/64 your server would assign itself 200x::5678:0:0:1234:1).DHCPv6 fixes a lot of these headaches for managed networks by allowing you to reserve specific IPv6 for a given DUID.
IMO, your network, do what you want.
I have two jump Raspberry PIs that I have static suffixes so I always know where they are without relying on DNS or whatever.Edit: I apparently misremembered how I had these setup. I use a custom interface up script to take the SLAAC prefix and append the custom suffix to it as a secondary IP.IPv6 does have private spaces. Any prefix beginning with fd is ‘private,’ and (IIRC) there’s a formula to generate the next 40 bits of prefix to minimize the chance of intersections. i.e., you can generate your own internal /48 functionally equivalent to 192.168/16 or 10/8
Don’t know if you can use that with SLAAAC, but it works if you run a dhcpv6 and makes ipv6 feel a lot like ipv4. You have to NAT everything inside &c, but if you already have a functioning internal IPv4 network, IPv6 is just a matter of figuring out which config options need to be changed (eg, dhcp6.name-servers for option domain-name-servers)
I’m really appreciating your use of
&c
.Are you in the nineteenth century by any chance?
Yes, ULA are one of the exceptions I mentioned. It covers fc00::/7 which is fc00 to fdff, though I believe most use just the top half. I use one for an intermediate network between my edge router and my primary firewall to not consume one of my limited /64 networks.
I haven’t played with IPV6 NAT much. I know its use is a bit discouraged as NAT was always designed as a stopgap measure for IPV4 exhaustion. It might be a good option if you need additional space and your ISP doesn’t support additional prefixes. Just keep in mind that if you use these in DNS, they won’t be accessible externally.
Yeah, my ISP “supports” IPv6, but assigns a /128 to users. It seems to wipe out most of the desirable features of IPv6, and has probably given me a distorted view of its philosophy. OTOH, it did force me to learn how to do DNS views, so names can have the ULA address inside and the global address outside the house, which is pretty cool.
The downside with ULA is that ipv4 is given preference, which is annoying on dual stack networks. I believe there is a draft RFC to change this but it will take a while for it to be approved and longer still for OSes to change their behaviour. I workaround it by using one of the unused (but not ULA) prefixes.
if your prefix ever changes you’ll have to update it everywhere
I mean that’s a good point but I’m paying money to not have my prefix changed. If I were to do it the intended way using DNS, how would I set up the DNS to be prefix agnostic? How would I reference devices in the firewall?
Its a bit complicated and depends on your ISPs support level.
If your ISP supports basic IPv6 they will likely use SLAAC or DHCPv6 to advertise the /64 that any directly connected devices, like your router, can use (/64 being the default size for a single LAN segment, even between point-to-point connections). If you have devices behind that router that want to use IPv6, you will need additional prefixes. The most common method nowadays is to use Prefix Delegation (DHCPv6-PD) where your router will ask the upstream router for an additional routeable prefix which you will use on another interface of the router. The RFC for prefix delegation recommends a /48, but many ISPs are not delegating that much. I only get half of a /60 from my ISP’s modem.
If the ISP just provides you a static routeable prefix, then you would just assign that to your router’s interface and enable SLAAC/DHCPv6 to give out that prefix. This would only need to be configured in a single device and is why they don’t recommend hard coding servers and workstations with IPV6 addresses.
Keep in mind that your router will also need a firewall as all of these IPv6 prefixes are routeable and public. While IPV6 space is quite like finding a needle in a haystack, you could still find yourself having a bad day if you treat it like private IPV4 space.
The end result though is that you would setup DNS so that devices register their IPv6 addresses and it just works. There’s also the MDNS protocol that supports IPv6 which will do segment-local resolution for device names.
I think there’s some misunderstanding
I get how IPv6 works, I got a /48 from my ISP. The problem is that I have some 15 devices here that I have to refer to in DNS and either I have to change their static IPs or I have to change their IPs in DNS if the prefix ever changes (it shouldn’t, because I pay for them to not do that). My laptop, phone and desktop do not get a static IPv6 and use the privacy extension. Is that not how you’re supposed to do it?
I don’t understand it either. On one hand people say don’t remember addresses, use DNS and on the other DNS relies on static addresses but then every device is “supposed” to have random addresses via SLAAC or privacy addresses. It just doesn’t seem to tie together very well, but if you use them like IPv4 addresses you’re apparently doing it wrong.
Not sure if you know privacy extension is mostly for outbound traffic. When you go to a website it well use privacy ipv6. Can still use management ipv6 for local connections. For max privacy every device should have it enabled as there are ways to trace if some devices do not have it enabled on your network.
I don’t think you understand. I know privacy extension is for outbound and not inbound, but what use is it on a server?
From reading one device can ruin the privacy extension use. Don’t know if a server would be they bad since it isn’t going to sites.
Caring about IP allocation is something that’s hard to let go. They’re saying that the IPv6 address space is so astronomically large that we need a radical change of mindset to deal with it. Allocate names based on MAC and leave it at that. Ignore the IPs. If you fixate on maintaining specific IPs and prefixes you just complicate your own life for no benefit.
I agree with this but I would say the prefix is the only thing you should focus on.
It’s important that ISPs don’t regularly rotate your PD and it’s part of the rfc recommendations that they don’t. And the remainder of the prefix is your vlan space that is as important for VLAN routing as always.
This seems counter to Concept 6 in the OP.
for residential internet, the globally routable prefix can change
Do you mean that ISPs don’t regularly rotate your PD in practice? I’d actually prefer that they did to maintain a semblance of privacy.
Your prefix can change yes but the recommendation is that it shouldn’t in practice. You’ll find ISPs doing it right will extend your PD lease infinitely unless you release it for a long enough period of time. Similar to ipv4.
The privacy is similar to ipv4 also. All your traffic on ipv4 looks like it’s coming from your WAN IP… Your PD is in this sense equivalent (though not literally equivalent for all the pedants reading) to your WAN IP.
This is an old post about ipv6, but it inspired me to go looking, and I wanted to share my findings.
-
for globally routeable IPv6 addresses, probably do let it happen automatically, either direct from the ISP, through the router by prefix delegation, or your own implementation of prefix delegation.
-
for devices you want to access, internally, create a ULA within the fd00::/8 space, and assign numbers (and names) however you like. Translate all your 192.168.x.y IPv4 addresses to fd00::x:y and go. Only limitation is you won’t be able to access those devices, using the ULA, from outside your network.
-
you can do both of these on the same subnet, and devices pick up both addresses then use the global address for internet and the ULA for intranet.
That means you can do dhcp, dynamic DNS, private domains, and all the stuff you know about IPv4 for IPv6, and still do all the stateless autoconfig that “they” want. Some devices, like my android phone, never played well with dhcpd6, but immediately preferred IPv6 as soon as I let them SLAAC.
If the prefix assigned by the ISP doesn’t change, then device SLAAC address shouldn’t change, either, because they’re calculated from MAC, so if you need to access some internal devices from the internet, you have to mark that address, but (IMO) marking the full address is not that much worse than marking the prefix and remembering the device number.
-
The guide mentions:
Your ISP will give you the first 64 bits, and your host machine will have the last 64 bits.
This isn’t correct. While some ISPs do give you the first 64 bit (a /64 prefix), this isn’t recommended and not terribly common either. An ISP should give its users prefixes with less than 64 bit. Typically a residential user will get a /56 and commercial users usually get a /48. With such a prefix the user can then generate multiple /64 networks which can be used on the local network as desired.
I literally wrote like a week ago for a guide like this
This is awesome and answers so many questions. I kept trying to force IPv6 addresses to my machines and they kept not doing it! I also didn’t know they would have multiple addresses.
This is useful. Thanks
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System IP Internet Protocol IoT Internet of Things for device controllers NAT Network Address Translation VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
7 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #814 for this sub, first seen 18th Jun 2024, 11:05] [FAQ] [Full list] [Contact] [Source code]