Let's Talk IPV6

BlueLineSwinger

[H]ard|Gawd
Joined
Dec 1, 2011
Messages
1,244
My ISP hands out /64 ipv6... Unfortunately it's dynamic and changed often. Pretty much a completely broken implementation. Luckily ipv4 is behind a double NAT, so absolutely no way to set up any sort of port forwarding. Was wanting to set up ipv6 on my home network but wasn't sure how easy it'd be to work around a constantly changing ip range.

I don't know that I'd call their IPv6 broken. It's certainly the minimal offering. It kinda sucks that they're always changing up the subnet address, but that's not really an issue if all you need is for your nodes to be set up with IPv6 addressing.

If you're looking to access a LAN node from the outside via IPv6, a dynamic DNS setup should work. A quick search on "dynamic dns provider ipv6" brings up a number of results (none of which I personally have any experience with). Just make sure your firewall is properly set up.
 

Ready4Dis

2[H]4U
Joined
Nov 4, 2015
Messages
2,499
I don't know that I'd call their IPv6 broken. It's certainly the minimal offering. It kinda sucks that they're always changing up the subnet address, but that's not really an issue if all you need is for your nodes to be set up with IPv6 addressing.

If you're looking to access a LAN node from the outside via IPv6, a dynamic DNS setup should work. A quick search on "dynamic dns provider ipv6" brings up a number of results (none of which I personally have any experience with). Just make sure your firewall is properly set up.
Yeah, forgot the other half of the issue is their modem doesn't broadcast the right subnet either. I would have to write a web scraper to constantly poll the modem's admin page for changes. It's a poor implementation. I still haven't had any success even if I set an IP manually of being able to ping a box from the outside world. Maybe one day if I get bored enough I'll look into it more, but it's satellite internet and mostly useless anyways.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,928
To your question: when will IPv4 stop working? Perhaps never. It's just too embedded in the Internet. You'll NAT your way there for as long as you like - or at least the next 10 years.

To come back to this two years later, I guess my real question (and it might not be an answerable one) is:

How long until there start being things I want to do on the internet that just won't work with IPV4.

Essentially, when will major players, service providers and websites start shifting to IPV6 only, and abandoning IPV4 users.

I still have IPV6 disabled at the interface level on my router on both the LAN and WAN sides, because I don't fully understand how to firewall it properly, and don't want to risk having a gap in the firewalls until I have the time to properly read up on it.

My thought process is that at some point I'll have the time to read up on, and become comfortable with IPV6, enough such that I can configure my nine different VLANs to work properly and all my firewall rules between them to block things properly, but that hasn't happened yet.

That, and the transition would require that I have downtime, and I abhor downtime....

Quite frankly, at this rate it may never happen, unless it absolutely has to. In other words, when things stop working because I am still on IPV4 only.

My gut is still telling me to - when I am finally forced to make the switch - to try to construct something like what I already know, and just set up NAT66. This way I'll be able to keep my WAN and my LAN completely independent of each other the way I like it.

I also HATE the idea of having to use DNS or hostnames to find machines on my local network instead of just memorizing all the IP addresses like I have always done it.
 

pendragon1

Extremely [H]
Joined
Oct 7, 2000
Messages
42,727
(image attachment)
 

ComputerBox34

[H]F Junkie
Joined
Nov 12, 2003
Messages
13,538
To come back to this two years later, I guess my real question (and it might not be an answerable one) is:

How long until there start being things I want to do on the internet that just won't work with IPV4.
It depends....in the US? Perhaps never. You can still go to aws.amazon.com, sign up for an account, and spin up a server with an "elastic" IPv4 address for a very low amount of money.

In Asia? Likely within the next 10 years, a large portion of Asian hosted websites will be IPv6 only simply because they have a much smaller pool of IPv4 space and a lot more people. If American Technology companies want to continue courting that market, they will also need to get themselves IPv6 ready to reach these consumers.
Essentially, when will major players, service providers and websites start shifting to IPV6 only, and abandoning IPV4 users.
When IPv4 address space trades at such high prices on the secondary market that it's financially unaffordable or impractical to continue buying IPv4 space to support new customers. At this point, the major American providers already have more than enough space to sustain themselves for many years so I don't see this happening anytime soon. Even if it does, there is trickery they can do with CG-NAT to stretch the IPs out even further.

As mentioned above, Asia is a different story.
I still have IPV6 disabled at the interface level on my router on both the LAN and WAN sides, because I don't fully understand how to firewall it properly, and don't want to risk having a gap in the firewalls until I have the time to properly read up on it.

My thought process is that at some point I'll have the time to read up on, and become comfortable with IPV6, enough such that I can configure my nine different VLAN's to work properly and all my firewall rules between them to block things properly, but that hasn't happened yet.
IPv6 has been around for over 10 years at this point. The major firewall manufacturers have the sense to include automatic rules that block traffic originating from "outside" IPv6 addresses to "inside" IPv6 addresses. This functionality should work out of the box.

Side Note: Keep in mind that there is a difference between a pure router and a firewall. Using a firewall that has the capability to route is the ideal use case for people with home/small networks - you get a device that is capable of blocking a decent amount of traffic from outside to in while also providing basic static routing to the outside world. Pure routers are designed to...route...with support for advanced routing protocols and large tables to move packets as fast as possible. Most people use the two terms interchangeably but there are significant technical differences when you look under the hood in terms of the actual capabilities of the device that make themselves incredibly relevant when you operate networks at scale.

There are some curveballs that exist in IPv6 setups vs. IPv4. The biggest are:
  • Address acquisition for hosts does not necessarily run on DHCPv6 but relies on a protocol called SLAAC. Android/Google devices still do not support DHCPv6 and may very well never use DHCPv6 due to an interpretation of RFC standards from their technical fellows. (Plenty of documentation and drama around this in their bug tracker - https://issuetracker.google.com/issues/36949085)
  • You do not determine the subnets your network uses....at least not the first few hextets. Your ISP assigns a prefix (usually a /56) to your firewall which then breaks it down to /64s - enough for 256 different subnets (if I did my math right)
  • Subnetting in IPv6 is a tad different - standard practice is to use /64 for everything even for simple point to point links or very small subnets. For all intents and purposes, it's the replacement for the /24 in IPv4 world.
  • ARP is a thing of the past and has been replaced by NDP. Your "link local" address on any interface also plays a much larger role in connecting yourself to an IPv6 network, negotiating an IP address with the other clients in the same VLAN and ultimately acquiring a list of DNS servers, next hop (default gateway), and an IP address.
  • As most people know, due to the absolute insane number of IP addresses, there is no NAT. College campuses back in the day used to operate IPv4 with no NAT as they could go out and get /16's and /12's with relative ease. Only difference is that you don't have the "dummy" security a typical NAT setup provides and a firewall just has to act as an actual firewall and filter inbound traffic originating from unknown sources.
Comcast has been deploying IPv6 for almost 10 years now, as have many of the other major broadband providers around the country. Verizon FiOS FINALLY started deploying it earlier this year and is continuing to light up IPv6 up and down the east coast every day. (https://www.dslreports.com/forum/r32136440-Networking-IPv6-working) The change is transparent to "normies" and most don't even notice it's been enabled.

I have it fully enabled on my PFSense firewall and it was relatively straightforward once you understand the basic concepts and the differences from IPv4. No issues thus far and roughly 20% of my internet traffic has been flowing via IPv6.
That, and the transition would require that I have downtime, and I abhor downtime....
No...it doesn't. You can run IPv4 and IPv6 in a "dual stack" configuration. No downtime needed for the IPv4 side of things.
Quite frankly, at this rate it may never happen, unless it absolutely has to, In other words, when things stop working because I am still on IPV4 only.

My gut is still telling me to - when I am finally forced to make the switch - to try to construct something like what I already know, and just set up NAT66. This way I'll be able to keep my WAN and my LAN completely independent of each other the way I like it.
The reality is that the vast majority of users will move to IPv6 and not realize it because they just use routers managed by their ISPs. They won't notice any difference in the functionality of the internet.

Setting up NAT66 is just adding a step of complexity for you. While you can do it...there is absolutely no point. There is absolutely nothing wrong with using firewalls as....well what firewalls were meant to be....a stateful filter for packets and not a dummy device that hides a "private" network behind a single IP address.
I also HATE the idea of having to use DNS or hostnames to find machines on my local network instead of just memorizing all the IP addresses like I have always done it.
This is what DNS was designed to do. DNS has reached mass adoption and there are no "normies" out there manually typing in IP addresses to reach their favorite websites. There are things you can do to make IPv6 addresses more memorizable but since I have DNS fully implemented on my internal network, I really don't care anymore. The only places where you may consider not using DNS or DHCP reservations, for that matter, are networks not connected to the internet and where you don't want a DHCP or DNS server being a single point of failure. At this juncture, however, there are plenty of ways to mitigate that and it's just much easier to use DHCP and DNS as intended as it makes managing the address space on your local network, at scale, much easier.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,928
It depends....in the US? Perhaps never. You can still go to aws.amazon.com, sign up for an account, and spin up a server with an "elastic" IPv4 address for a very low amount of money.

In Asia? Likely within the next 10 years, a large portion of Asian hosted websites will be IPv6 only simply because they have a much smaller pool of IPv4 space and a lot more people. If American Technology companies want to continue courting that market, they will also need to get themselves IPv6 ready to reach these consumers.

When IPv4 address space trades at such high prices on the secondary market that it's financially unaffordable or impractical to continue buying IPv4 space to support new customers. At this point, the major American providers already have more than enough space to sustain themselves for many years so I don't see this happening anytime soon. Even if it does, there is trickery they can do with CG-NAT to stretch the IPs out even further.

As mentioned above, Asia is a different story.

IPv6 has been around for over 10 years at this point. The major firewall manufacturers have the sense to include automatic rules that block traffic originating from "outside" IPv6 addresses to "inside" IPv6 addresses. This functionality should work out of the box.

Side Note: Keep in mind that there is a difference between a pure router and a firewall. Using a firewall that has the capability to route is the ideal use case for people with home/small networks - you get a device that is capable of blocking a decent amount of traffic from outside to in while also providing basic static routing to the outside world. Pure routers are designed to...route...with support for advanced routing protocols and large tables to move packets as fast as possible. Most people use the two terms interchangeably but there are significant technical differences when you look under the hood in terms of the actual capabilities of the device that make themselves incredibly relevant when you operate networks at scale.

There are some curveballs that exist in IPv6 setups vs. IPv4. The biggest are:
  • Address acquisition for hosts does not necessarily run on DHCPv6 but relies on a protocol called SLAAC. Android/Google devices still do not support DHCPv6 and may very well never use DHCPv6 due to an interpretation of RFC standards from their technical fellows. (Plenty of documentation and drama around this in their bug tracker - https://issuetracker.google.com/issues/36949085)
  • You do not determine the subnets your network uses....at least not the first few hextets. Your ISP assigns a prefix (usually a /56) to your firewall which then breaks it down to /64s - enough for 256 different subnets (if I did my math right)
  • Subnetting in IPv6 is a tad different - standard practice is to use /64 for everything even for simple point to point links or very small subnets. For all intents and purposes, it's the replacement for the /24 in IPv4 world.
  • ARP is a thing of the past and has been replaced by NDP. Your "link local" address on any interface also plays a much larger role in connecting yourself to an IPv6 network, negotiating an IP address with the other clients in the same VLAN and ultimately acquiring a list of DNS servers, next hop (default gateway), and an IP address.
  • As most people know, due to the absolute insane number of IP addresses, there is no NAT. College campuses back in the day used to operate IPv4 with no NAT as they could go out and get /16's and /12's with relative ease. Only difference is that you don't have the "dummy" security a typical NAT setup provides and a firewall just has to act as an actual firewall and filter inbound traffic originating from unknown sources.
Comcast has been deploying IPv6 for almost 10 years now, as have many of the other major broadband providers around the country. Verizon FiOS FINALLY started deploying it earlier this year and is continuing to light up IPv6 up and down the east coast every day. (https://www.dslreports.com/forum/r32136440-Networking-IPv6-working) The change is transparent to "normies" and most don't even notice it's been enabled.

I have it fully enabled on my PFSense firewall and it was relatively straightforward once you understand the basic concepts and the differences from IPv4. No issues thus far and roughly 20% of my internet traffic has been flowing via IPv6.

No...it doesn't. You can run IPv4 and IPv6 in a "dual stack" configuration. No downtime needed for the IPv4 side of things.

The reality is that the vast majority of users will move to IPv6 and not realize it because they just use routers managed by their ISPs. They won't notice any difference in the functionality of the internet.

Setting up NAT66 is just adding a step of complexity for you. While you can do it...there is absolutely no point. There is absolutely nothing wrong with using firewalls as....well what firewalls were meant to be....a stateful filter for packets and not a dummy device that hides a "private" network behind a single IP address.

This is what DNS was designed to do. DNS has reached mass adoption and there are no "normies" out there manually typing in IP addresses to reach their favorite websites. There are things you can do to make IPv6 addresses more memorizable but since I have DNS fully implemented on my internal network, I really don't care anymore. The only places where you may consider not using DNS or DHCP reservations, for that matter, are networks not connected to the internet and where you don't want a DHCP or DNS server being a single point of failure. At this juncture, however, there are plenty of ways to mitigate that and it's just much easier to use DHCP and DNS as intended as it makes managing the address space on your local network, at scale, much easier.

I think what I have to do is build up a level of comfort with SLAAC and that my internal network depends on the global IPV6 address.

I have become very happy with the concept of my local network being completely independent of anything outside it. As long as I stay within one of the private address blocks, I can give my local machines any IP address I want and the outside world absolutely does not matter. The WAN IP address or address range can change, and it does not matter. The WAN can completely go down, and it does not matter. My internal network stays the same. It gives me a lot of flexibility.

After all, most of my network traffic never leaves the house. It is a minority of it that goes out over the WAN.

In my case I currently have 9 separate VLANs, each set up with its own /24 block inside the 10.0.0.0/8 block.

VLAN1 uses 10.0.1.0/24
VLAN2 uses 10.0.2.0/24
VLAN3 uses 10.0.3.0/24

etc. etc.

When I spin up a new machine in any of those I never have to even think about what is going on on the WAN side. I just make sure an IP address isn't in use (I mostly have all of this in my head, but I also keep a list, in case I forget), and set up a new static IP of my choosing. I don't even use DHCP for anything other than mobile devices over wifi. Everything else gets hardwired via wired ethernet, and gets a static IP address configured on the local machine.

It also bothers me to use DNS to map to hosts on the local network, or to even use hostnames at all. I feel like I should be in control and know all of my servers by IP address. That's how I've been doing it to date, and that's what I'm comfortable with.

I know that my Unifi server is 10.0.1.24, that my MythTV backend is 10.0.1.19, that the color printer is 10.0.1.16, the black and white printer is 10.0.1.15, the main switch is 10.0.1.2, etc. etc. etc. I have my entire network in my head. The concept of complicating things by adding another abstraction layer like DNS really annoys me.

Maybe this is a 90's way of thinking about networks, but what can I say. I'm a 90's kind of guy. I like having manual control over everything and not being dependent on any system that isn't strictly necessary or anything I don't control, like my ISP. My local network is mine, and it is completely separate and independent from the outside internet, unless I instruct a packet to traverse the router and head out to the WAN. I don't view them (the greater internet and my local network) as being part of the same thing. I view them as independent and partitioned things that are connected via a bridge. The whole outside world could die, but my network will still be my network. I feel like IPV6 is forcing me to change this mindset, and quite honestly, I hate it. I hate that every machine on my network will become independently addressable by the outside world. I like the obfuscation of a single IP facing the outside world, and no one knows what, if anything at all, is behind it.

Essentially, I North Korea my local network. Now IPV6 wants me to treat my local network as if it is a part of the greater internet and free trade it, and I am not liking that at all.

So where everything used to be simple and local and fully within my control, now I am going to be dependent on my ISP via SLAAC, and have to set up abstraction layers to keep track of things. It really feels like a step in a very wrong direction.

Also, being forced to dual stack things is a bloody nightmare. It's enough work to stay on top of one set of firewall rules. Now having to maintain two separate sets? What a bloody nightmare.
 

pek

prairie dog
Joined
Nov 7, 2005
Messages
2,459
Like computerbox34 said, firewalls today don't make a distinction between ipv4 rules and ipv6 rules (thank god), you don't have to make separate rules or separate virtual firewalls (with all their routing PITAs), it's just a rule that has both address types. If you have a firewall between you and the great unwashed, you've isolated yourself, the firewall blocks by default, and on the odd chance it doesn't, just make "any, any, all, all, deny" the last rule (do NOT make it the first rule), I always do that on any firewall I set up, work or home, it's habit by now.
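The two points in this post, a single rule (or alias) carrying both an IPv4 and an IPv6 entry, and the final "any, any, all, all, deny" rule having to be last, as a small first-match rule evaluator. This is an added example written for this thread, not code from pfSense or from anyone posting here; the rule format, the 10.0.1.0/24 and 2001:db8:1234:1::/64 aliases and the sample flows are all constructed (2001:db8::/32 is the documentation range, standing in for an ISP-delegated prefix).

```python
import ipaddress

ANY = "any"  # wildcard for source, destination or destination port


def _to_nets(spec):
    """ANY stays ANY; otherwise parse a list of CIDR strings. A list may mix
    IPv4 and IPv6 entries, which is how one alias covers both families."""
    if spec == ANY:
        return ANY
    return [ipaddress.ip_network(s, strict=False) for s in spec]


def make_rule(action, src=ANY, dst=ANY, dport=ANY):
    """One rule: action is "allow" or "deny"; src/dst are ANY or CIDR lists."""
    return {"action": action, "src": _to_nets(src), "dst": _to_nets(dst), "dport": dport}


def addr_matches(spec, addr):
    """True if addr falls inside any network in spec. Entries of the other
    address family are skipped, so the same rule serves v4 and v6 traffic."""
    if spec == ANY:
        return True
    return any(addr.version == net.version and addr in net for net in spec)


def evaluate(rules, src, dst, dport):
    """First-match evaluation, top to bottom. Returns (action, index of the rule
    that matched). Traffic matching nothing is denied with index None, modelling
    a firewall whose implicit policy is deny (constructed model, not pf itself)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same IP family")
    for i, r in enumerate(rules):
        if addr_matches(r["src"], s) and addr_matches(r["dst"], d) and r["dport"] in (ANY, dport):
            return r["action"], i
    return "deny", None


# Constructed aliases: each holds a v4 and a v6 entry for the same logical object.
LAN = ["10.0.1.0/24", "2001:db8:1234:1::/64"]
WEB_SERVER = ["10.0.1.24/32", "2001:db8:1234:1::24/128"]


def good_policy():
    """Catch-all deny placed LAST: specific allows above it still take effect."""
    return [
        make_rule("allow", src=LAN),                    # LAN hosts may go anywhere
        make_rule("allow", dst=WEB_SERVER, dport=443),  # inbound HTTPS to one host only
        make_rule("deny"),                              # any, any, all, all, deny
    ]


def bad_policy():
    """The same rules with the catch-all deny FIRST: it shadows everything below."""
    return [make_rule("deny")] + good_policy()[:2]


if __name__ == "__main__":
    flows = [
        ("10.0.1.5", "203.0.113.9", 443),            # LAN v4 host going out
        ("2001:db8:1234:1::5", "2001:db8::1", 443),  # LAN v6 host going out, same rule
        ("198.51.100.7", "10.0.1.24", 443),          # outside -> web server, allowed
        ("198.51.100.7", "10.0.1.3", 22),            # outside -> other host, denied
    ]
    for label, policy in (("deny last", good_policy()), ("deny first", bad_policy())):
        print(label)
        for flow in flows:
            print("  ", flow, "->", evaluate(policy, *flow))
```

The v4 and v6 flows from the LAN both hit rule 0 because one alias carries both address families; with the deny moved to the top, every flow returns ("deny", 0), which is exactly why pek says not to make it the first rule.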
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,928
Like computerbox34 said, firewalls today don't make a distinction between ipv4 rules and ipv6 rules (thank god), you don't have to make separate rules or separate virtual firewalls (with all their routing PITAs), it's just a rule that has both address types. If you have a firewall between you and the great unwashed, you've isolated yourself, the firewall blocks by default, and on the odd chance it doesn't, just make "any, any, all, all, deny" the last rule (do NOT make it the first rule), I always do that on any firewall I set up, work or home, it's habit by now.

Hmm. So in the rule I'd need to list BOTH the IPV4 and IPV6 addresses it applies to? I guess that's a little bit better, but still more addresses to keep track of when doing this shit.

How would this work in the case where

Do you have to firewall off the automatically generated link-local addresses as well or are they automatically local only? I haven't wrapped my brain around how this works quite yet.

Also, how do you keep track of your firewall rules when SLAAC could change them at any moment, or - as the problem Ready4Dis has, when his ISP changes the block on him?

Does a change in the block, result in a change in the address, and if I have written my rules against a specific address, it is now different, and breaks?

Or can you somehow write the rules against only the last /64 portion of the address and have the rest of it be a wildcard?

Still, seems way more complicated to manage than the status quo, even with the complications of NAT.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,928
Hmm. So in the rule I'd need to list BOTH the IPV4 and IPV6 addresses it applies to? I guess that's a little bit better, but still more addresses to keep track of when doing this shit.

So I am trying to figure out how to do this in pfsense:

The dropdowns allow me to select the protocol for my rule as IPv4 + IPV6 but I still just have the one source and one destination field to enter the affected address:

(screenshot of the pfSense rule editor showing the single source and destination fields)

Do I have to create an alias, and then in that alias list, list both the IPV4 and IPV6 addresses?

And how do I even structure it, such that it still works when the block changes or the SLAAC assigns a different address?

How do I even use static IPs on my local network anymore if IPs are doled out by the ISP via SLAAC?

Does this mean I can't use static IPs on my local network without paying my ISP for "business internet" that includes static IPs?

I guess I could play around with it a little bit, by enabling IPV6 only on my WAN, and then creating a new VLAN, and enabling IPV6 only on that LAN, giving me some space to experiment without tanking my current setup, but as of right now IPV6 is still making very little sense to me, and it is making me pretty angry that I am being forced into dealing with this shit.
 

BlueLineSwinger

[H]ard|Gawd
Joined
Dec 1, 2011
Messages
1,244
So I am trying to figure out how to do this in pfsense:

The dropdowns allow me to select the protocol for my rule as IPv4 + IPV6 but I still just have the one source and one destination field to enter the affected address:

(screenshot of the pfSense rule editor)
Do I have to create an alias, and then in that alias list, list both the IPV4 and IPV6 addresses?

And how do I even structure it, such that it still works when the block changes or the SLAAC assigns a different address?

How do I even use static IPs on my local network anymore if IPs are doled out by the ISP via SLAAC?

Does this mean I can't use static IPs on my local network without paying my ISP for "business internet" that includes static IPs?

I guess I could play around with it a little bit, by enabling IPV6 only on my WAN, and then creating a new VLAN, and enabling IPV6 only on that LAN, giving me some space to experiment without tanking my current setup, but as of right now IPV6 is still making very little sense to me, and it is making me pretty angry that I am being forced into dealing with this shit.

Yeah, these are all valid concerns/shortcomings regarding IPv6/SLAAC. IIRC I and others addressed them previously in this thread. I'm not familiar enough with current pfSense to offer specific guidance there.

There's no way to dynamically update any firewall if the ISP changes out the IPv6 block they issue from under you...

In theory, if the firewall can accept a hostname instead of an IP address (oh, you'd hate that I bet, I kinda cringe at the thought as well), then it resolves the above issue...

However, I'm not aware of any mechanism that enables a host to update its AAAA record on the DNS server when forced to update its IPv6 address in a SLAAC setup. So, back to square one.

Personally, I haven't bothered with setting up any IPv6 firewall rules for specific LAN hosts. Everything incoming is blocked, excepting ICMPv6, and DHCPv6 to the router itself. There are online IPv6 firewall scanners you can use to verify your setup. If I need to allow external access to a local host I stick with IPv4 for now.
 

ComputerBox34

[H]F Junkie
Joined
Nov 12, 2003
Messages
13,538
Hmm. So in the rule I'd need to list BOTH the IPV4 and IPV6 addresses it applies to? I guess that's a little bit better, but still more addresses to keep track of when doing this shit.

How would this work in the case where

Do you have to firewall off the automatically generated link-local addresses as well or are they automatically local only? I haven't wrapped my brain around how this works quite yet.
Link local addresses (any address in the fe80::/10 range) are non-routable addresses. Applying firewall rules to this range could potentially interfere with their intended function, which is to establish connectivity to all IPv6 neighbors on a network via NDP for SLAAC address negotiation. No firewall rules should be necessary.
Also, how do you keep track of your firewall rules when SLAAC could change them at any moment, or - as the problem Ready4Dis has, when his ISP changes the block on him?

Does a change in the block, result in a change in the address, and if I have written my rules against a specific address, it is now different, and breaks?

Or can you somehow write the rules against only the last /64 portion of the address and have the rest of it be a wildcard?

Still, seems way more complicated to manage than the status quo, even with the complications of NAT.
The ISP only controls a certain portion of your IPv6 address. (usually the first 4 hextets) Trying to create firewall rules that only apply to individual hosts that use SLAAC to acquire IP addresses will not work for the reason you have stated - they constantly change and (IMO) defeats the purpose of SLAAC. If you want to hand out specific IPv6 addresses for crazy per host firewall rules, you would need to utilize DHCPv6 with static assignments and create rules that can be crafted using REGEX expressions if your firewall supports it.

In PFSense, I have made my DUID permanent and enabled an option that will NEVER send a dhcpv6 "release" on the WAN interface. Theoretically, I should be able to maintain my block with Verizon forever as long as they don't decide to re-IP their entire network.
So I am trying to figure out how to do this in pfsense:

The dropdowns allow me to select the protocol for my rule as IPv4 + IPV6 but I still just have the one source and one destination field to enter the affected address:

(screenshot of the pfSense rule editor)
Do I have to create an alias, and then in that alias list, list both the IPV4 and IPV6 addresses?
PFSense is a firewall. It blocks all traffic by default unless you have an "allow any any" rule somewhere. The way this rule is written, you would be inserting another rule that effectively blocks ALL network traffic in BOTH directions. By default, your rules should look like this:

(screenshot of the default pfSense rule set)

(ignore the first 2 lines)
And how do I even structure it, such that it still works when the block changes or the SLAAC assigns a different address?

How do I even use static IP's on my local network anymore if IP's are doled out by the ISP via SLAAC?
SLAAC is a protocol that is negotiated between IPv6 capable hosts on the same VLAN and has nothing to do with your ISP for address assignment on your internal VLANs. Your ISP merely assigns a "prefix" that your firewall/router will take and inject into SLAAC and say "Hey! This is our subnet! This is the next hop!" (and some other miscellaneous configurable information). This is called an "RA" or "Router Advertisement". You can configure how PFSense handles and sends Router Advertisements here:
(screenshot of the pfSense Router Advertisements settings page)


There are multiple RA modes - if you click the blue "i," it explains the differences.
(screenshot of the Router Advertisement mode help text)


In your situation, I would recommend "Managed." Keep in mind that that will break devices that don't support DHCPv6 (ie. Android)
Does this mean I can't use static IP's on my local network without paing my ISP for "business internet" that includes static IP's?
I would recommend using DHCPv6 with reservations. The last few hextets will always stay the same while the first 4 can change.

IPv6 is superior here IMO because there are things you can configure to maintain your IPv6 subnet that you get from your ISP forever as I outlined above. Keep in mind that static IPs were never really offered to home customers for IPv4 either. For business plans, I imagine you can get your own dedicated IPv6 prefix just like you can get your own static IPv4 addresses/subnets depending on ISP.
I guess I could play around with it a little bit, by enabling IPV6 only on my WAN, and then creating a new VLAN, and enabling IPV6 only on that LAN, giving me some space to experiment without tanking my current setup, but as of right now IPV6 is still making very little sense to me, and it is making me pretty angry that I am being forced into dealing with this shit.
No one is forcing you to do anything. :) If you are in the US, you can still operate on IPv4 only and not notice a thing.

Who is your ISP? If you use PFsense, there is a ton of info out there for best configuration practices for each ISP and other good information, especially on Netgate's forum. For example, I think Comcast uses /60 delegated prefixes while Verizon FiOS is using /56.
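The address arithmetic behind this post and ComputerBox34's earlier one, worked through with Python's standard ipaddress module: a delegated /56 carved into 256 /64s (one per VLAN), link-local addresses identified as fe80::/10, a DHCPv6-reservation style address whose last hextets survive an ISP prefix change, and the "wildcard on the prefix, match on the suffix" idea Zarathustra asked about. This is an added example, not code from the thread or from pfSense. The delegations 2001:db8:aa00::/56 and 2001:db8:bb00::/56 are constructed from the documentation range, and suffix_rule_matches is a hypothetical illustration of interface-identifier matching, not a feature of any named firewall. It also covers the case Eulogy raises below, a bare /64 delegation, which leaves exactly one subnet to work with.

```python
import ipaddress

IID_MASK = 0xFFFF_FFFF_FFFF_FFFF  # low 64 bits of an address: the "last four hextets"


def _v6(addr):
    """Accept a string or an IPv6Address and return an IPv6Address."""
    return addr if isinstance(addr, ipaddress.IPv6Address) else ipaddress.IPv6Address(addr)


def split_delegation(delegated, new_len=64):
    """Carve an ISP-delegated prefix into /64 LAN subnets. A /56 yields
    2**(64-56) = 256 of them; a bare /64 delegation yields exactly one."""
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=new_len))


def host_address(subnet, iid):
    """Place a host with a fixed 64-bit interface identifier into a /64, the way a
    DHCPv6 reservation pins the suffix while the ISP owns the leading bits."""
    if subnet.prefixlen != 64:
        raise ValueError("LAN subnets are /64 in this scheme")
    return ipaddress.IPv6Address(int(subnet.network_address) | (iid & IID_MASK))


def interface_id(addr):
    """The host-controlled suffix of a full address, as an integer."""
    return int(_v6(addr)) & IID_MASK


def renumber(addr, new_delegation):
    """What an ISP prefix change does to a reserved address: the bits outside the
    delegation (subnet id + interface id) are kept, the delegated bits move."""
    net = ipaddress.IPv6Network(new_delegation)
    kept = int(_v6(addr)) & int(net.hostmask)
    return ipaddress.IPv6Address(int(net.network_address) | kept)


def is_link_local(addr):
    """fe80::/10: non-routable, used by NDP/SLAAC on the local link only."""
    return _v6(addr).is_link_local


def suffix_rule_matches(addr, iid):
    """Hypothetical 'wildcard prefix' rule: match on the interface identifier only,
    so the rule keeps working whichever prefix the ISP currently delegates."""
    return interface_id(addr) == iid


if __name__ == "__main__":
    subnets = split_delegation("2001:db8:aa00::/56")          # constructed ISP delegation
    print(len(subnets), "subnets; VLAN3 gets", subnets[3])
    printer = host_address(subnets[3], 0x10)                   # reservation ...::10
    print("printer:", printer, "iid:", hex(interface_id(printer)))
    moved = renumber(printer, "2001:db8:bb00::/56")            # ISP hands out a new /56
    print("after renumber:", moved, "suffix rule still matches:", suffix_rule_matches(moved, 0x10))
    print("link-local? fe80::1 ->", is_link_local("fe80::1"), "| printer ->", is_link_local(printer))
    print("bare /64 delegation leaves", len(split_delegation("2001:db8:cc00:1::/64")), "subnet")
```

With a /56 the ISP owns the first 56 bits, the firewall owns the remaining 8 bits of the fourth hextet for the subnet id, and the host (or the DHCPv6 reservation) owns the last 64 bits; renumbering keeps the last two of those parts intact, which is why a rule written against the suffix alone would survive a prefix change while one written against the full address would not.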
 

pek

prairie dog
Joined
Nov 7, 2005
Messages
2,459
Sorry, haven't delved into PFsense, just PaloAlto, cisco & fortigate, so I can't help you without training up on PFsense. As ComputerBox34 said, the link-local addresses are just for neighbor discovery (the mechanism that ipv6 uses for auto-discovery) and shouldn't be used for routing. IPv4 will be around for quite a while, you have plenty of time to learn ipv6. I just looked at my pihole stats, looks like about 20% of my dns lookups (AAAA) are ipv6, I don't use ipv6 on my internal lan and my isp doesn't do ipv6, yet (no ipv6 ip on the wan side of my router).
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,814
Who is your ISP? If you use PFsense, there is a ton of info out there for best configuration practices for each ISP and other good information, especially on Netgate's forum. For example, I think Comcast uses /60 delegated prefixes while Verizon FiOS is using /56.
Comcast tends to hand out /64 prefixes (at least for myself and my friends that have set up ipv6 at home, on comcast).
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,928
Well, having done some more reading, I think I am fine putting this off for now.

Maybe if google gets their heads out of their asses and starts supporting DHCPv6 in Android, I'll make the transition, but until that time I am happy to stay on IPV4.

The overwhelming majority of my network traffic is local anyway, and for that IPV4 will continue to work just fine forever.

If stuff starts breaking, or if they CG-NAT me such that I can no longer port forward inbound traffic, I'll probably keep a "block all" rule both inbound and outbound on IPV6 and carve out holes for specific clients/servers that need IPV6 on a case by case basis, leaving everything else blocked.
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,814
I don't understand hating on DNS, forcing memorizing IPs, or hesitating on jumping on decades old tech stacks... but, it sounds like you found your own path forward. I ran dual stack ipv6 for a few years, and, now most of my systems are ipv6 only. Not dealing with any NAT and other BS alone has been worth it (recall, too, that NAT is a hacky protocol simply there to battle against IP exhaustion and was intended to be temporary during the transition to ipv6. Oh, how optimistic folks were).
 

ComputerBox34

[H]F Junkie
Joined
Nov 12, 2003
Messages
13,538
I don't understand hating on DNS, forcing memorizing IPs, or hesitating on jumping on decades old tech stacks... but, it sounds like you found your own path forward. I ran dual stack ipv6 for a few years, and, now most of my systems are ipv6 only. Not dealing with any NAT and other BS alone has been worth it (recall, too, that NAT is a hacky protocol simply there to battle against IP exhaustion and was intended to be temporary during the transition to ipv6. Oh, how optimistic folks were).
How are you handling 6to4 for websites like Amazon that don't do IPv6?
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,814
NAT64 -- works for TCP, UDP, and ICMP only though (+ WAN still has an ipv4 interface). Sites and services that aren't reachable via ipv6 are the only reason I have a handful of things still dual stacked.
 

BlueLineSwinger

[H]ard|Gawd
Joined
Dec 1, 2011
Messages
1,244
Comcast tends to hand out /64 prefixes (at least for myself and my friends that have set up ipv6 at home, on comcast).

Unless your region is weird and non-standard for them, Comcast will hand out a /60 (consumer) or /56 (business) IPv6 block if the router requests it. This can then be parted out by the router as /64 subnets to its various VLANs/interfaces.


NAT64 -- works for TCP, UDP, and ICMP only though (+ WAN still has an ipv4 interface). Sites and services that aren't reachable via ipv6 are the only reason I have a handful of things still dual stacked.

I thought about trying this, but it seems to me like it's just trading one NAT headache for another even less mature one.
 

Eulogy

2[H]4U
Joined
Nov 9, 2005
Messages
2,814
Unless your region is weird and non-standard for them, Comcast will hand out a /60 (consumer) or /56 (business) IPv6 block if the router requests it. This can then be parted out by the router as /64 subnets to its various VLANs/interfaces.

I thought about trying this, but it seems to me like it's just trading one NAT headache for another even less mature one.
Hm, when I do a request from them, and set a prefix hint of ::/0, they hand me a /64. I'll have to play around with it more and see if I just have something configured elsewhere.

It was certainly "fun" to play with, and it does work, but, only minimally. For now, just going dual stack seems the best bet until everyone gets on board with ipv6.
 

BlueLineSwinger

[H]ard|Gawd
Joined
Dec 1, 2011
Messages
1,244
Hm, when I do a request from them, and set a prefix hint of ::/0, they hand me a /64. I'll have to play around with it more and see if I just have something configured elsewhere.

It was certainly "fun" to play with, and it does work, but, only minimally. For now, just going dual stack seems the best bet until everyone gets on board with ipv6.

Not sure what router you're using. I'm more familiar with setting up the Edgerouter for IPv6. The following is what I have, FWIW, maybe it'll help:

Code:
interfaces {
    ethernet eth0 {
        description Local
        duplex auto
        speed auto
        vif 10 {
            *snip*
        }
        vif 19 {
            *snip*
        }
        vif 21 {
           *snip*
        }
        vif 25 {
            *snip*
        }
        vif 29 {
            *snip*
        }
        vif 99 {
            *snip*
        }
        vif 915 {
            *snip*
        }
    }
    ethernet eth1 {
        address dhcp
        description eth1
        disable
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description WAN
        dhcpv6-options {
        }
        dhcpv6-pd {
            pd 1 {
                interface eth0.10 {
                    host-address ::1
                    no-dns
                    prefix-id :0
                    service slaac
                }
                interface eth0.19 {
                    host-address ::1
                    no-dns
                    prefix-id :4
                    service slaac
                }
                interface eth0.21 {
                    host-address ::1
                    no-dns
                    prefix-id :2
                    service slaac
                }
                interface eth0.25 {
                    host-address ::1
                    no-dns
                    prefix-id :5
                    service slaac
                }
                interface eth0.29 {
                    host-address ::1
                    no-dns
                    prefix-id :3
                    service slaac
                }
                interface eth0.99 {
                    host-address ::1
                    no-dns
                    prefix-id :1
                    service slaac
                }
                prefix-length 60
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            *snip*
        }
        speed auto
    }
    loopback lo {
    }
}

eth0 is the LAN, eth2 is WAN. Each vif on eth0 is a VLAN (eth1 is unused). There is a specific option prefix-length on the WAN interface. It seems counter-intuitive, but the prefix hints/etc. for each LAN VLAN are also specified on the WAN (I don't know if this is some Edgerouter/VyOS quirk, or extends deeper into Linux, I'm guessing the latter).
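As an added example (not the poster's config and not EdgeRouter or VyOS code), this shows what the dhcpv6-pd block above does with its prefix-ids: each VLAN's /64 is carved out of the delegated /60 and the router takes host-address ::1 in it. It also shows why a DHCPv6 reservation keeps working when the ISP changes the delegated prefix, as mentioned earlier in the thread: the host's low 64 bits survive the rebase. The delegated prefixes are constructed documentation addresses, not anyone's real allocation.

```python
import ipaddress

# Constructed: VLAN -> prefix-id mapping copied from the quoted dhcpv6-pd
# block (eth0.10 -> :0, eth0.19 -> :4, eth0.21 -> :2, ...).
VLAN_PREFIX_IDS = {10: 0, 19: 4, 21: 2, 25: 5, 29: 3, 99: 1}


def vlan_subnet(delegated: str, prefix_id: int, host_address: str = "::1"):
    """Return (subnet, router address) for one prefix-id inside a delegated
    prefix, the same carve-up dhcpv6-pd performs per LAN interface."""
    pd = ipaddress.IPv6Network(delegated)  # strict: host bits must be zero
    if pd.prefixlen > 64:
        raise ValueError(f"{delegated} is too small to carve /64s from")
    subnets = list(pd.subnets(new_prefix=64))  # a /60 yields 16 /64s
    if not 0 <= prefix_id < len(subnets):
        raise ValueError(f"prefix-id {prefix_id:x} outside 0..{len(subnets) - 1:x}")
    net = subnets[prefix_id]
    suffix = int(ipaddress.IPv6Address(host_address))
    if suffix >> 64:
        raise ValueError("host-address must fit in the low 64 bits")
    return net, ipaddress.IPv6Address(int(net.network_address) | suffix)


def plan(delegated: str):
    """Subnet plan for every VLAN in VLAN_PREFIX_IDS."""
    return {vlan: vlan_subnet(delegated, pid) for vlan, pid in VLAN_PREFIX_IDS.items()}


def rebase(address: str, new_subnet: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep a host's interface identifier (low 64 bits) when the ISP hands out
    a new delegated prefix; this is the stability a DHCPv6 reservation relies on."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(new_subnet.network_address) | iid)


if __name__ == "__main__":
    # Constructed /60 from the documentation range.
    for vlan, (net, gw) in sorted(plan("2001:db8:abcd:1230::/60").items()):
        print(f"eth0.{vlan:<3} {net}  router {gw}")
```

A /64 delegation, the case several posters report getting, leaves only prefix-id 0 valid, which is why the per-VLAN split in the config above needs the /60.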
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,928
(recall, too, that NAT is a hacky protocol simply there to battle against IP exhaustion and was intended to be temporary during the transition to ipv6. Oh, how optimistic folks were).

I think people overstate the problems with NAT, and completely dismiss the benefits of it.

No, it's not a matter of security, anyone who relies on NAT as a form of security is deluding themselves, but it IS a matter of flexibility.

I guess I take exception with the fact that my local network is "a part of the internet" that should be one to one addressable with the greater internet.

I see my network as my network, as having nothing to do with the internet. The overwhelming majority of traffic on my network is local only, and doesn't care about the outside world or even if it exists at all.

NAT offers a ton of flexibility. As long as I just use the predefined private IP addresses, I can do whatever the hell I want with my local configurations, and don't have to care about the internet, and that's how I like it.

As soon as I have to have and use externally defined globally unique addresses assigned by an ISP, my network feels less like my network. It feels like it is just an extension of the internet, and I have a great deal of reservations when it comes to that.

My local network is mine, its purpose is not solely as a way to access the internet, it is separate from the internet, and retains the ability to occasionally access it via a bridge that I have defined, and that's the way I like it. I PREFER NAT and really don't ever want to see it go away.

My local network is not the internet, and should not have to be 1:1 addressable with anything outside of my network, ever.
 