except for not using it at all, of course.

So I want to make my homelab IPv6 ready, because I have too much free time, I guess. There are two decisions that I’m currently unsure about:

  1. ULA or not. Do you have local only addresses or do your clients communicate using the global IPv6 address? Does not using ULAs work without a static IP from the ISP?
  2. DHCPv6 or is SLAAC enough?

For each question both options seem to be possible and I’m interested in your experience.

Cheers

  • shadowtofu@discuss.tchncs.de
    2 upvotes · 5 hours ago

    I use both ULA and global addresses. Servers set a token to make the last 64 bits predictable, which simplifies dyndns. For some critical internal communication, I hard code the ULA address in my hosts file, for everything else, I rely on DNS (with global addresses). No DHCPv6.

    I usually just disable IPv4 on my VMs, unless there is a specific need for IPv4. Most container networks are single stack as well. I have a squid proxy that services can use to access IPv4 http/https destinations if really necessary (combined with some additional filter rules); ideally I would like to have 464xlat/a nat64 gateway, but I never bothered to set that up yet. I will likely do that when I buy a new router (end of year?). I expect all my devices to support CLAT by then, so that will be the end of IPv4 on my network.

  • JustEnoughDucks@slrpnk.net
    1 upvote · 8 hours ago

    Every discussion I have seen on the subject says that docker ipv6 is pretty busted from a security perspective and you have to implement a bunch of workarounds.

    I don’t have the time both to migrate to podman (and maybe have to run dual stacks for what isn’t available) AND migrate to ipv6. But apparently the way podman does it is also kind of a hacky way (I am far from a networking expert) so I will sit with my pretty decent, secure, and working ipv4 lol

  • nitrolife@hikki.team
    3 upvotes · edited · 12 hours ago

    My provider doesn’t provide IPv6, but I rented a server in a data center, bought a subnet, and tunneled it home via WireGuard. So the scheme is roughly: VPS (fd00:1::/64) <-> (fd00:1::/64) Home router (realv6/64) <-> Home network

    Router configuration:

    /etc/sysctl.d/10-ipv6-privacy.conf

    net.ipv6.conf.all.use_tempaddr = 0
    net.ipv6.conf.default.use_tempaddr = 0
    net.ipv6.conf.all.forwarding = 1
    net.ipv6.conf.default.forwarding = 1
    

    /etc/radvd.conf

    interface br0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 30;
    
        AdvManagedFlag on;      # M=1 → Address via DHCPv6
        AdvOtherConfigFlag on;  # O=1 → Additional options via DHCPv6
    
        # SLAAC is still possible for Android
        prefix realv6::/64 {
            AdvOnLink on;
            AdvAutonomous on;   # Allow SLAAC
        };
    
        RDNSS realv6::1 {
            AdvRDNSSLifetime 1800;
        };
        DNSSL home.lan {
            AdvDNSSLLifetime 1800;
        };
    };
    

    /etc/kea/kea-dhcp6.conf

    {
      "Dhcp6": {
        "interfaces-config": {
          "interfaces": [ "br0" ]
        },
    
        "lease-database": {
          "type": "memfile",
          "persist": true,
          "lfc-interval": 86400,
          "name": "/var/lib/kea/dhcp6.leases"
        },
    
        "renew-timer": 21600,
        "rebind-timer": 43200,
        "preferred-lifetime": 43200,
        "valid-lifetime": 86400,
    
        "subnet6": [
          {
            "id": 1,
            "subnet": "realv6::/64",
            "interface": "br0",
            "pools": [
              { "pool": "realv6::1000 - realv6::ffff" }
            ],
            "option-data": [
              { "name": "dns-servers",   "data": "realv6::1" },
              { "name": "domain-search", "data": "home.lan" }
            ]
          }
        ],
    
        "loggers": [
          {
            "name": "kea-dhcp6",
            "output-options": [
              { "output": "stdout" }
            ],
            "severity": "WARN"
          }
        ]
      }
    }
    

    And of course, iptables is necessary. Something like:

    /etc/iptables/ip6tables.rules

    # Generated by ip6tables-save v1.6.0 on Thu Sep  8 13:29:11 2016
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    #BASE INPUT
    -A INPUT -i eno1 -j DROP
    -A OUTPUT -o eno1 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eno1 -j DROP
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p ipv6-icmp -j ACCEPT
    COMMIT
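
A first-match walk over the INPUT and FORWARD rules posted above, run against a few constructed packets, shows what the tunnel side can reach on the LAN. This is an added example, not part of the comment; `wg0` is an assumed name for the WireGuard interface, and the evaluator only understands the matches that appear in this ruleset.

```python
import shlex

# INPUT and FORWARD lines copied from the ip6tables.rules posted above.
RULES = """
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eno1 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eno1 -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
"""
MATCH = {"-i": "in", "-p": "proto"}  # rule option -> packet field

def parse(text):
    """Return (policies, chains); handles only option/value pairs as used above."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif tok[:1] == ["-A"]:
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policies, chains

def verdict(chain, pkt, policies, chains):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chains.get(chain, []):
        exact = all(pkt.get(MATCH[k]) == v for k, v in rule.items() if k in MATCH)
        state = "--state" not in rule or pkt.get("state") in rule["--state"].split(",")
        if exact and state:
            return rule["-j"]
    return policies[chain]

def audit():
    """Verdicts for constructed probes; wg0 is an assumed name for the tunnel."""
    pol, ch = parse(RULES)
    probes = {
        "tunnel->LAN new tcp": ("FORWARD", {"in": "wg0", "proto": "tcp", "state": "NEW"}),
        "tunnel->LAN reply tcp": ("FORWARD", {"in": "wg0", "proto": "tcp", "state": "ESTABLISHED"}),
        "tunnel->LAN icmpv6": ("FORWARD", {"in": "wg0", "proto": "ipv6-icmp", "state": "NEW"}),
        "LAN->tunnel new tcp": ("FORWARD", {"in": "br0", "proto": "tcp", "state": "NEW"}),
        "eno1->LAN icmpv6": ("FORWARD", {"in": "eno1", "proto": "ipv6-icmp", "state": "NEW"}),
    }
    return {name: verdict(c, p, pol, ch) for name, (c, p) in probes.items()}
```

The `tunnel->LAN icmpv6` probe is accepted because `-A FORWARD -p ipv6-icmp -j ACCEPT` matches every ICMPv6 type, echo requests included, while new TCP from the tunnel falls through to the DROP policy.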
    
    
  • zewm@lemmy.world
    1 upvote, 1 downvote · 8 hours ago

    Disabled. IPv6 is slow af whenever I have it on. As soon as I disable it, my bandwidth goes full speed.

    I’m not sure what they were thinking with that technology but it’s dead in the water and we need to find a better protocol. It’s also terribly difficult to memorize. The numbering scheme is worse than the Xbox naming scheme.

  • eleitl@lemmy.zip
    2 upvotes · 14 hours ago

    Just static IP, since I have a static subnet delegated by my provider, on a shitty cable modem.

  • Jul (they/she)@piefed.blahaj.zone
    9 upvotes, 1 downvote · 23 hours ago

    I can’t get IPv6 in any worthwhile form from my ISP. IMHO IPv6 isn’t any more useful than IPv4 if you only have ULA. And NAT is not as well supported since it wasn’t intended to even be really necessary for example. So even if you are starting from scratch or just using it internally, there are some disadvantages to implementing it over just sticking with IPv6. But if your ISP actually provides IPv6 it might be worth it as long as your devices all support it. But otherwise you’re going to need to set up IPv4 in addition, anyway, so you’re just going to create problems for no good reason, IMHO.

    • anyhow2503@lemmy.world
      3 upvotes · 12 hours ago

      Dual stack setups are not an issue unless your router doesn’t support it or your ISP sucks.

  • Pika@sh.itjust.works
    17 upvotes, 3 downvotes · 1 day ago

    I don’t use IPv6 on my lab. They’ve been screaming to the bleachers since like 2010 that IPv6 is right around the corner due to lack of addresses, and I’ve still seen no real reason to want to adopt for it.

    My current provider doesn’t even support it… so why should I?

    • ElectricVocalist@jlai.lu
      4 upvotes · 11 hours ago

      I have been ipv6 only for a few years due to my ISP and it made a few ipv4-only people very angry when they couldn’t access my websites

    • Bloefz@lemmy.world
      5 upvotes, 1 downvote · edited · 21 hours ago

      In fact when I was in college taking classes on IPv6 we were told it would be everywhere next year.

      This was 1994. Lol

      Personally I don’t like it because it’s too overengineered for me. They should have added 2 bytes to IPv4 and called it a day. That means we would have had the address space of 65536 internets. Really plenty. IPv6 has too much space.

    • darklamer@feddit.org
      7 upvotes, 2 downvotes · 1 day ago

      My current provider doesn’t even support it…

      In what kind of godforsaken backwater do ISPs that don’t support IPv6 still exist!?

      • felbane@lemmy.world
        1 upvote · edited · 9 minutes ago

        There are a few ISPs in North America that support ipv6, but many many don’t. As much as I detest the recent push toward “5G Internet to the Home”, it at least does increase adoption of IPv6 since (from what I understand) basically all mobile carriers are v6-only and do CGNAT for v4 support.

        I don’t know if that translates to the 5G-at-home offering but it wouldn’t surprise me since most customers don’t care what address scheme is being used as long as Netflix works.

      • comrade_twisty@feddit.org
        3 upvotes · 1 day ago

        Switzerland, we have the best and worst of both worlds. 25GBit Fiber home connections for less than 100 USD per month and ISPs that only support IPv4.

        • Jenseitsjens@lemmy.world
          3 upvotes · 17 hours ago

          Which fiber provider doesn’t support IPv6? I thought it was only Swisscom mobile and its subsidiaries which don’t support it (though from what I heard, even that is in testing now)

          • comrade_twisty@feddit.org
            2 upvotes · edited · 15 hours ago

            Small former Gemeinschaftsanntenne in my town and surrounding villages, I don’t wanna dox myself so can’t tell you the name. They probably have anywhere between 10-20k customers only. But afaik they are just one of many IPv4 only ISPs in Switzerland.

            • darklamer@feddit.org
              1 upvote · 1 hour ago

              Small former Gemeinschaftsanntenne in my town and surrounding villages,

              Ah, I see, that really does sound like a few places I know in Graubünden that wouldn’t be all too unfair to call “godforsaken backwater” (when it comes to the internet), despite all their charm. 😉

      • Pika@sh.itjust.works
        3 upvotes · edited · 1 day ago

        Yea that was similar to my response when I figured I would look into it a few years back. No ipv6 and no ip address rotation unless it’s offline for more than 24h, which makes things simple.

  • slazer2au@lemmy.world
    19 upvotes, 1 downvote · 1 day ago

    Don’t use ULA, those are non internet routable addresses so they will never use v6 for internet things. Use the range assigned from your ISP.
    SLAAC. Because Android has one ass of a dev who refuses to include DHCPv6

  • deadbeef79000@lemmy.nz
    9 upvotes · 1 day ago

    ISP issues a prefix that I delegate.

    Also delegate an ULA prefix, intended for stake local addresses but d actually just use ipv4 for those (also had difficulty getting ipv6 to work with microk8s and multus due to inexperience).

    SLAAC.

  • irmadlad@lemmy.world
    6 upvotes · edited · 1 day ago

    I use IPv6 local only. Everything else is IPv4. Reason being, my commercial VPN does not support IPv6 and I have reservations about leakage. My ISP already ships with IPv4 & IPv6.

  • tburkhol@slrpnk.net
    7 upvotes · 1 day ago

    My setup is a pile of kludges built on top of each other over the last two decades.

    I started with ULAs distributed through DHCP, connected to named, which allows hosts to declare their own name and let me access local services as though I had a real domain.

    My ISP eventually started supporting IPV6, but only assigned /128, so the ULAs got NAT-6ed out to the real world.

    I eventually learned how to request prefix delegation from the ISP and set up SLAAC.

    So now, my IPv6 clients have a) their link-local address, b) the ULA, c) a “privacy” SLAAC, and d) a unique SLAAC. All my internal services still refer to the ULAs.

    I don’t think I’d recommend this system for someone setting up from scratch. The easiest thing would be to go with SLAAC, if you can get prefix delegation, and set your DNS/pihole to send the unique-SLAAC address of any servers you run.
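
With several addresses on each client, as listed in this comment, and an interface token fixing the last 64 bits, as described in an earlier comment, the stable address to publish can be picked mechanically. The sketch below is an added example, not part of any comment in the thread; the prefixes, the token `::10` and the function names are constructed for illustration.

```python
import ipaddress

GUA = ipaddress.IPv6Network("2000::/3")   # global unicast
ULA = ipaddress.IPv6Network("fc00::/7")   # unique local (RFC 4193)

def tokenized(prefix, token):
    """Join a /64 prefix with an interface token (the low 64 bits)."""
    net = ipaddress.IPv6Network(prefix)
    tok = int(ipaddress.IPv6Address(token))
    if net.prefixlen != 64 or tok >> 64:
        raise ValueError("need a /64 prefix and a token within the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | tok)

def scope(addr):
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    return "ula" if a in ULA else "global" if a in GUA else "other"

def records(iface_addrs, token):
    """Pick what to publish: the tokenized global address for DNS, the
    tokenized ULA for the hosts file; everything else stays unpublished."""
    out = {"dns": None, "hosts_file": None, "unpublished": []}
    tok = int(ipaddress.IPv6Address(token))
    for addr in map(ipaddress.IPv6Address, iface_addrs):
        stable = (int(addr) & (2**64 - 1)) == tok
        kind = scope(addr)
        if stable and kind == "global":
            out["dns"] = str(addr)
        elif stable and kind == "ula":
            out["hosts_file"] = str(addr)
        else:
            out["unpublished"].append(str(addr))
    return out

# Constructed sample: documentation prefix as the ISP delegation, made-up ULA.
TOKEN = "::10"
SAMPLE = [
    "fe80::10",                               # link-local
    "fd12:3456:789a:1::10",                   # ULA + token
    "2001:db8:aa:1::10",                      # delegated prefix + token
    "2001:db8:aa:1:5c1f:9b02:77de:41a3",      # temporary ("privacy") address
]
```

When the ISP hands out a new prefix, `tokenized(new_prefix, TOKEN)` gives the replacement AAAA record without querying the host, while the ULA entry in the hosts file stays unchanged.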

    • felbane@lemmy.world
      5 upvotes · 10 hours ago

      My ISP eventually started supporting IPV6, but only assigned /128

      This is hilarious to me.

      “We’ve got 7.9 septillion addresses to play with in each of our v6/32 LIR allocations… if we follow the standard and give each customer a whole network prefix, that caps us at 4 billion customers per LIR! Nonsense, let’s just give every household a single v6 address.”

      It’s like these people don’t understand what IPv6 is for.

  • NotEasyBeingGreen@slrpnk.net
    7 upvotes · 1 day ago

    I use ULA for my WireGuard tunnels, otherwise it’s all public IPv6 (mostly lightly firewalled).

    I’m fine with SLAAC, even for servers. I just manually update my DNS with the server addresses when I set them up.

    • SteveTech@aussie.zone
      1 upvote · 1 day ago

      For me, every subnet (except internal only ones) has a global IPv6 prefix, including my Wireguard tunnels. I’ve got a mix of statically assigned and SLAAC. I think I’ve set up DHCPv6 too but it either doesn’t work or nothing uses it.

  • K3CAN@lemmy.radio
    5 upvotes · 1 day ago

    The only systems with ipv6 in my network are Wi-Fi devices and my public-facing reverse proxy. I use a prefix delegated by my ISP.

    All of my non-public servers have ipv4 only.

  • linuxguy@piefed.ca
    4 upvotes · 1 day ago

    SLAAC with ISP-provided prefix. Everything that wants an IPv6 address gets one and I’ve got my firewall set to block pretty much all in-bound traffic other than SSH. It’s nice being able to SSH directly to something rather than using a jump host or VPN.

    I also use ULA because NFS mounts over IPv6 on the global addresses would hang/timeout every time the SLAAC address rotated which is frequent due to privacy extensions.