except for not using it at all, of course.

So I want to make my homelab IPv6 ready, because I have too much free time, I guess. There are two decisions that I’m currently unsure about:

  1. ULA or not. Do you have local only addresses or do your clients communicate using the global IPv6 address? Does not using ULAs work without a static IP from the ISP?
  2. DHCPv6 or is SLAAC enough?

For each question both options seem to be possible and I’m interested in your experience.

Cheers

  • nitrolife@hikki.team
    13 hours ago

    My provider doesn’t provide IPv6, but I rented a server in a data center, bought a subnet, and tunneled it home via WireGuard. So the scheme is roughly: VPS (fd00:1::/64) <-> (fd00:1::/64) Home router (realv6/64) <-> Home network

    Router configuration:

    /etc/sysctl.d/10-ipv6-privacy.conf

    net.ipv6.conf.all.use_tempaddr = 0
    net.ipv6.conf.default.use_tempaddr = 0
    net.ipv6.conf.all.forwarding = 1
    net.ipv6.conf.default.forwarding = 1
    

    /etc/radvd.conf

    interface br0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 30;
    
        AdvManagedFlag on;      # M=1 → Address via DHCPv6
        AdvOtherConfigFlag on;  # O=1 → Additional options via DHCPv6
    
        # SLAAC is still possible for Android
        prefix realv6::/64 {
            AdvOnLink on;
            AdvAutonomous on;   # Allow SLAAC
        };
    
        RDNSS realv6::1 {
            AdvRDNSSLifetime 1800;
        };
        DNSSL home.lan {
            AdvDNSSLLifetime 1800;
        };
    };
    

    /etc/kea/kea-dhcp6.conf

    {
      "Dhcp6": {
        "interfaces-config": {
          "interfaces": [ "br0" ]
        },
    
        "lease-database": {
          "type": "memfile",
          "persist": true,
          "lfc-interval": 86400,
          "name": "/var/lib/kea/dhcp6.leases"
        },
    
        "renew-timer": 21600,
        "rebind-timer": 43200,
        "preferred-lifetime": 43200,
        "valid-lifetime": 86400,
    
        "subnet6": [
          {
            "id": 1,
            "subnet": "realv6::/64",
            "interface": "br0",
            "pools": [
              { "pool": "realv6::1000 - realv6::ffff" }
            ],
            "option-data": [
              { "name": "dns-servers",   "data": "realv6::1" },
              { "name": "domain-search", "data": "home.lan" }
            ]
          }
        ],
    
        "loggers": [
          {
            "name": "kea-dhcp6",
            "output-options": [
              { "output": "stdout" }
            ],
            "severity": "WARN"
          }
        ]
      }
    }
    

    And of course, iptables is necessary. Something like: /etc/iptables/ip6tables.rules

    # Generated by ip6tables-save v1.6.0 on Thu Sep  8 13:29:11 2016
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    #BASE INPUT
    -A INPUT -i eno1 -j DROP
    -A OUTPUT -o eno1 -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eno1 -j DROP
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p ipv6-icmp -j ACCEPT
    COMMIT
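
The radvd and Kea configuration in the comment above leaves SLAAC and DHCPv6 enabled on the same /64, so a host can end up with addresses from either source. The following is an added example, not code from the thread: it classifies an IPv6 address by scope (ULA, global, link-local) and guesses its origin. `2001:db8:1::/64` is a constructed stand-in for the `realv6` placeholder, the pool bounds mirror the Kea pool, and the EUI-64 check is a heuristic.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")          # unique local, e.g. fd00:1::/64
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def scope(addr):
    """Return 'link-local', 'ula', 'global' or 'other' for an IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def source(addr, prefix, pool_first, pool_last):
    """Guess how a host obtained an address inside `prefix` (heuristic)."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.ip_network(prefix):
        return "off-prefix"
    if ipaddress.IPv6Address(pool_first) <= a <= ipaddress.IPv6Address(pool_last):
        return "dhcpv6-pool"
    if eui64_mac(addr):
        return "slaac-eui64"       # stable address that exposes the NIC's MAC
    return "slaac-or-static"       # privacy/stable-opaque IID or manual config

if __name__ == "__main__":
    # Constructed sample addresses; the prefix stands in for realv6::/64.
    prefix = "2001:db8:1::/64"
    pool = ("2001:db8:1::1000", "2001:db8:1::ffff")
    samples = ["fd00:1::2", "fe80::1", "2001:db8:1::1234",
               "2001:db8:1::211:22ff:fe33:4455", "2001:db8:1::1"]
    for s in samples:
        print(f"{s:34} {scope(s):10} {source(s, prefix, *pool):16} "
              f"{eui64_mac(s) or '-'}")
```
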