Very useful, but I don't understand concept 1, "Don't pick numbers".
If I'm right, it's basically saying don't do stuff manually, just let the computer do it. I kind of disagree with this. All of my fixed devices have a fixed IP that I manually assigned and derived from the original v4 schema I also have. For example 192.168.x.y becomes prefix::y
IPv6 requires fundamental rethinking about how addressing is done. If you're trying to apply v4 concepts to v6, you'll likely end up running into something they intentionally designed out.
A unique local address is an address space where you could do that. It's the equivalent of RFC 1918, e.g. 172/192/10.
So you could statically assign fd0::x, and that is expected, but not required generally.
I wouldn't give each device a static unique global address unless it needs to be accessed via WAN without a domain consistently. You lose device privacy really quickly that way because every device gets a unique globally routable address. It's fine for internet-facing services, but most Linux, Windows, and mobile implementations use IPv6 privacy extensions by default to ensure you get a random GUA every day.
My network is dual stack and I connect mostly over IPv6 to all my internal clients using internal DNS. If my internal DNS is ever down I can fall back to IPv4, or it's basically the one box on my network with an easy-to-remember ULA.
On one hand you definitely don't want to be assigning manual/static IPv6 to all your devices, because if your prefix ever changes you'll have to update it everywhere. IPv6 doesn't really have a concept of private address space (with a few exceptions). On the other hand, most modern IPv6 stacks support dynamic protocols like SLAAC while also assigning a static suffix to the published prefix (e.g. you want :0:0:1234:1 to go to your server; SLAAC gets the prefix 200x::5678/64, and your server would assign itself 200x::5678:0:0:1234:1).
DHCPv6 fixes a lot of these headaches for managed networks by allowing you to reserve a specific IPv6 address for a given DUID.
IMO, your network, do what you want. I have two jump Raspberry Pis that I gave static suffixes so I always know where they are without relying on DNS or whatever. Edit: I apparently misremembered how I had these set up. I use a custom interface-up script to take the SLAAC prefix and append the custom suffix to it as a secondary IP.
IPv6 does have private spaces. Any prefix beginning with fd is 'private,' and (IIRC) there's a formula to generate the next 40 bits of prefix to minimize the chance of intersections. I.e., you can generate your own internal /48, functionally equivalent to 192.168/16 or 10/8.
Don't know if you can use that with SLAAC, but it works if you run a DHCPv6 server and it makes IPv6 feel a lot like IPv4. You have to NAT everything inside &c, but if you already have a functioning internal IPv4 network, IPv6 is just a matter of figuring out which config options need to be changed (e.g., dhcp6.name-servers for option domain-name-servers).
if your prefix ever changes you’ll have to update it everywhere
I mean that's a good point but I'm paying money to not have my prefix changed. If I were to do it the intended way using DNS, how would I set up the DNS to be prefix agnostic? How would I reference devices in the firewall?
Caring about IP allocation is something that's hard to let go. They're saying that the IPv6 address space is so astronomically large that we need a radical change of mindset to deal with it. Allocate names based on MAC and leave it at that. Ignore the IPs. If you fixate on maintaining specific IPs and prefixes you just complicate your own life for no benefit.
I agree with this but I would say the prefix is the only thing you should focus on.
It's important that ISPs don't regularly rotate your PD, and it's part of the RFC recommendations that they don't. And the remainder of the prefix is your VLAN space, which is as important for VLAN routing as always.
This is an old post about IPv6, but it inspired me to go looking, and I wanted to share my findings.
For globally routable IPv6 addresses, probably do let it happen automatically, either direct from the ISP, through the router by prefix delegation, or your own implementation of prefix delegation.
For devices you want to access internally, create a ULA within the fd00::/8 space, and assign numbers (and names) however you like. Translate all your 192.168.x.y IPv4 addresses to fd00::x:y and go. The only limitation is you won't be able to access those devices, using the ULA, from outside your network.
You can do both of these on the same subnet, and devices pick up both addresses, then use the global address for internet and the ULA for intranet.
That means you can do DHCP, dynamic DNS, private domains, and all the stuff you know about IPv4 for IPv6, and still do all the stateless autoconfig that "they" want. Some devices, like my Android phone, never played well with dhcpd6, but immediately preferred IPv6 as soon as I let them SLAAC.
If the prefix assigned by the ISP doesn't change, then device SLAAC addresses shouldn't change either, because they're calculated from the MAC, so if you need to access some internal devices from the internet, you have to mark that address, but (IMO) marking the full address is not that much worse than marking the prefix and remembering the device number.
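An added example, not the poster's own setup, that carries out the two steps described in this comment and in the earlier "fd ... formula" comment: generate a ULA /48 with the RFC 4193 procedure (SHA-1 over a 64-bit NTP timestamp and the EUI-64 of a MAC, keeping the low 40 bits as the Global ID), then map 192.168.x.y onto <ula>:<subnet>::x:y. The MAC and timestamp are constructed inputs, and keeping the decimal digits of x and y as hex groups is one reading of the mnemonic mapping.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 + 40-bit Global ID -> a locally assigned /48."""
    if unix_time is None:
        unix_time = time.time()
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * 2**32) & 0xFFFFFFFF
    ntp64 = struct.pack(">II", secs, frac)            # 64-bit NTP timestamp
    digest = hashlib.sha1(ntp64 + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")    # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)    # fd + Global ID, subnet/host zero
    return ipaddress.IPv6Network((prefix_int, 48))


def v4_to_ula(ula: str, subnet_id: int, v4: str) -> ipaddress.IPv6Address:
    """Map 192.168.x.y onto <ula>:<subnet_id>::x:y.

    The decimal digits of x and y are reused as hex groups (192.168.1.50 ->
    ...::1:50) so the v6 address is recognisable from the v4 one.
    """
    net = ipaddress.IPv6Network(ula)
    if net.prefixlen != 48 or not 0 <= subnet_id < 2**16:
        raise ValueError("need a /48 ULA and a 16-bit subnet id")
    o = ipaddress.IPv4Address(v4).packed
    x, y = int(str(o[2]), 16), int(str(o[3]), 16)
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | (x << 16) | y)


if __name__ == "__main__":
    p = ula_prefix("02:00:00:00:00:01")  # constructed MAC; time defaults to now
    print("ULA prefix:", p)
    print("192.168.1.50 ->", v4_to_ula(str(p), 1, "192.168.1.50"))
```

Run the generator once, record the /48, and reuse it; the timestamp input means a fresh run yields a different prefix, which is the point of the RFC's randomisation.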
Your ISP will give you the first 64 bits, and your host machine will have the last 64 bits.
This isn't correct. While some ISPs do give you the first 64 bits (a /64 prefix), this isn't recommended and not terribly common either. An ISP should give its users prefixes with fewer than 64 bits. Typically a residential user will get a /56 and commercial users usually get a /48. With such a prefix the user can then generate multiple /64 networks, which can be used on the local network as desired.
This is awesome and answers so many questions. I kept trying to force IPv6 addresses to my machines and they kept not doing it! I also didn't know they would have multiple addresses.