Very useful, but I don’t understand concept 1, “Don’t pick numbers”.
If I’m right, it’s basically saying don’t do stuff manually, just let the computer do it. I kind of disagree with this. All of my fixed devices have a fixed IP that I manually assigned and derived from the original v4 schema I also have. For example 192.168.x.y becomes prefix::y
Am I misunderstanding something?
IPv6 requires a fundamental rethinking of how addressing is done. If you’re trying to apply v4 concepts to v6 you’ll likely end up running into something they intentionally designed out.
A unique local address is an address space where you could do that. It’s the equivalent of RFC 1918, e.g. 172/192/10. So you could statically assign fd0::x, and that is expected, but not required generally.
I wouldn’t give each device a static unique global address unless it needs to be accessed via the WAN without a domain consistently. You lose device privacy really quickly that way because every device gets a unique globally routable address. It’s fine for internet-facing services, but most Linux, Windows, and mobile implementations use IPv6 privacy extensions by default to ensure you get a random GUA every day.
My network is dual stack and I connect mostly over IPv6 to all my internal clients using internal DNS. If my internal DNS is ever down I can fall back to IPv4, or it’s basically the one box on my network with an easy-to-remember ULA.
Each year I seem to think “this will be the year I set up IPv6 in my homelab” - but then I never get around to it.
If I have to run both v4 and v6 concurrently, there isn’t much incentive/motivation for me to use v6 locally.
Maybe I’ll get around to it when there’s a net benefit for me for my use case, or when I’m forced to.
Am I just imagining it to be more complicated than it actually is?
My router runs pfsense and I have 6 VLANs each with its own subnet - Management, Trusted, IoT, Cameras, Guest, and Web Facing Servers.
If you happen to torrent a fair bit (especially on public trackers) then IPv6 can make a huge difference; there are loads of IPv6-only seeders and leechers I’m suddenly reaching.
It’s honestly super simple to set up. Outside of your ISP config it’s almost all autoconfig. 100% of the complication (at least for me) comes from knowing IPv4 first for 20 years and then trying to incorrectly map those concepts to v6.
As soon as I “let go” it was fine.
There’s not a huge net benefit, you’re right. I mostly wanted to learn and I hope to be at the front edge of disabling IPv4 in the near distant future.
The benefit is being able to easily access devices from the internet. The same address works on the LAN and WAN. There’s no port forwarding, so multiple devices can have the same port open. You also don’t need to mess with a VPN if your IPv4 connection uses CGNAT.
Yeah, dropping NAT is the biggest net benefit, I agree, but I think the average person won’t really find that much value in it when NAT works OK.
And the average person is going to be using it without knowing. And never complain or anything.
NAT works fine until you get stuck on CGNAT and can’t host anything on IPv4 without using a VPN.
I thankfully have never had the misfortune of CGNAT.
Yet.
As IPv4 blocks get scarcer and ISPs get more customers, they’ll all eventually have to move to IPv4 CGNAT.
And that’s completely fine for most people.
If you’re not one of those people, then IPv6 is your saviour.
An issue I had the last time I tried to set up IPv6 was that Pi-hole didn’t work as well as I would have preferred. I assumed I just didn’t set things up correctly, and it’s looking like that is the case based on the OP.
It kept resolving ad domains with their IPv6 address.
Who cares if it accesses them over IPv6? They’re still blocked.
On one hand you definitely don’t want to be assigning manual/static IPv6 addresses to all your devices, because if your prefix ever changes you’ll have to update it everywhere. IPv6 doesn’t really have a concept of private address space (with a few exceptions). On the other hand most modern IPv6 stacks support dynamic protocols like SLAAC while also assigning a static suffix to the published prefix (e.g. you want :0:0:1234:1 to go to your server, and if SLAAC gets the prefix 200x::5678/64 your server would assign itself 200x::5678:0:0:1234:1).
DHCPv6 fixes a lot of these headaches for managed networks by allowing you to reserve a specific IPv6 address for a given DUID.
IMO, it’s your network, do what you want. I have two jump Raspberry Pis that I gave static suffixes so I always know where they are without relying on DNS or whatever.
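The "static suffix under a dynamic prefix" idea from the comment above, written out as an added example (not code from anyone in the thread). It assumes a constructed address plan (VLAN index plus a fixed 64-bit interface identifier per host), uses the documentation prefix 2001:db8::/32 as a stand-in for whatever the ISP delegates, and the hostnames and the `home.example` zone are made up. The point it shows that the comment only states: when the delegated prefix changes, every address in the plan changes in exactly the same way, so the AAAA records are regenerated from the plan rather than edited host by host.

```python
"""Stable host suffix under a dynamic IPv6 prefix (added example).

prefix | IID = address. The ISP-delegated prefix (a /56 or /60 in practice)
is split into one /64 per VLAN; each host keeps a fixed 64-bit interface
identifier (IID). Everything below is derived from that plan.
"""
import ipaddress
from typing import Dict, Tuple

# Constructed plan: VLAN index -> {hostname: fixed IID}. IIDs are written as the
# low 64 bits of an IPv6 address, e.g. "::0:0:1234:1" as in the comment.
PLAN = {
    0: {"gw": "::1"},
    1: {"server": "::0:0:1234:1", "jump1": "::2", "jump2": "::3"},
    2: {"nas": "::10"},
}


def vlan_subnet(delegated: str, vlan: int) -> ipaddress.IPv6Network:
    """Pick the `vlan`-th /64 out of the delegated prefix (/48, /56, /60, ...)."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is too small to hold a /64 per VLAN")
    n_subnets = 1 << (64 - pd.prefixlen)
    if not 0 <= vlan < n_subnets:
        raise ValueError(f"{pd} only holds {n_subnets} /64s; VLAN {vlan} does not fit")
    # The subnet ID lives in bits 64..(64 + spare prefix bits); shift it in place.
    return ipaddress.IPv6Network((int(pd.network_address) + (vlan << 64), 64))


def host_address(subnet: ipaddress.IPv6Network, iid: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a fixed 64-bit IID: the 'static suffix' approach."""
    if subnet.prefixlen != 64:
        raise ValueError("host suffixes are 64 bits; subnet must be a /64")
    iid_int = int(ipaddress.IPv6Address(iid))
    if iid_int >> 64:
        raise ValueError(f"IID {iid} has bits set above the low 64")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid_int)


def aaaa_records(delegated: str, domain: str = "home.example") -> Dict[str, str]:
    """Name -> address for the whole plan, for whatever prefix is current right now."""
    records = {}
    for vlan, hosts in PLAN.items():
        net = vlan_subnet(delegated, vlan)
        for name, iid in hosts.items():
            records[f"{name}.{domain}"] = str(host_address(net, iid))
    return records


def renumber_diff(old_delegated: str, new_delegated: str) -> Dict[str, Tuple[str, str]]:
    """What changes when the ISP hands out a new prefix: only the top 64 bits of each host."""
    old, new = aaaa_records(old_delegated), aaaa_records(new_delegated)
    return {name: (old[name], new[name]) for name in old if old[name] != new[name]}


if __name__ == "__main__":
    for name, addr in aaaa_records("2001:db8:abcd::/56").items():
        print(f"{name:24} IN AAAA {addr}")
    for name, (before, after) in renumber_diff("2001:db8:abcd::/56", "2001:db8:ffff::/56").items():
        print(f"{name}: {before} -> {after}")
```

Feed `aaaa_records()` into whatever writes your zone (or your DHCPv6 reservations) and the "prefix changed" case becomes a regeneration step instead of fifteen manual edits. The `vlan_subnet()` guard is the practical catch from later in the thread: a delegated /60 only holds 16 /64s, and a /64 holds exactly one.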
if your prefix ever changes you’ll have to update it everywhere
I mean that’s a good point, but I’m paying money to not have my prefix changed. If I were to do it the intended way using DNS, how would I set up the DNS to be prefix agnostic? How would I reference devices in the firewall?
It’s a bit complicated and depends on your ISP’s support level.
If your ISP supports basic IPv6 they will likely use SLAAC or DHCPv6 to advertise the /64 that any directly connected devices, like your router, can use (/64 being the default size for a single LAN segment, even between point-to-point connections). If you have devices behind that router that want to use IPv6, you will need additional prefixes. The most common method nowadays is to use Prefix Delegation (DHCPv6-PD), where your router will ask the upstream router for an additional routable prefix which you will use on another interface of the router. The RFC for prefix delegation recommends a /48, but many ISPs are not delegating that much. I only get half of a /60 from my ISP’s modem.
If the ISP just provides you a static routable prefix, then you would just assign that to your router’s interface and enable SLAAC/DHCPv6 to give out that prefix. This would only need to be configured on a single device, and is why they don’t recommend hard-coding servers and workstations with IPv6 addresses.
Keep in mind that your router will also need a firewall, as all of these IPv6 prefixes are routable and public. While IPv6 space is quite like finding a needle in a haystack, you could still find yourself having a bad day if you treat it like private IPv4 space.
The end result, though, is that you would set up DNS so that devices register their IPv6 addresses and it just works. There’s also the mDNS protocol, which supports IPv6 and will do segment-local resolution for device names.
I think there’s some misunderstanding
I get how IPv6 works, I got a /48 from my ISP. The problem is that I have some 15 devices here that I have to refer to in DNS and either I have to change their static IPs or I have to change their IPs in DNS if the prefix ever changes (it shouldn’t, because I pay for them to not do that). My laptop, phone and desktop do not get a static IPv6 and use the privacy extension. Is that not how you’re supposed to do it?
I don’t understand it either. On one hand people say don’t remember addresses, use DNS and on the other DNS relies on static addresses but then every device is “supposed” to have random addresses via SLAAC or privacy addresses. It just doesn’t seem to tie together very well, but if you use them like IPv4 addresses you’re apparently doing it wrong.
Not sure if you know, but the privacy extension is mostly for outbound traffic. When you go to a website it will use the privacy IPv6 address. You can still use the management IPv6 address for local connections. For max privacy every device should have it enabled, as there are ways to trace if some devices do not have it enabled on your network.
I don’t think you understand. I know privacy extension is for outbound and not inbound, but what use is it on a server?
IPv6 does have private spaces. Any prefix beginning with fd is ‘private,’ and (IIRC) there’s a formula to generate the next 40 bits of prefix to minimize the chance of intersections. i.e., you can generate your own internal /48 functionally equivalent to 192.168/16 or 10/8
Don’t know if you can use that with SLAAC, but it works if you run a DHCPv6 server and makes IPv6 feel a lot like IPv4. You have to NAT everything inside &c, but if you already have a functioning internal IPv4 network, IPv6 is just a matter of figuring out which config options need to be changed (e.g., dhcp6.name-servers for option domain-name-servers).
Yes, ULAs are one of the exceptions I mentioned. They cover fc00::/7, which is fc00 to fdff, though I believe most use just the top half. I use one for an intermediate network between my edge router and my primary firewall so as not to consume one of my limited /64 networks.
I haven’t played with IPv6 NAT much. I know its use is a bit discouraged, as NAT was always designed as a stopgap measure for IPv4 exhaustion. It might be a good option if you need additional space and your ISP doesn’t support additional prefixes. Just keep in mind that if you use these in DNS, they won’t be accessible externally.
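The "formula to generate the next 40 bits" the comment above half-remembers is the one in RFC 4193 section 3.2.2: SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64 of one of your interfaces, keeping the low 40 bits as the Global ID, so the prefix is fd00::/8 followed by those 40 bits, a /48. Below is an added example (not from the thread) that implements it and then carves the 16-bit Subnet ID field into /64s. The MAC address and fixed timestamp used in the usage line are constructed so the output is reproducible; in real use you would let the timestamp default to now.

```python
"""Generate a unique local /48 the RFC 4193 way (added example).

Global ID = low 40 bits of SHA-1(NTP timestamp || EUI-64)
prefix    = fd || Global ID || zeros  ->  fdXX:XXXX:XXXX::/48
The next 16 bits are the Subnet ID, so one /48 holds 65536 /64 segments.
"""
import hashlib
import ipaddress
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")            # fc00 through fdff
ULA_LOCALLY_ASSIGNED = ipaddress.IPv6Network("fd00::/8")  # L bit = 1, the half RFC 4193 defines


def mac_to_eui64(mac: str) -> bytes:
    """48-bit MAC -> modified EUI-64: flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 || 32-bit fraction."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """fdXX:XXXX:XXXX::/48 for this MAC and moment. Pass a fixed time for reproducibility."""
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + mac_to_eui64(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least-significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)    # fd | Global ID | 80 zero bits
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(ula: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Fill the 16-bit Subnet ID field: /48 -> one /64 per VLAN."""
    if ula.prefixlen != 48 or not 0 <= subnet_id < 0x10000:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(ula.network_address) | (subnet_id << 64), 64))


def is_ula(net: str) -> bool:
    """True for anything in fc00::/7, the range the thread describes as 'private'."""
    return ipaddress.IPv6Network(net, strict=False).subnet_of(ULA_BLOCK)


if __name__ == "__main__":
    # Constructed inputs so the run is reproducible; omit unix_time in real use.
    site = ula_prefix("00:11:22:33:44:55", unix_time=1700000000.0)
    print("site prefix:", site)
    for vlan in (1, 10, 40):
        print(f"VLAN {vlan:>3}:", ula_subnet(site, vlan))
```

Generate the prefix once, write it down, and keep using it: the randomness is what makes two merged or VPN-joined ULA sites unlikely to collide, which hand-picked fd00::/48 gives up.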
Yeah, my ISP “supports” IPv6, but assigns a /128 to users. It seems to wipe out most of the desirable features of IPv6, and has probably given me a distorted view of its philosophy. OTOH, it did force me to learn how to do DNS views, so names can have the ULA address inside and the global address outside the house, which is pretty cool.
Caring about IP allocation is something that’s hard to let go. They’re saying that the IPv6 address space is so astronomically large that we need a radical change of mindset to deal with it. Allocate names based on MAC and leave it at that. Ignore the IPs. If you fixate on maintaining specific IPs and prefixes you just complicate your own life for no benefit.
I agree with this but I would say the prefix is the only thing you should focus on.
It’s important that ISPs don’t regularly rotate your PD, and it’s part of the RFC recommendations that they don’t. And the remainder of the prefix is your VLAN space, which is as important for VLAN routing as always.
This seems counter to Concept 6 in the OP.
Do you mean that ISPs don’t regularly rotate your PD in practice? I’d actually prefer that they did to maintain a semblance of privacy.
This is an old post about IPv6, but it inspired me to go looking, and I wanted to share my findings.
For globally routable IPv6 addresses, probably do let it happen automatically, either direct from the ISP, through the router by prefix delegation, or your own implementation of prefix delegation.
For devices you want to access internally, create a ULA within the fd00::/8 space, and assign numbers (and names) however you like. Translate all your 192.168.x.y IPv4 addresses to fd00::x:y and go. The only limitation is you won’t be able to access those devices, using the ULA, from outside your network.
You can do both of these on the same subnet, and devices pick up both addresses, then use the global address for internet and the ULA for intranet.
That means you can do DHCP, dynamic DNS, private domains, and all the stuff you know about IPv4 for IPv6, and still do all the stateless autoconfig that “they” want. Some devices, like my Android phone, never played well with DHCPv6, but immediately preferred IPv6 as soon as I let them SLAAC.
If the prefix assigned by the ISP doesn’t change, then device SLAAC addresses shouldn’t change either, because they’re calculated from the MAC, so if you need to access some internal devices from the internet you have to mark that address, but (IMO) marking the full address is not that much worse than marking the prefix and remembering the device number.
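The "translate 192.168.x.y to a ULA" plan from the post above, as an added example (not the poster's code). It generalises the post slightly: rather than putting both x and y into the last /64 (fd00::x:y), it writes x into the 16-bit Subnet ID field, so every 192.168.x.0/24 you already have becomes its own /64 under the ULA, which is what a per-VLAN layout needs. The digits stay the same: 192.168.40.10 becomes <ula>:40::10. The ULA /48 (fd00:1234:5678::/48), the hostnames and the `home.example` zone are constructed; generate your own /48 per RFC 4193 rather than reusing this one. The last function makes the post's one caveat checkable: these addresses are not global, so a name that only has a ULA record will not work from outside.

```python
"""Mirror a 192.168.x.y address plan into a ULA (added example).

192.168.x.y -> <ula /48>:x::y  (x in the Subnet ID group, y as the host),
with x and y kept as the same decimal digits so the two families read alike.
"""
import ipaddress
from typing import Dict, List

V4_SITE = ipaddress.IPv4Network("192.168.0.0/16")
# Made-up ULA /48 for the example; generate a real one per RFC 4193.
ULA = ipaddress.IPv6Network("fd00:1234:5678::/48")

# Constructed v4 plan, one entry per fixed device.
V4_HOSTS: Dict[str, str] = {
    "router": "192.168.1.1",
    "nas": "192.168.1.20",
    "cam1": "192.168.40.10",
}


def v4_to_ula(v4: str, ula: ipaddress.IPv6Network = ULA) -> ipaddress.IPv6Address:
    """192.168.x.y -> ula:x::y. The decimal octet is written as the hex group
    with the same digits (40 -> 0x40), so the result is eyeball-compatible."""
    a = ipaddress.IPv4Address(v4)
    if a not in V4_SITE:
        raise ValueError(f"{v4} is outside {V4_SITE}")
    if ula.prefixlen != 48:
        raise ValueError("expected a ULA /48 so x can fill the Subnet ID field")
    x, y = a.packed[2], a.packed[3]
    subnet_id = int(str(x), 16)          # "40" -> 0x40, at most 0x255 < 0x10000
    host = int(str(y), 16)               # "10" -> 0x10
    return ipaddress.IPv6Address(int(ula.network_address) | (subnet_id << 64) | host)


def ula_to_v4(addr: str, ula: ipaddress.IPv6Network = ULA) -> str:
    """Inverse mapping; rejects ULA addresses that were not produced by v4_to_ula."""
    a = ipaddress.IPv6Address(addr)
    if a not in ula:
        raise ValueError(f"{addr} is not inside {ula}")
    groups = a.exploded.split(":")
    if groups[4:7] != ["0000", "0000", "0000"]:
        raise ValueError(f"{addr} has bits set outside the x and y groups")
    try:
        x, y = int(groups[3], 10), int(groups[7], 10)   # only decimal digits are valid
    except ValueError:
        raise ValueError(f"{addr} is not a mapped 192.168.x.y address") from None
    if x > 255 or y > 255:
        raise ValueError(f"{addr} maps outside an IPv4 octet range")
    return f"192.168.{x}.{y}"


def zone_lines(hosts: Dict[str, str], domain: str = "home.example") -> List[str]:
    """A and AAAA lines for an internal (ULA-only) view of the zone."""
    lines = []
    for name, v4 in hosts.items():
        lines.append(f"{name}.{domain}. IN A    {v4}")
        lines.append(f"{name}.{domain}. IN AAAA {v4_to_ula(v4)}")
    return lines


def reachable_from_internet(addr: str) -> bool:
    """ULA addresses are never global: a ULA-only name will not resolve usefully outside."""
    return ipaddress.IPv6Address(addr).is_global


if __name__ == "__main__":
    print("\n".join(zone_lines(V4_HOSTS)))
    print("cam1 reachable from outside:", reachable_from_internet(str(v4_to_ula(V4_HOSTS["cam1"]))))
```

Because the mapping is reversible, a packet capture or a firewall log showing fd00:1234:5678:40::10 tells you "192.168.40.10" without a lookup table, which is the whole point of keeping the digits.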