Comment

Comment on IPv6 & Opnsense & Not Exposing Machine-Specific IPv6s to Corpos

InnerScientist@lemmy.world ⁨1⁩ ⁨week⁩ ago

Use ULA addresses for hosts inside your LAN, they are static, cannot be used to reach outside your LAN and use IPv6. Then give your server/VPN endpoint a real ipv6, that’s your VPN endpoint. This doesn’t require any nat and can be easily changed to GUA when you want to.

CGnat is a “solution” for running out of ipv4 addresses, it has the same problems as any other nat but the problems are even more noticeable because the out-facing ipv4 address changes more often than the typical home nat configuration and tricks like FTP- and other helpers don’t work as well.

Ipv6 would not only avoid the issues of cgnat, it would avoid cgnat entirely because you don’t need to Nat when you have enough ips.

source

Sort:hotnew top

glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨week⁩ ago
Thanks for taking the time to go into detail on this, it helps because I just haven’t been able to put acronyms to actionable meaning from just reading blogs and posts.

How do things outside the LAN talk to things inside the LAN that have ULA addresses (which I’m assuming are equivalent of 10.0.0.0/16 idea)? Will devices that are given ULA addresses be NAT’d just like IPv4 or will they not be able to talk to the outside world on IPv6?

source
- InnerScientist@lemmy.world ⁨1⁩ ⁨week⁩ ago
  
  is kludging NAT for IPv6 not a better solution versus ULA addresses?
  
  There are very few hosts that allow only ipv6 (though there are many who only do ipv4). Ipv6 would improve internet stability and long-term communication when you’re not using a nat but that isn’t what you’re trying to build.
  
  Or is the clear answer just use IPv6 as intended and let the devices handle their privacy with IPv6 privacy extensions?
  
  It’s my clear answer at least.
  
  You can also use ULA addresses for now and later add GUA ipv6 addresses. ULAs are meant to be used when you only have a dynamic ipv6 prefix so that internal devices can have ipv6 internet (GUA) while also having a static ipv6 address(ULA).
  
  source
  - glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨week⁩ ago
    I got it, ULA for everything that doesn’t care, 1 GUA for the server. When everything else starts to care about the lack of IPv6 or has routing issues, convert the ULA to GUA and rock n roll.
    
    Thanks for providing a sane way to approach it slowly and methodically!
    
    source
- rezifon@lemmy.world ⁨1⁩ ⁨week⁩ ago
  
  How do things outside the LAN talk to things inside the LAN that have ULA addresses. . .?
  
  One big conceptual difference between IPv4 and IPv6 is the notion that any single host on the network is expected to have multiple, simultaneously-useful IPv6 addresses and this is totally normal and fine.
  
  Any IPv6-enabled host is necessarily going to have a link-local address which can only be used to communicate with other hosts on the local network/subnet.
  
  If your ISP offers IPv6 connectivity, or if you’ve set up an IPv6 tunnel from an IPv6 tunnel provider then a host on your network will also have a globally-routable IPv6 address which was assigned from your router via DHCPv6 or (more commonly) self-assigned using SLAAC (Stateless Address Autoconfiguration) which is an IPv6 way for machines to self-assign addresses is a sane, interoperable way without requiring a setup and operation of a service like DHCP(v6). Many IPv6 networks do not need to use run a DHCPv6 server at all and rely solely on SLAAC host self-assignments and local IPv6 router discovery protocols to find DNS servers and eligible gateways to other networks and the internet at large.
  
  The block of IPv6 addresses used for your local machines is delegated by your ISP or tunnel provider. It can be static or dynamic and the underlying protocols will handle if that network range changes. IPv6 generally is tolerant of a host’s public IP addresses changing at any time without disrupting connections or services.
  
  With privacy extensions (enabled by default on all mainstream operating systems) a host on your network might have additional publicly-routable addresses which rotate frequently for privacy. Outbound traffic for the host will prefer these more private addresses for new connections. These addresses are ephemeral and change frequently.
  
  In rare cases you might set up ULA addresses which are static and usable on your internal networks but will not be routed to the internet. They can be used for hosting services on your local network which need to potentially span multiple subnets/VLANs and in particular are useful for internal resources like name servers which cannot rely on DNS lookups for address resolution. Most networks will not use ULA addresses and normal use cases do not require them.
  
  At any given moment, an IPv6-enabled host will have multiple active addresses all used for different types of traffic and it’s important to break any assumptions you have carried over from IPv4 about the relationship between IP addresses and hosts on the network. Your host might be using a link local address to talk to another machine on a shared internal subnet while also using temporary, globally-routable IP privacy address to talk to a server on the internet. Multiple addresses can be in use at the same time to reach different endpoints in the world.
  
  source
  - glizzyguzzler@piefed.blahaj.zone ⁨1⁩ ⁨week⁩ ago
    Thanks for writing this up, really highlights the effective differences.
    
    So for the internal delegation I’d SLAAC it and let things “just work” or DHCPv6 if I cared to specify IPv6s (which I will need to to have a static IPv6 address for a server to be reached at). Thanks again!
    
    source
    Markaos@discuss.tchncs.de ⁨1⁩ ⁨week⁩ ago
    Hey, just a tiny note: static and dynamic addresses aren’t mutually exclusive. You can let SLAAC do its thing AND also set a static address on your server. Remember, IPv6 works best when you aren’t afraid of adding more addresses.
    
    source
    -> View More Comments