Posted by mahirsaid 3 days ago

I spent a week without IPv4 (2023)(www.apalrd.net)
164 points | 352 comments
idatum 3 days ago|
OpenBSD makes it easy to try IPv6 tunnelbroker.net with NAT64/DNS64 if your ISP only has IPv4 ("one more lab test away.." they say).

This has worked for me well for a couple years. I do use a VLAN to keep the IPv6-only network separate (homelab) from video streamers in the household.

In my pf.conf:

    # IPv6 tunnel
    block in log on $tun6_if all
    block in quick on $tun6_if inet6 from fd00::/8 to any
    antispoof quick for $tun6_if
    # allowed icmp6
    pass in quick log on $tun6_if inet6 proto icmp6 icmp6-type {
        unreach, toobig, timex, paramprob, echoreq
    }
    # MSS clamping 60 bytes less than HE 1480
    # 20 byte IPv4 tcp header + 40 byte IPv6 ip header
    match on $tun6_if all scrub (random-id max-mss 1420)
and in /var/unbound/etc/unbound.conf:

    # DNS64/NAT64
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96
Done. I don't have 464XLAT on Win11 but I do want to know if there's a hard coded IPv4 address anyway. I never had an issue.
idatum 2 days ago|
Forgot the most important part of pf.conf!

    # NAT64
    pass in inet6 from any to $nat64_prefix af-to inet from ($ext_if)
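The DNS64 half of this setup is pure arithmetic: unbound embeds each A record into the `64:ff9b::/96` prefix, and the `af-to` rule pulls the IPv4 address back out. This is an added example (not from the comment) of that RFC 6052 mapping, plus the "hard-coded IPv4 literal" check mentioned above; the sample address 203.0.113.88 is constructed.

```python
"""DNS64 synthesis and NAT64 extraction per RFC 6052, matching the
dns64-prefix / af-to configuration above. Added example, not from the post."""
import ipaddress

# RFC 6052 s3.1: the Well-Known Prefix must not carry non-global IPv4 addresses.
# RFC 1918 and loopback space are the cases that matter on a home network.
WKP = ipaddress.IPv6Network("64:ff9b::/96")
_NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
_VALID_LENS = (32, 40, 48, 56, 64, 96)  # prefix lengths RFC 6052 allows


def synthesize_aaaa(nat64_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an A record into the NAT64 prefix the way a DNS64 resolver does."""
    net = ipaddress.IPv6Network(nat64_prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    if net.prefixlen not in _VALID_LENS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    if net == WKP and any(v4 in n for n in _NON_GLOBAL_V4):
        raise ValueError("well-known prefix must not carry non-global IPv4")
    out = bytearray(net.network_address.packed[: net.prefixlen // 8])
    out += v4.packed
    if net.prefixlen < 96:
        out.insert(8, 0)  # bits 64-71 are the reserved 'u' octet, always zero
    out += bytes(16 - len(out))  # zero-fill the suffix
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(nat64_prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 destination from a NAT64 address (what 'af-to inet' does)."""
    net = ipaddress.IPv6Network(nat64_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = bytearray(addr.packed)
    if net.prefixlen < 96:
        if raw[8] != 0:
            raise ValueError("reserved 'u' octet is not zero")
        del raw[8]
    start = net.prefixlen // 8
    return ipaddress.IPv4Address(bytes(raw[start:start + 4]))


def is_ipv4_literal(host: str) -> bool:
    """True for a hard-coded IPv4 destination, which DNS64 cannot rewrite;
    without 464XLAT such a connection fails on an IPv6-only client."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    synthesized = synthesize_aaaa("64:ff9b::/96", "203.0.113.88")
    print(synthesized, "->", extract_ipv4("64:ff9b::/96", str(synthesized)))
    for host in ("example.com", "203.0.113.88"):
        print(host, "needs 464XLAT" if is_ipv4_literal(host) else "resolves via DNS64")
```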
Dylan16807 2 days ago||
Am I missing something? Where's the part where he actually talks about his experience in that week? This goes straight from an overview of IPv6 to the conclusions section.
flumpcakes 2 days ago||
I'm very surprised by the questions in this thread. There are some extremely basic things people are just not understanding. I suspect people hating on IPv6 have not spent the time with it. There is a difficulty in that it does behave quite differently to IPv4, and the lack of private addresses are also probably a shock.
transcriptase 2 days ago||
The basic thing proponents don’t understand is that nobody in their right mind can intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type for absolutely no benefit to the non-network engineer. And there are infinitely more people with home routers and a few dozen devices than there are people running ISPs, fortune 500s, and data centres. Play with your convolution all you want, in 20 years the rest of us will still be happily assigning 192.168.x.x and ignoring it. V4 space running out is no more the average persons problem than undersea cables or certificate authority.
Dylan16807 2 days ago|||
> nobody in their right mind can intuitively understand IPV6 addresses

If someone can't understand "it's longer" then what is wrong with them?

And using hex instead of decimal for magic computer numbers should be more intuitive, not less.

Also structure-wise the first half is the subnet and the second half is the host. That's much more intuitive than IPv4.

> absolutely no benefit to the non-network engineer

If you do anything peer to peer at all, calls or file transfers or games, there's a benefit. And the typical benefit grows over time as more and more ISPs install CGNAT.

transcriptase 2 days ago|||
> And using hex instead of decimal for magic computer numbers should be more intuitive, not less.

How? Why is using hex any more intuitive than binary or an md5 hash for anyone who doesn’t do networking for a living?

>If you do anything peer to peer at all, calls or file transfers or games, there's a benefit. And the typical benefit grows over time as more and more ISPs install CGNAT.

Again how? I’ve been doing all of those without issue for nearly 30 years. What measurable benefit does the user see that hasn’t been a solved problem since Windows XP?

Will my teams calls suddenly stop saying “poor network connection” on my 1000/1000 rock solid fibre connection? Will torrents suddenly find more seeds and peers? Will my games… have lower latency? Because I can’t think of another way anything networking related could be solved that wasn’t decades ago.

When you say benefit, it should probably be noticeable or measurable in some way that doesn’t involve dashboards and millions of dollars in rack mounted gear.

Dylan16807 2 days ago|||
> What measurable benefit does the user see that hasn’t been a solved problem since Windows XP?

Things being able to connect, and not having to manually port forward (when that's even an option).

Hole punching is super unreliable with CGNAT.

> Will my teams calls suddenly stop saying “poor network connection” on my 1000/1000 rock solid fibre connection?

I don't know how Teams relays data, but for some services yes that could happen if IPv4 can't make a direct connection.

> Will torrents suddenly find more seeds and peers?

Yes. In a typical torrent an annoyingly small fraction of seeds and peers can receive connections. If you're IPv4-only behind CGNAT, you can't connect to them and they can't connect to you. IPv6 opens up a lot more links.

> Will my games… have lower latency?

It depends on how the game is designed. But some games will have lower latency because they can connect people directly instead of with relays.

orangeboats 2 days ago|||
>How? Why is using hex any more intuitive than binary or a md5 hash for anyone who doesn’t do networking for a living?

Well, what is the address range for 192.168.0.0/27? That's non-intuitive for a layman as well.

In the end, IP addresses are made for computers, not humans.

And... just FYI,

>Will torrents suddenly find more seeds and peers?

Suggests to me you have absolutely never tried out torrenting under CGNAT. It's painful.

Not a single seeder can _actively_ send the data to you, your client must seek them by itself and it's not uncommon to have only 1-4 seeders connected!

mzajc 2 days ago|||
> Also structure-wise the first half is the subnet and the second half is the host. That's much more intuitive than IPv4.

This only applies to /64 blocks, which are by no means standard. For instance, tunnelbroker.net will give you a /48 for free. This means IPv6 addresses are essentially free by the billions, but it's difficult to figure out how big of a block they belong to from the outside.

orangeboats 2 days ago||
Regardless of the prefix size, a subnet is always /64 in IPv6. A shorter prefix simply means you can have more /64 subnets.
justsomehnguy 2 days ago||||
> intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type

I have north of 500 IPs I have some relation to. No way I would be bothered to remember them. Typing? Do you type IPv4s all day long? And it's still copy-paste 99% of times.

> for absolutely no benefit to the non-network engineer

Non-network engineers should work with names. And non-engineers don't 'work' with IPs at all. Look at your grandpa - he's typing 'bbc' into the search form in the browser to get to bbc.com.

> nobody in their right mind can intuitively understand IPV6 addresses

And 99% of so called engineers can't understand even IPv4. So this is a moot point.

ssl-3 2 days ago|||
I agree.

It's easy to tell someone to connect to something like 203.0.113.88. Many of us here, and also normal folks, have been saying dotted-octets like that for decades, now, and there's a familiar pattern to the way that addresses like this flow off of the tongue.

It's hard to tell someone to connect to 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. It's literally difficult to say, like saying it is intended to be some kind of test. And on the other end? Sure, we "all" "learned" hexadecimal at some point in school, but regular humans don't use hex so it sounds like missile launch codes (at best) or some kind of sadistic prank (at worst) to them. It reeks of phonic unfamiliarity and disdain.

(This is the part where the DNS folks invariably show up to announce that I'm holding it wrong. And I love DNS; I do. But I'm really not interested in maintaining public DNS for the dynamic addresses at home on my LAN.)

(After that, it becomes time for the would-be abbreviators to appear and tell me that the address for this computer is wrong, somehow, as if I ever had an active part in selecting the address to begin with.)

m01 2 days ago|||
> It's hard to tell someone to connect to 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e.

If you would like your IPv6 addresses to be more human-friendly, you could use DHCPv6 (in addition to/instead of SLAAC) and end up with addresses like 2001:db8:3c7:4f80::123. Sure, it's 5 groups of e.g. 3-4 hex digits rather than 4 groups of up to 3 digits, but I think it's much easier than your example. You might set your router to use <prefix>::1 and/or fe80::1 (see OpenWRT's ipv6 suffix/ip6ifaceid option).

DNS servers (that you might occasionally have to type into config by hand) tend to have "nice" IPv6 addresses, e.g. Quad9 apparently uses 2620:fe::fe [1].

> But I'm really not interested in maintaining public DNS for the dynamic addresses at home on my LAN.

I think dnsmasq can these days create AAAA records for local machines whose hostnames it learns via e.g. DHCP.

If you have a public server on the internet and your provider gives you a random-looking address using all 128 bits (and no /64 prefix for example) perhaps using (public) DNS is fine.

Opinions my own.

[1] https://quad9.net.

ninkendo 2 days ago|||
> After that, it becomes time for the would-be abbreviators to appear and tell me that the address for this computer is wrong, somehow, as if I ever had an active part in selecting the address to begin with

Ok, I'll bite. Why exactly do you not have the ability to select the address?

As a general rule, if you care about an IPv6 address enough that you have to type it in somewhere, you should be assigning it manually, and if you're doing that you can make it a lot friendlier than 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. The whole second half of the address can be shortened to ::<digit>, where the length of <digit> scales logarithmically to the number of memorable addresses you want in that network.

My network at home uses ULA addresses for everything, and I just use my phone number in the first half, so the address of my router at home is e.g. fd21:2555:1212::1, my NAS is fd21:2555:1212::a, etc. The global (GUA) address is something like 2601:abc:def:1201::a, which isn't that bad.

Hell, if you don't care about the potential of conflicts if you ever merge networks with someone else, you can just use fd00:: as your ULA prefix, and your router can be fd00::1, your NAS box can be fd00::2, etc. Shorter than IPv4 addresses!
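The "conflicts if you ever merge networks" caveat is exactly what RFC 4193's prefix algorithm addresses: hash a timestamp and an EUI-64 and take 40 bits as the Global ID, so two independently generated ULA /48s are very unlikely to collide. Added example, not from the comment; the MAC and timestamp in the test are constructed.

```python
"""RFC 4193 ULA prefix generation, the standard alternative to hand-picking
fd00::/48 or a phone number. Added example, not from the comment."""
import hashlib
import ipaddress
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP format: 32-bit seconds since 1900 followed by a 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs & 0xFFFFFFFF).to_bytes(4, "big") + (frac & 0xFFFFFFFF).to_bytes(4, "big")


def eui64_from_mac(mac: str) -> bytes:
    """Plain EUI-64 from a 48-bit MAC (ff:fe inserted in the middle)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 s3.2.2: SHA-1(time || EUI-64); the low 40 bits become the
    Global ID, giving fdXX:XXXX:XXXX::/48 (fd = fc00::/7 with the L bit set)."""
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix, 48))


def ula_subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s inside the ULA /48, e.g. subnet 1 for the main LAN."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id < 0x10000:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    p = ula_prefix("00:11:22:33:44:55")  # constructed MAC, current time
    print("ULA prefix:", p)
    print("LAN subnet:", ula_subnet(p, 1), "router:", ula_subnet(p, 1)[1])
```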

ssl-3 1 day ago||
> Ok, I'll bite. Why exactly do you not have the ability to select the address?

I never said I don't have the ability. I may; I may not. I myself don't know that one way or the other. It's a big ball of mystery to me.

What I did say was I didn't have a hand in that long address; ie, I was not involved in making it that way. I don't know by what mechanism (if any) the long address came to be. I don't know if it was assigned, or selected, or a product of /dev/random, or if it was a combination of these things.

I only know that I didn't choose it, and that the way that it is simply sucks.

> As a general rule, if you care about an IPv6 address enough that you have to type it in somewhere, you should be assigning it manually

Perhaps. But that's a twist that we didn't have with the de facto norm that we landed on in the IPV4 world some decades ago, wherein: A LAN address was dynamic by default, assigned via a local DHCP server, and presented as a dotted octet. The WAN address was also dynamic, and assigned by someone else's DHCP server, and presented as a dotted octet. The two addresses were never related to each other.

And in that world: If I wanted to run a local service for someone else (on the internet) to use right now -- today (maybe not tomorrow or next week, but definitely right now), then all I needed to relay to them was the simple dotted octet that identified my WAN interface.

That part was easy with IPV4.

> and if you're doing that you can make it a lot friendlier than 2601:3c7:4f80:1a01:4d2:3b7a:9c10:6f5e. The whole second half of the address can be shortened to ::<digit>, where the length of <digit> scales logarithmically to the number of memorable addresses you want in that network.

Maybe my occipital lobe is just broken somehow, but it's hard to look at an address like that and quickly discern where the second half of that address even begins. Why am I looking for a half of it, anyway? (From whence is that "half" delineation deduced?)

But, sure. Half of it, for whatever reason that it is half. So 2001:3c7:4f80:1a01::3 can be one system on the LAN and 2001:3c7:4f80:1a01::4 can be another? And these are complete, unique, world-routable addresses that someone else on the world can connect to with the appropriate firewall rules in-place?

But the first half is assigned by my ISP and changed at their whim, right? I can't reliably connect from 2001:3c7:4f80:1a01::3 to 2001:3c7:4f80:1a01::4 even if those two computers are right next to each other on my LAN because tomorrow, the first "half" might change -- correct?

I don't like the idea of my LAN's addressing being dictated by whatever ISP I'm using at the moment. (Spectrum is down, switch to hotspot as backup, and oh lol: the LAN is all different now. IPV4, as-implemented, never did that to me.)

> Hell, if you don't care about the potential of conflicts if you ever merge networks with someone else, you can just use fd00:: as your ULA prefix, and your router can be fd00::1, your NAS box can be fd00::2, etc. Shorter than IPv4 addresses!

I don't even know what ULA means.

But it sounds like ULA means something like RFC 1819 10.x.x.x private addresses, wherein: A person can do whatever they want, and it never touches the Internet so it's fine.

That sounds great, in concept. But now we're back to using private, non-routable addresses? Isn't that the same thing we were seeking to avoid?

How does fd00::3 then communicate with the greater internet? NAT?

edit: And then, how is fd00::3 superior to 10.3 [10.0.0.3] on the LAN?

ninkendo 1 day ago||
> then all I needed to relay to them was the simple dotted octet that identified my WAN interface.

Then either you must be one of the precious few people who owns a /24 or something for their house and gives each device a global IPv4 address, or you’re forgetting the part where you have to go to your router and pick a random port to forward, and open it up. Otherwise you don’t just “have” an independent WAN address on each host in your network, like you do with a typical IPv6 setup.

> So 2001:3c7:4f80:1a01::3 can be one system on the LAN and 2001:3c7:4f80:1a01::4? And these are complete, unique, world-routable addresses that someone else on the world can connect to with the appropriate firewall rules in-place?

yes

> But the first half is assigned by my ISP and changed at their whim, right?

like your IPv4 WAN address does, yes

(About ULA)> That sounds great, in concept. But now we're back to using private, non-routable addresses?

like IPv4 yes. But in IPv6 you can have both, a ULA (like rfc1918 addresses) and a GUA (an actual routable address) on the same subnet. It’s fine. Use the ULA for your LAN use cases where you need to use a LAN IP address (bonus, it stays the same even if your ISP changes your prefix) and use the GUA for the rare occasion where you need someone on the other side of the world to talk to one of your hosts. You’re gonna have to poke a firewall rule anyway, so you just pick a decent GUA address while you’re at it ($global_prefix::1, etc.) You can do whatever you want, it’s your prefix (until your ISP changes it.)

> How does fd00::3 then communicate with the greater internet? NAT?

no need, it just has another address for global traffic. Typically one of the really long random ones, that’s what they’re for. (They even change for every external service you talk to.) The whole purpose of the long impenetrable fully-populated 128-bit address is basically only necessary for privacy (i.e. you intentionally want the address to be meaningless.) For anything where you’re persisting an IP somewhere, just pick a better address for it. $prefix::1, whatever. It’s a single ifconfig command even on macOS, ditto Linux. (Windows I have no experience with but I’m sure that too.) Trivial to persist across reboots, etc.

The ISP changing the prefix is a real problem though, and is far too difficult to rely on persisted global addresses for that reason. Using a ULA anywhere you need to configure an IP address locally is the only sane option, and for global addresses it’s simply a huge pain in the ass if you ever get a different prefix.

> edit: And then, how is fd00::3 superior to 10.3 [10.0.0.3] on the LAN?

themafia 2 days ago|||
> There is a difficulty in that it does behave quite differently to IPv4

Which can be fine if you have a /solid/ transition plan to move networks wholesale from v4 to v6. They absolutely failed on this point and almost purposefully refused to carry over any familiar mechanisms to make dual stack easier to manage.

It's a University protocol that escaped into commercial usage based mostly on false fears of global routing table size becoming unmanageable or impossible to store in RAM. The results are absolutely predictable.

tgsovlerkhgsel 2 days ago||
I haven't spent a lot of time with my power grid either, but I do expect the light to go on when I press the switch.

(Needing to dedicate time for it is, to some extent, either a failure of the protocol or at least a contributor to the lack of adoption.)

flumpcakes 2 days ago||
In my experience IPv6 has always "just worked" for me in the consumer space. The only difficulty I have found is when implementing it into an existing managed network. Most organisations will not touch it, they're too comfortable with IPv4, unfortunately.
glitchc 3 days ago||
While these articles are useful in understanding the utility of IPv6, what would really help is an article explaining step by step how to configure a home network using IPv6. The tutorial should answer these questions:

- How to ensure there are no collisions in address space? Translates to, how to pick safe addresses, is there a system?

- How do I route from an external network resource to an internal network resource? Translates to, can you provide syntax on how to connect to an smb share? Set up a web service that works without WireGuard or equivalent?

- How does one segment networks, configure a vlan, set up a firewall?

jcgl 13 hours ago||
- Devices using SLAAC (idk about DHCPv6) do a thing called Duplicate Address Detection to manage just this. No need to worry. If you’re manually assigning addresses and have a conflict, one of the devices will mark its address(es) as duplicate and refuse to use them. Quite useful.

- Easiest is to use your devices’ public (“global unicast”) addresses and allow traffic on your firewall. This is how IP was meant to be used; no NAPT in sight. If you like, you can use ULAs locally and then do NPTv6 for internet-facing access. But I’d recommend against that to start.

Regarding the services, there’s not really anything IPv6 specific. Whether v4 or v6, you shouldn’t be exposing SMB to the internet. Whether v4 or v6, you can put any IP-based service behind Wireguard or any other tunneling solution. There’s nothing specific to v6 there; just use v6 addresses in your config, and you’ll be good to go.

- Basically the same way as with v4; IP (whether v4 or v6) have mostly the same semantics in their layer (layer 3). The only thing is that you’ll want to allow certain kinds of ICMPv6 traffic, assuming your firewall vendor doesn’t do that out of the box. When it comes to VLANs, that’s layer 2, so your layer 3 protocol doesn’t play any role there.

Network segmentation is way more fun with v6 because you have enough address space to make nice hierarchical topologies.

candiddevmike 3 days ago|||
- if you're talking a private/local prefix, you can use tools like this to generate one: https://unique-local-ipv6.com/. Otherwise DHCPv6 and SLAAC will ensure no collisions for the most part.

- Use global/public addresses on all your devices (using something like prefix delegation) or use NAT.

- Same as IPv4. Prefix delegation will let your ISP assign you multiple networks, and then most routers will break these up into /64 networks for each of your VLANs.

Latty 3 days ago||
- SLAAC - the address spaces for IPv6 are so huge, collisions are extremely unlikely outside of intentional actions.

- Open holes through firewalls, point DNS at the address, and it should just work, the joys of actually having public addresses.

- Same way as with IPv4 mostly. The only real difference is because SLAAC assumes a /64 you probably want your networks to be at least that big.

oezi 3 days ago||
> extremely unlikely outside of intentional actions.

But come on! It is a legitimate question, do you just scramble keys when picking an address?

> the joys of actually having public addresses.

If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISPs for private users do (last I checked).

db48x 2 days ago|||
> do you just scramble keys when picking an address?

No. Your ISP or tunnel broker gives you a network prefix. Then you configure SLAAC to use that prefix and hand out addresses within it. Job done.

For example, the prefix might look like 2001:470:e904::/48. Your computers can use any addresses you want as long as they start with that prefix. Since you don’t want to manually hand out addresses to every computer, you configure a router to hand out addresses via SLAAC. Your computers will use SLAAC to discover the prefix from the router, then fill in the bottom 64 bits of the address with a random number. They then ask the local network if anyone is using that full address. If not then they are done and have a working address. If somehow someone is using that address then they try again with a different random number. Servers that want a fixed address will just use their network card’s MAC address (or anything similar, if you want) instead of a random number. The protocol is the same either way.

Notice that this actually gives you some bits of your own to play with, if you want. The full address is 128 bits long. The first 48 were used by the prefix and the bottom 64 by the individual devices, leaving 16 bits in the middle. You could tell your router that the prefix for SLAAC is 2001:470:e904:42::/64, for example, and then use the other subnets for other purposes. Maybe 2001:470:e904:beef::/64 is a special subnet just for your meat freezer and associated monitoring equipment. I don't know, you get to make these things up for yourself. Maybe you manage a corporate network that has a separate VLAN for phones than for normal PCs, and a third VLAN for the guest WiFi. You can give them each a different prefix by embedding the VLAN id into the prefix you advertise via SLAAC.

There’s also DHCPv6 if you want even more control over which addresses are handed out, or you want to subdivide your network even more finely. Or if ISPs ever start handing out smaller prefixes.

> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).

Sure, that’s true. But they probably don’t hand out static addresses for IPv4 either. Not without paying extra, that’s for sure. Either way if you want some static identifier for your computer(s) then the solution is the same: DNS.

Of course if you _are_ running a corporate network with a bunch of VLANS like that then you should actually get your own prefix from your RIR rather than from your ISP. Then you purchase IP transit services from your ISP rather than consumer internet access. You can then advertise your prefix(es) via BGP. Again, this is exactly what you would do for IPv4. Same software, same configuration, just longer addresses. The main advantage of this extra work is that you can keep your addresses static even if you move to an entirely different ISP. You can also use the same addresses over multiple connections to multiple ISPs for better redundancy.
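The subnet planning and SLAAC mechanics described above (VLAN id in the 16 bits between a /48 and the /64, a modified EUI-64 identifier for servers, a random identifier otherwise, and the duplicate check before an address is used) as an added example; not from the comment. The /48 prefix is the one quoted above; the MAC and the addresses already "in use" are constructed.

```python
"""Carving /64s out of a delegated /48 and forming SLAAC addresses in them.
Added example; the prefix 2001:470:e904::/48 comes from the comment above."""
import ipaddress
import secrets
from typing import Callable, Set


def vlan_subnet(delegated: str, vlan_id: int) -> ipaddress.IPv6Network:
    """Place the VLAN id in the subnet bits between the delegation and the
    64-bit host part, e.g. VLAN 66 (0x42) in 2001:470:e904::/48 -> ...:42::/64."""
    net = ipaddress.IPv6Network(delegated)
    subnet_bits = 64 - net.prefixlen
    if subnet_bits <= 0:
        raise ValueError("delegation leaves no subnet bits for per-VLAN /64s")
    if not 0 <= vlan_id < (1 << subnet_bits):
        raise ValueError(f"VLAN {vlan_id} does not fit in {subnet_bits} subnet bits")
    return ipaddress.IPv6Network((int(net.network_address) | (vlan_id << 64), 64))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe.
    Gives a server the stable identifier mentioned above."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    flipped = bytes([octets[0] ^ 0x02]) + octets[1:]
    return int.from_bytes(flipped[:3] + b"\xff\xfe" + flipped[3:], "big")


def random_iid() -> int:
    """Random 64-bit interface identifier, as clients use for privacy."""
    return secrets.randbits(64)


def slaac_address(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Prefix from the router advertisement plus the 64-bit interface identifier."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(subnet.network_address) | (iid & ((1 << 64) - 1)))


def configure_with_dad(subnet: ipaddress.IPv6Network,
                       in_use: Set[ipaddress.IPv6Address],
                       pick_iid: Callable[[], int] = random_iid,
                       tries: int = 5) -> ipaddress.IPv6Address:
    """Duplicate address detection in miniature: 'in_use' stands in for the
    neighbours that would answer a Neighbor Solicitation; on a collision a
    fresh identifier is tried, as the comment describes."""
    for _ in range(tries):
        candidate = slaac_address(subnet, pick_iid())
        if candidate not in in_use:
            in_use.add(candidate)
            return candidate
    raise RuntimeError("duplicate address detection kept failing")


if __name__ == "__main__":
    lan = vlan_subnet("2001:470:e904::/48", 66)
    print("VLAN 66 subnet:", lan)
    print("server (EUI-64):", slaac_address(lan, eui64_iid("00:11:22:33:44:55")))
    seen: Set[ipaddress.IPv6Address] = set()
    print("client (random):", configure_with_dad(lan, seen))
```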

flumpcakes 2 days ago||
This is a good overview. I think the difficulty with IPv6 is that people rely on all of the crutches invented for IPv4 as features: private addressing NATing gives you security (it doesn't) and portability (it does), IPv6 usually uses subnets per physical location making failover difficult, whereas IPv4 will use bgp announcements to failover public IPs, etc. I'm not saying one way is better than the other, just that IPv6 is pretty different and people very much have an IPv4 world view.
Latty 2 days ago|||
> But come on! It is a legitimate question, do you just scramble keys when picking an address?

I did give the answer: SLAAC.

> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).

Weird, here in the UK all the ones I've had have given me a static /56. Still, the same answer for that (DDNS) exists as for dynamic IPv4 addresses, you still get the advantage of not having to deal with NAT.

seviu 2 days ago||
And despite that, the place where I work has disabled ipv6, rendering our development machines useless for trivial tasks such as debugging our iOS app on a device (which uses ipv6 under the hood)

Reasons given: the security policies say ipv6 is not safe enough.

candiddevmike 3 days ago||
I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6. I am forced to support IPv4/DHCPv4 for the foreseeable future to support these broken devices.
throw0101c 2 days ago||
> I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6.

It does not "disable" DHCPv6. It does not support DHCPv6. Android (really Lorenzo Colitti) in/famously WONTFIX adding DHCPv6 client support:

* https://issuetracker.google.com/issues/36949085

Of course after over a decade of denying that Android needs some kind of DHCP in IPv6, it seems that Android may finally be getting some kind of solution:

* https://android-developers.googleblog.com/2025/09/simplifyin...

* Via: https://blog.ipspace.net/2025/09/android-dhcpv6-prefix-deleg...

Hopefully, having admitted (?) the error of their ways with being SLAAC-only they'll also add 'regular' DHCPv6 in addition to DHCPv6-PD.

denkmoon 2 days ago||
Holy hell the android dhcpv6 situation is deranged. Been following Mr Colitti’s antics for a while but only just learned of this prefix delegation news. So now I can delegate an entire subnet but can’t just have a regular address. Why oh why can’t we just have a goddamn normal every day dhcpv6 client like every other os on the planet
franklyworks 3 days ago|||
Android supports SLAAC and has good support for transitional tech like xlat464 and DHCP option 108.

I have used these on my network and office to move to IPv6-only for Android.

What about lack of DHCPv6 prevents you from using IPv6 on Android?

candiddevmike 3 days ago||
I can't run SLAAC and DHCPv6 at the same time without giving devices multiple addresses, and Android doesn't support DHCPv6, so I'd have to carve out a separate, SLAAC-based, android-only network. And then figure out firewall rules, multicast reflection, etc.
gspr 3 days ago|||
I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.

Works great for me.

candiddevmike 3 days ago||
Don't you have problems with clients using the wrong source address and not matching firewall rules?
gspr 3 days ago|||
No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.
kstrauser 2 days ago|||
Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.
gspr 2 days ago||
Interesting. How do you deal with destination addresses on your local network? DHCPv6 like the other poster and myself?
kstrauser 2 days ago||
I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.
justincormack 3 days ago|||
Why is giving multiple addresses a problem?
candiddevmike 3 days ago||
No control over which source address is used. I'm assigning a lot of clients DHCP reservations so I can use static addresses for monitoring and firewall rules. With multiple addresses on the same network, clients may use their SLAAC address which won't match the firewall rule.
db48x 2 days ago|||
That still doesn’t really make sense. Why not run SLAAC on one subnet and have a single firewall rule for the whole thing? You’re not running any major servers on an Android phone, so it won’t be anything complex.
tsimionescu 2 days ago||
SLAAC can only run on a subnet that's larger than /64, which they might not have access to.
db48x 2 days ago||
Strictly speaking it can and does run on subnets that are exactly /64. Does anyone actually hand out smaller delegations today?
tsimionescu 2 days ago||
My point is that they might only be getting 1 /64 from their ISP; or getting a /62 or something small, and needing more subnets anyway. In these situations, you may not have an extra /64 to dedicate to SLAAC for certain devices.
db48x 2 days ago||
Right. I was merely correcting your statement that SLAAC needs more than 64 bits to work with. But my question remains; do any ISPs hand out smaller delegations than a /64?
justincormack 2 days ago||||
There are APIs in Linux to control source address selection but might be fiddly https://www.davidc.net/networking/ipv6-source-address-select...
franklyworks 2 days ago|||
Ah, this makes sense.
dmm 3 days ago|||
Android supports DHCPv6, just not stateful DHCPv6. You can give each device its own /64 or if you really want to track a device's usage you should use an authenticated layer on top of your base network.
avidiax 3 days ago||
Why can't you use stateless autoconfig?
candiddevmike 3 days ago||
Because I want to control the suffix assigned to devices for firewall rules and monitoring purposes.
avidiax 2 days ago||
Seems like the wrong layer unless your network has more than one router/gateway.

Use MAC as the key for firewall and monitoring. Then you don't have multiple rules per device.

buggjenrmf 2 days ago||
”You’re holding it wrong”
rao-v 3 days ago||
What’s the pragmatic solution to ipv6 allowing everybody in my household to be trivially and stably mapped to a unique subnet? I like the accidental semi-randomization that ipv4 and ISP NAT offered and I don’t see anything like it short of putting my entire home net on a VPN (it’s expensive and can’t keep up with my ISP’s bandwidth)
lloeki 3 days ago||
Each device gets directly addressable from WAN with v6 but it also gets a randomised privacy IP that rotates very frequently so each individual device is just as "hidden" as it was with v4+NAT.

Your v6 subnet prefix is no different than whatever WAN-side v4 your NAT had. "Accidental semi-randomization" of the WAN side IP is not something one could reliably count on. Many ISPs just hand over a static-like IP, that is, even when it's supposed to be random the pool of IPs is so constrained that it's usually the same simply through the IP lease surviving power cycling. And that was before CGNAT.

If your concern is being identifiable through your IP then counting on whatever v4 artifact is the wrong move. Use a VPN with randomised exit nodes.

jcgl 8 hours ago|||
ULAs. It’s like a better version of v4’s RFC1918 addresses.
icedchai 2 days ago|||
Everybody in your household is already mapped to a single IPv4 address that rarely changes with most ISPs. Mine hasn't changed in over 3 years. My IPv6 /56 prefix delegation hasn't changed, either.
mattypg 3 days ago|||
It’s a little different, but you can use ULAs to have a static subnet with static device addresses.

One of the biggest changes from IPv4 when I enabled IPv6 a while back was that it’s fine and normal to have multiple addresses per interface now. ULAs are not globally routable, so I think of them as LAN addresses. Another option that comes to mind is mDNS, but I think support for that is not as widely accepted.

Global addresses can change, just as your home dynamic IPv4 probably did from time to time.

yjftsjthsd-h 3 days ago|||
It's true that you won't get CGNAT without having CGNAT. Depending on your concern, it is possible to NAT66 to make your entire network appear as one IP.
lonjil 2 days ago||
what exactly do you mean by "trivially and stably mapped to a unique subnet"?
suprjami 2 days ago||
World IPv6 day 6-6-26, just turn IPv4 off. Let the world catch up.

I said the same thing for 6-6-16 too.

zygentoma 2 days ago|
Uh, I like that!

I have some services on IPv6 only, but it rarely convinces anyone that they need IPv6 connectivity …

transitorykris 2 days ago||
In my 25 year career in network engineering, I’ve encountered needing it as a user exactly once, and that was earlier this year. Supabase’s free tier allows direct connections to Postgres only over IPv6. It’s too bad the deployment has been a long, drawn-out and expensive process for everyone.
imathew 2 days ago|
My ISP has good IPv6 support. I was using it for a while and recently disabled it across my home network for simplicity of maintenance, cutting my vyos config in half. When I need to access something not available on IPv4 I'll set it up again but I'm not convinced that will happen in my lifetime.