The question above for the most part, been reading up on it. Also want to it for learning purposes.
Depends on how you define “worth it”. Most selfhosting is done not for worth, but for a hobby.
Hobbies are often worthwhile. Maybe not financially, but often psychologically.
Some times not financially or psychologically, and they also make my wife mad when I fat finger some config.
Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don’t think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.
Setting it up was definitely a learning process - SLAAC vs DHCP; isc’s dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It’s definitely doable, but I think the main benefit is the knowledge you gain.
Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.
+1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I’ve also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.
Security is different, but not worse IMO. It’s just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.
Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it’s per network device. Tracking sites can differentiate multiple devices in the house across sites.
This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.
I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.
IPV6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.
Just wait until IoT takes off and every key on your keyboard has a unique address
And the biggest disadvantage of IPv6 is that each of your internal devices has its own address and can be directly accessible from outside. So you need to completely rethink how you do security.
And can be identified/tracked individually by outside entities. In IPv4, a website sees both my device and my kid’s device as the same IP. In IPv6 they’re different so this just provides more ways for them to track you.
That’s the reason for rcf 4941. It randomises the host part of your IPv6 address.
First of all they use much more than the device IP to identify individual devices. IPv4 is no longer all that useful for identification with things like CGNAT being common.
But with IPv6 they’ll see my device IP, then they’ll see the same device with completely different IP, then again. Same for my kid’s device. But again, all of the above applies. It is a concern, but there are much better ways of tracking you anyways.
Isn’t that what tburkhol addressed in their first paragraph? Or are you suggesting further steps than just putting those devices behind NAT? I am not at all trying to be snarky, I actually want to know more about this.
You don’t need to use nat on ipv6. Most routers are based on Linux and there you have conntrack.
With that you can configure by default outgoing only connections just like nat and poke holes in the firewall for the ports you want specifically.
Also windows and I think Linux use ipv6 privacy extensions by default. That means that while you can assign a fixed address and run services, it will assign random ip addresses within your (usually) /64 allocation for outgoing connections. So people can’t identify you and try to connect back to your ip with a port scanner etc.
All the benefits of nat with none of the drawbacks.
There’s a bunch of advantages. IPv6 can be useful since your devices can have the same IP both internally and externally. No dealing with port forwarding. No split horizon DNS (where you have different DNS entries for internal vs external). No NAT. No DHCP required for client systems (can just use SLAAC to auto-generate addresses). Much simpler routing. It’s a bit faster. Proper QoS.
I used to use Comcast, who actually have very good IPv6 support. They were the first major US ISP to roll out IPv6 to everyone, around 10 years ago. Unfortunately my current ISP doesn’t have IPv6, but they’re aiming to roll it out this year.
How does that work, having the same IP internally and externally?
A good ISP that supports IPv6 will give you a /64 range. That’s a huge number of IPs, 2^64. Easily enough for every device on your network to have a lot of public IPs. If you use Docker or VMs, you could give each one a public IPv6 address.
When every device on your network can have a public IP, there’s no longer a reason to have private IPs. Instead, you’d use firewall rules for internal-only stuff (ie allow access only if the source IP is in your IPv6 range).
This is how the internet used to work in the old days - universities would have a large IP range, and every computer on campus would have a public IP.
Of course, you’d still have a firewall on your router (and probably on your computers too) that blocks incoming connections for things you don’t want to expose publicly.
A good isp would give you something bigger than a /64 - /56 or /48. something that you can subnet.
wouldn’t /64 still leave you with 64 bits for you to do whatever? Ipv6 has a 128 bit address. If you can do subnets with a small usable portion of 32 bits, then you certainly can with a full 64 bits
The smallest recommended IPv6 subnet is /64. The biggest issue you will encounter is that SLAAC will refuse to work on anything smaller, and it just so happens that Android still doesn’t support DHCPv6 and will be left without a valid address.
Android still doesn’t support DHCPv6 and will be left without a valid address.
RFC 7934 explains their reasoning, though it’s not exactly an ironclad argument.
til. Thanks
old post, but I so wonder why you got downwoted for saying it like it is. a good isp will give you a /56, the minimum best practice. a great isp will give you a /48 you’r router will also participate in the wan /64, but that is just the uplink, and not something that will be used on the lan. https://www.ripe.net/publications/docs/ripe-690/#4--size-of-end-user-prefix-assignment---48---56-or-something-else-
Good point - I should have said “at least a /64 range”.
For LAN, no. If you have a router NAT’ting traffic and providing DHCP service there’s really no need for ipv6. Almost every ipv6 enabled service provides both 6 and 4 usually and NAT figures it out, and many still provide only 4, meaning you can’t just get rid of ipv4 entirely.
If your ISP has modernized and is actually providing an ipv6 address, I suppose there’s probably a tiny benefit of being able to go ipv6>ipv6 when routing, bust most all devices nowadays can handle NAT translation from ipv4 to ipv6 and vice versa with no routing penalty. I don’t know if there are any ISP’s out there who can provide static ipv6 addresses without a NAT router to your entire LAN though.
If you’re buying a vps or something ipv6 is easier to get a static address for.
That of course leaves the last good reason: why not? If you’re doing homelab hosting stuff why not experiment with ipv6 and fully modernize your network. They suck to type in but it’s fun to know your stuff is brand new and using the “best”.
I have currently an issue with a WebRTC SFU not working behind a IPv6 to IPv4 translation, at least I suspect that is the cause.
Dual-Stack is usually no problem, but going IPv6-only is a pain, because a suprising amount of services are v4 only. Even NAT64/DNS64 doesn’t help everywhere.
I’ll buck the trend and say “yes, for a home LAN, it is the bees’ knees”. I don’t do it now because my country (and hence my ISP) does not do IPv6, but for most places it’s worth doing.
It depends on how your ISP does it. When I did it before, my ISP gave me a /56, which is pretty sensible and I think fairly common. If you get smaller than a /64, (a) your ISP is run by doofuses, but (b) it’s going to be a pain and maybe not worth it.
A /56 was much bigger than I needed. I actually only used 2 /64s, so a /63 would have been fine, but network configuration is fun (I think), so maybe you can get creative and think about different ways of allocating your network.
I had 1 /64 for statically-assigned, publicly reachable servers. And then I had a separate /64 for SLAAC (dynamic) allocated personal devices (laptops, phones, etc.) which were not publicly-reachable (firewalled essentially to act like a NAT). (Sidenote, if you are going to use IPv6, I recommend turning on RFC7217 on your devices for privacy reasons. I think these days it’s probably turned on by default for Windows, Android, iOS, etc., but it’s worth double-checking)
The big benefit to using IPv6 is that all of your home machines can be (if you want them to be) reachable inside your network or outside your network using exactly the same IP address, which means you can just give them a fixed AAAA and access them from anywhere in the world you like. If you’re into that sort of thing, of course. It’s a lot of fun.
The server I have with ovh has ipv6 setup, but only 1 of my VMS on it has an address. It’s a lot harder to get your head around then it looks, no NAT. Firewall everything
yes, ill admit i didnt do it myself until recently when I didnt want to do yet-another-nat-entry and decided to join modern networking.
should have done it years ago.
What were the biggest pains? What was surprisingly easier than expected?
worrying my head off about security because in the old days IPv6 had some issues esp with bascially putting every device on your network on the public internet with no firewall.
learned that years ago hardware makers started defaulting to blocking all traffic from the outside when ipv6 is enabled. Once I felt comfortable just turning it on I found it pretty easy to grasp esp when the addresses stopped liking like random junk to my eyes.
Once I knew how things worked actually exposing a specific system or port set to the internet was super easy, much easier than NAT + firewall.
with my ISP. v6 unexpectedly brought a new level of privacy we had not had before. When you geolocate the IPs they show up in ISP datacenters all over the country. One day it looks like we are in VA, the next we are coming out of Seattle. We have yet to notice any speed or routing issues. IPv4 and IPv6 play well together though once you turn on v6 you might find yourself turning it on for more vlans than you planned because you want the features!
Thanks! That was really insightful. I guess I’ll give it a try some day, for now everything runs in ipv4 and that runs well haha!
don’t touch it till you need/want to. I had a system I wanted to expose to the internet on a vlan buried in my network, so ipv6 looked like the quicker of the 2 options. turned out to be right.
The possibility to have your packets passed through a shorter route compared to IPv4 packets is worth it imo. I have 280 ms ping to the US and I can cut it down to ~250ms by routing my traffic via certain countries with vpn. I really hope widespread IPv6 deployment would optimize global internet routing so my latency would improve even if just a few ms so I don’t need to use VPN to override my route manually.
Maybe a silly question: any ideas why there are shorter routes using IPv6?
- Fewer hops usually required when using IPv6, which means shorter latency.
- Simplified header means less processing time needed to process IPv6 packets, which might improve latency on each hop.
- It also supports multicast, but I’m not sure if it can be used to improve routing and latency.
Thanks! Is there something about the larger area space which means there are fewer hops?
I suspect it’s more like the workaround used by network operators to scale up IPv4 to serve billions of users necessitate more and more layer of nodes to route your packets through.
There’s a pretty interesting series on the topic at Tall Paul Tech’s YouTube channel (here’s the most recent: https://youtu.be/WFso88w2SiM). He goes into quite a bit of detail over the course of a few videos about how he handled everything and highlights some of the trials and tribulations with the isp. It’s not a guide per se, but definitely stuff worth thinking through.
Here is an alternative Piped link(s): https://piped.video/WFso88w2SiM
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source, check me out at GitHub.
Absolutely. I use ipv6 so I can directly reach all my servers. For public facing things I put it on an ipv4 address but for my own internal stuff, ipv6.
I’m lazy and don’t want to remember more than three digits in an IP address or secure all my devices like they’re publicly routable so I’m sticking with IPv4
Same, so I use DNS and a firewall.
DNS
You mean like
~/.ssh/config?
You could assign short addresses like fd00::1
The number of short IPv6 addresses is smaller than the number of IPv4 addresses, so that’s defeating the entire purpose of IPv6. Sooner or later you have to start using the long addresses.
At home? No! Or use fd00::1:1 or fd00::1:1:1
Setup mDNS and you don’t have to remember IP addresses anymore.
ssh orangeboats@orangeboats-router.localis thousand times better to memorise.
I tried converting my internal and external self hosted setup to IPv6 only, like it’s the trend nowadays. But halfway through it I couldn’t really see the point
There aren’t many benefits from using IPv6 on LAN, as far as I can tell, unless you need more addresses than are available in the private address ranges.
And that point you’re not in a home, you’re in a data center lmao
I mean, if you have around 17 million containers running services, maybe.
@BaldProphet
What’s the smallest container around? How much RAM would that take?edit: FROM scratch let’s you run bare binaries on Docker.
Would be very interesting to see how far that could get. What sort of payload/task would be interesting for all those containers?
@Sandbag @bdonvrIt’s definitely an interesting hypothetical. Some homelabs that I’ve seen run crazy enterprise gear and are certainly capable of running thousands of very small containers, while others are running repurposed consumer equipment or SBCs like Raspberry Pis with less computing power and RAM.
Of course, in a self-hosted or homelab environment, there would be little utility to running that many network or web services. It would be a neat experiment, though. Seems like the kind of thing that Linus Tech Tips would attempt.
Doesn’t need to be a “traditional” container. Modulo noisy-neighbour issues, wasm sandboxing could potentially offer an order of magnitude better density (depending on what you’re running; this might be more suited to specific tasks than providing a substrate for a general-purpose conpute service).
You’re asking if you should use it, while my ISP was working on it in 2017 and then it all got canned when they got bought out :( .
