this post was submitted on 13 Jul 2023
103 points (95.6% liked)

Selfhosted


The question above for the most part, been reading up on it. Also want to do it for learning purposes.

[–] tburkhol@lemmy.world 36 points 1 year ago (7 children)

Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don't think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.

Setting it up was definitely a learning process - SLAAC vs DHCP; isc's dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It's definitely doable, but I think the main benefit is the knowledge you gain.

[–] designatedhacker@lemm.ee 13 points 1 year ago (1 children)

Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.

+1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I've also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.

Security is different, but not worse IMO. It's just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.

Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it's per network device. Tracking sites can differentiate multiple devices in the house across sites.

This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.
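Added example, not part of the comment above: a Python sketch that checks whether an address still carries a hardware MAC in its interface identifier (the modified EUI-64 form that older SLAAC implementations generated). The sample addresses are constructed from the 2001:db8::/32 documentation prefix, and the function names are illustrative.

```python
import ipaddress

# Constructed sample data: what `ip -6 addr` style output might list on a LAN host.
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455/64",   # EUI-64 SLAAC address (MAC inside)
    "2001:db8:1:2:8d3c:71a4:9be2:4f7/64",   # randomized / privacy-style address
    "fe80::211:22ff:fe33:4455%eth0",        # link-local, never leaves the segment
]

def parse(addr):
    """Strip prefix length and zone id, return an IPv6Address."""
    return ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])

def embedded_mac(ip):
    """Return the MAC hidden in a modified EUI-64 interface ID, or None.

    EUI-64 splits the 48-bit MAC in half, inserts ff:fe in the middle and
    flips the universal/local bit (0x02) of the first byte. A random
    interface ID matches the ff:fe marker by chance about 1 time in 65536.
    """
    iid = ip.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to a short finding about MAC exposure."""
    findings = {}
    for raw in addresses:
        ip = parse(raw)
        mac = embedded_mac(ip)
        if mac is None:
            findings[raw] = "no embedded MAC"
        elif ip.is_link_local:
            findings[raw] = f"MAC {mac} embedded, link-local only"
        else:
            findings[raw] = f"MAC {mac} embedded, visible to remote sites"
    return findings

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE).items():
        print(f"{addr:40} {finding}")
```

An address flagged as "visible to remote sites" keeps the same low 64 bits on every network the device joins, so it identifies the device even after the delegated prefix changes.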

[–] Faceman2K23@discuss.tchncs.de 9 points 1 year ago (1 children)

I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.

IPv6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.

[–] aBundleOfFerrets@sh.itjust.works 2 points 6 months ago

Just wait until IoT takes off and every key on your keyboard has a unique address

[–] dan@upvote.au 16 points 1 year ago* (last edited 1 year ago) (2 children)

There's a bunch of advantages. IPv6 can be useful since your devices can have the same IP both internally and externally. No dealing with port forwarding. No split horizon DNS (where you have different DNS entries for internal vs external). No NAT. No DHCP required for client systems (can just use SLAAC to auto-generate addresses). Much simpler routing. It's a bit faster. Proper QoS.

I used to use Comcast, who actually have very good IPv6 support. They were the first major US ISP to roll out IPv6 to everyone, around 10 years ago. Unfortunately my current ISP doesn't have IPv6, but they're aiming to roll it out this year.

[–] outcide@lemmy.world 4 points 1 year ago (1 children)

How does that work, having the same IP internally and externally?

[–] dan@upvote.au 7 points 1 year ago* (last edited 1 year ago) (8 children)

A good ISP that supports IPv6 will give you a /64 range. That's a huge number of IPs, 2^64. Easily enough for every device on your network to have a lot of public IPs. If you use Docker or VMs, you could give each one a public IPv6 address.

When every device on your network can have a public IP, there's no longer a reason to have private IPs. Instead, you'd use firewall rules for internal-only stuff (ie allow access only if the source IP is in your IPv6 range).

This is how the internet used to work in the old days - universities would have a large IP range, and every computer on campus would have a public IP.

Of course, you'd still have a firewall on your router (and probably on your computers too) that blocks incoming connections for things you don't want to expose publicly.

[–] Faceman2K23@discuss.tchncs.de 9 points 1 year ago (1 children)

It's good to learn, because it will become more common as time moves on, particularly if you get into the datacenter/cloud/ISP industry. It's less important for the general home user, but it is important to understand how it works and how to use it safely.

Just treating it like IPv4 with more address space is dangerous though. You need to think differently about security and firewalls as it is as if every device has its own dedicated WAN address and could be open to the internet without you knowing.

[–] npmstart_pray@lemmy.fmhy.ml 5 points 1 year ago (2 children)

Indeed it is good to learn: ipv6.he.net/certification is a free course everybody should take the first 2-3 levels of.
The login credentials you create for that website will allow you to log in to their sister site tunnelbroker.net and claim a /48 delegation for your DDNS tunnel, also free, to promote the changeover to v6 from v4, especially for people with dynamic WAN IPs from their ISP and no IPv6.

[–] SheeEttin@lemmy.world 9 points 1 year ago (1 children)

Depends on how you define "worth it". Most selfhosting is done not for worth, but for a hobby.

[–] Zorque@kbin.social 6 points 1 year ago (1 children)

Hobbies are often worthwhile. Maybe not financially, but often psychologically.

[–] dud3@feddit.de 7 points 1 year ago

Dual-Stack is usually no problem, but going IPv6-only is a pain, because a surprising amount of services are v4 only. Even NAT64/DNS64 doesn't help everywhere.

[–] preasket@lemy.lol 6 points 1 year ago (2 children)

There’s another question: will we ever actually run out of IPv4 addresses, so that cloud providers and ISPs no longer offer them?

[–] dan@upvote.au 15 points 1 year ago* (last edited 1 year ago) (1 children)

That's already happened, which is why some ISPs use CGNAT. CGNAT is "carrier-grade NAT" which means the internet provider does NAT on their network.

Only having CGNAT with no IPv6 is a pain since you can't do any port forwarding. It's double-NAT which slows things down a bit (you use NAT on your network, then your ISP uses NAT on their network).

Some cloud providers also have IPv6-only servers for cheaper. IPv4 addresses are still available but the price to acquire them is significantly higher than it used to be.

[–] preasket@lemy.lol 2 points 1 year ago (5 children)

Ah, I never encountered that. I see. Is it mostly in remote areas?

I'm all for IPv6, it's just that there's always something extra you have to do to set it up.

[–] porksandwich9113@lemmy.world 6 points 1 year ago (1 children)

It's really common in cellular connections as well as smaller regional ISPs. I work for a rural fiber co-op with about 50,000 members/customers and we do CGNAT for all our members by default because we only have about 36,000 IPs allocated to us. We also have full ipv6 support as well with every customer getting a /56.

To get a big enough block for all our enterprise/business/residential customers to do 1:1 NAT for ipv4 would probably require an entire /16 which costs somewhere in the neighborhood of 2 million dollars last I checked. And even then we would eventually run out because we are constantly expanding to cover rural areas that have been ignored for decades by the big ISPs. Right now if a member needs a static or routable we just charge 10$ a month, and we have enough in reserve for all our members to operate like this likely until the entire internet abandons ipv4.

[–] innercitadel@lemmy.nz 2 points 1 year ago (1 children)

Why do some ISPs charge a monthly fee and others a one off fee? I paid one off with my ISP several years ago for my static IPv4.

[–] porksandwich9113@lemmy.world 4 points 1 year ago (2 children)

Honestly I don't have a good answer for that. The ones who charge a one time fee are honestly being pretty generous (depending on the price you paid) considering there are yearly dues to ARIN/RIPE/APNIC/etc for IP allocations depending on their aggregate block size as well as the fact that IPs are generally very valuable right now, and go up in value depending on the block size.

If they have a legacy registration they also don't have to pay those dues, though the downside is they don't get the newer features like RPKI without signing a LRSA/RSA (and therefore paying those dues) and getting their routes certified. Usually doesn't cause an issue as not many peers drop unvalidated BGP prefixes on IPv4.

That being said, if your ISP has been in the game for decades, they probably have owned their blocks for decades and got them for pennies on the dollar when ARIN and other registries were handing out IP addresses like candy. I know the last /24 my company had to buy cost us somewhere in the neighborhood of $14,000 when it was all said and done, and that was just for 256 IPs.

Eventually IPv4 addresses will become so prohibitively expensive, that is what will eventually push mass IPv6 adoption on the ASN side of things.

[–] orangeboats@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

Living in the APNIC region, we are kinda notorious for being the first region to run out of IPv4 addresses.

The top 3 mobile ISPs in my country here have been doing CGNAT since at least 2014. Cable ISPs are limiting public IPv4 according to plans since at least 2017, i.e. if the download speed of your plan is below 200 Mbps, you get CGNATed.

We are severely out of IPv4 addresses.

[–] splendoruranium@infosec.pub 3 points 1 year ago

You've very likely already encountered it if you have a device with a SIM card! Most any mobile provider routes via a CGNAT - it's exceedingly rare for phones to have public IPs.

[–] dan@upvote.au 2 points 1 year ago* (last edited 1 year ago)

Not sure which country you're in, but CGNAT is pretty common in some European countries. ARIN had a larger stockpile of IPv4 addresses than APNIC and RIPE, so CGNAT is less common in the USA and Canada. The US is also generally further ahead in terms of IPv6 rollout compared to other countries. One of the largest ISPs, Comcast, has been IPv6-enabled for over 10 years.

[–] BaldProphet@kbin.social 4 points 1 year ago (1 children)

There aren't many benefits from using IPv6 on LAN, as far as I can tell, unless you need more addresses than are available in the private address ranges.

[–] bdonvr@thelemmy.club 9 points 1 year ago (1 children)

And at that point you're not in a home, you're in a data center lmao

[–] BaldProphet@kbin.social 3 points 1 year ago (5 children)

I mean, if you have around 17 million containers running services, maybe.

[–] mhzawadi@lemmy.horwood.cloud 2 points 1 year ago

The server I have with ovh has ipv6 setup, but only 1 of my VMs on it has an address. It's a lot harder to get your head around than it looks, no NAT. Firewall everything
