this post was submitted on 16 Aug 2025
27 points (90.9% liked)

Selfhosted

50550 readers
383 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
27
IPv6 & Opnsense & Not Exposing Machine-Specific IPv6s to Corpos (piefed.blahaj.zone)
submitted 19 hours ago by glizzyguzzler@piefed.blahaj.zone to c/selfhosted@lemmy.world
31 comments fedilink hide all child comments
 

I have had IPv6 off for a long time now, but it feels like now is time to actually try. I'm planning on setting the WAN side to DHCPv6 and the LAN side to Static IPv6 to match the IPv4 settings. https://docs.opnsense.org/manual/ipv6.html (I see people say "talk to your ISP about dynamic or static and what block size" but I would rather collapse into a singularity than contact my ISP unforced, so I shan't do that)

I've tried to read about IPv6 but I just don't have enough knowledge-ground to stand on to make sense of it in an actionable way.

From what I have read and (mildly) understood, I think I know that IPv6 addresses are directly identifying; no longer does everything on the internet see the IPv4 of your router only - now things see your specific device's IPv6 that's a... subset? of the router's IPv6 range (not single IP) assigned. https://superuser.com/a/1735921 People describe it as a different way to network, which I guess means no matter what I read I'm still not sure what to do.

I want IPv6 to work exactly like IPv4: router has WAN IPv4 address and masquerades for every device in the network. I don't want Google knowing exactly which computer contacted them from inside my LAN, I want them to put in the work to finger print my device with various ways that are likely illegal in the EU.

How do I prevent that IPv6 privacy issue, or did I misunderstand how IPv6 works?

you are viewing a single comment's thread
view the rest of the comments
[–] Mordikan@kbin.earth 4 points 17 hours ago (1 children)

I've mentioned this elsewhere, but to fair, even without you providing Google an IPv6 address, they still know exactly which computer contacted them from inside your LAN. Even in GDPR territory they can do that.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 16 hours ago (1 children)

I know, but when you get captcha’d all of the time you feel like you’re kinda winning (but not really of course). I don’t want them to just have a nice fingerprint of my devices without having to try at all. I see others have mentioned “IPv6 privacy extensions” that let the devices cycle the multitude of IPv6 address space to keep a semblance of privacy - that seems to be the “default” solution

[–] Mordikan@kbin.earth 1 points 7 hours ago (1 children)

I think the idea of an IP address (IPv6 or not) providing anyone a semblance of privacy is wishful thinking in this age. Google ad revenue in the EU is estimated to be lower because the power in GPDR areas isn't in PII obfuscation, its in the consent model. Positive opt-in to Legitimate Vendor Interest makes tracking difficult, not whether your IP is generic. You have to remember companies like Google are still able to monetize off of users in mobile CG-NAT environments in the US/EU. Given the roughly 150 other metrics Google (or any publisher/SSP would have access to), removing one doesn't really stem the tide.

What's also interesting is how IPs become anonymized. For IPv4, the industry standard I kid you not is to take the 4th octet and mark it zero. That's it. It just assumes carriers use /24 CIDRs like someone's home network might. The funny part is what if that was 50.50.0.0/22? A publisher could in practice replace one user's IP with another user's IP which means that they still would be passing PII unanonymized which could violate GDPR.

IPv6 uses the same basic system. 2001:db8:85a3:8d3:1319:8a2e:370:7348 becomes 2001:db8:85a3::. You just truncate at the 64th bit. Rolling through available host bits doesn't really matter then. IPv6/IPv4 really aren't ever used for Google user syncing.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 3 hours ago

I do appreciate you taking the time to write that up! Is the 50.50.0.0/22 crossing US and EU IPv4 allocations? From searching it looks like it’s around the boundary between US and Germany allocations. Interesting, I had no idea IP anonymization existed or was applied in such a haphazard way