Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
NAT is not a firewall and it's not that great for privacy either, it's not hard to fingerprint individual devices behind NAT. There are zero cases where NAT is better than the alternatives, except when you're out of public IPs, which isn't an issue with IPv6.
So you're much better off by not trying to reinvent the wheel and using IPv6 the way it was intended. Use privacy extensions for privacy. Use proper firewall rules for security. Revel in the fact that NAT isn't fucking up your inbound connections. Do not under any circumstances force the horrible kludge that is NAT into your IPv6 network.
I gather people talk like NAT is a rung of hell, but I guess it works because I never think of it. Maybe it becomes shittastic at multiple NATs? With one router it seems straightforward to have port forwarding.
I do not understand why I want better inbound connections - but maybe if I get hit with a CGNAT then I’ll understand?
Yeah multiple NAT is a lot worse, but normal NAT has a lot of corner cases too that most people just don't run into that often. For example if two computers behind NAT want to listen on the same port, that just doesn't work.
NAT is a "good enough" solution that tricked a whole generation of people growing up with it into thinking it's a good thing. While in reality the best case is that you don't run into issues and the worst case is that performance is horrible and you can't do the things you want to do. The only people that benefit from it are lazy ISPs, not their users.
I see now that a limitation I just understood for IPv4 (expose one port from one device only on the router) isn’t a thing for IPv6 working without NAT: every device on a LAN can be given a worldwide routable address and expose the same port. Interesting, in my home I don’t think I’d ever run into that, but I can see issues like that pile up quick in big deployments.
Thanks for taking the time to explain all of this in detail!
You're welcome, great to see how you're taking all the comments on board!
There are more subtle problems with NAT as well. Say that PC-A opens a connection from port 1234 (to something on the internet), and PC-B opens a connection from port 1234 too. Now the router has to translate the PC-B connection to coming from port 1235 to distinguish them from each other. But if PC-C then wants to open a listening port on 1235 it won't work because the port is already in use, even though you can't see anything using that port!
NAT is full of ridiculous corner cases like that, which normal users aren't very likely to notice. But once you start self-hosting things or trying to get something like older multiplayer games working the problems pile up fast if you're unlucky.
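The PC-A / PC-B / PC-C corner case from the comment above, as an added illustration that is not part of the original thread. It is a toy model of a port-translating NAT with a single public address; the class and function names are hypothetical, and the "take the next free port" allocation is an assumption chosen to match the comment (real routers also key on protocol and remote endpoint).

```python
# Added illustration: toy port-translating NAT (NAPT) behind one public IPv4 address.
# Host names and ports are constructed to match the comment above.

class PortInUse(Exception):
    """The requested public port is already claimed by another mapping."""


class Napt:
    def __init__(self):
        # public port -> (internal host, internal port, kind of mapping)
        self.table = {}

    def outbound(self, host, src_port):
        """Map an outgoing connection. Keep the source port if it is free on
        the public side, otherwise walk upwards to the next free port."""
        port = src_port
        while port in self.table:
            port += 1
            if port > 65535:
                raise PortInUse("no free public port")
        self.table[port] = (host, src_port, "dynamic")
        return port

    def forward(self, host, port):
        """Install an inbound port forward (public port == internal port)."""
        if port in self.table:
            owner, owner_port, _ = self.table[port]
            raise PortInUse(f"public port {port} already maps to {owner}:{owner_port}")
        self.table[port] = (host, port, "forward")
        return port


def demo():
    nat = Napt()
    results = {
        "PC-A": nat.outbound("PC-A", 1234),  # keeps 1234
        "PC-B": nat.outbound("PC-B", 1234),  # silently rewritten to 1235
    }
    try:
        results["PC-C"] = nat.forward("PC-C", 1235)
    except PortInUse as exc:
        # Nothing on the LAN listens on 1235, yet the public port is taken.
        results["PC-C"] = str(exc)
    return results


if __name__ == "__main__":
    for host, outcome in demo().items():
        print(host, "->", outcome)
```

With routed IPv6 there is no shared table: each host's own address is part of the key, so the collision cannot occur and inbound access is decided by firewall rules instead.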