this post was submitted on 16 Aug 2025
27 points (90.9% liked)

Selfhosted

50550 readers
709 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
27
IPv6 & Opnsense & Not Exposing Machine-Specific IPv6s to Corpos (piefed.blahaj.zone)
submitted 18 hours ago by glizzyguzzler@piefed.blahaj.zone to c/selfhosted@lemmy.world
30 comments fedilink hide all child comments
 

I have had IPv6 off for a long time now, but it feels like now is time to actually try. I'm planning on setting the WAN side to DHCPv6 and the LAN side to Static IPv6 to match the IPv4 settings. https://docs.opnsense.org/manual/ipv6.html (I see people say "talk to your ISP about dynamic or static and what block size" but I would rather collapse into a singularity than contact my ISP unforced, so I shan't do that)

I've tried to read about IPv6 but I just don't have enough knowledge-ground to stand on to make sense of it in an actionable way.

From what I have read and (mildly) understood, I think I know that IPv6 addresses are directly identifying; no longer does everything on the internet see the IPv4 of your router only - now things see your specific device's IPv6 that's a... subset? of the router's IPv6 range (not single IP) assigned. https://superuser.com/a/1735921 People describe it as a different way to network, which I guess means no matter what I read I'm still not sure what to do.

I want IPv6 to work exactly like IPv4: router has WAN IPv4 address and masquerades for every device in the network. I don't want Google knowing exactly which computer contacted them from inside my LAN, I want them to put in the work to finger print my device with various ways that are likely illegal in the EU.

How do I prevent that IPv6 privacy issue, or did I misunderstand how IPv6 works?

top 30 comments
sorted by: hot top controversial new old
[–] thelittleblackbird@lemmy.world 1 points 5 hours ago (1 children)

Hi,

Welcome to the ipv6 fantastic hell and it's sequel about dual stack and 6to4 and 4to6 half cooked solutions.

First of all, I would not care a lot the ip addresses, not even google can extract a lot of info from the ip and ipv6 will cycle the subnet work part (via your isp) making tracking extremely difficult. On to of that you can select your dhcp6 daemon to give an address validity as low as minutes (but not practical), 24h validity should be enough. 1h validity only in severe paranoia mode.

It is important to make sure that your lan track the Wan interface for correctly updating the prefix renewal.

Try not to make a nat for ipv6 but firewall most of the stuff you don't like, ipv6 comes wit great advantages that will dissappear if you nat the connections. And a tip, there are a lot of ipv6 icmp messages that shouldn't be blocked in your firewall because it really improves your performance. If you nat it they will be out.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 2 hours ago

Good to know, didn’t know IPv6 can come with efficiency gains. Makes sense since the designers had a beat to think about why IPv4 sucks. I’ll avoid NAT IPv6

[–] ryannathans@aussie.zone 14 points 17 hours ago* (last edited 17 hours ago) (1 children)

Use ipv6 privacy addresses and temporary addresses and you can stop thinking about it (the default on most os)

[–] glizzyguzzler@piefed.blahaj.zone 2 points 15 hours ago (1 children)

I see, I saw someone else mention “IPv6 privacy extensions”. So basically it’s up to the individual devices to handle privacy instead of the router doing it for them in IPv6 land

[–] ryannathans@aussie.zone 1 points 17 minutes ago

Yes most IPv6 devices are responsible for giving themselves addresses with SLAAC. Some networks use DHCPv6 but they should only be used where SLAAC is not possible

[–] bw42@lemmy.world 10 points 17 hours ago (1 children)

Normal setup for IPv6 is to use public IPs everywhere, and use the firewall to block traffic to your internal systems.

https://desantolo.com/2021/02/ipv6-lan-network-address-translation-nat-on-opnsense/

This article has instructions for configuring NAT6 outbound in OPNSense. It makes the IPv6 work similar to IPv4. Local DHCP routed through single external IPv6 address.

[–] glizzyguzzler@piefed.blahaj.zone 3 points 16 hours ago

Thank you for the guide! It’s very straightforward and looks hella easy to implement. From reading it I would not have guessed it would do what I wished

[–] InnerScientist@lemmy.world 9 points 17 hours ago (1 children)

Either use ipv6 privacy extension (enabled by default, so this can just be called ipv6) or don't enable ipv6.

That way you have working ipv6 or wait until you come to your senses. Using nat6 ipv6 isn't worth it.

[–] glizzyguzzler@piefed.blahaj.zone 2 points 16 hours ago (2 children)

I see people say “not worth it” but never expound on what exactly makes it not worth it?

Most I get is a vibe (using a metaphor) “python-like judging where people prefer to do it in a ‘pythonic’ way” but of course that’s silly. There must be more to it, but I never seen interoperability issues called out

[–] InnerScientist@lemmy.world 5 points 15 hours ago* (last edited 15 hours ago) (1 children)

Most (all?) advantage of ipv6 when compared to ipv4 don't work behind Nat. Thus there's no reason to use it.

Either Nat with ipv4 or don't Nat with ipv6.

Why did you want to use ipv6 when you don't want what it represents? (End to end communication/IPs)

[–] glizzyguzzler@piefed.blahaj.zone 2 points 15 hours ago (1 children)

Mobile devices are largely IPv6-only now, messing with VPN to home. The IPv6-to-4 conversion seems to be shoddy for my mobile carrier.

Not here for what it represents, just want it to work.

I haven’t run into NAT issues that I’ve noticed, would IPv6 avoid issues with cgnat that people complain about? (If/when it happens in the future)

[–] InnerScientist@lemmy.world 3 points 14 hours ago (1 children)

Use ULA addresses for hosts inside your LAN, they are static, cannot be used to reach outside your LAN and use IPv6. Then give your server/VPN endpoint a real ipv6, that's your VPN endpoint. This doesn't require any nat and can be easily changed to GUA when you want to.

CGnat is a "solution" for running out of ipv4 addresses, it has the same problems as any other nat but the problems are even more noticeable because the out-facing ipv4 address changes more often than the typical home nat configuration and tricks like FTP- and other helpers don't work as well.

Ipv6 would not only avoid the issues of cgnat, it would avoid cgnat entirely because you don't need to Nat when you have enough ips.

[–] glizzyguzzler@piefed.blahaj.zone 2 points 14 hours ago* (last edited 14 hours ago) (2 children)

Thanks for taking the time to go into detail on this, it helps because I just haven’t been able to put acronyms to actionable meaning from just reading blogs and posts.

How do things outside the LAN talk to things inside the LAN that have ULA addresses (which I’m assuming are equivalent of 10.0.0.0/16 idea)? Will devices that are given ULA addresses be NAT’d just like IPv4 or will they not be able to talk to the outside world on IPv6?

Edit: I am getting more what you said; you answered this: the ULA addresses will not be able to talk to the outside world on IPv6 so those devices will be IPv4-only to websites that use IPv6 too. Follow-on Q would then be, is kludging NAT for IPv6 not a better solution versus ULA addresses? Or is the clear answer just use IPv6 as intended and let the devices handle their privacy with IPv6 privacy extensions?

[–] rezifon@lemmy.world 1 points 8 hours ago (1 children)

How do things outside the LAN talk to things inside the LAN that have ULA addresses. . .?

One big conceptual difference between IPv4 and IPv6 is the notion that any single host on the network is expected to have multiple, simultaneously-useful IPv6 addresses and this is totally normal and fine.

Any IPv6-enabled host is necessarily going to have a link-local address which can only be used to communicate with other hosts on the local network/subnet.

If your ISP offers IPv6 connectivity, or if you've set up an IPv6 tunnel from an IPv6 tunnel provider then a host on your network will also have a globally-routable IPv6 address which was assigned from your router via DHCPv6 or (more commonly) self-assigned using SLAAC (Stateless Address Autoconfiguration) which is an IPv6 way for machines to self-assign addresses is a sane, interoperable way without requiring a setup and operation of a service like DHCP(v6). Many IPv6 networks do not need to use run a DHCPv6 server at all and rely solely on SLAAC host self-assignments and local IPv6 router discovery protocols to find DNS servers and eligible gateways to other networks and the internet at large.

The block of IPv6 addresses used for your local machines is delegated by your ISP or tunnel provider. It can be static or dynamic and the underlying protocols will handle if that network range changes. IPv6 generally is tolerant of a host's public IP addresses changing at any time without disrupting connections or services.

With privacy extensions (enabled by default on all mainstream operating systems) a host on your network might have additional publicly-routable addresses which rotate frequently for privacy. Outbound traffic for the host will prefer these more private addresses for new connections. These addresses are ephemeral and change frequently.

In rare cases you might set up ULA addresses which are static and usable on your internal networks but will not be routed to the internet. They can be used for hosting services on your local network which need to potentially span multiple subnets/VLANs and in particular are useful for internal resources like name servers which cannot rely on DNS lookups for address resolution. Most networks will not use ULA addresses and normal use cases do not require them.

At any given moment, an IPv6-enabled host will have multiple active addresses all used for different types of traffic and it's important to break any assumptions you have carried over from IPv4 about the relationship between IP addresses and hosts on the network. Your host might be using a link local address to talk to another machine on a shared internal subnet while also using temporary, globally-routable IP privacy address to talk to a server on the internet. Multiple addresses can be in use at the same time to reach different endpoints in the world.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 3 hours ago (1 children)

Thanks for writing this up, really highlights the effective differences.

So for the internal delegation I’d SLAAC it and let things “just work” or DHCPv6 if I cared to specify IPv6s (which I will need to to have a static IPv6 address for a server to be reached at). Thanks again!

[–] Markaos@discuss.tchncs.de 1 points 1 hour ago

Hey, just a tiny note: static and dynamic addresses aren't mutually exclusive. You can let SLAAC do its thing AND also set a static address on your server. Remember, IPv6 works best when you aren't afraid of adding more addresses.

[–] InnerScientist@lemmy.world 2 points 12 hours ago* (last edited 12 hours ago) (1 children)

is kludging NAT for IPv6 not a better solution versus ULA addresses?

There are very few hosts that allow only ipv6 (though there are many who only do ipv4). Ipv6 would improve internet stability and long-term communication when you're not using a nat but that isn't what you're trying to build. Seeing as you're not getting any advantage anyway I recommend ULA because it won't get in the way of possible future migration to GUA ipv6 (globally unicast address) and still run over the ipv6 network while also avoiding Nat.

Or is the clear answer just use IPv6 as intended and let the devices handle their privacy with IPv6 privacy extensions?

It's my clear answer at least.

If you don't want that you can use ULA addresses for now and later add GUA ipv6 addresses. ULAs are meant to be used when you only have a dynamic ipv6 prefix so that internal devices can have ipv6 internet (GUA) while also having a static ipv6 address(ULA).

[–] glizzyguzzler@piefed.blahaj.zone 1 points 3 hours ago

I got it, ULA for everything that doesn’t care, 1 GUA for the server. When everything else starts to care about the lack of IPv6 or has routing issues, convert the ULA to GUA and rock n roll.

Thanks for providing a sane way to approach it slowly and methodically!

[–] Overspark@feddit.nl 2 points 16 hours ago* (last edited 16 hours ago) (1 children)

NAT is not a firewall and it's not that great for privacy either, it's not hard to fingerprint individual devices behind NAT. There are zero cases where NAT is better than the alternatives, except when you're out of public IP's, which isn't an issue with IPv6.

So you're much better off by not trying to reinvent the wheel and using IPv6 the way it was intended. Use privacy extensions for privacy. Use proper firewall rules for security. Revel in the fact that NAT isn't fucking up your inbound connections. Do not under any circumstances force the horrible kludge that is NAT into your IPv6 network.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 15 hours ago (1 children)

I gather people talk like NAT is a rung of hell, but I guess it works because I never think of it. Maybe it becomes shittastic at multiple NATs? With one router it seems straight forward to have port forwarding.

I do not understand why I want better inbound connections - but maybe if I get hit with a cgnat then I’ll understand?

[–] Overspark@feddit.nl 4 points 15 hours ago (1 children)

Yeah multiple NAT is a lot worse, but normal NAT has a lot of corner cases too that most people just don't run into that often. For example if two computers behind NAT want to listen on the same port, that just doesn't work.

NAT is a "good enough" solution that tricked a whole generation of people growing up with it into thinking it's a good thing. While in reality the best case is that you don't run into issues and the worst case is that performance is horrible and you can't do the things you want to do. The only people that benefit from it are lazy ISPs, not their users.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 14 hours ago (1 children)

I see now that a limitation I just understood for IPv4 (expose one port from one device only on the router) isn’t a thing for IPv6 working without NAT, every device on a LAN can be given a world wide routable address and expose the same port. Interesting, in my home I don’t think I’d ever run into that, but I can see issues like that pile up quick in big deployments.

Thanks for taking the time to explain all of this in detail!

[–] Overspark@feddit.nl 2 points 9 hours ago

You're welcome, great to see how you're taking all the comments on board!

There are more subtle problems with NAT as well. Say that PC-A opens a connection from port 1234 (to something on the internet), and PC-B opens a connection from port 1234 too. Now the router has to translate the PC-B connection to coming from port 1235 to distinguish them from each other. But if PC-C then wants to open a listening port on 1235 it won't work because the port is already in use, even though you can't see anything using that port!

NAT is full of ridiculous corner cases like that, which normal users aren't very likely to notice. But once you start self-hosting things or trying to get something like older multiplayer games working the problems pile up fast if you're unlucky.

[–] Mordikan@kbin.earth 4 points 17 hours ago (1 children)

I've mentioned this elsewhere, but to fair, even without you providing Google an IPv6 address, they still know exactly which computer contacted them from inside your LAN. Even in GDPR territory they can do that.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 15 hours ago (1 children)

I know, but when you get captcha’d all of the time you feel like you’re kinda winning (but not really of course). I don’t want them to just have a nice fingerprint of my devices without having to try at all. I see others have mentioned “IPv6 privacy extensions” that let the devices cycle the multitude of IPv6 address space to keep a semblance of privacy - that seems to be the “default” solution

[–] Mordikan@kbin.earth 1 points 7 hours ago (1 children)

I think the idea of an IP address (IPv6 or not) providing anyone a semblance of privacy is wishful thinking in this age. Google ad revenue in the EU is estimated to be lower because the power in GPDR areas isn't in PII obfuscation, its in the consent model. Positive opt-in to Legitimate Vendor Interest makes tracking difficult, not whether your IP is generic. You have to remember companies like Google are still able to monetize off of users in mobile CG-NAT environments in the US/EU. Given the roughly 150 other metrics Google (or any publisher/SSP would have access to), removing one doesn't really stem the tide.

What's also interesting is how IPs become anonymized. For IPv4, the industry standard I kid you not is to take the 4th octet and mark it zero. That's it. It just assumes carriers use /24 CIDRs like someone's home network might. The funny part is what if that was 50.50.0.0/22? A publisher could in practice replace one user's IP with another user's IP which means that they still would be passing PII unanonymized which could violate GDPR.

IPv6 uses the same basic system. 2001:db8:85a3:8d3:1319:8a2e:370:7348 becomes 2001:db8:85a3::. You just truncate at the 64th bit. Rolling through available host bits doesn't really matter then. IPv6/IPv4 really aren't ever used for Google user syncing.

[–] glizzyguzzler@piefed.blahaj.zone 1 points 3 hours ago

I do appreciate you taking the time to write that up! Is the 50.50.0.0/22 crossing US and EU IPv4 allocations? From searching it looks like it’s around the boundary between US and Germany allocations. Interesting, I had no idea IP anonymization existed or was applied in such a haphazard way

[–] frongt@lemmy.zip 5 points 18 hours ago (1 children)

It would be easiest to just change the client addresses frequently. You should be able to configure that in your addressing system.

[–] cmnybo@discuss.tchncs.de 11 points 18 hours ago (1 children)

The setting to look for is "IPv6 privacy extensions". That prevents your IP address from being tied to your MAC address. It should be enabled by default on any modern operating system. It can be set to either permanent or temporary.

IPv6 allows you to have multiple addresses on the same device. You can have a temporary address for all outbound connections and a fixed address for inbound connections.

[–] glizzyguzzler@piefed.blahaj.zone 2 points 15 hours ago

I had never picked up on this, thank you for name dropping what to look for!