this post was submitted on 21 Jul 2023
16 points (100.0% liked)

IPv6

333 readers
1 users here now

IPv6 Discussions

founded 2 years ago
MODERATORS
apearson@lemmy.world
unquietwiki@programming.dev
16
I thought this was a pretty good explanation for why ipv6 makes things easier on a home lan (www.youtube.com)
submitted 2 years ago by iwasgodonce@lemmy.world to c/ipv6@lemmy.world
10 comments fedilink hide all child comments
top 8 comments
sorted by: hot top controversial new old
[–] madamada@lemmy.world 1 points 2 years ago

I think the best way to do this is to setup a Wireguard VPN server on the router itself or on a machine in the LAN. The router firewall will block everything inbound(tcp/udp) except to the inbound VPN udp/IP/port.

Then on the client side you setup a Wireguard client that connects to your Wireguard server remotely and access the LAN resources from there.

[–] oshitwaddup@lemmy.antemeridiem.xyz 1 points 2 years ago (3 children)

Could this be less secure, especially for devices you don't want to be publicly accessible? Or are you just supposed to make sure to have good firewall settings?

[–] slazer2au@lemmy.world 7 points 2 years ago (1 children)

Most modern routers will act as a statefull firewall for IPv6.

What that means in you need traffic generated from the LAN in order for the traffic to be permitted back from the internet. You can not start a session with something in a home.

To give an example, I have a server with an address of 2001:db8:10::1 and you are coming from 2001:db8:20::1 I will allow it because my firewall is set up for it. But a home firewall will not allow a new connection from my web server to your home device.

[–] oshitwaddup@lemmy.antemeridiem.xyz 2 points 2 years ago (2 children)

I'm not sure i understand. If the traffic needs to be generated from the lan, does that mean that when i'm away from home the server needs to regularly try to ping my device so that my device can send it traffic?

[–] orangeboats@lemmy.world 3 points 2 years ago

Much like how you need to setup port forwarding for your servers back in the IPv4 days, you need to setup firewall rules for IPv6 servers.

"If a packet is arriving in server IP:Port, simply accept it"

[–] slazer2au@lemmy.world 3 points 2 years ago

That would be one way, but your phone would drop the unsolicited traffic.

This is why people recommend using a VPN when away from your home for anything self hosted. Your VPN connection will bring you into the trusted LAN so you can talk unsolicited.

[–] alvvayson@lemmy.world 2 points 2 years ago

Not a network expert, but I have the same question.

I would like to limit access to my internal network to only trusted devices, so something like a VPN is needed anyway.

And I don't want to expose my internal setup through DNS either.

Still though, IPv6 is better. But I don't feel easy doing what this guy is doing.

[–] orangeboats@lemmy.world 2 points 2 years ago* (last edited 2 years ago)

Firewalls in sensible routers will drop new incoming IPv6 packets by default anways, unless you initiated the connection first.

So in effect it's just like NAT (people on the Internet can't see you without an initial connection), but without the internal IP:Port → external IP:Port translation and all the disadvantages associated with it.

But some router manufacturers treat IPv6 as a second-class citizen, which could be a problem.

load more comments
view more: next ›