IPV6 for a Normie Home User? Is it worth it?

Hello everyone, good day!

I have seen some Youtube videos about IPv6. In theory, it has some advantages over IPv4. But I am a normie home user :sob: with a pfSense box, and it got me thinking.

Is there any benefit for a home user to switch to IPV6? :thinking:
Should I prepare for future adoption now? :thinking:
What security benefits will it bring me? :thinking:

Note:
- I live outside the US and my ISP is still on IPv4.

I wanted to open the discussion. Thanks for the support.

I don’t think ipv6 makes sense right now for internal networking at home.

If your isp supports it, then sure, use it for your devices that connect to the internet, but don’t just throw out ipv4, use both in that case.

I just don’t see any real world advantages for v6 in a small network, when your isp does not support v6. If you had a network with thousands of devices then yes, it would make sense.

I wouldn’t discourage you if you wanted to do it for fun or for a learning experience though, setting it up won’t do any harm, it just costs time.


:scream: I was not aware I could use both at the same time! Great! Thanks.


No. imho

If your ISP supports it, I would terminate IPv6 at my router. This way you get the best of both worlds. Most ISPs only give one IPv4 per account with residential service. But they give you more than one with IPv6. With IPv6 to the router, allowing more than one device to reach the internet if you needed to is possible with NAT.

I’m interested in this topic as well. As someone who’s used IPv4 since the early 90’s, it’s familiar and comfortable to me. I find IPv6 to be strange and uncomfortable because I’m not so familiar with it.

Now I’m sure I’ve collected some misconceptions in my attempts to learn more so if someone can help correct me, this is what I’ve picked up on:

Each device gets its own unique (in the world) IP direct to the internet, meaning that NAT and a normal firewall setup are somewhat out of the picture. One of the things that makes IPv4 comfortable to me is that my firewall decides where traffic comes and goes (to some extent) and I can control which ports go to specific machines. By default my firewall blocks all incoming connections unless I decide to open up a port. With IPv6, the risks would seem to be much greater and more difficult to manage, as I would think it would be very easy to expose vulnerabilities in your devices out on the internet.

Is this accurate or am I way off base here?

I’d be interested in learning how to set up an IPv6 network securely for a home environment. At least for learning purposes. I’ve got a pfSense router so it supports it.

That’s a pretty big misconception. v6 traffic has to go through your firewall to get from the scary internet into your local network. All the UDP/TCP rules that you set for v4 are of course available for v6.

Assigning a globally routed v6 address to a host does not mean that host is accessible without first being routed past your firewall. And you don’t have to assign a globally routed address if you don’t want. There are of course non-routed v6 address ranges that mirror the functionality of the familiar v4 local ranges. And just like with v4, if you want those hosts with only local v6 addresses to be able to reach out, you can SNAT them at a router with a global address and the router will take care of the return traffic for you, just like v4.


I, myself, was curious about this. My ISP does not as yet support residential IPv6 service. In this situation, there are some alternatives. I set up an account with Hurricane Electric (IIRC). They assigned a block of publicly facing IPv6 addresses to me and I configured a tunnel between them and my pfSense box. I then spent more time than I am comfortable to admit, learning how the IPv6 address space (types of addresses, types of address allocation and subnetting) works. Finally, after a weekend long ordeal, I was able to connect to the outside world without the archaic, outmoded and mouldy IPv4 protocol.

What did I gain for my trouble?
A lot more latency!

Obviously, if my ISP supported IPv6 natively and there was no need to tunnel all of my traffic, latency would not be an issue. But, at this stage of the game, where we effectively have two Internets (one IPv4 and one IPv6) running in parallel, there is no reason for the casual user to prefer one protocol over the other. Also, be aware that virtually nothing that you know about IPv4 networking is transferable, apart from general concepts. IPv6 is an altogether different beast. It was definitely an interesting learning experience, if this is the sort of thing that trips your trigger, and I did learn a lot, but I can’t say as I would recommend this sort of experiment, unless you have too much free time on your hands and you are in need of a new hobby.

What resources did you use for learning how to set it up? Anything to recommend?

Well, the best source of information would be the RFCs, but they can sometimes be rather impenetrable … and there are seemingly dozens of them which deal with IPv6. Additionally, I watched the odd youtube vid and did some duckduckgo-ing. Honestly, it’s been just over a year since I performed this little experiment, so I can’t say as I can recall any particularly good sources of information … apart from the RFCs, of course.

If you are already familiar with IPv4 networking concepts, you’ll probably only need to focus on IPv6 subnetting and address allocation. You might start with an article like this one, which will help you narrow your reading list:

Part 2:

Have fun!


There’s probably no clear reason to do it, other than to get comfortable with it. IPv6 is the future. Switching now will give you more experience by the time it becomes widespread.

Additionally, I think the move to IPv6 is also a move away from trying to know IP addresses. Ideally your network should be set up in a way that you, as a human, only have to know hostnames. If you dig through all the big stuff, your internal home addresses start to look much more reasonable.
::1 is localhost
fe80::12 is a device on your network
fc00::23 is a device on a different subnet

That’s about all of the IPv6 patterns you’ll ever need as plain addresses. Ideally you should let your router manage all of this for you. The days of micromanaging IPs are over. You give names to stuff and your gateway worries about the rest.

And there is some security in IPv4 because of NAT. True IPv6 allows every device ever made in human existence to be identifiable.

This doesn’t mean you have to do it like that.
You are free to give out IPv6 addresses in your internal network however you please and still use a NAT router to hide them from the actual Internet.

Just because we now HAVE enough addresses for every grain of sand to be connected to the Internet, doesn’t mean we have to use it like that.

Plus, security through obscurity is never a good idea. IPv4 or 6, securing your devices from external access is required with both.


If you want IPv6 to work you need to run dual stack.

This should be relatively automatic if your ISP supports it. It should mostly auto configure.

“Terminating it at the router” will mean only your router can use IPv6. Given that NAT isn’t really a deployment scenario for IPv6, that means that your internal clients can’t reach the IPv6 internet.

The short version:

  • if you have IPv6, enable it. Assuming you’re setting up an IPv6 firewall, be sure to allow ICMP messages for fragmentation and other routing decisions to work (can’t remember specific types off the top of my head)
  • if you don’t have IPv6, leave it enabled anyway
  • if you have IPv6 and try to cripple it in various ways, expect more frequent “weird internet problems” due to sites and operating systems attempting to connect with ipv6 in preference to ipv4 and failing.

NAT is brain-damaged (in general, but definitely now) in an IPv6 world. What you want to do is just set up a firewall rule-set to allow inbound sessions with established state and block connection requests inbound.

You don’t need NAT to do that, and NAT defeats the entire purpose of IPv6 and breaks/weakens encrypted transport due to the hacks needed to make VPNs etc. work around it. The only way to make IPsec work through NAT is with NAT-traversal hacks, for example.

Yes, NAT weakens security over “doing things properly”.

DONT
DO
NAT

Unless you’re doing say, NAT64 to enable IPv6 only machines to reach the ipv4 internet.

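To make the "short version" above concrete, here is an added example (not code from any poster or from pfSense) that evaluates the policy described: outbound and established traffic allowed, unsolicited inbound dropped, and the ICMPv6 types the firewall must not block per RFC 4890 (error messages including Packet Too Big, echo, and Neighbor Discovery) allowed. The `Packet` class and its sample values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# ICMPv6 types a stateful IPv6 firewall must let through (RFC 4890):
# 1-4 error messages (2 = Packet Too Big, needed for path MTU discovery),
# 128/129 echo, 133-136 Neighbor Discovery (RA/RS/NS/NA, the ARP replacement).
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}
NDP_TYPES = range(133, 137)


@dataclass
class Packet:
    """Constructed sample packet: only the fields the policy inspects."""
    direction: str               # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str                   # "tcp", "udp" or "icmpv6"
    established: bool = False    # matched an existing state-table entry
    icmp_type: Optional[int] = None
    hop_limit: int = 64          # NDP must arrive with hop limit 255 (RFC 4861)


def decide(pkt: Packet) -> str:
    """Return 'allow' or 'drop', mirroring a rule-set that needs no NAT:
    LAN may initiate, return traffic rides on state, essential ICMPv6 is
    permitted, and every other unsolicited inbound packet is dropped."""
    if pkt.direction == "out":
        return "allow"            # LAN-initiated session; state entry is created
    if pkt.established:
        return "allow"            # reply traffic for a session the LAN opened
    if pkt.proto == "icmpv6" and pkt.icmp_type in ESSENTIAL_ICMPV6:
        # Neighbor Discovery is link-local only: a hop limit below 255 proves
        # the packet was forwarded by a router, so it cannot be genuine NDP.
        if pkt.icmp_type in NDP_TYPES and pkt.hop_limit != 255:
            return "drop"
        return "allow"
    return "drop"                 # e.g. an inbound SYN to a LAN host's global address


def evaluate(packets):
    """Apply the policy to a batch of packets and return the decisions."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp"),                               # unsolicited SYN
        Packet("in", "tcp", established=True),             # reply to LAN session
        Packet("in", "icmpv6", icmp_type=2),               # Packet Too Big
        Packet("in", "icmpv6", icmp_type=135, hop_limit=64),   # forwarded "NDP"
    ]
    for p, d in zip(samples, evaluate(samples)):
        print(f"{p.direction:>3} {p.proto:<7} type={p.icmp_type} -> {d}")
```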

This would only work if my ISP would give me more than one IPv6 address.
After their support told me that “they don’t sell fixed IPv6 addresses to private households, because there aren’t that many”, I gave up.

So, with a single public IPv6 address, how should I do this properly?

IPv6 needs to die in a fire. Whoever thought : was an acceptable character between the address parts needs to be shot; having to hit shift is fucking stupid for typing IP addresses and makes things take 1000x longer.

Should have done , instead imo (I get you could change this all pretty easily with just a front end change, but it kills me still).


I’ve been thinking this since the day I first typed an IP address, 4 or 6. Having “,” on the numpad, but using “.” or “:” in IP addresses never made sense to me. To the point where I remap “,” to “.” on my numpad. I’ll just remap it.

But, again, afaik the intent is that you basically never use the actual address, but hostnames instead. So the number of times you’d have to type the v6 address should be very few.

Never dig in splunk logs, examine packet captures? I get that you can just have your local DNS map everything so even SSH wouldn’t require it, but, for whatever reason, I always type the IP address when I do almost everything, even for IPv4, minus browsing the web.

OP, sorry for the slight derail, but yeah, if you want, just dual stack it at home if you get IPv6 from your ISP. I also don’t like the default where everything gets its own IP; it makes tracking super easy (everything has its own public IP).

Are you sure they only allocate a single address, and it isn’t a router issue with your equipment to do with prefix allocation? Sounds like you should get another ISP, as they do not support IPv6 properly, if that is the case.

IETF suggests a minimum subnet mask of a /64, even for link addressing and at least a /56 for say, a home user xDSL, which would give you 256 IPv6 subnets.

Even a /56 is considered stingy to be honest. Several ISPs out there allocate a /48, which is the suggestion for a campus IIRC.

Not doing sensible allocations like the above breaks a lot of IPv6 features (e.g., privacy, automatic configuration, etc.)

No one should be getting less than a /64… if your ISP is doing that, they’re run by fuckwits.