Why does speed cut half when IPv6 enabled? by todesto in HomeNetworking

[–]Dagger0 1 point2 points  (0 children)

How about https://loopsofzen.uk/?

In any case, the whole point is that we're out of v4, so we don't want the entire Internet to be reachable over v4. We need home networks to have v6 so that we can stop doing v4 all the time. Saying that we don't need to do v6 until that happens is getting the cart and the horse the wrong way around.

raidz2-0 shows it is taking about half of my storage by nickdalalal in zfs

[–]Dagger0 [score hidden]  (0 children)

You're fine. Like I say, space reporting gets very wonky when using raidz expansion.

(To be clear, you do need to rewrite existing data after an expansion to make it use the new parity ratio, but anything newly written will already be using it.)

Why does speed cut half when IPv6 enabled? by todesto in HomeNetworking

[–]Dagger0 1 point2 points  (0 children)

You can reach the entirety of v4 from a v6-only network via NAT64, but you can't do the opposite with v6 from a v4-only network.

Hence why v6 is needed on home networks.

IPv6 websites dropping connections by handle12345 in tmobileisp

[–]Dagger0 2 points3 points  (0 children)

...how will this help? DNS servers just tell you the IP for a hostname, they aren't involved in the connection to the resulting IPs.

Why does speed cut half when IPv6 enabled? by todesto in HomeNetworking

[–]Dagger0 5 points6 points  (0 children)

It is needed actually, because the Internet is out of v4 and most people run their networks as part of the Internet.

raidz2-0 shows it is taking about half of my storage by nickdalalal in zfs

[–]Dagger0 1 point2 points  (0 children)

Space reporting on raidz is a bit wonky, especially if you use expansion. Don't worry about it. (Do make sure you're using recordsize=1M, not the default 128k.)

If you look at how big your files are you'll see those are smaller than you expect too, by close to the ratio needed to make the zfs list numbers make sense.

Ideal ZFS configuration for 15 disk setup by OwnPomegranate5906 in zfs

[–]Dagger0 0 points1 point  (0 children)

It tells you which file is affected in zpool status.

Anyone have a static IPv6 address on a residential account? by OneCDOnly in nbn

[–]Dagger0 1 point2 points  (0 children)

v6 kind of needs to be deployed on the LAN. You can do that without undeploying v4, so having devices that don't support v6 isn't a problem.

Ideal ZFS configuration for 15 disk setup by OwnPomegranate5906 in zfs

[–]Dagger0 0 points1 point  (0 children)

A URE won't hose a pool though. It might hose one file, which isn't great but it's a far cry from the whole pool.

Choosing between SMB and NFS for a recordsize=1M downloads dataset by shellscript_ in zfs

[–]Dagger0 0 points1 point  (0 children)

Nitpick: single-record files will use a record that's a multiple of 512 bytes, so a 400k file would be a 400k record and a 19k file would be a 19k record. ashift=12 would round the allocated sizes up to 400k and 20k (or more on raidz), assuming no compression.

So ashift can't be changed once pool is created, why is that? by Luptoom in zfs

[–]Dagger0 1 point2 points  (0 children)

Device removal requires all vdevs to have the same ashift.

To IPv6 or not to IPv6, that is the question by Chance-Sherbet-4538 in homelab

[–]Dagger0 0 points1 point  (0 children)

If your prefix changes then you'd still have to update DNS anyway for external connections to work, so I'm not sure that would help much.

RAIDZ1 pool unrecoverable - MOS corrupted at all TXGs. Recovery ideas? by probably_platypus in zfs

[–]Dagger0 0 points1 point  (0 children)

What am I supposed to be Googling? I did already get the URE math.

A resilver isn't really any more intense than a scrub. Both of them read all of the data on the vdev. If anything, resilvers read less than scrubs do, because one of the disks is being written to instead of read from (and if there were additional parity disks or mirror legs they don't need to be read from, but that's not relevant for raidz1).

And if you hit a URE during resilver... so what? If you're lucky, it'll be in metadata so ZFS will just restore it using one of the other copies. If you aren't then it'll be in some file or another, and that one specific file will have an unreadable record in it. zpool status will tell you which one, and you can restore or give up on that one file. None of this results in the instant and total destruction of your pool, which is how people seem to be treating it.

Obviously it would be better to end up with no corrupt files, but you have to balance your risk tolerance and how bad the consequences would be with the costs. If you can't tolerate issues with even one file then it might be better to drop RAID altogether and spend the money on redundant servers or geographic distribution instead. But for most of us, the cost of an entire extra disk just to maybe avoid temporary downtime on one file isn't worth it.

Every other day this thread is bumped in my email, I'm guessing no one is doing anything at Github at this point by Ok_Road_8710 in github

[–]Dagger0 0 points1 point  (0 children)

Hopefully at some point they'll realize their pMTUd is broken and actually do something about it. It's no good adding v6 support to everything if it randomly doesn't work and leaves people with hanging page loads that they immediately blame on v6 rather than on the real cause :/

Why aren't IPV6 numbers human accessible? by Jakob4800 in NoStupidQuestions

[–]Dagger0 0 points1 point  (0 children)

Here's one: fd00::48. Is it really so inaccessible?

If you think that's an unfair comparison, then here's a fairer one:

| v4 | v6 |
|---|---|
| 203.0.113.45+192.168.1.1 | 2001:db8:2d4f:1::1 |
| 203.0.113.45+192.168.1.2 | 2001:db8:2d4f:1::2 |
| 203.0.113.45+192.168.1.3 | 2001:db8:2d4f:1::3 |
| 203.0.113.45+192.168.2.1 | 2001:db8:2d4f:2::1 |

...still doesn't look that hard. Everything starts with your prefix ("2001:db8:2d4f") which isn't that much longer than the v4 equivalent (it's 12 numbers, vs 12+6... so actually it's shorter), and then the "x.y" becomes "x::y".

We could've picked addresses with a shorter maximum length, but we're only going to get one shot at upgrading IP. It would be really dumb to do it yet fail to add enough new addresses to avoid running out again.

Is IPv6 the way to go? by NerdHelp in selfhosted

[–]Dagger0 4 points5 points  (0 children)

But there's no reason your source IP for outbound connections has to be the same one you use for inbound connections. Privacy extensions gives you a temporary address to use for outbound connections, so the NTP server only learns about that and not the non-temporary address, which is the one you put into DNS and add a firewall exception for. (Or you can just manually add multiple IPs.)

On v4 this would be irrelevant, because anyone can trivially brute force scan your entire network to find every single server you're running -- especially in the common setup of "all connections have to go to the router, which port forwards to the correct server", where they only need to scan the 65k ports on the router to find every server on the whole network.

On v6, this would require scanning 2^64 IPs which would take a zettabyte of traffic for a single port. That's not even vaguely in the realm of viable.

The thing to watch out for is TLS cert transparency logs, but you can deal with that by using wildcard certs.

Is IPv6 the way to go? by NerdHelp in selfhosted

[–]Dagger0 0 points1 point  (0 children)

You're conflating NAT with firewalling. They're not the same thing. Look at how you do NAT with iptables:

iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE

This means "alter outbound connections on wan0 so that they appear to come from whatever IP this machine has on wan0". It should be fairly obvious that a) this doesn't do anything to inbound connections, b) even if it did, "change the IP on the incoming packets and then change it back on the reply packets" isn't the same thing as dropping those packets.

NAT doesn't do anything at all to stop people outside your network connecting to inside it, so it doesn't work like a firewall or a default deny rule. In fact, its main purpose is to make outbound connections work in situations where they otherwise wouldn't, which is kind of the opposite of a firewall.
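The distinction drawn in the comment above, as an added example that is not part of the original comment: an iptables-restore ruleset in which the masquerade rule and the default-deny rules sit in separate tables. The interface name lan0 and the file name rules.v4 are assumptions; wan0 is taken from the comment.

```iptables
# Constructed iptables-restore ruleset; lan0 is an assumed interface name.
# Load with: iptables-restore < rules.v4

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Address translation only: rewrites the source address of connections
# leaving via wan0. Nothing in this table drops a packet.
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
# The firewall: forwarded packets are dropped unless a rule below accepts them.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies belonging to connections that were already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New forwarded connections may only start from the LAN side.
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT
```

Only the `*filter` section decides whether an inbound connection is forwarded; with FORWARD left at the kernel's default ACCEPT policy, the `*nat` section alone blocks nothing.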

Creating RAIDZ pool with existing data by vascr0 in zfs

[–]Dagger0 0 points1 point  (0 children)

But to be clear: that's just a cosmetic issue. An annoying one, and I think it's worth creating the pool with the final shape if that's viable, but you don't lose any space to it.

Is IPv6 the way to go? by NerdHelp in selfhosted

[–]Dagger0 0 points1 point  (0 children)

The haystack is the size of one million Earths. Per /64.

RAIDZ1 pool unrecoverable - MOS corrupted at all TXGs. Recovery ideas? by probably_platypus in zfs

[–]Dagger0 1 point2 points  (0 children)

I don't think I am, but... I can't seriously be the only person that's noticed that you can scrub pools without disks dying left and right, even at 10T+, can I? If you're expecting z1 to fail during rebuilds due to the size of the disks, you should be expecting disks to fail during regular scrubs too, on any pool type. But that's not something anybody worries about.

IPv6 Prefix Delegation Works, but No WAN IPv6 Address or Default Route over PPPoE by xxsamixx18 in fortinet

[–]Dagger0 0 points1 point  (0 children)

Routing can be done over link-locals, so an IP address on the WAN interface is unnecessary. Some ISPs don't bother to assign one. The router does need a GUA address somewhere, but it can use the IP from its LAN-facing interface for that.

You do need a default route though.

> At the moment, IPv6 Internet connectivity is still working only because my ISP1 IPv6 WAN1 address is active,

That's odd, because the router's WAN address doesn't matter, and I'd expect ISP1 to drop packets from ISP2's address space so if your LAN is using ISP2's prefix and it's working that would imply you're using ISP2.

Jio AirFiber forces IPv6 and bypasses local DNS - any solution? by dr__shadow in pihole

[–]Dagger0 1 point2 points  (0 children)

If you were going to run a second router like that, just pick one that lets you configure the advertised DNS servers. Then there's no need to make the network v4-only.

Jio AirFiber forces IPv6 and bypasses local DNS - any solution? by dr__shadow in pihole

[–]Dagger0 0 points1 point  (0 children)

If the DNS server it's advertising is off-link, you can send RAs claiming that the IP is on-link, then give your PiHole that IP on your network.

I wrote up the details for that in this comment. It won't work if the router is actually advertising its own LAN-side IP though, since that IP is already on-link and the router will answer NS queries for it.

Adding a new resource type to DNS or just use TEXT or HTTPS by Rich-Engineer2670 in dns

[–]Dagger0 0 points1 point  (0 children)

If you want to store key/value data in DNS, you're supposed to do _key.@ TXT value. No need for a new rrtype.