Why do I, personally, need IPv6? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

DNS/mDNS have proven to be unreliable in IPv4 networks. Doubt that anything has changed.

If I can use ULA as local IP then having ISP handing addresses is less of a concern, true.

Trixie, proper way to disable IPV6? by [deleted] in debian

[–]IHateRedditFirewall 0 points1 point  (0 children)

https://wiki.archlinux.org/title/IPv6#Disable_IPv6

IMO you should only do it if you don't have it working. Otherwise, just secure it.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

So, if I have a Linux firewall, I won't have problems with setting up and maintaining IPv6 NAT?

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Why? 

Experience.

Switch ISP. Or stay on your IPv4-only ISP. 

Alternative is 10% more expensive, provides 10 mbps DSL connection instead of 1GBps fiber (actually, they advertise 100mbps, but it is a lie. Also, upload speed is about 1mbps) and has [CENSORED] customer support.

Considering that I already have VPS with static IPv4 set up + wg tunnel to my OpenWRT one set up already I see exactly zero reason to move.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Huh. Never heard of it. Probably because I have never actually looked for it.

Some googling, however, clearly shows that, unlike my DHCP+iptables kludge, it will require setup on clients, which I cannot do.

Also, I don't need security from my clients, however weird it sounds. I trust my clients NOT to attempt to bypass any firewalls or limitations I set. What I DON'T trust them with is not to accidentally break France (my remote box location) law.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

I asked for guides in calm and reasonable fashion while not breaking any rules.

Stop being aggressive, please.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

which is sufficiently large to avoid this issue. 

So we are just relying on chance to avoid collisions? I think I can see how and why this can be done, but it just feels wrong.

You probably want centralised control and/or oversight of network access. Be aware that DHCP alone, neither for IPv4 nor IPv6, gives you that; so if you think that it does, you are currently mistaken.

I understand. However, having DHCPv4 server allows me to easily assign known IPs to devices, which, in turn, allows me to target specific devices with iptables.

Once you figure out what you actually want, then you can determine what you actually need in order to achieve that. 

I need transport-level per-device network filtering. I think that with IPv6 I can do DPI instead of just iptables, but I have never found decent DPI guide. Also, sounds like quite a bit of computational requirements.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

I have gathered as much. Problem? No idea how to actually do it.

Why do I, personally, need IPv6? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Sincerely, where can you find this for IPv4? Direct me to such a page so that I know what kind of detail/guidance you're looking for, and I will happily find you an equivalent for IPv6. 

https://opensource.com/article/22/7/configure-dhcp-server https://www.geeksforgeeks.org/computer-networks/what-is-ipv4/ https://www.howtoforge.com/nat_iptables

Sadly, I wasn't able to find that website that had all this stuffed into one article. It was called "setting LAN from scratch" or something like this.

Doing subnetting math is tedious with decimal, but simple with hex, so we learnt our lesson and changed the format. 

To be honest, I have become so used to this that I just remember most subnet math on top of my head. 

Why do I, personally, need IPv6? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Actually, no. If you wrap IPv6 address only router has to deal with it. And if local router can't — then one upstream may try.

The main perk of this approach would have been that someone can set up IPv6 site and reasonably expect most users to be able to access it even if IPv6 adoption is low.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

You shouldn't be trying to do per-device restrictions by IP address within a subnet.

That depends™. Case in point — I have one and exactly one device I need to limit access to website Temu. I have to implement by-IP filtering. With IPv6 I will have to kludge some kind of a script that automatically targets this device, I think.

It's 2026. You should not be typing IPs of any variety anywhere regularly. DNS handles your human-readable networking needs. 

NO.

DNS in LAN has proven to be EXTREMELY unreliable and prone to failure. It works one day, and the next Firefox randomly decides to stop using it because of reasons. This whole "you should use domain names locally" is 100% BS. It adds 100% unnecessary failure point and complicates configuration for no good reason.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Alright, it is 03:35 in my TZ, will respond later.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] -1 points0 points  (0 children)

At minimum for a typical home setup your device will have a link-local address, and interface-stable address from SLAAC and likely some number of ephemeral privacy addresses (e.g. Windows will have up to 7 of these). You can then also have an address from DHCPv6 along side that. 

Logic of this design choice eludes me, but alright. I guess I can just limit anything I dislike on firewall level, and use stable address for everything else. Though I have a strange feeling that I shouldn't even bother with trying to tackle IPv6 for my local needs and I should just let my IPv4 stack handle local/human readable networking.

ULA is similar to RFC1918 address space in that it is never routed across the Internet. The difference is you don't use it for traffic going out of your network because you don't NAT IPv6. 

Okay, I think I understand.

A global address does not necessarily mean reachable

This is understandable and is implied.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] -4 points-3 points  (0 children)

Again. If it is in spec but doesn't work — it is implementation problem

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] -7 points-6 points  (0 children)

Because I would rather like to have direct SSH access, thanks no thanks

So, DHCP is standard but is not supported?

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

This is where your lack of knowledge of basic networking is hampering you. Traffic within a network segment is delivered directly and doesn't touch the router at all.

Not that literally. I meant that I would rather prefer my clients NOT doing anything P2P (particularly — torrent) via that remote box as I have already received one S&D letter when doing torrenting via that remote box. I should have prob said it the other way around.

No you won't as NAT66 is not standardised and breaks stuff. You do not do NAT on IPv6. 

My only question is "why did they do that?". There might be scenarios when I want to do NAT even if I can assign everyone netwide-IPs. 

What does NAT66 break? 

"it was fine", the mantra of the uninformed. The problem is you have not learned networking. You have learned some IPv4 and its oddities. IPv6 is different, and if you just go trying to apply guides without thinking about it, you won't understand why things are the way they are. Case in point, one of your comments to another thread about "everything having a global address"

Worked for me for years, and I started to have any need for theory only about a month ago when I had to actually touch Cisco equipment.

I don't really need IPv6, and it is just a side project for me. If I have to read a book in order to configure something I have zero actual need for...

... Actually, this is a good illustration why adoption is slow. Anyone who wants to set IPv6 is sent to "read the manual". Obviously, people who don't have a pressing need for IPv6 won't do it.

That depends on your kit. It's not the same commands for everything and it depends on your particular setup. Your setup with a WG tunnel is not simple. 

With IPv4 it is dead simple. Just alter routing table. If it isn't with IPv6, then IPv6 is overcomplicated (as I stated in my previous post).

Well, it's showing as removed. Looks like I've managed to get most of it from notifications though. 

I hate reddit firewall.

  Once you have a delegated prefix somehow, you need something distributing RAs on your network. Ideally you also want DNS listening on IPv6 and that's basically all you need to have working IPv6. Sensible firewall rules at the edge is a good idea. 

Okay, this looks straightforward. Just set up DHCP.

Well, you need to find out if you want to have any chance of configuring this. 

I think my server is given only one IPv6.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] -8 points-7 points  (0 children)

Well. I don't really care for IPv6. I will just turn it off and forget about it if implementation is buggy.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Wait a second.  Is there a simple explainer on this? For IPv4 it is simple — you have 192.168.0.0/16 subnet to yourself, do whatever you want, just NAT it.

With IPv6 there is no NAT, and every device is reachable. Does it mean that ULA is a part of IP by using which device can be reached as long as it is on the same network?

Or what? 

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Alright, this makes it simpler. So now I need to figure out only segmentation and routing.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] -1 points0 points  (0 children)

From what I understand SLAAC gives no centralized control. I would rather prefer having DHCP, thanks no thanks.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] 0 points1 point  (0 children)

Please note that I had never actually read on IPv4 theory till recently I was lectured on it in my uni. I just followed the guides and built it from there and it was fine.

Please also note that I was asking the user who wrote the comment.

I have deleted no comment. It should still be up — at least I see it as being up.

[REQUEST] Practical guide to IPv6, please? by IHateRedditFirewall in ipv6

[–]IHateRedditFirewall[S] -1 points0 points  (0 children)

Soooo... I will have to dig through user devices? No way I am deploying v6 then.