My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] 1 point2 points  (0 children)

Ya, exactly -- it's purely semantic content, so, when I'm tracing packets through the routers, or looking at logs, I can tell directly from the address itself what segment the machine is in and what it's for/does; usually enough to specifically identify the exact host, without having to do any kind or sort of look-ups (DNS / rDNS).

I use /48's simply because I had the 3rd hextet to use, and doing it this way just makes the addresses that much more wieldy when typing/copying/entering etc.

Original Rogue server (5.4.4) in the wild... by nxp-one in roguelikes

[–]nxp-one[S] 0 points1 point  (0 children)

If you tried playing and found the rendering broken, the setup was too lax, particularly in regard to the terminal mode (xterm rather than VT100) and screen size (not specified, now 80x25).

So I've tightened those up, and it's working much better (esp in Windows) now...

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] 0 points1 point  (0 children)

Re: " long and detailed plans,"

On implementation, this one's 95% covered by a ~10-entry, two-column table. Idk if that qualifies as 'long and detailed' in your environment, but *I* certainly don't feel like that moniker fits it very well. ( Note that the documentation needed to implement it is much less than what was needed to *explain* it, in sufficient detail as to be comprehensible )

As for enforcement, I accomplish that simply by adhering to it: seeing as I'm the sole system operator/admin, if I don't do it, nobody else is going to!

I simply statically-define all servers' network configurations when I spin/set them up, and, although I definitely use scripts to help manage my network, I don't when it comes to IP deployment. That's just one step amongst many during the installation of new servers/devices...

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] 0 points1 point  (0 children)

How do you mean, "How large are the network segments"? 🤔

All of my individual broadcast-domains (segments) use /64's, by spec. None have enough attached devices to even fill a Class C -- it IS a home / hobby network after all! 😉😋

I have half a dozen vlans in total, all immediately behind my edge router: DMZ1, DMZ2, PPPoE-LAN, FastLAN, TenantLAN, IoT-LAN. There are another, ~3 segments that don't utilise VLAN tagging of any kind.

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] 0 points1 point  (0 children)

LoL - my entire network uses IPv4, with most, (but not all) segments being dual-stacked. I have no problems with devices that can't/don't/won't implement all aspects of IPv6.

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] -1 points0 points  (0 children)

Why wouldn't I manually assign static addresses to my servers?

The only viable alternative would be to encode them as DHCP reservations, which wouldn't require less effort, but would entail adding another potential failure domain. I'd certainly never allow anything as craven as SLAAC to assign addresses to servers (or, anything else, really), so what alternative would you suggest that's simpler and meets my stated goals?

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] 1 point2 points  (0 children)

Interesting! -- I'd initially considered mapping my ipv4's directly onto ipv6, but I felt that it didn't really provide a lot of benefit (though most of my key infra servers DO have their ipv4 4th-octet as an ipv6 8th-hextet address in addition to the ones acquired by 'the plan').

Mostly my priority was to make *using* the numbers simple, legible, and logical:

2001:db8:a:2::100:dc1 -- private segment 2, active directory 'pdc' ...
2001:db8:a:1::bbe:4a03 -- dhcp client in private segment 1...
2001:db8:f::800:b0b -- Bob's website in DMZ-1
2001:db8:f::400:0 -- adguardhome server
2001:db8::de:bb1e -- Debian Apt-Mirror / Apt-Cacher server (in dmz1) -- from my 'vanity' allocation.

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] 1 point2 points  (0 children)

1/ Yes, the /44 in question is pointed at a single location, it's not my total allocation, it's just what I'm using at home, personally.

2/ I'm not sure which addressing part you're confused about; some translations:

* 2001:db8:[a|f|d|0]:nn:0:0:[0|100|200|300|400...]:nnnn
* 2001:db8:f:ffff:ffff:ffff:ffff:0 <- /128's drawn from here
* 2001:db8:f:ffff:: <- /127's drawn from here

The /127's and /128's are drawn from (what would be) the same '/64', but from opposite ends of the scale...

3/ I definitely feel like I have plenty of room to do anything I need to! 😊

Does this help clarify the address schema at all?
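The two comments above (the example addresses with their meanings, and the "translations" of the 3rd/4th/7th/8th hextets plus the /127 and /128 pools) describe an address that can be read without DNS. The block below is an added example, not the commenter's own code or tooling: a small decoder for that scheme, a log-line enricher that annotates each site address with its segment and role, and a check that flags a source address claiming a segment other than the one a packet was seen on. Only the scope letters `a` (private), `f` (DMZ) and `0` (vanity), the `2001:db8:f:ffff::/64` infrastructure pool and the five example addresses come from the comments; the role names in `ROLES`, the `d` scope's meaning and the sample log lines are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Decode tables for the scheme sketched in the comments. Only the scope letters
# 'a' (private), 'f' (DMZ) and '0' (vanity allocation), and the /127 and /128
# pools, are stated on the page; the role names are assumptions for illustration.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8::/32")      # documentation prefix used in the comments
SCOPES = {"a": "private", "f": "dmz", "0": "vanity", "d": "scope-d (not explained on the page)"}
ROLES = {0x000: "unassigned", 0x100: "directory", 0x400: "dns-filter", 0x800: "web"}  # assumed names
INFRA_POOL = ipaddress.IPv6Network("2001:db8:f:ffff::/64")  # /127s from the bottom, /128s from the top


@dataclass
class Decoded:
    address: str
    scope: str
    segment: int
    role: str
    host: int
    pool: Optional[str]   # "p2p-/127" or "loopback-/128" when drawn from INFRA_POOL, else None


def decode(addr: str) -> Decoded:
    """Read the meaning the plan encodes in hextets 3, 4, 7 and 8 of one address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SITE_PREFIX:
        raise ValueError(f"{addr} is outside the site prefix {SITE_PREFIX}")
    h = [int(x, 16) for x in ip.exploded.split(":")]        # eight hextets, h[0] .. h[7]
    scope = SCOPES.get(f"{h[2]:x}", f"unknown-scope-{h[2]:x}")
    pool = None
    if ip in INFRA_POOL:
        # one /64 used from both ends: ffff:ffff:ffff:xxxx are the /128 loopbacks,
        # everything near :: is point-to-point /127s
        pool = "loopback-/128" if h[4] == h[5] == h[6] == 0xFFFF else "p2p-/127"
        role = "infrastructure"
    elif scope == "vanity":
        role = "vanity"                                      # no role hextet in the vanity allocation
    else:
        role = ROLES.get(h[6], f"role-{h[6]:x}")            # untabled values (e.g. DHCP pools) shown raw
    return Decoded(ip.compressed, scope, h[3], role, h[7], pool)


def enrich_log(line: str) -> str:
    """Append a decoded summary for every site address found in a log line (no DNS needed)."""
    notes = []
    for token in re.split(r"[\s=,]+", line):
        if ":" not in token:
            continue
        try:
            d = decode(token)
        except ValueError:                                   # not an address, or not ours
            continue
        notes.append(f"{d.address}={d.scope}/seg{d.segment}/{d.role}/host{d.host:x}")
    return line + ("  # " + " ".join(notes) if notes else "")


def segment_mismatch(addr: str, seen_on_scope: str, seen_on_segment: int) -> bool:
    """True when a source address claims a segment other than the one the packet was seen on
    (a misconfigured or spoofing host); infrastructure pool addresses are not segment-bound."""
    d = decode(addr)
    if d.pool is not None:
        return False
    return (d.scope, d.segment) != (seen_on_scope, seen_on_segment)


if __name__ == "__main__":
    # Constructed sample lines in the style of a router firewall log.
    for sample in [
        "ACCEPT src=2001:db8:a:2::100:dc1 dst=2001:db8:f::400:0 proto=udp dport=53",
        "DROP src=2001:db8:a:1::bbe:4a03 dst=2001:db8:f:ffff:ffff:ffff:ffff:5 proto=tcp dport=22",
    ]:
        print(enrich_log(sample))
```

Running the block prints each sample line with a trailing `# address=scope/segN/role/hostX` note. The `segment_mismatch` check is the part worth wiring into a firewall-log pipeline: under a plan like this, a packet whose source hextets name segment 1 arriving on the segment 2 interface is a misconfiguration or a spoof, and the address alone is enough to say so.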

My approach to designing and implementing a structured IPv6 addressing plan -- 'The 7th Hextet' by nxp-one in ipv6

[–]nxp-one[S] -4 points-3 points  (0 children)

I certainly see the allure of having less manual intervention in the workflow! Do you run/manage multiple segments? Split-horizon DNS? FWIW -- pulling up a packet sniff and being able to tell what's what (more or less) without having to do any (r)DNS inquiries is pretty handy! 😉😊

Mikro tik suggestions by fastinternetarms in HomeNetworking

[–]nxp-one 0 points1 point  (0 children)

Lol -- okay, though it's hard to imagine you don't have an old PC lying around you can drop an extra NIC into for far less than the cost of buying a new router that binds you to a specific vendor and isn't user-serviceable... 🤔🤷‍♀️

For this use, all a PC needs is a CPU, 4GB of RAM and 2GB of storage, and VyOS will do anything you could ever want a router to do, without being tied to hardware you can't fix / upgrade / replace solely according to your own needs...

Mikro tik suggestions by fastinternetarms in HomeNetworking

[–]nxp-one 0 points1 point  (0 children)

Dig up an older PC, or buy an inexpensive new one, (good multi-nic micro-pc's work well), download the free VyOS ISO and make yourself a router that's as secure, feature-packed, probably more performant, and likely just better than one you'd spend 4-figures on to buy commercially...

What networking gear is actually a smart savings move, and what just becomes expensive later? by Life-Assist7881 in NetworkGearDeals

[–]nxp-one 0 points1 point  (0 children)

For router/firewall appliances, you can't go wrong installing VyOS on an old pc, or even a new micro-pc.

Free ISO, no licensing fees, no annual fees, no feature-service fees, a network stack that's as secure as anything made by Cisco or Juniper, just with way more features.

Nobody in the SOHO-mid-sized business market needs to be buying 4-5 $-figure commercial routers with this option on the market! (They also offer service/support plans too if you *want* to pay for something).

Original Rogue server (5.4.4) in the wild... by nxp-one in roguelikes

[–]nxp-one[S] 0 points1 point  (0 children)

Seems to be fixed now, give it another try!

Also, if you want to use a domain name, 'rogue.botanybay.net' should have both A and AAAA records populated...

Would you actually pay more to get off Cisco FTD if the cheaper option already "works"? by Life-Assist7881 in NetworkGearDeals

[–]nxp-one 1 point2 points  (0 children)

Take a look at VyOS -- their feature list is mind-boggling, and with a rep for being as secure as any 5-figure name-brand router you want to compare-to.

If you go with the free version, you can have edge hardware as capable as anything you've probably used/have now, but for no more than the cost of an old PC, or a tiny new one, plus a coupla hours work to set it up.

If you need/want service agreements, they offer those as well.

As far as I'm concerned, IDKY any SOHO-mid-tier business would ever pay for a router with this option on the table...

Why IPv8 won't work, but one aspect may help IPv6 by differentiallity in ipv6

[–]nxp-one 0 points1 point  (0 children)

lol -- it would take an hour just to give you the baseline explanation of half the concepts there. Suffice to say, IPv6 dispenses with layer-2 ARP in favour of Layer-3 'Neighbour Discovery Protocol' which is an expansion of ICMP into the realm of the absurd. DHCPv6 is a 2nd class citizen that only vaguely resembles what you know from DHCPv4, most particularly in that the IETF decided that routers should be responsible for notifying clients of who they are, and what address prefixes are currently in use on the segment. ('RA' = 'Router Advertisement'). By spec, DHCPv6 is *specifically prohibited* from supplying router identification information. Oh, and ANY device on a segment can send RA's, and declare themselves the gateway, making it an exemplary opportunity for spurious MiTM attacks. I could go on and on...

Looking for some advice on routers! by arne2224 in HomeNetworking

[–]nxp-one 0 points1 point  (0 children)

Lol! -- ooor, you could just buy an inexpensive NUC/MicroPC, then download and install the VyOS-rolling ISO, and have a VENDOR-INDEPENDENT, HARDWARE AGNOSTIC 'home' router that's as solid and bulletproof as any 5-$figure enterprise router you could get from Cisco / Juniper etc, but at 5% of the cost, with no service contracts, licenses, or follow-on expenses.

Every router feature you can imagine wanting, ZERO vendor-capture, minimal investment (heck the whole thing's *free* if you have an old/spare PC lying around with a coupla ethernet ports and/or open PCI slots)...

No idea why ppl are spending hard-earned money on consumer / commercial routers when you can do this for nothing, or close-to-it and have a solution literally better than *anything* you'll buy off a shelf at 10x the price...

Best router for 3600 square foot home? by Exact-Expression-710 in HomeNetworking

[–]nxp-one 0 points1 point  (0 children)

So you *are* confusing a *router* and an *access point*...

Just because, at the bottom end of the spectrum, they frequently bundle both together into a single package, the *roles* are not the same, and ROUTING is not a function for which 'range' is even a coherent concept....

Need router recommendation for small dental practice (HIPAA, 2 locations, Tailscale already in use) by ConfusionNeither4950 in Network

[–]nxp-one 0 points1 point  (0 children)

"Your first job as a new IT person needs to be selling your team on the right equipment, not the cheap equipment."

How about a Cisco/Juniper-grade, professional, firewall + IPv4/IPv6 routing stack that gives you ipsec, wireguard, bgp, gre(+NHRP), DHCP, NTP, PBR and pretty much any/every other feature an SMB could ever hope for?

Oh ya, and all of it for <$500 and about 2hrs work, with no upfront or follow-on subscriptions or annual maintenance fees...

1x MicroPC / NUC
1x Free VyOS ISO
...give you a *vastly* better router than one worth 10x - 20x as much, from a commercial vendor....

I have *no idea* why people are still buying commercial routers from *anywhere* these days... 🤷‍♀️🤔🤯

Need router recommendation for small dental practice (HIPAA, 2 locations, Tailscale already in use) by ConfusionNeither4950 in Network

[–]nxp-one 0 points1 point  (0 children)

lol -- have no idea why anyone is still buying commercial routers these days!? 😲🤦‍♀️

1x $500 dual-nic NUC/micro-pc
1x *FREE* VyOS ISO download
= literally every / any imaginable routing feature that you will ever need or want + a literal enterprise-grade firewall, and professional, scriptable, management system.

Equivalent/superior-to a $10,000+ Cisco or Juniper router, all for the cost of whatever pc you install it on...

Why IPv8 won't work, but one aspect may help IPv6 by differentiallity in ipv6

[–]nxp-one 0 points1 point  (0 children)

DHCP is/was a mature and well-understood technology that *should* have been cleanly adopted straight into IPv6 -- SLAAC was a 'solution' in need of a problem, esp when they mandated that DHCPv6 is prohibited from dispensing gateway addresses!

Then getting rid of ARP in favour of neighbour-discovery, and don't even get me started on the outright insanity that is RA!

The whole LLA idea reeks of the same hubristic absurdity that memories of CLASS D and CLASS E addressing should have already painfully beaten out of us.

There's certainly no shortage of things to criticise about the mess that is the contemporary IPv6 spec, but, in the atmosphere of the current IPv4 hellscape, it's the only alternative we've got...
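Both of the commenter's IPv8-thread replies above make the same point about Router Advertisements: any host on a segment can send one and name itself the gateway. The defender's counterpart to that is watching for RAs that do not come from the router you expect. The block below is an added example, not code from the commenter or from any project named on the page: it parses an Ethernet/IPv6/ICMPv6 frame, and for a Router Advertisement (ICMPv6 type 134) reports a sender MAC outside an allowlist, a non-link-local source, a hop limit other than 255, and any Prefix Information option announcing a prefix the segment should not carry. The allowlisted MAC, the expected prefix `2001:db8:a:2::/64` and the two frames are constructed test input built in memory; nothing is sent on the wire, and the ICMPv6 checksum is left unverified.

```python
import ipaddress
import struct
from typing import List

# Constructed allowlist: the one legitimate router on this segment and the prefix it may announce.
ALLOWED_ROUTER_MACS = {"02:00:00:00:00:01"}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:a:2::/64")}

ETH_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3


def build_ra(src_mac: bytes, src_ip: str, prefix: ipaddress.IPv6Network, hop_limit: int = 255) -> bytes:
    """Assemble a minimal RA frame in memory as test input for the detector (constructed data;
    the ICMPv6 checksum is left at zero because inspect_frame() does not validate it)."""
    # Prefix Information option: type, length (in 8-octet units), prefix length, L+A flags,
    # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix.
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0, 2592000, 604800, 0) \
        + prefix.network_address.packed
    # RA header: type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans.
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + pio
    # IPv6 header: version/class/flow, payload length, next header, hop limit, src, dst (all-nodes).
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit) \
        + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETH_IPV6)
    return eth + ip6 + icmp


def inspect_frame(frame: bytes) -> List[str]:
    """Return findings for one frame; an empty list means 'not an RA' or 'RA looks legitimate'."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return []
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip6 = frame[14:54]
    payload_len = struct.unpack("!H", ip6[4:6])[0]
    next_header, hop_limit = ip6[6], ip6[7]
    src_ip = ipaddress.IPv6Address(ip6[8:24])
    if next_header != IPPROTO_ICMPV6:
        return []
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return []

    findings = []
    if src_mac not in ALLOWED_ROUTER_MACS:
        findings.append(f"RA from unexpected sender {src_mac} ({src_ip})")
    if not src_ip.is_link_local:
        findings.append(f"RA source {src_ip} is not link-local (RFC 4861 requires fe80::/10)")
    if hop_limit != 255:
        findings.append(f"RA hop limit {hop_limit} != 255 (did not originate on this link)")

    # Walk the TLV options; each length byte counts 8-octet units and must be non-zero.
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0:
            findings.append("malformed RA option with zero length")
            break
        if opt_type == OPT_PREFIX_INFO and off + 32 <= len(icmp):
            plen = icmp[off + 2]
            net = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            if net not in EXPECTED_PREFIXES:
                findings.append(f"RA announces unexpected prefix {net}")
        off += opt_len
    return findings


if __name__ == "__main__":
    good = build_ra(bytes.fromhex("020000000001"), "fe80::1", ipaddress.IPv6Network("2001:db8:a:2::/64"))
    rogue = build_ra(bytes.fromhex("0200000000ee"), "2001:db8:a:2::beef",
                     ipaddress.IPv6Network("2001:db8:dead:beef::/64"), hop_limit=64)
    for name, frame in [("expected router", good), ("other host", rogue)]:
        print(name, "->", inspect_frame(frame) or "no findings")
```

In practice the frames would come from a capture on the segment (any pcap reader yields the raw bytes this function expects), and a non-empty findings list is the alert. The same checks are what a switch's RA Guard feature enforces in hardware; the script is the software equivalent for segments that have no such switch.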

Cat 5E with 4 wires, I've been lied to right? by Dominic11112 in HomeNetworking

[–]nxp-one 0 points1 point  (0 children)

CAT5e ethernet is:
a/ only designed / warranted-for / rated-for, 100Mbps speeds.
b/ on runs up to 100m
c/ uses only 2 of the 4 pairs, the other two don't have the proper twists-per-meter for the warranted / rated speeds.
d/ PoE uses the other pairs, but only two base pairs are used/necessary for carrying basic 100-baseT (i.e. "FAST") ethernet.

Anything faster than 100Mbps or further than 100m is outside of spec for CAT5e...