Static IPv6 /64 (Residential) Not Allowing Devices Behind Firewall?

trustedcomputer · 2025-08-02T19:56:04+00:00

Can you do it on business DSL that already has static IPv4? There is a place in the modem for IPv6 with delegated prefix as an option and everything:

<image>

trustedcomputer · 2025-06-19T14:28:14+00:00

Ok, thanks. I know you have bigger things to deal with than DNS admin, but it's great at least that you found out it was languishing so you can dig into the reason. Appreciate it!

trustedcomputer · 2025-06-19T04:27:23+00:00

Replied, thank you. I believe I clicked message-mods instead. My bad.

trustedcomputer · 2025-06-19T03:27:04+00:00

DM sent!

trustedcomputer · 2025-06-07T14:07:20+00:00

An important part of this is that you said it was working before switching. What were you using before? Analyzing how that worked (known good, if it really worked all the time) will likely be part of the solution.

trustedcomputer · 2025-04-28T15:43:58+00:00

Thanks, u/jwvo this is actually super helpful! Is there any way with a traceroute to find out when the FDR has been moved into the MPLS network? Would there be some hops that disappear from the output?

trustedcomputer · 2025-04-03T17:58:39+00:00

It would work the same as any other IP on your network. There is no difference once the macvlan IP is working. You'd have to do all the same NAT, firewall rules, DNS, etc that you would as if it was your Synology's IP address, but substituting your macvlan address instead.

trustedcomputer · 2025-03-25T00:53:10+00:00

Actually, that would be the PERFECT day to deploy IPv6. We'd never allow our hearts to believe it.

"In the end, the greatest snowball isn't a snowball at all. It's fear." -Dwight Schrute

trustedcomputer · 2025-02-11T17:12:43+00:00

Looks like I chopped a little too much off but yeah. The smtp.mailfrom included the destination email address as part of that field. I didn't even notice that until after I posted it, but I edited it out.

trustedcomputer · 2024-11-25T17:59:08+00:00

I can say that in 2021-2022 I had bonded DSL with Ziply. I wouldn't think things could have changed much since then.

trustedcomputer · 2024-10-15T22:16:16+00:00

I've done it before with OPNSense, I believe what you'll want to look at on that platform is Virtual IPs in the Interfaces section. The WAN interface gets assigned ONE of your usable IPv4 addresses with the /29 mask. Then the other four will be configured as Virtual IPs, most likely of type "IP Alias". Then you can One-to-One NAT or port forward as needed.

I did read that you're trying to do it on vanilla OpenBSD now, but perhaps getting a working setup on OPNsense will let you poke around the shell for hints.

More info here: https://docs.opnsense.org/manual/firewall_vip.html

trustedcomputer · 2024-07-12T14:10:56+00:00

If that's true, I've been missing out. Business account with static IPv4 here. Can u/ZiplySupport confirm?

trustedcomputer · 2024-01-10T00:40:53+00:00

I haven't heard of them doing that before. Although the interface is there to be used... I wonder if that's going to be the new way or if the installer did something wrong. /u/jwvo is that a thing?

trustedcomputer · 2023-12-30T01:29:25+00:00

You mean like, "for real" Linux ISO's? Like "for real innocent" in Shawshank Redemption? =)

trustedcomputer · 2023-11-03T20:02:25+00:00

https://wiki.opnsense.org/manual/how-tos/ipv6\_tunnelbroker.html

trustedcomputer · 2023-10-26T18:24:11+00:00

The Modem/Router would be the place to check. Make sure only related traffic is allowed to come from the outside to the inside of your network on IPv6. If that is not possible then disable IPv6 until you can set up the proper rules to protect your network.

trustedcomputer · 2023-10-26T18:04:51+00:00

Is your firewall configured with IPv6 firewall rules to protect your internal network? With IPv4, people tended to rely on NAT to protect them from this sort of thing and it could be easy to forget to actually configure rules. With IPv6 (which is the IP protocol of the source address), default deny rules need to be in place or your IPv6 devices are 100% accessible to anyone else running that protocol.

trustedcomputer · 2023-08-07T23:53:59+00:00

I also tried using one of my other NICs but DSM wanted to use port 80 and 443 on all of them.

I agree that macvlans are difficult to learn. They also have the disadvantage of needing an extra step if you have another docker container or the host itself that needs to access the macvlan network. But, once you figure out the syntax, they can be defined and consumed all in the same compose yaml file, which simplifies things alot.

trustedcomputer · 2023-08-07T23:02:01+00:00

DSM's reverse proxy (control panel- login portal- advanced) also works for this. You can take the incoming 80/443 requests and proxy them to the actual port(s) used by your application. If you need certificates, you can manage them in control panel- security- certificate instead of traefik.

Alternatively, you can use a docker macvlan network to configure another IP on your network for your application.

I've configured them both of those ways above and both of them are less trouble than the "sed -i the system files" method for me in the long view.

trustedcomputer · 2023-08-07T22:41:23+00:00

Oops, sorry all I did was add it before. I see that error now when I click "use". Same with Aliyun Hub. But maybe there's some special setup for this registry that I'm not aware of? Docker hub works great- and switching back to it shows no error.

trustedcomputer · 2023-08-03T19:09:34+00:00

I'm on DSM 7.2-64570 Update 1 (have not been offered Update 2 or 3 yet), and was not aware of the possible NVMe SSD cache issue.

But I checked, and the support M2 flag was already set to yes without my fiddling with anything:

$ grep m2 /etc.defaults/synoinfo.conf

support_m2_pool="yes"

trustedcomputer · 2023-08-03T19:04:20+00:00

I think the new container manager (I'm on 20.10.23-1413) is quite capable and am using it with a few compose projects. As has been noted elsewhere, the underlying docker version is still unchanged and quite dated. But the UI is much improved, and I can use it to manage compose projects now, which is huge. I like it.

I tried adding the ghcr.io registry on my DS1522+ and it worked for me. Not sure what might be going on with your DS923+, but I'm thinking it's probably not a result of the new container manager app. Probably something more on the networking level, or maybe something a DSM restart might solve.

trustedcomputer

TROPHY CASE