Ramblings of an aging IT geek

getting ipv6 working at home, only a decade late

Notes on finally enabling a working IPv6 setup behind a UK consumer ISP, the prefix delegation that actually matters, and the firewall mistake that briefly exposed everything.

A bundle of network cables behind a rack, neatly nowhere near as tidy as it looks

I have been meaning to get IPv6 working properly at home for, conservatively, ten years. The excuse was always the same: it works without it, so why bother. The honest reason was that the few times I tried, my ISP handed me something half-broken and I gave up before tea. This week I finally sat down and did it properly, and the surprising part is how little of it was actually hard once I stopped fighting the wrong layer.

The thing that had been tripping me up was conflating two separate gifts the ISP gives you. One is a /128 or /64 on the WAN link itself, which gets the router online over v6 and feels like success. The other, the one that actually matters, is the delegated prefix: a /56 or /64 they route to you for your internal networks. For years I had the first and not the second, so the router could ping the v6 internet and nothing behind it could. That is not IPv6 at home. That is IPv6 at the router, which is useless.

A datacentre aisle, included here mostly because my cupboard does not photograph this well

Once I asked for prefix delegation explicitly and the router started requesting a /56 over DHCPv6-PD, addresses appeared on the LAN. Clients picked up globally routable addresses via SLAAC within seconds. I tested the obvious way and it just worked, which after a decade of intending to do this was almost anticlimactic.

$ ping6 -c1 ipv6.google.com
PING ipv6.google.com(lhr...1e100.net) 56 data bytes
64 bytes from lhr...1e100.net: icmp_seq=1 ttl=118 time=8.74 ms
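A ping from the router proves only the first of the two things above. The check that matters is whether the LAN interfaces actually carry addresses inside the delegated prefix. The script below is an added example, not from this post: it parses the shape of `ip -6 addr show` output (a constructed sample, using documentation-range addresses, with 2001:db8:abcd::/56 standing in for the delegated /56) and reports, per LAN interface, whether the delegation arrived, whether an interface only has link-local, or whether its global addresses sit outside the delegated prefix.

```python
"""Audit `ip -6 addr show` output to confirm the delegated prefix reaches the LAN.

Added example, not part of the original post. The delegated prefix, the
interface names and the address text are all constructed assumptions.
"""
import ipaddress
import re

# Constructed sample output: eth0 is the WAN link with its own /64 (the
# "IPv6 at the router" state), br-lan received a /64 carved from the
# delegated /56, and br-guest never got anything beyond link-local.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:ffff::2/64 scope global dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:10::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2/64 scope link
       valid_lft forever preferred_lft forever
4: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::3/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:]+):")          # "3: br-lan: <...>"
INET6_RE = re.compile(r"^\s+inet6 (\S+) scope (\w+)")  # "    inet6 X/64 scope global"


def parse_ip6_addr(text):
    """Return {iface: [(IPv6Interface, scope), ...]} from `ip -6 addr` text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = INET6_RE.match(line)
        if m and current is not None:
            result[current].append((ipaddress.IPv6Interface(m.group(1)), m.group(2)))
    return result


def audit_delegation(text, delegated_prefix, lan_ifaces):
    """Classify each LAN interface.

    'ok'                 - at least one global address, all inside the delegation
    'link-local-only'    - no global address at all: the prefix never arrived
    'outside-delegation' - global addresses exist but are not from the
                           delegated prefix (stale or mis-assigned prefix)
    """
    prefix = ipaddress.IPv6Network(delegated_prefix)
    addrs = parse_ip6_addr(text)
    verdict = {}
    for iface in lan_ifaces:
        globals_ = [a for a, scope in addrs.get(iface, []) if scope == "global"]
        if not globals_:
            verdict[iface] = "link-local-only"
        elif all(a.network.subnet_of(prefix) for a in globals_):
            verdict[iface] = "ok"
        else:
            verdict[iface] = "outside-delegation"
    return verdict


if __name__ == "__main__":
    # On a real router: audit_delegation(subprocess.check_output(["ip", "-6", "addr", "show"], text=True), ...)
    for iface, state in audit_delegation(SAMPLE_IP6_ADDR, "2001:db8:abcd::/56",
                                         ["br-lan", "br-guest"]).items():
        print(f"{iface}: {state}")
```

Run it against the real output of `ip -6 addr show` on the router and a "link-local-only" result on the LAN bridge is exactly the half-working state described above: the WAN side is up, but no /64 from the delegation ever reached the inside.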

Then I made the mistake that everyone makes the first time, and I will write it down so I remember the shape of it. With IPv4 and NAT, a host with no port forward is invisible from outside by accident. Nothing reaches it because there is no public address to reach. With IPv6 there is no NAT hiding anything. Every host has a globally routable address, and if your firewall default is permissive, every host is reachable from the entire internet the moment it gets an address. I had a permissive default left over from testing, and for about an hour my NAS was answering on its v6 address to anyone who asked. Nothing bad happened, but nothing good was stopping it either.

The fix is the rule you already know from any real firewall: default deny inbound, allow established and related, open only what you mean to open. The difference is that with v6 you have to mean it, because the accidental safety of NAT is gone. That is a feature, not a bug, but it is a feature that will bite you if you carry IPv4 habits across unexamined.

So it is done. Ten years late, an hour of actual work, and one self-inflicted scare. The internet was right that I should have done this ages ago. It usually is.