Given there's been a bit of talk about IPv6 around here recently, I gave it a really good shot at implementing this past week. I spent 3 days getting up to speed, reading loads and trying various different things. But I am now back to IPv4 only because I just can't get IPv6 to do what I want and no amount of searching has made me think what I want to do is even possible.
Some background about the IPv4 network I run at home: I run opnsense on a Proxmox server. I have a few services publicly available using port forwarding. I run several VLANs for IoT, VoIP, Cameras etc. I use a bunch of firewall rules that are specific client devices on the network. So for example I have a rule that blocks youtube from the kids tablets and the TV. I have a special rule around DNS for the wife as she doesn't want to use the pihole blocking features. These rules are made possible because the DHCP server is set to give them a fixed IP and I can create a firewall alias and rule based on that.
None of these things on my existing network are particularly difficult to configure, they run really well.
What I want from IPv6 is:
- All devices to use IPv6 including android devices.
- To have the same firewall rules configured and not have them be easily bypassed.
- To use privacy addresses as I don't want to make every device uniquely trackable over the internet.
- To be able to cope with changes to the ISP provided /48 prefix seamlessly.
- Have internal DNS make accessing intranet devices easy.
- To ensure the privacy of individual devices on my network by avoiding individual device tracking.
What I've tried:
- Using DHCPv6, but this excludes android devices. So that's out.
- Using a NAT (to avoid tracking of individual devices) and fd00/8 addresses, but this is pointless as those addresses are lower priority than IPv4 (FFS!)
- SLACC just seems a non-starter.
Additional: I don't think I have a problem with "thinking about it all wrong for IPv6". I may have a skill issue, hence this question.
As far as I can tell to achieve requirement 1) you must use SLAAC. SLAAC without privacy extensions doesn't allow for 6).
Changes to external ISP prefix assignment impacts MY INTERNAL NETWORK (this just seems insane). And as far as I can tell there's no easy way around this, especially if I have static addresses configured for servers which would (if using SLAAC) have to be manually configured.
I can't see how DNS would be updated either, either Unbound running on Opnsense, or to the pihole. If I go for SLAAC with privacy extensions and I keep paying for a static IP (v4 & v6) to my ISP then I can't implement any firewall rules for specific devices as devices will change their IP regularly. And its even worse if I don't pay for a static IPv6 prefix.
I don't think anything I'm trying to do is particularly strange or unusual but 26 years after its introduction I don't see that IPv6 can meet these requirements. And one of the leading firewall routers, especially in the homelab doesn't have answers to these questions either.
Can you suggest a way to meet all 6 requirements I have with IPv6?
I don't have a good answer for you.
DHCPv6 is pretty well the only good way to have a prefix delegated by your ISP and have it chopped up and deployed in an automated fashion through multiple layers of an edge network. I'm also a real fan of the audit trail in the logs that results from a stateful transaction.
Some background info if you haven't run into it though is described by this google issue tracker id: https://issuetracker.google.com/issues/36949085. The summary is that one guy at google is obstructing DHCPv6 being implemented on android.
I've built out a bunch of IPv6 networks that implement DHCPv6 on the edge. I personally use a whole lot of android devices and none of them get IPv6 addresses, pretty well everything else does. I'm mostly cool with it at this point, eventually the guy who is obstructing IPv6 at google will move on.