Back

@litchralee_v6 @sep @timbray I've been meaning to go this route (purchased, non-routed GUA for stable LAN addressing). The thing that's tripped me up here is outbound address selection on clients with multiple GUA. I run opnsense at the moment, and from what I've gathered it doesn't support NPTv6 for stateless prefix translation onto your ISP-provided PD prefix. So, what are folks doing here if/when clients select the non-routed GUA prefix for outbound?

Or do you only statically assign addresses from the non-routed GUA range to e.g. fixed devices (local DNS servers), and only add the non-routed GUA as an additional on-link prefix without also doing SLAAC for it for all clients?

@hugo @litchralee_v6 @timbray i use only real routed gua addresses. Since using a different gua internally also mixes up dns views that i despise. I want the same address and only one dns view for a given service.
Access is controlled in the firewall, not by using a non routed ip space.
All isp around here use stable prefixes so the isp gua is reliable. If i was on a unreliable isp i would rather do dynamic dns then use a internal only prefix. imho even a tunneled stable prefix is better.

@sep @hugo @timbray Do I understand the last part to mean you would use DDNS and NPTv6 so that the globally-accessible machine or service always has a consistent address no matter what network it's attached to?

In that case, I agree. My answer with the GUA was more geared towards internal-only services that never get accessed from the Internet. But since NPTv6 can -- IMO, should -- be used with GUA prefixes, I think it's still applicable if you had globally-accessible services and a bad ISP.

@litchralee_v6 @hugo @timbray
Not at all. NAT needs to die, preferably yesterday.
I would have used DDNS to update the dns of the GUA if the prefix changed. Ofcourse change to a proper isp that follows best practice would be prefered.

@sep @litchralee_v6 @timbray yea, so my use case was for "first leg" services, specifically an internal DNS server, where you need to still "bootstrap" into that by IP before other services can be reached over DNS and could be handled by DDNS. I do historically run a local/internal DNS zone (int.), with the intention of providing a stable prefix to reach the internal auth+recursive DNS servers.

But, I do suppose that there isn't anything really pinning me to that, and just shifting to DDNS with a public zone should cover a chunk of the use case.

I don't currently have this running, but I know folks with some other self hosted infra that expects static assignments, e.g. k8s podCIDRs and service addresses and such, that would still benefit from a stable GUA prefix and where NPTv6 would still potentially be helpful.

@kitten_tech @litchralee_v6 @hugo @timbray
dhcp-pd have a week lifetime. Never had that long an outage. And if i had i would have statically configured the lan addresses so the local dns still would have worked with the normau gua addresses. I have networks like this allready so it is only lazyness for those lans that use the dhcp-pd pool

@sep @litchralee_v6 @hugo @timbray Hrm, OK. One of my networks is mainly offline and just gets Internet access via random public wifis when it can (or mobile data with my phone acting as a wifi provider, most often), which I do on IPv4 with a 192.168 LAN and a NAT router with the wifi interface on, so I'm still not sure what I'd do to IPv6 it. Not that I've been paying attention to whether any of those wifi networks I connect to have IPv6 anyway!

@sep @litchralee_v6 @hugo @timbray guessing I'd have to bridge the wifi rather than route as I doubt any random public wifi will delegate an entire prefix to my router anyway

@kitten_tech @litchralee_v6 @hugo @timbray
Bridging wifi is tricky. A given random hotspot may not support WDS/MESH, only some vendor spesific bridging protocol. Would probably need to use arp/nd proxy since wifi only deal with 1 client mac address by default.

This randomly accessed roaming network is probably a real and valid usecase for #IPv6 ULA and NPTv6. With DDNS you could even update public dns with the current public ip of any services you want accesible via internet.

@litchralee_v6 @sep @timbray short lifetimes is an interesting one; you've got me curious now.

@jollyrogue @sep @timbray My linked post has a link to someone who is selling /44 subnets.

https://chaos.social/@cr/111805093462604493

I haven't bought it myself yet, but they seem to also issue the LOA necessary to advertise a route on BGP, which could be handy.

@sep
Also the thing about dual stack isn't true. The solution is to advertise your private network with only AAAA records. My http proxy, NFS server, samba server, router and all my managed switches have AAAA records only if they support ipv6 (I think some of the 8 port switches don't). The devices have IPv4 on them but the names aren't connected to the IPv4 addresses. But the addresses so advertised are ULA because I can't rely on ATT to give me a static GUA assignment.
@timbray

@sep
"Best practices" in the US is maximize rent extraction at all costs. Which means anything the customer would potentially want above the absolute bare minimum should cause them to have to buy a crazy expensive higher tier of service. We have whole industries devoted to f*cking the customer here.
@timbray