ipv4 only no more
For a while, two months or so, I have been running my home network ipv4 only. Lots of construction in my area and upgrades to my ISP's (Spectrum, formerly Time Warner) gear caused my prefix to change 3 times in a week. So, I bailed on ipv6.
That has settled down and I'm thinking about going back to a dual stack.
I'll get this out of the way right now. ipv4 only is not a problem for me. I experience no penalty from my ipv4 only setup. However, a combination of available time during the holidays and being able to take the network down (repeatedly) and not disrupt work from home and virtual school has me thinking. Yes, ipv6 is the way forward but I may just stay ipv4. We'll see...
So, first question: I have decent (as decent as Charter/Spectrum can be) native service. I can get a /56. But it's, obviously, dynamic. Would it be better to use the native service or use a HE tunnel and the static /48 they provide? I understand that it would generally be recommended to use native service when available. Lots of threads that, more or less, draw that conclusion. But that introduces a level of brittleness to the network. Particularly given my attachment to using a Pi-Hole. I'll need to add that I have a few VLANs and the Pi-Hole lives in a VLAN all its own. I do it this way. Point hosts to the Pi-Hole. Pi-Hole forwards to unbound. Pi-Hole can do reverse lookups. My Pi-Hole logs are nice and clean, everything by hostname.
Second question: When I set up dhcp6 (I would like to do static reservations) can I provide no ipv6 dns server? Can I put "no address" ("::") as the dns server in my dhcp6 config and just have everything use ipv4 only for dns? I haven't tried that yet, maybe someone has and can save me a minute if it just doesn't work as desired. If that works, I don't have to worry about prefix changes breaking dns resolution.
Third question: I am intending to set this up with radvd in managed mode and do leases with dhcp6. No auto via SLAAC. Would like to have everything registered in DNS. So, yes, I should just try it and see what happens. Again, maybe someone can save me a few minutes of head scratching and share what devices will only get an ipv6 address with SLAAC? I have:
A bunch of Apple iphones, ipads and macbooks. These are not a problem as far as I can see.
Apple TVs? (gen4 and 4k)
Sonos PLAY:5, PLAY:1, Connect (the one that is still supported) and BEAM?
LG smart TV and a TCL Roku TV? The LG TV I can just disable ipv6, not sure about the TCL/Roku TV.
My IoT devices and printers will just live on VLANS that are IPv4 only. Same for my infrastructure devices. My APs (unifi), unifi controller and switches will only get an ipv4.
To be perfectly clear, the reason I care about this is to be able to reverse lookup everything from the pi-hole and keep the logs understandable.
Fourth question: I try to force everything (more or less) to use the Pi-Hole? Can't redirect ipv6 dns on devices that don't listen to dhcp and want to use some hard coded dns server. I'm left to just block ipv6 dns that isn't going to the pi-hole. Sonos, I'm talking about you! How do others handle this?
Last question: I am hesitant to ask this one. There will be some strong opinions. Is this worth it? Why not just stay ipv4 only?
I'm motivated to go back to dual stack because it feels more proper. Done right. I'm that way, I like things to be done right even when it's not, strictly speaking, required.
Look, it's a home network. I could just throw everything on LAN, totally flat network, and it would be fine. I make every effort to not buy devices that I know I will have to be concerned about. No "smart home" stuff. I can get up off the couch and turn the lights on and off. I don't think I have any sketchy stuff.
Sorry that this is rambling and probably not very clear on some points where it should be. Set me straight on the things I need to be set straight on. I'm wearing big boy pants, I can deal with well intended advice or criticisms.
Thanks for any experiences you can share!
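The fourth question above is about spotting devices that ignore the DHCP-supplied resolver and talk to a hard-coded DNS server over IPv4 or IPv6. The following is an added example, not code from the thread or from Pi-Hole, that runs that check over a constructed flow log: the Pi-Hole addresses, the log format and every address in the sample are assumptions chosen for illustration (documentation prefixes, not real resolvers). Its one non-obvious point is that IPv6 addresses are compared as parsed addresses, so a record that spells the Pi-Hole's address with a leading zero or different `::` compression is not flagged as a bypass.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Resolver addresses the firewall policy is meant to allow. Both are constructed
# placeholders for this example (the IPv6 one uses the 2001:db8::/32 documentation
# prefix), not addresses taken from the thread.
ALLOWED_RESOLVERS = {
    ipaddress.ip_address("192.168.20.2"),         # Pi-Hole, IPv4
    ipaddress.ip_address("2001:db8:abcd:20::2"),  # Pi-Hole, IPv6
}
DNS_PORTS = {53}  # plain DNS; the thread only talks about port-53 resolvers

# Constructed flow log, one record per line: "<proto> <src> <dst> <dport>".
# The third line writes the Pi-Hole address with a leading zero in one hextet;
# a plain string compare would wrongly flag it as a bypass.
SAMPLE_FLOWS = """\
udp 192.168.30.10 192.168.20.2 53
udp 192.168.30.10 203.0.113.53 53
udp 2001:db8:abcd:30::10 2001:0db8:abcd:20::2 53
udp 2001:db8:abcd:30::10 2001:db8:ffff::53 53
tcp 192.168.30.11 192.168.20.2 443
garbage line that should be skipped
"""

Flow = Tuple[str, Address, Address, int]


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for anything that is not a well-formed flow."""
    parts = line.split()
    if len(parts) != 4:
        return None
    proto, src, dst, dport = parts
    try:
        return proto.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def find_dns_bypass(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs for DNS flows whose destination is not an allowed resolver.

    Works for both address families; addresses are compared as ip_address objects so
    IPv6 spelling differences do not produce false positives.
    """
    bypass: List[Tuple[str, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed record: skip rather than crash the whole scan
        _proto, src, dst, dport = flow
        if dport in DNS_PORTS and dst not in ALLOWED_RESOLVERS:
            bypass.append((str(src), str(dst)))
    return bypass


if __name__ == "__main__":
    for src, dst in find_dns_bypass(SAMPLE_FLOWS.splitlines()):
        print(f"DNS bypass: {src} -> {dst}")
```

Feeding the constructed log through `find_dns_bypass` reports the two flows that went to a resolver other than the Pi-Hole, one per address family, and nothing for the correctly spelled or differently compressed Pi-Hole addresses. The same function can be pointed at real firewall logs once the record format is adapted in `parse_flow`.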
JKnott
So, first question: I have decent (as decent as Charter/Spectrum can be) native service. I can get a /56. But it's, obviously, dynamic.
There is a setting "Do not allow PD/Address release". Have you selected it?
Yes, I have checked that setting.
Thanks for bringing it up. I can see how that would catch some people out.
For a long time (year+) my prefix was stable. It was only when they started moving stuff around because of all the construction and the need to add capacity for thousands of new apartments and condos that things became unstable.
Do I think it will remain stable moving forward? I don't. It's Spectrum. Lots and lots of people working and doing school from home. They had a 6 hour scheduled maintenance outage in the middle of the day. They, plainly put, suck. Question is, as it relates to using native ipv6, how to best configure things to make those disruptions less disruptive or to just not use it at all...
2.5.0 has the ability to forward ipv6 dns requests
Personally I am a big fan of HE tunnel - you can get a /48.. It's free, it's STATIC... Once you request and get your /48 - that won't change. Or it hasn't changed for me in the like 10 years I have had mine. If you decide to go with some other ISP.. You still can have your same /48, be it your new isp has ipv6 or not, etc.
It's easier to set up to be honest, no worrying about tracking anything for what your interface's IP will be. It's just your /48 and you can do with it what you want.. If you want to hand it out via dhcpv6 or auto on your network - that is fully up to you.
Added benefit is you set the PTRs for any IPv6 addresses you want. Does your ISP allow that?
The only possible drawback is you might add a few ms to your latency having to go through a tunnel to whatever the closest pop is, and depending on the peering for your ISP, etc. this could add some ms.. But it shouldn't be more than a few, it's not going to be in the 100s of ms, etc. So in the big picture the benefits sure outweigh what your ISP is providing - unless they are going to give you a static /X ipv6 block routed to you ;)
Also from my experience - even the largest ISPs really don't get how they should actually set up ipv6.. Using their deployment could for sure come with pain and changes and issues..
If you want to play with IPv6 on your network - my opinion is HE is the way to do it.. Unless your isp deployment is rock solid, and they don't go changing space whenever the wind blows..
@johnpoz Thanks John. I do agree. I'm leaning to HE or just staying ipv4 only.
There is no explanation for what ISPs do other than complete disregard for their customers. Rate increases and the same old crappy service. I look forward to the day, someday, when more states will allow more community internet service. Stop giving these companies monopoly control by disallowing competition.
Another slight benefit to /48 from HE being static.. Is you can use whatever prefix out of your /48 you want on any of your networks.
So I match up the 3rd octet and host address of the IPv4 network with the IPv6 prefix.
That is more difficult to do when you're tracking and just limited by the /64s that are subs of whatever PD they hand you.
@johnpoz @kiokoman Thanks! I do like the idea of coordinating the two addresses. Kinda like having your vlan id and ipv4 addresses match. vlan 10 is 192.168.10.0/24. A little thing that makes it cleaner.
I'm going to have to give this a good think ;) Probably should consider flattening things a bit. I have a lot of subnets/vlans because it seemed more "professional". I then violate the segregation left and right to keep the family happy.
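The addressing plan johnpoz describes (match the third octet and host part of the IPv4 network to the IPv6 prefix out of the static /48) and the "vlan 10 is 192.168.10.0/24" convention above are mechanical enough to script. The following is an added example, not code from the thread, HE or pfSense; the /48 is a documentation-prefix placeholder, not a real allocation, and the "write the decimal VLAN id as hex digits" rule is one assumed way to keep the numbers reading the same in both stacks. It also generates the reverse-zone owner name for the PTR records mentioned earlier.

```python
import ipaddress
from typing import Dict

# Constructed placeholder for the static /48 (documentation prefix, not a real
# HE allocation). Replace with your own.
SITE_48 = "2001:db8:abcd::/48"


def vlan_prefix(site_48: str, vlan_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for a VLAN, writing the decimal VLAN id as the subnet hextet.

    VLAN 10 becomes <site>:10::/64: the hextet is 0x0010, which reads as "10",
    so the IPv6 prefix, the VLAN id and 192.168.10.0/24 line up visually.
    (Assumed convention; any injective mapping would do.)
    """
    site = ipaddress.IPv6Network(site_48)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= vlan_id <= 4094:  # 0 kept so 192.168.0.0/24 maps to <site>:0::/64
        raise ValueError("VLAN id out of range")
    subnet_hextet = int(str(vlan_id), 16)            # "10" -> 0x0010, "4094" -> 0x4094
    # The 4th hextet (bits 48..63 from the top) is bits 64..79 from the low end.
    base = int(site.network_address) + (subnet_hextet << 64)
    return ipaddress.IPv6Network((base, 64))


def matching_v6(site_48: str, ipv4: str) -> ipaddress.IPv6Address:
    """Map 192.168.<vlan>.<host> to <site>:<vlan>::<host>.

    Assumes /24 IPv4 networks whose third octet is the VLAN id, as in the thread.
    """
    octets = ipaddress.IPv4Address(ipv4).packed
    prefix = vlan_prefix(site_48, octets[2])
    host_hextet = int(str(octets[3]), 16)           # host .50 -> ::50
    return ipaddress.IPv6Address(int(prefix.network_address) + host_hextet)


def ptr_name(addr: ipaddress.IPv6Address) -> str:
    """Reverse-zone owner name (ip6.arpa) for the PTR record of an address."""
    return addr.reverse_pointer


def plan(site_48: str, networks: Dict[str, str]) -> Dict[str, str]:
    """Build {name: IPv6 /64} from {name: IPv4 /24}, using the third octet as VLAN id."""
    result = {}
    for name, v4_net in networks.items():
        net = ipaddress.IPv4Network(v4_net)
        if net.prefixlen != 24:
            raise ValueError(f"{name}: the octet convention assumes /24 networks")
        result[name] = str(vlan_prefix(site_48, net.network_address.packed[2]))
    return result


if __name__ == "__main__":
    # Constructed sample of the kind of VLAN list the OP describes.
    for name, v6 in plan(SITE_48, {"Home": "192.168.10.0/24", "Media": "192.168.30.0/24"}).items():
        print(f"{name:6} {v6}")
    host = matching_v6(SITE_48, "192.168.10.50")
    print(host, "->", ptr_name(host))
```

With the placeholder /48, `192.168.10.50` maps to `2001:db8:abcd:10::50`, and `plan` turns the VLAN list into the matching set of /64s; the PTR owner name comes straight from the standard library so the reverse records can be generated from the same table the forward zone uses.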
Kinda like having your vlan id and ipv4 addresses match
Yeah this is a very common practice for sure ;) And do it both at work when you can and for sure at home..
How many vlans do you have? I could/should prob create some more vlans for my iot stuff - that is pretty lumped together with different types of devices in the same vlan... My Alexas and lighting stuff and thermostat, etc are all in the same vlan. I did break out the rokus on their own vs putting them in with the other iot devices..
But that was more an attempt to keep my wifi ssids limited.. If I ever get around to setting up dynamic vlans based on mac for the iot devices then yeah I would segment the stuff better.
I tested it that it could be done.. But then upon thinking about it more - it would still leave me with multiple ssids.. Enterprise for my stuff. psk for iot stuff and psk for guests.. So it would only allow me to go down to 3 vs the 4 I currently have.. So wasn't really worth the extra effort to just split the few types of iot stuff I have, etc.
I wonder if the average forum user realizes what a good resource they have here? Sure, there is the occasional FOSS forum drama but mostly you get questions answered by actual professionals. For free. Nice!
How many vlans do you have?
I have 8 subnets/vlans.
LAN (default vlan): Switches, APs and controller
Home: iPhones, iPads, Macbooks
Media: LG TV, Roku TV, Apple TVs, Sonos Speakers
Server: Synology and QNAP NAS
Printer: HP printers
IoT: Kindles and Bike Computers
I have 3 SSIDs
Freeside: Enterprise Radius assigned VLAN
Chiba: PSK Radius assigned VLAN by MAC address
I put everything I could on Freeside, including one of my printers that supports WPA2 Enterprise EAP-TLS. Lots of fun with Apple Configurator for the others.
Chiba gets the kindles, bike computers and Roku TV. Before anyone has a fit, no you can't get on this network by MAC address only. They are only used to do VLAN assignments. You still have to know the pre shared key. Unifi is kinda misleading with this, they call it "RADIUS MAC AUTHENTICATION". I tested this and found that you have to have a user in Radius that matches the MAC address and the PSK. Radius shows it as a successful logon if you have no password or the wrong password but the AP doesn't connect you in that case. Maybe you could do this on an open network or do something in Radius to make it a MAC bypass. That is a terrible idea.
Sprawl is the guest network.
Everything that is stationary is on a wired connection with the exception of the Roku TV and one Apple TV.
One printer (an all-in-one) is on a cart and connects to Freeside (didn't know it supported Enterprise EAP-TLS until recently, never bothered to look when I bought it) :)
I violate the F out of the L2 segregation using avahi (mDNS/Bonjour) and udpbroadcastrelay (SSDP, for the Sonos). I'd post up all my firewall rules but that would just serve to make me look dumber than I already do. They get the job done but are not nearly as locked down as they could be.
There is a lot that could be improved. We're probably going to move late spring/early summer and that will be the time to get some gear that is quieter and more energy efficient. A Netgate appliance and new switch(es). Get rid of my unifi stuff and replace them with Ruckus APs if I can find some for a decent price used. Put bigger drives in my Synology and retire the QNAP. There's always something...