Homelab IPv6 - dynamic DNS and subnetting basics

NickyDoes · Jul 24, 2024, 3:51 PM

I'm embarking on IPv6 in my home lab. It's a typical lab: home LAN devices & traffic, and a few servers with public access. I've been reading & watching IPv6 material. No, I haven't read the IETF RFCs.

I get the basics of IPv6 addressing, but I'm having trouble translating some concepts from IPv4 to IPv6. I have a /56 prefix delegated. I'm looking to understand homelab IPv6 from end-to-end. My understanding is that I do not have to remember or copy/paste whole IPv6 addresses (this will be awesome).

For servers:
Do I set up a dynamic DNS record to point to a home lab server directly? If so, how is the server addressed - dynamic e.g. via SLAAC, static, or some other method?

For home devices like phones, PCs, TVs on a separate subnet? If so, do I then just create firewall rules for the subnet?

johnpoz · Jul 24, 2024, 3:59 PM

@NickyDoes if you were delegated a /56 you would create your /64 prefixes you want to use on your different local segments from that.

if you want to access your servers on ipv6 via some fqdn, then yes you would have to setup dns to resolve that fqdn to their IPv6 address, this could be dynamic dns, this could be just a AAAA record you created in the dns for that IPv6 address.

Yes IPv6 isn't behind a nat, so your firewall rules would need to allow whatever IPv6 address behind pfsense to be accessed by who you want to access it there is no port forwarding, etc.

Bob.Dig · Jul 24, 2024, 4:11 PM

@NickyDoes said in Homelab IPv6 - dynamic DNS and subnetting basics:

Do I set up a dynamic DNS record to point to a home lab server directly? If so, how is the server addressed - dynamic e.g. via SLAAC, static, or some other method?

Probably yes.
I would use DHCPv6 for a server behind dynamic IPv6.
DDNS might be troublesome. At least I wish we had support for DHCPv6-hosts and the usual DDNS-Clients in pfSense.

keyser · Jul 24, 2024, 4:39 PM

@NickyDoes IPv6 gets quite tricky when it comes to pfSense. Like with IPv4 there is no support for automatic client DNS nameregistration in IPv6, so either you have to register all clients/servers manually (SLAAC clients and Static IP clients) or in some products the DHCPv6 server can register its clients in DNS - but not on pfSense though (so manually it is….).

Also - IPv6 on most/all clients use something called privacy extensions, so if you use SLAAC you cannot create pr. Client outbound firewall rules. You have to allow og deny everything equally for the intire subnet.
With privacy extensions clients will pick a new random IPv6 address every day for oubound connections.

You could experiment with the new MAC address based firewall rules though…