I have had IPv6 off for a long time now, but it feels like now is time to actually try. I’m planning on setting the WAN side to DHCPv6 and the LAN side to Static IPv6 to match the IPv4 settings. https://docs.opnsense.org/manual/ipv6.html
(I see people say “talk to your ISP about dynamic or static and what block size” but I would rather collapse into a singularity than contact my ISP unforced, so I shan’t do that)
I’ve tried to read about IPv6 but I just don’t have enough knowledge-ground to stand on to make sense of it in an actionable way.
From what I have read and (mildly) understood, I think I know that IPv6 addresses are directly identifying; no longer does everything on the internet see the IPv4 of your router only - now things see your specific device’s IPv6 that’s a… subset? of the router’s IPv6 range (not single IP) assigned. https://superuser.com/a/1735921 People describe it as a different way to network, which I guess means no matter what I read I’m still not sure what to do.
I want IPv6 to work exactly like IPv4: router has WAN IPv4 address and masquerades for every device in the network. I don’t want Google knowing exactly which computer contacted them from inside my LAN, I want them to put in the work to finger print my device with various ways that are likely illegal in the EU.
How do I prevent that IPv6 privacy issue, or did I misunderstand how IPv6 works?
Use ULA addresses for hosts inside your LAN, they are static, cannot be used to reach outside your LAN and use IPv6. Then give your server/VPN endpoint a real ipv6, that’s your VPN endpoint. This doesn’t require any nat and can be easily changed to GUA when you want to.
CGnat is a “solution” for running out of ipv4 addresses, it has the same problems as any other nat but the problems are even more noticeable because the out-facing ipv4 address changes more often than the typical home nat configuration and tricks like FTP- and other helpers don’t work as well.
Ipv6 would not only avoid the issues of cgnat, it would avoid cgnat entirely because you don’t need to Nat when you have enough ips.
Thanks for taking the time to go into detail on this, it helps because I just haven’t been able to put acronyms to actionable meaning from just reading blogs and posts.
How do things outside the LAN talk to things inside the LAN that have ULA addresses (which I’m assuming are equivalent of 10.0.0.0/16 idea)? Will devices that are given ULA addresses be NAT’d just like IPv4 or will they not be able to talk to the outside world on IPv6?
Edit: I am getting more what you said; you answered this: the ULA addresses will not be able to talk to the outside world on IPv6 so those devices will be IPv4-only to websites that use IPv6 too. Follow-on Q would then be, is kludging NAT for IPv6 not a better solution versus ULA addresses? Or is the clear answer just use IPv6 as intended and let the devices handle their privacy with IPv6 privacy extensions?