@chronicledmonocle@sugar_in_your_tea This is why I love yggdrasil. Thanks to having a VPS running it that all of my hosts globally can connect to, I can just use IPv6 for everything and reverse proxy using those IPv6 addresses where I need to. Once hosts are connected and on my private yggdrasil network, I stop caring about CGNAT or IPv4 at all other than to maybe create public IPv4 access to a service.
IPv6 doesn’t help anything if you’re behind CGNAT, you can have internal-only IPv6. There are good reasons to not have every household directly accessible to the outside world, so I’m sympathetic to that, but they also seem to love charging extra for it.
CGNAT only applies to IPv4. You cannot NAT IPv6 effectively. It’s not designed to be NATed. While there IS provisions for private IPv6 addressing, nobody actually does it because it’s pointless.
Network Prefix Translation isn’t the same thing. That’s used for things like MultiWAN so that your IPv6 subnet from another WAN during a failover event can still communicate by chopping off the first half and replacing the subnet with the one from the secondary WAN. It is not NAT like in IPv4 and doesn’t have all of the pitfalls and gotchas. You still have direct communications without the need for things like port forwarding or 1:1 NAT translations.
I’m a Network Engineer of over a decade and a half. I live and breath this shit. Lol.
Yes, it’s not the same, but it can be used to bridge private addresses onto a public network, which is basically what NAT is trying to achieve. If you’re running an ISP and don’t want customers to be directly accessible from the internet, it seems reasonable. In an ISP setup, you would issue private net addresses and just not do the translation if the customer doesn’t pay.
Yes, you can achieve the same thing another way, but I could see them deciding to issue private net addresses so customers don’t expect public routing without paying, whereas issuing regular public IPv6 addresses makes it clear that the block is entirely artificial.
I guess you already know about the options, but for others:
Find the cheapest VPS out there and have a Wireguard tunnel between it and your home network. Run ddclient or similar on the VPS in case the public IP changes.
Yup, that’s what I did. I even have my TLS servers running on my LAN as well, so once my ISP no longer puts me behind CGNAT, I just need to change my DNS settings and set up some port forwards on my router.
Fortunately there’s a million companies that offer VPS with a static IP address for only few bucks a month. I set one up to run a wireguard VPN server which all my devices and home servers connect to as clients. I also configured everything to use a split tunnel to save bandwidth.
Normally when you’re on a VPN all the network traffic to and from your device is going through the connection to the VPN server, e.g. browsing the internet, online games, etc. It can cause issues with other online services and uses bandwidth (cheap as it is) many VPS provider charges for.
A split tunnel tells the VPN client to only send certain traffic through the tunnel. My wireguard setup assigns IP addresses for the VPN interfaces in the subnet 192.168.2.x, so only traffic addressed to IPs on that subnet get sent through the tunnel. In wireguard it’s a single line in the config file:
Ixury for people that can have public IPs! :)
Yup, CGNAT blows.
It’s why IPv6 is important, but many didn’t listen.
@chronicledmonocle @sugar_in_your_tea This is why I love yggdrasil. Thanks to having a VPS running it that all of my hosts globally can connect to, I can just use IPv6 for everything and reverse proxy using those IPv6 addresses where I need to. Once hosts are connected and on my private yggdrasil network, I stop caring about CGNAT or IPv4 at all other than to maybe create public IPv4 access to a service.
IPv6 doesn’t help anything if you’re behind CGNAT, you can have internal-only IPv6. There are good reasons to not have every household directly accessible to the outside world, so I’m sympathetic to that, but they also seem to love charging extra for it.
CGNAT only applies to IPv4. You cannot NAT IPv6 effectively. It’s not designed to be NATed. While there IS provisions for private IPv6 addressing, nobody actually does it because it’s pointless.
Sure, but NPTv6 exists, and I wouldn’t put it past an ISP to do something like that.
Network Prefix Translation isn’t the same thing. That’s used for things like MultiWAN so that your IPv6 subnet from another WAN during a failover event can still communicate by chopping off the first half and replacing the subnet with the one from the secondary WAN. It is not NAT like in IPv4 and doesn’t have all of the pitfalls and gotchas. You still have direct communications without the need for things like port forwarding or 1:1 NAT translations.
I’m a Network Engineer of over a decade and a half. I live and breath this shit. Lol.
Yes, it’s not the same, but it can be used to bridge private addresses onto a public network, which is basically what NAT is trying to achieve. If you’re running an ISP and don’t want customers to be directly accessible from the internet, it seems reasonable. In an ISP setup, you would issue private net addresses and just not do the translation if the customer doesn’t pay.
Yes, you can achieve the same thing another way, but I could see them deciding to issue private net addresses so customers don’t expect public routing without paying, whereas issuing regular public IPv6 addresses makes it clear that the block is entirely artificial.
Just because you can doesn’t mean anyone does. I’ve never seen an ISP hand out “private” IPv6 addresses. Ever.
If you’re doing NAT on IPv6, you’re doing it wrong and stupid. Plain and simple.
Yeah, there are workarounds… And who knows, maybe its just safer than public ip… But definitely require some external fixture.
I guess you already know about the options, but for others:
Find the cheapest VPS out there and have a Wireguard tunnel between it and your home network. Run ddclient or similar on the VPS in case the public IP changes.
Wireguard or ssh tunnel with port forwards, both works.
Yup, that’s what I did. I even have my TLS servers running on my LAN as well, so once my ISP no longer puts me behind CGNAT, I just need to change my DNS settings and set up some port forwards on my router.
I’m in the same situation.
Fortunately there’s a million companies that offer VPS with a static IP address for only few bucks a month. I set one up to run a wireguard VPN server which all my devices and home servers connect to as clients. I also configured everything to use a split tunnel to save bandwidth.
It’s an added layer of security too.
Can you detail the split tunnel part?
Normally when you’re on a VPN all the network traffic to and from your device is going through the connection to the VPN server, e.g. browsing the internet, online games, etc. It can cause issues with other online services and uses bandwidth (cheap as it is) many VPS provider charges for.
A split tunnel tells the VPN client to only send certain traffic through the tunnel. My wireguard setup assigns IP addresses for the VPN interfaces in the subnet 192.168.2.x, so only traffic addressed to IPs on that subnet get sent through the tunnel. In wireguard it’s a single line in the config file:
I am doing split tunnel since years without knowing :)
Thanks, I learned something new.