I’m surprised home many technically knowledgeable people on Internet forums still think IPv6 is some niche, unreliable thing.
In my direct experience, in the USA, at least Spectrum, AT&T, and Xfinity (Comcast) still run IPv4, of course, but they also have IPv6 working and on by default on their home internet offerings.
All mainstream computer and mobile OSes support it by default and will prefer to connect with it over IPv4.
‘Everyone’ in many areas is using it. For many of us, our parents are using Facebook and watching Netflix over it. Over 50% of Google’s American traffic is over it. It just works.
My problem with IPv6 is that my ISP (Xfinity) won't give me a static prefix, so every now and again it changes.
Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.
Combined with the lack of DHCP6 support in many devices, this means reverse DNS lookups from IP to hostname can't be done, making identifying devices by their IP essentially impossible.
I think you’re conflating multiple things there. There’s nothing magical about IPv4 that gives your LAN addresses stability when your ISP changes your IP prefix. That’s provided by your router doing network address translation. You send a packet from your address which is 192.168.0.42 (a local address), and your router changes the bytes in the packet so that it comes from X.Y.Z.W (your router’s public address). If you really wanted it to your router could do the same thing for IPv6.
IPv6 also has local addresses, but a lot more of them. Anything starting with fd00::/8 is a local address with 40 bits available as the network number. So you can set up your local network with the prefix fdXX:XXXX:XXXX::/48 (where the Xs are chosen randomly) as the prefix and still have 16 bits left over for different subnets if you want. These addresses do not change when your ISP changes your public prefix.
And if you want to add reverse dns for SLAAC addresses then just have your router listen for ICMPv6 Neighbor Announcement addresses and use them to update your DNS server as appropriate. Or configure your servers to use stable addresses based on their MAC address rather than random addresses (which are better for privacy), and then just configure the DNS as you add and remove servers.
My ISP will route as many /64s to me as I want (I think I get a /48 by default, I guess if I want more than 64k subnets I’d have to justify it)
So I don’t have the changing ip issue. I do however have an issue if I want to change ISP as it’s a whole mess of rules to update rather than a couple of dns entries and two dst nat rule (one per public IP)
I believe the idea in v6 if you have multiple prefixes on the same network - including a local fc00::/7 one for local services. Layers and layers of things to break.
For example, I recently attended the IETF meeting in Montreal, which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
Myeah... I've had weird issues on my network that I could only resolve by disabling IPv6. Granted, it's probably my fault, but if everything still works fine with ipv4 that's fine to me. One day I will get into it and learn how it work and maybe I'll get it figured out... One day...
For consumer traffic, your probably right. In data centers, cloud computing, and various enterprise networking solutions, IPv4 is still king. I'm sure IPv6 would work fine in all these use cases, but as long as many large tech companies are not exhausting the CIDR ranges they own (or can opt for using private ranges) there is no impetus to rework existing network infrastructure.
Corporate laptop won’t work (their version of windows seems to require an ipv4 adddess on an interface, not sure if that’s a windows thing or a them thing)
Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
My router doesn’t support 64, so I have to use my isp’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.
Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations
Perhaps lost of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 natting device) why bother running two networks, double the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLACC make it harder to work out what devices are on the network, many end user devices are user hostile now and keeping control of them on v4 alone is less work than in v4 and v6.
> Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
> Things like SLACC make it harder to work out what devices are on the network
Again, not true. If you really don’t trust your devices, then DHCP isn’t going to save you. Malicious hosts absolutely can self assign an unused v4 address, and you’ll be none the wiser if you just look at your DHCP leases.
For example, I recently attended the IETF meeting in Montreal--practically the epicenter of v6 thinking--which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
I had working IPv6 in the past, but currently I seem to have no working IPv6. Using Xfinity. I have access to some servers at a friend's place in another city, pretty sure he also doesn't have IPv6. Maybe some phone calls would sort it out, but when "everything" still works (with IPv4), it's hard to care.
That is really bizarre, because I have Comcast and I find their IPv6 support excellent. The only complaints I have are that I wish you could get bigger than a /60 prefix (a /56 would be nice), and that I wish it was feasible to get a static prefix as a residential customer. Granted you said you don't really care to fix it, but if that ever changes I do think you could get them to fix it pretty easily. IPv6 is one of the things they generally do right.
> Groups of zeros can be omitted with two colons, but only once in an address (i.e. 2000:1::1, but not 2000::1::1 as that is ambiguous)
Can someone explain why it's ambiguous?
On the subject, IPv6 is one of the strangest inventions on the internet. Its utility and practically are obvious no matter how you look at it except... just one thing.
Network-related things are generally easy to remember and then type from memory: IPv4, domain names, standard port numbers. Back in the day it was the phone numbers, again, easy to remember and dial when you need it. IPv6 is just too long and requires copy/paste all the time. This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
I finally clicked when I worked out it was 2^64 subnets . You have a common prefix of you /48, which isn’t much longer than an ipv4 address - especially as it seems everything is 2001::/16, which means you basically have to remember a 32 bit network prefix just like 12.45.67.8/32.
That becomes 2001:0c2d:4308::/48 instead
After that you just need to remember the subnet number and the host number. If you remember 12.45.67.8 maps to 192.168.13.7 you might have
2001:0c2d:4308:13::7
So subnet “13” and host “7”
It’s not much different to remebering 12.45.67.8>192.168.13.7
IPv4 isn't perfect, but it was designed to solve a specific set of problems.
IPv6 was designed by political process. Go around the room to each engineer and solve for their pet peeve to in turn rally enough support to move the proposal forward. As a bunch of computer people realized how hard politics were they swore never to do it again and made the address size so laughably large that it was "solved" once and for all.
I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
My personal preference would have been to open up class E space (240-255.*) and claw back the 6 /8s Amazon is hoarding, be smarter about allocations going forward, and make fees logarithmic based on the number of addresses you hold.
Only if by "political process" you mean a bunch of people got together (physically and virtually) and debated the options and chose what they thought was best. The criteria for choosing IPng were documented:
> I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
The primary reason for IPng was >32 bits of address space. The only way to make them shorter is to have fewer bits, which completely defeats the purpose of the endeavour.
There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
This is a lot of basically sharpshooting, but I will address your last point:
> There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers that could have been used to flag that the first N bytes of the payload were an additional IPv4.1 header indicating additional routing information. Packets would continue to transit existing networks and "4.1" capable boxes at edges could read the additional information to make further routing decisions inside of a network. It would have effectively used IPv4 as the core transport network and each connected network (think ASN) having a handful of routed /32s.
Overlay networks are widely deployed and have very minor technical issues.
But that would have only addressed the numbering exhaustion issues. Engineers often get caught in the "well if I am changing this code anyway" trap.
> This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
Except if you're using a mobile phone, in which case many telcos hand out only IPv6 addresses to handsets. 2018 NANOG presentation "T-Mobile's journey to IPv6":
Exactly enough to fill out the address, which is always the same length. BTW, IPv4 does basically the same thing. The address 127.1 is equivalent to 127.0.0.1.
Not really the same, the mechanics are different and this particular behaviour is pretty much an accident, not abbreviation.
In IPv4 you also have 127.257 equal to 127.0.1.1, 123456789 equal to 7.91.205.21, and 010.010.010.010 is a well-know DNS server. This notation is also rejected by most implementations.
I've said this since time immemorial, and networking people often dismiss it. "Just use DNS," say people who have never actually worked netops or devops.
The length of the addresses and the clunky nature of their ASCII representation is absolutely the #1 reason the IPv6 has taken this long. User experience is the most powerful force affecting large scale adoption, and IPv6 has poor UX.
I think the UX is partly fixable by creating less horrible ASCII representation, but this would take a lot of coordination that was hard even back then and is virtually impossible now. If someone told me in 500 years we're still running dual-stack IPv4/IPv6 absolutely unchanged, I'd believe it.
Half the reason (literally) the address looks so bad is not because of IPv6 but because everyone keeps choosing to implement randomized in-subnet addresses and cycle through them for privacy reasons.
E.g. 2600:15a3:7020:4c51::52/64 is not too horrible but 2600:15a3:7020:4c51:3268:b4c4:dd7b:789/64 is a monster by unrelated intent of the client.
This is pretty much on the money. IPv6 addressing can be pretty simple if you design your subnets and use low numbers for hosts. But hosts themselves will forgo that and randomly generate 64 bit random host addresses for themselves - some times for every new connection. Now you have thousands of IPv6 addresses for a single computer speaking out to the Internet.
"Modern" tooling in the consumer space is pretty dire for IPv6 support too. The best you can reasonably get is an IPv6 on the WAN side and then just IPv4 for everything local. At least from the popular routers I've experienced lately.
I’ve been amazed for years at the fact that many of the best routers turn V6 off by default.
Of course I know why. If you turn it on it slightly increases edge case issues as complexity always does. Most people don’t actively need it so nobody notices.
Yes, I forgot about SLAAC and worthless privacy extensions.
Privacy extensions are worthless because there are just sooooo many ways to fingerprint and track you. If you are not at least using a VPN and a jailed privacy mode browser at a bare minimum, you are toast. If you’re serious about privacy you have to use stuff like Tor.
V6 privacy extensions are like the GDPR cookie nonsense: ineffective countermeasures with annoying side effects.
SLAAC sucks too. They should have left assignment up to admins or higher level protocols like with V4. It’s better that way.
I mean yes, but there’s no escape from the fact that ip addresses need to be longer as amount of devices on the internet already exhausted the pool of IPv4 addresses by multiple orders of magnitude.
I guess it could be possible to implement sort of mnemonic phrases for addresses, à la bip-39, but it would be just trading one kind of pain for another.
It’s a really complicated rule called “subtraction”. Addresses are always 128 bits long, or 8 groups of four hex digits. 2000::1 is two groups, so you need six groups in between to make 2000:0000:0000:0000:0000:0000:0000:1. But I don’t know why people always ask this, because it’s always the computer you are typing addresses in to that does the subtraction. You never ever have to type out the whole address. Just type the shortened version, because 2000::1 _is_ the whole address.
My answer was too terse. IF there was two :: in the address, then the length of EACH :: denoted section is not known. It can be either longest left :: or longest right :: and that wasn't defined, because the rule is THERE IS ONLY ONE :: section.
the :1 is short for :0001 basically and then just put that bit of the address at the very end and put the first bit of the address at the front, and then just fill each missing group inbetween with 0000
> Peer-to-peer communications such as gaming usually have to deal with NAT traversal, but with IPv6 this is no longer an issue, especially for multiple gamers using the same connection
You know the list of "benefits" is thin when the second item is entirely theoretical. Even though IPv6 doesn't have to do NAT traversal, it still has to punch through your router's firewall which is effectively the same problem. Most ISP provided home routers simply block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
Even if that were not an issue, my bet is that there are close to zero popular games that actually use true peer to peer networking.
> There are also still a lot of misconceptions from network administrators who are scared of or don’t properly understand IPv6
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
Routers and access points are also typically separate device classes. Yet the market has figured out that most consumers
prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-link does not give two cents to security in their products.
You are of course correct, but most people will disagree because the world we live in is a lot messier than what we should do and people expect a base line. You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that is it is not - in effect it is.
Are you suggesting that people should buy both a router and a firewall for their home networks? I suppose they should buy a separate Wi-Fi AP as well, and a switch or two, in your opinion?
OpenBSD makes it easy to try IPv6 tunnelbroker.net with NAT64/DNS64 if your ISP only has IPv4 ("one more lab test away.." they say).
This has worked for me well for a couple years. I do use a VLAN to keep the IPv6-only network separate (homelab) from video streamers in the household.
In my pf.conf:
# IPv6 tunnel
block in log on $tun6_if all
block in quick on $tun6_if inet6 from fd00::/8 to any
antispoof quick for $tun6_if
# allowed icmp6
pass in quick log on $tun6_if inet6 proto icmp6 icmp6-type {
unreach, toobig, timex, paramprob, echoreq
}
# MSS clamping 60 bytes less than HE 1480
# 20 byte IPv4 tcp header + 40 byte IPv6 ip header
match on $tun6_if all scrub (random-id max-mss 1420)
My two IPv6 issues (even having had a HE tunnel in the past):
- My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
- Linode allows transferring v4 addresses between machines, so if I need to rebuild something I can do so without involving my client who usually has control over DNS. They do not support moving v6 addresses, which means that the only sites I have control over that support v6 are the ones that I control DNS.
Making IPv6 a thing seems like it would be super easy if a couple hours could be spent solving a bunch of dumb lazy problems.
> My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
Being a priority doesn't mean it's high priority. It could be a priority, but the lowest ranked one, so other stuff always comes first. :P
T-Mobile wireless US is pretty invested on IPv6, so if they take over the network, they may well push it.
When I moved to an ISP that supported IPv6 earlier this year I ran into niggly problems. Ubuntu failed to update because one of its regional servers was misconfigured. OpenDNS one of its servers seemed not to be there on a regular basis over IPv6. I also had odd behaviour and latency issues where sometimes IPv6 would fail to route for short periods and it would fail and fall back to IPv4.
It was a painful experience of trying to work out if I had misconfigured it, if it was something to do with my opensource router software or if it was my ISP or the end services. I didn't get to the end of working this out and reporting issues and I just gave up. Due to the intermittent nature of the issues I was facing I never managed to get a report of issues my ISP would accept.
So I'll give it some time and give it a try after a year and see if things have improved, but it was definitely not ready for prime time.
Here's China's current IPv6 plan.[1] It was an explicit objective of the 14th Five Year Plan, now concluding, to get most of China's Internet on IPv6. About 70% of China's mobile users are on IPv6 now. But fixed IPv6 traffic in China is only 27%.
Am I missing something? Where's the part where he actually talks about his experience in that week? This goes straight from an overview of IPv6 to the conclusions section.
My ISP has good IPv6 support. I was using it for a while and recently disabled it across my home network for simplicity of maintenance, cutting my vyos config in half. When I need to access something not available on IPv4 I'll set it up again but I'm not convinced that will happen in my lifetime.
> Don’t blame your provider when they deploy CG-NAT, embrace IPv6 and global routing instead.
In theory this makes sense, but in practice my personal experience is that not a single wireline ISP I've ever seen deploy CG-NAT offered IPv6 service at all, nor did any of them indicate any intent or even interest when asked about it.
The mobile providers on the other hand have almost entirely gone IPv6-first, using 6>4 transition methods as the default form of v4 access which I fully support.
4>4 CG-NAT should never have existed and providers who deploy it without offering fully functional v6 should be shamed.
I have firsthand experience doing that experiment about 3 months ago. Completely removed my IP4 DHCP lease from my ISP at the router. About 50% of the public sites I tried to visit didn't resolve. So many public sites, that I gave up and went back to dual stack after just a day. Google, ChatGPT, and a few other popular sites were fine with pure IPv6 traffic, however sites like eBay and even HN did not resolve. IPv6 simply is still not ready for everyone to just transition into overnight.
Well, we'll have to see what all the "in-between" bits do. There's a lot in it, that will require implementation by countless layers of routers, switches, caches, firewalls, etc.
Look at Bluetooth, for an example, or TIFF.
I printed out the Bluetooth spec once, just for Ss and Gs. It was over 2,000 pages (double-sided).
I once tried writing a fully-compliant TIFF reader. Didn't go so well.
I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6. I am forced to support IPv4/DHCPv4 for the foreseeable future to support these broken devices.
Of course after over a decade of denying that Android needs some kind of DHCP in IPv6, it seems that Android may finally be getting some kind of solution:
I can't run SLAAC and DHCPv6 at the same time without giving devices multiple addresses, and Android doesn't support DHCPv6, so I'd have to carve out a separate, SLAAC-based, android-only network. And then figure out firewall rules, multicast reflection, etc.
No control over which source address is used. I'm assigning a lot of clients DHCP reservations so I can use static addresses for monitoring and firewall rules. With multiple addresses on the same network, clients may use their SLAAC address which won't match the firewall rule.
That still doesn’t really make sense. Why not run SLAAC on one subnet and have a single firewall rule for the whole thing? You’re not running any major servers on an Android phone, so it won’t be anything complex.
I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.
No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.
Android supports DHCPv6, just not stateful DHCPv6. You can give each device its own /64 or if you really want to track a devices usage you should use an authenticated layer on top of your base network.
While these articles are useful in understanding the utility of IPv6, what would really help is an article explaining step by step how to configure a home network using IPv6. The tutorial should answer these questions:
- How to ensure there are no collisions in address space? Translates to, how to pick safe addresses, is there a system?
- How do I route from an external network resource to an internal network resource? Translates to, can you provide syntax on how to connect to an smb share? Set up a web service that works without WireGuard or equivalent?
- How does one segment networks, configure a vlan, set up a firewall?
- if you're talking a private/local prefix, you can use tools like this to generate one: https://unique-local-ipv6.com/. Otherwise DHCPv6 and SLAAC will ensure no collisions for the most part.
- Use global/public addresses on all your devices (using something like prefix delegation) or use NAT.
- Same as IPv4. Prefix delegation will let your ISP assign you multiple networks, and then most routers will break these up into /64 networks for each of your VLANs.
> do you just scramble keys when picking an address?
No. Your ISP or tunnel broker gives you a network prefix. Then you configure SLAAC to use that prefix and hand out addresses within it. Job done.
For example, the prefix might look like 2001:470:e904::/48. Your computers can use any addresses you want as long as they start with that prefix. Since you don’t want to manually hand out addresses to every computer, you configure a router to hand out addresses via SLAAC. Your computers will use SLAAC to discover the prefix from the router, then fill in the bottom 64 bits of the address with a random number. They then ask the local network if anyone is using that full address. If not then they are done and have a working address. If somehow someone is using that address then they try again with a different random number. Servers that want a fixed address will just use their network card’s MAC address (or anything similar, if you want) instead of a random number. The protocol is the same either way.
Notice that this actually gives you some bits of your own to play with, if you want. The full address is 128 bits long. The first 48 were used by the prefix and the bottom 64 by the individual devices, leaving 16 bits in the middle. You could tell your router that the prefix for SLAAC is 2001:470:e904:42::/64, for example, and then use the other subnets for other purposes. Maybe 2001:470:e904:beef::/64 is a special subnet just for your meat freezer and associated monitoring equipment. I don't know, you get to make these things up for yourself. Maybe you manage a corporate network that has a separate VLAN for phones than for normal PCs, and a third VLAN for the guest WiFi. You can give them each a different prefix by embedding the VLAN id into the prefix you advertise via SLAAC.
There’s also DHCPv6 if you want even more control over which addresses are handed out, or you want to subdivide your network even more finely. Or if ISPs ever start handing out smaller prefixes.
> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).
Sure, that’s true. But they probably don’t hand out static addresses for IPv4 either. Not without paying extra, that’s for sure. Either way if you want some static identifier for your computer(s) then the solution is the same: DNS.
Of course if you _are_ running a corporate network with a bunch of VLANS like that then you should actually get your own prefix from your RIR rather than from your ISP. Then you purchase IP transit services from your ISP rather than consumer internet access. You can then advertise your prefix(es) via BGP. Again, this is exactly what you would do for IPv4. Same software, same configuration, just longer addresses. The main advantage of this extra work is that you can keep your addresses static even if you move to an entirely different ISP. You can also use the same addresses over multiple connections to multiple ISPs for better redundancy.
This is a good overview. I think the difficulty with IPv6 is that people rely on all of the crutches invented for IPv4 as features: private addressing NATing gives you security (it doesn't) and portability (it does), IPv6 usually uses subnets per physical location making failover difficult, where as IPv4 will use bgp announcements to failover public IPs, etc. I'm not saying one way is better than the other, just that IPv6 is pretty different and people very much have a IPv4 world view.
I'm very surprised by the questions in this thread. There are some extremely basic things people are just not understanding. I suspect people hating on IPv6 have not spent the time with it. There is a difficulty in that it does behave quite differently to IPv4, and the lack of private addresses are also probably a shock.
The basic thing proponents don’t understand is that nobody in their right mind can intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type for absolutely no benefit to the non-network engineer. And there are infinitely more people with home routers and a few dozen devices than there are people running ISPs, fortune 500s, and data centres. Play with your convolution all you want, in 20 years the rest of us will still be happily assigning 192.168.x.x and ignoring it. V4 space running out is a no more the average persons problem than undersea cables or certificate authority.
What’s the pragmatic solution to ipv6 allowing everybody in my household to be trivially and stably mapped to a unique subnet? I like the accidental semi-randomization that ipv4 and ISP NAT offered and I don’t see anything like it short of putting my entire home net on a VPN (it’s expensive and can’t keep up with my ISP’s bandwidth)
Each device gets directly addressable from WAN with v6 but it also gets a randomised privacy IP that rotates very frequently so each individual device is just as "hidden" as it was with v4+NAT.
Your v6 subnet prefix is no different than whatever WAN-side v4 your NAT had. "Accidental semi-randomization" of the WAN side IP is not something one could reliably count on. Many ISPs just hand over a static-like IP, that is, even when it's supposed to be random the pool of IPs is so constrained that it's usually the same simply through the IP lease surviving power cycling. And that was before CGNAT.
If your concern is being identifiable through your IP then counting on whatever v4 artifact is the wrong move. Use a VPN with randomised exit nodes.
It's true that you won't get CGNAT without having CGNAT. Depending on your concern, it is possible to NAT66 to make your entire network appear as one IP.
I don’t think that’s true. But of course it depends how you’re measure the majority of websites.
Most of the figures I see show 60-70% of the top 100 sites do support it. But maybe that does not reflect your usage.
Why do you need it? Maybe you don’t right now since ipv6 only sites are niche. The most tangible advantage I’ve seen is avoiding CGNAT. Gamers in particular don’t like that because it introduces latency. Services like Xbox live definitely do support ipv6 for this reason.
I guess it would, but remember there are more services out there than just HTTP(S).
For example the last time I had an IPv6-only host I had issues cloning things from github, as "git clone git@github.com..." failed due to github.com not having IPv6 records.
I need to switch my home network to at least use IPv6 externally, because my ISP recently deployed CG-NAT, which made my SSH server that used to work no longer reachable from outside of my LAN.
Hot take: IPv4 might be techinically worse, but it's "politically" (in the classic sense of the word) better.
IPv6 essentially enables "universal internet IDs" for every device, which could streamline a lot of things, but enable a lot of weird surveillance/power balance issues that the cruft of IPv4 is actually incidentally helping guard against.
Again, I'm old enough to remember when e.g. the ISPs were going to try to charge per device in each household.
This hasn’t been the case in decades, every OS defaults to randomly generating the trailing 64 bits of your address and cycling through new addresses periodically. Your IPv6 address is only fixed to your device if you choose to configure it that way.
Since the network half (leading 64 bits) is as fixed as your IPv4 address was, and the host half is random and constantly changing, an IPv6 address is exactly as uniquely identifying as an IPv4 address used to be.
> It's unfortunate, but IPv6 doesn't really solve any problems for a home user.
CG-NAT and strict NAT in general. Newer ISPs often force users onto CG-NAT, and my consoles have had numerous issues with NAT in general over the years. ISP routers also often make fixing this an opaque or impossible problem for the user.
I don’t think IPv6 is the best thing ever, but I do think it solves the problems IPv4 did along with some annoying issues IPv4 struggled with.
It does make it easier. IPv6 pinholes are simpler than port forwarding. My IPv4 is not static but my IPv6 prefix is. So I don’t need dynamic DNS. I have no IPv4 port forwards, instead I run snid on a VPS to support legacy internet clients and call it a day.
So you basically have a cloud server and a domain with a wildcard record, and you then forward IPv4 through IPv6?
I think this somewhat proves my point that IPv6 doesn't solve much for self-hosting. You still need some kind of working IPv4 setup. You are using IPv6 in place of either a reverse proxy or something like tailscale, which I suppose is more convenient.
the reason why I explicitely disable ipv6 cause "this shit don't work" (at the moment, will probably change in the future)
- random slowdowns
- horrible routing
- larger packet overhead
- hated by a lot of the people who run the internet
- hated by companies who provide ddos protection
- my poor TCAM cache in my budget routers
- supporting ipv6 is really expensive in chassis routers
However, I believe there is a solution:
Swap ISP's to IPv6 only, swap to IPv4 unless there is an IPv6 route present then directly forward. This solves quite a few issues: Once every ISP has IPv6 you can drop ipv4 and swap directly to ipv6 without having to split your TCAM. This works because IPv6 can encode IPv4 in it.
In my direct experience, in the USA, at least Spectrum, AT&T, and Xfinity (Comcast) still run IPv4, of course, but they also have IPv6 working and on by default on their home internet offerings.
All mainstream computer and mobile OSes support it by default and will prefer to connect with it over IPv4.
‘Everyone’ in many areas is using it. For many of us, our parents are using Facebook and watching Netflix over it. Over 50% of Google’s American traffic is over it. It just works.
Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.
Combined with the lack of DHCP6 support in many devices, this means reverse DNS lookups from IP to hostname can't be done, making identifying devices by their IP essentially impossible.
IPv6 also has local addresses, but a lot more of them. Anything starting with fd00::/8 is a local address with 40 bits available as the network number. So you can set up your local network with the prefix fdXX:XXXX:XXXX::/48 (where the Xs are chosen randomly) as the prefix and still have 16 bits left over for different subnets if you want. These addresses do not change when your ISP changes your public prefix.
And if you want to add reverse dns for SLAAC addresses then just have your router listen for ICMPv6 Neighbor Announcement addresses and use them to update your DNS server as appropriate. Or configure your servers to use stable addresses based on their MAC address rather than random addresses (which are better for privacy), and then just configure the DNS as you add and remove servers.
So I don’t have the changing ip issue. I do however have an issue if I want to change ISP as it’s a whole mess of rules to update rather than a couple of dns entries and two dst nat rule (one per public IP)
I believe the idea in v6 if you have multiple prefixes on the same network - including a local fc00::/7 one for local services. Layers and layers of things to break.
For example, I recently attended the IETF meeting in Montreal, which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.
My router doesn’t support 64, so I have to use my isp’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.
Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations
Perhaps lost of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 natting device) why bother running two networks, double the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLACC make it harder to work out what devices are on the network, many end user devices are user hostile now and keeping control of them on v4 alone is less work than in v4 and v6.
Yes, it does. You just have each of your routers (wired and 5G) advertise the /64 prefix delegated by each of your ISPs. Your hosts will self-assign a v6 address from each prefix.
To control which link the traffic uses, you just assign router priority in the router advertisement (these are all standard settings in radvd.conf).
> Things like SLACC make it harder to work out what devices are on the network
Again, not true. If you really don’t trust your devices, then DHCP isn’t going to save you. Malicious hosts absolutely can self assign an unused v4 address, and you’ll be none the wiser if you just look at your DHCP leases.
For example, I recently attended the IETF meeting in Montreal--practically the epicenter of v6 thinking--which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.
Until you want to like, use GitHub.
Can someone explain why it's ambiguous?
On the subject, IPv6 is one of the strangest inventions on the internet. Its utility and practically are obvious no matter how you look at it except... just one thing.
Network-related things are generally easy to remember and then type from memory: IPv4, domain names, standard port numbers. Back in the day it was the phone numbers, again, easy to remember and dial when you need it. IPv6 is just too long and requires copy/paste all the time. This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.
2000::1::1 could be 2000:0000:0000:0000:0001:0000:0000:001, or 2000:00000000:0001:0000:0000:0000:001
There's ambiguity on where to fill in the five groups of 0000 in the second case.
Edit: Whoops. Didn't read what the above post was in response to. My bad.
I do get that but I also get 'There are so many I could have all I wanted ... or I could if any of our fiber ISPs would support it, that is'
That becomes 2001:0c2d:4308::/48 instead
After that you just need to remember the subnet number and the host number. If you remember 12.45.67.8 maps to 192.168.13.7 you might have
2001:0c2d:4308:13::7
So subnet “13” and host “7”
It’s not much different to remebering 12.45.67.8>192.168.13.7
I was sort of expecting that this week.
I had to transcribe a v6 addy for a WAN-WAN test (a few mi apart).
That's when I noticed that Charter (Spectrum) had issued
ref: https://bgp.he.net/AS33363#_prefixes6IPv6 was designed by political process. Go around the room to each engineer and solve for their pet peeve to in turn rally enough support to move the proposal forward. As a bunch of computer people realized how hard politics were they swore never to do it again and made the address size so laughably large that it was "solved" once and for all.
I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
My personal preference would have been to open up class E space (240-255.*) and claw back the 6 /8s Amazon is hoarding, be smarter about allocations going forward, and make fees logarithmic based on the number of addresses you hold.
IPv4 was not designed as such, but as an academic exercise. It was an experiment. An experiment that "escape the lab". This is per Vint Cerf:
* https://www.pcmag.com/news/north-america-exhausts-ipv4-addre...
And if you think there wasn't politics in iPv4 you're dead wrong:
* https://spectrum.ieee.org/vint-cerf-mistakes
> IPv6 was designed by political process.
Only if by "political process" you mean a bunch of people got together (physically and virtually) and debated the options and chose what they thought was best. The criteria for choosing IPng were documented:
* https://datatracker.ietf.org/doc/html/rfc1726
There were a number of proposals, and three finalists, with SIPP being chosen:
* https://datatracker.ietf.org/doc/html/rfc1752
> I firmly believe that if they had adopted any other strategy where addresses could be meaningfully understood and worked with by the least skilled network operators, we would have had "IPv6" adoption 10 years ago.
The primary reason for IPng was >32 bits of address space. The only way to make them shorter is to have fewer bits, which completely defeats the purpose of the endeavour.
There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
> There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.
That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers that could have been used to flag that the first N bytes of the payload were an additional IPv4.1 header indicating additional routing information. Packets would continue to transit existing networks and "4.1" capable boxes at edges could read the additional information to make further routing decisions inside of a network. It would have effectively used IPv4 as the core transport network and each connected network (think ASN) having a handful of routed /32s.
Overlay networks are widely deployed and have very minor technical issues.
But that would have only addressed the numbering exhaustion issues. Engineers often get caught in the "well if I am changing this code anyway" trap.
Except if you're using a mobile phone, in which case many telcos hand out only IPv6 addresses to handsets. 2018 NANOG presentation "T-Mobile's journey to IPv6":
* https://www.youtube.com/watch?v=d6oBCYHzrTA
From 2014, "Case Study: T-Mobile US Goes IPv6-only Using 464XLAT":
* https://www.internetsociety.org/deploy360/2014/case-study-t-...
But who cares about mobile phones, right? They're only second-grade devices.
I'm used to cablemodems with static ipv4 for months basically until mac changes
* https://en.wikipedia.org/wiki/IPv4_shared_address_space
ref:https://old.reddit.com/r/tmobileisp/comments/1gg7361/why_is_...
I booted an LTE router using a T-Mobile SIM.
Within an hour I had two different WAN IPs from AS749 US-DOD NIC (in 33.79.135.0/24 & 21.140.100.0/24).
They were cgnat'd behind TMble's advertised asn.
They're probably using CG-NAT, though IP changes that often is a bit aggressive.
Because you don’t know how many zeroes are on each side around the 0001 in the middle.
It can be 2000:0000:1:0000:0000:0000:0000:1 or 2000:0000:0000:0000:0000:1:0000:1 etc.
IPv4 also has a similar, though rarely documented or utilized, shortcut system. Try `ping 1.1` for example. It expands to 1.0.0.1.
Your link does not show different addresses from a valid compression, it shows different addresses from an invalid compression.
Conversely, if we compress the expanded addresses in your link, we will get 2 different compressed addresses.
In IPv4 you also have 127.257 equal to 127.0.1.1, 123456789 equal to 7.91.205.21, and 010.010.010.010 is a well-know DNS server. This notation is also rejected by most implementations.
I was reminded of this 2d ago; I was testing one IPv6 WAN from another. DDNS had failed so I didn't have my usual crutch to lean on.
The length of the addresses and the clunky nature of their ASCII representation is absolutely the #1 reason the IPv6 has taken this long. User experience is the most powerful force affecting large scale adoption, and IPv6 has poor UX.
I think the UX is partly fixable by creating less horrible ASCII representation, but this would take a lot of coordination that was hard even back then and is virtually impossible now. If someone told me in 500 years we're still running dual-stack IPv4/IPv6 absolutely unchanged, I'd believe it.
E.g. 2600:15a3:7020:4c51::52/64 is not too horrible but 2600:15a3:7020:4c51:3268:b4c4:dd7b:789/64 is a monster by unrelated intent of the client.
"Modern" tooling in the consumer space is pretty dire for IPv6 support too. The best you can reasonably get is an IPv6 on the WAN side and then just IPv4 for everything local. At least from the popular routers I've experienced lately.
Of course I know why. If you turn it on it slightly increases edge case issues as complexity always does. Most people don’t actively need it so nobody notices.
Privacy extensions are worthless because there are just sooooo many ways to fingerprint and track you. If you are not at least using a VPN and a jailed privacy mode browser at a bare minimum, you are toast. If you’re serious about privacy you have to use stuff like Tor.
V6 privacy extensions are like the GDPR cookie nonsense: ineffective countermeasures with annoying side effects.
SLAAC sucks too. They should have left assignment up to admins or higher level protocols like with V4. It’s better that way.
I guess it could be possible to implement sort of mnemonic phrases for addresses, à la bip-39, but it would be just trading one kind of pain for another.
Posed as a question, disingenuously.
You know the list of "benefits" is thin when the second item is entirely theoretical. Even though IPv6 doesn't have to do NAT traversal, it still has to punch through your router's firewall which is effectively the same problem. Most ISP provided home routers simply block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.
Even if that were not an issue, my bet is that there are close to zero popular games that actually use true peer to peer networking.
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-link does not give two cents to security in their products.
> And no, I'm not being pedantic
You very much are.
Customer edge routers are expected to contain firewall (see RFC 7084 and RFC 6092).
This has worked for me well for a couple years. I do use a VLAN to keep the IPv6-only network separate (homelab) from video streamers in the household.
In my pf.conf:
and in /var/unbound/etc/unbound.conf: Done. I don't have 464XLAT on Win11 but I do want to know if there's a hard coded IPv4 address anyway. I never had an issue.- My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.
- Linode allows transferring v4 addresses between machines, so if I need to rebuild something I can do so without involving my client who usually has control over DNS. They do not support moving v6 addresses, which means that the only sites I have control over that support v6 are the ones that I control DNS.
Making IPv6 a thing seems like it would be super easy if a couple hours could be spent solving a bunch of dumb lazy problems.
Being a priority doesn't mean it's high priority. It could be a priority, but the lowest ranked one, so other stuff always comes first. :P
T-Mobile wireless US is pretty invested on IPv6, so if they take over the network, they may well push it.
It was a painful experience of trying to work out if I had misconfigured it, if it was something to do with my opensource router software or if it was my ISP or the end services. I didn't get to the end of working this out and reporting issues and I just gave up. Due to the intermittent nature of the issues I was facing I never managed to get a report of issues my ISP would accept.
So I'll give it some time and give it a try after a year and see if things have improved, but it was definitely not ready for prime time.
[1] https://www.cac.gov.cn/2025-05/20/c_1749446498560205.htm
I said the same thing for 6-6-16 too.
In theory this makes sense, but in practice my personal experience is that not a single wireline ISP I've ever seen deploy CG-NAT offered IPv6 service at all, nor did any of them indicate any intent or even interest when asked about it.
The mobile providers on the other hand have almost entirely gone IPv6-first, using 6>4 transition methods as the default form of v4 access which I fully support.
4>4 CG-NAT should never have existed and providers who deploy it without offering fully functional v6 should be shamed.
I suspect that what will actually end up being implemented, will be a core subset of the spec.
We'll have to see what's still standing, when the dust settles.
Look at Bluetooth, for an example, or TIFF.
I printed out the Bluetooth spec once, just for Ss and Gs. It was over 2,000 pages (double-sided).
I once tried writing a fully-compliant TIFF reader. Didn't go so well.
It does not "disable" DHCPv6. It does not support DHCPv6. Android (really Lorenzo Colitti) in/famously WONTFIX adding DHCPv6 client support:
* https://issuetracker.google.com/issues/36949085
Of course after over a decade of denying that Android needs some kind of DHCP in IPv6, it seems that Android may finally be getting some kind of solution:
* https://android-developers.googleblog.com/2025/09/simplifyin...
* Via: https://blog.ipspace.net/2025/09/android-dhcpv6-prefix-deleg...
Hopefully, having admitted (?) the error of their ways with being SLAAC-only they'll also add 'regular' DHCPv6 in addition to DHCPv6-PD.
I have used these on my network and office to move to IPv6-only for Android.
What about lack of DHCPv6 prevents you from using IPv6 on Android?
Works great for me.
Use MAC as the key for firewall and monitoring. Then you don't have multiple rules per device.
- How to ensure there are no collisions in address space? Translates to, how to pick safe addresses, is there a system?
- How do I route from an external network resource to an internal network resource? Translates to, can you provide syntax on how to connect to an smb share? Set up a web service that works without WireGuard or equivalent?
- How does one segment networks, configure a vlan, set up a firewall?
- Use global/public addresses on all your devices (using something like prefix delegation) or use NAT.
- Same as IPv4. Prefix delegation will let your ISP assign you multiple networks, and then most routers will break these up into /64 networks for each of your VLANs.
- Open holes through firewalls, point DNS at the address, and it should just work, the joys of actually having public addresses.
- Same way as with IPv4 mostly. The only real difference is because SLAAC assumes a /64 you probably want your networks to be at least that big.
But come on! It is a legitimate question, do you just scramble keys when picking an address?
> the joys of actually having public addresses.
If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).
No. Your ISP or tunnel broker gives you a network prefix. Then you configure SLAAC to use that prefix and hand out addresses within it. Job done.
For example, the prefix might look like 2001:470:e904::/48. Your computers can use any addresses you want as long as they start with that prefix. Since you don’t want to manually hand out addresses to every computer, you configure a router to hand out addresses via SLAAC. Your computers will use SLAAC to discover the prefix from the router, then fill in the bottom 64 bits of the address with a random number. They then ask the local network if anyone is using that full address. If not then they are done and have a working address. If somehow someone is using that address then they try again with a different random number. Servers that want a fixed address will just use their network card’s MAC address (or anything similar, if you want) instead of a random number. The protocol is the same either way.
Notice that this actually gives you some bits of your own to play with, if you want. The full address is 128 bits long. The first 48 were used by the prefix and the bottom 64 by the individual devices, leaving 16 bits in the middle. You could tell your router that the prefix for SLAAC is 2001:470:e904:42::/64, for example, and then use the other subnets for other purposes. Maybe 2001:470:e904:beef::/64 is a special subnet just for your meat freezer and associated monitoring equipment. I don't know, you get to make these things up for yourself. Maybe you manage a corporate network that has a separate VLAN for phones than for normal PCs, and a third VLAN for the guest WiFi. You can give them each a different prefix by embedding the VLAN id into the prefix you advertise via SLAAC.
There’s also DHCPv6 if you want even more control over which addresses are handed out, or you want to subdivide your network even more finely. Or if ISPs ever start handing out smaller prefixes.
> If your ISP gives you a static IPv6. Unfortunately in Germany none of the ISP for private users does (last I checked).
Sure, that’s true. But they probably don’t hand out static addresses for IPv4 either. Not without paying extra, that’s for sure. Either way if you want some static identifier for your computer(s) then the solution is the same: DNS.
Of course if you _are_ running a corporate network with a bunch of VLANS like that then you should actually get your own prefix from your RIR rather than from your ISP. Then you purchase IP transit services from your ISP rather than consumer internet access. You can then advertise your prefix(es) via BGP. Again, this is exactly what you would do for IPv4. Same software, same configuration, just longer addresses. The main advantage of this extra work is that you can keep your addresses static even if you move to an entirely different ISP. You can also use the same addresses over multiple connections to multiple ISPs for better redundancy.
Your v6 subnet prefix is no different than whatever WAN-side v4 your NAT had. "Accidental semi-randomization" of the WAN side IP is not something one could reliably count on. Many ISPs just hand over a static-like IP, that is, even when it's supposed to be random the pool of IPs is so constrained that it's usually the same simply through the IP lease surviving power cycling. And that was before CGNAT.
If your concern is being identifiable through your IP then counting on whatever v4 artifact is the wrong move. Use a VPN with randomised exit nodes.
As far as I know, the majority of websites (about 70%) do not support IPv6.
If you have a mobile device with data, you’re likely already using it.
You can share that IP address by putting multiple hosts on the same local network. NAT was invented because of lacking enough addresses.
Most of the figures I see show 60-70% of the top 100 sites do support it. But maybe that does not reflect your usage.
Why do you need it? Maybe you don’t right now since ipv6 only sites are niche. The most tangible advantage I’ve seen is avoiding CGNAT. Gamers in particular don’t like that because it introduces latency. Services like Xbox live definitely do support ipv6 for this reason.
For example the last time I had an IPv6-only host I had issues cloning things from github, as "git clone git@github.com..." failed due to github.com not having IPv6 records.
A quick search revealed this open 3+ year old discussion - https://github.com/orgs/community/discussions/10539
IPv6 essentially enables "universal internet IDs" for every device, which could streamline a lot of things, but enable a lot of weird surveillance/power balance issues that the cruft of IPv4 is actually incidentally helping guard against.
Again, I'm old enough to remember when e.g. the ISPs were going to try to charge per device in each household.
Since the network half (leading 64 bits) is as fixed as your IPv4 address was, and the host half is random and constantly changing, an IPv6 address is exactly as uniquely identifying as an IPv4 address used to be.
I don't really see that coming again and if it does you can just do NAT66 just like you can do NAT4.
But, network effects.
Try connecting to your IPv6-only service on Hotel WiFi -- you usually can't.
It's unfortunate, but IPv6 doesn't really solve any problems for a home user. And I say this as someone that has deployed IPv6 at home before.
CG-NAT and strict NAT in general. Newer ISPs often force users onto CG-NAT, and my consoles have had numerous issues with NAT in general over the years. ISP routers also often make fixing this an opaque or impossible problem for the user.
I don’t think IPv6 is the best thing ever, but I do think it solves the problems IPv4 did along with some annoying issues IPv4 struggled with.
So you basically have a cloud server and a domain with a wildcard record, and you then forward IPv4 through IPv6?
I think this somewhat proves my point that IPv6 doesn't solve much for self-hosting. You still need some kind of working IPv4 setup. You are using IPv6 in place of either a reverse proxy or something like tailscale, which I suppose is more convenient.
- random slowdowns
- horrible routing
- larger packet overhead
- hated by a lot of the people who run the internet
- hated by companies who provide ddos protection
- my poor TCAM cache in my budget routers
- supporting ipv6 is really expensive in chassis routers
However, I believe there is a solution: Swap ISP's to IPv6 only, swap to IPv4 unless there is an IPv6 route present then directly forward. This solves quite a few issues: Once every ISP has IPv6 you can drop ipv4 and swap directly to ipv6 without having to split your TCAM. This works because IPv6 can encode IPv4 in it.