For my own networks I use the private range internally (fd00::/8). That way the addresses remain the same when we move or change the pipe to a bigger one. Also, they can be routed, just not on the Internet. It's easy to join remote networks over wireguard and there's plenty of room for experimentation.
Do you actually own that /48? The problem with using the globally routable addresses internally is that your public /48 might change in the future, and and that will force you to change a bunch of internal stuff.
I have my router set up to advertise two /64 prefixes on each LAN subnet: one from fddd:deca:fbad::/56* that I use for all internal communication, and one from 2001:5a8:xxxx:xxxx::/56 that is only used for talking to the internet. Every device I've ever tested supports this configuration flawlessly, including linux/apple/windows laptops, apple/android mobile devices, an IoT vacuum, and a 10+ year old VoIP phone.
My router is a Linux PC, so I can configure radvd however I want (no GUI, I just edit the configs over SSH). Maybe home routers won't let you do this.
* You're really supposed to pick a random prefix in fd00::/8, but uniqueness only matters if you intend to merge networks with somebody else later, I care more about it being easy to remember.
So I decided to use Free Range Cloud service provider to lease a /48, which cost me around C$10/year. I also used their tunnel service to then route this over to me.
The link embedded in the pull quote is [0], which isn't maximally helpful, but it's useful. Approximately 60 seconds of poking around there brings us to [1], which quotes a "ARIN - /48 IPv6 lease ... Use on our network or yours" for $8/year with a $2 setup fee. That sounds a lot like what's mentioned in TFA.
Ideally it'll be standard that your DHCP will assign you both an internet IP from your ISP-provided prefix (dynamic or static), and private IP from a ULA prefix, which can be made static through address reservation.
> * You're really supposed to pick a random prefix in fd00::/8, but uniqueness only matters if you intend to merge networks with somebody else later, I care more about it being easy to remember.
If you don't care about collision resistance, why didn't you pick fd00:: ? That's way easier to remember than that jumble of letters you selected. It's actually my go-to subnet when someone claims that local-only IPv6 addresses are "hard to remember". fd00::1 is notably shorter than 10.0.0.1.
In my experience the ISP generally fixes a /64 for each customer. So if in the future you change your ISP, you might want to keep the remaining addresses same while just using a script to replace the preceding /64 address.
I find it much simpler for troubleshooting etc to have simple IPv4 addresses. But cool that it can be done :)
I've switched off IPv6 on my router anyway, I haven't yet needed it. My provider didn't offer it last time I checked but when they do enable it I don't want it suddenly popping up against an untested router configuration.
I suspect I am going to be running dual stack for at least the next decade, IPv4 switch off feels very far away. I don't think there is much advantage or disadvantage to running IPv4 compared to translation. The current internet doesn't feel ready. I have had less issues with IPv6 this year compared to last so there has been some progress but I am still getting fallbacks to IPv4, some companies don't seem to care much about IPv6 outages currently.
I attempted a similar effort, and found my router had critical ipv6 vulnerabilities including binding the admin and SSH to the WAN on ipv6 (not on ipv4) , and disabling IPv6 firewall altogether so the LAN services were exposed to the internet.
I had the vendor publish their GPL drop, and their upstream vendor did not even have IPv6 support in the product ( the firmware init scripts & admin UI) . So the IPv6 support in the finished product was a rushed copy-paste of IPv4 setup.
I encourage full black box testing of your IPv6 setup, as IPv6 is not in the critical path for QA or consumers, so vulns can persist for years.
I messed with this at one point and gave up when I realized every device would have a permanent externally addressable IP within a block that is basically linked to me (good luck trying to change your IPv6 /48 every month or whatever you get with consumer IP addresses)
It’s probably not a big deal and NAT etc. is no protection but it gave me the heebie jeebies.
104 comments
I have my router set up to advertise two /64 prefixes on each LAN subnet: one from fddd:deca:fbad::/56* that I use for all internal communication, and one from 2001:5a8:xxxx:xxxx::/56 that is only used for talking to the internet. Every device I've ever tested supports this configuration flawlessly, including linux/apple/windows laptops, apple/android mobile devices, an IoT vacuum, and a 10+ year old VoIP phone.
My router is a Linux PC, so I can configure radvd however I want (no GUI, I just edit the configs over SSH). Maybe home routers won't let you do this.
* You're really supposed to pick a random prefix in fd00::/8, but uniqueness only matters if you intend to merge networks with somebody else later, I care more about it being easy to remember.
> Do you actually own that /48?
Well. From TFA:
The link embedded in the pull quote is [0], which isn't maximally helpful, but it's useful. Approximately 60 seconds of poking around there brings us to [1], which quotes a "ARIN - /48 IPv6 lease ... Use on our network or yours" for $8/year with a $2 setup fee. That sounds a lot like what's mentioned in TFA.So. You tell me?
[0] <https://freerangecloud.com/>
[1] <https://freerangecloud.com/products.php>
> * You're really supposed to pick a random prefix in fd00::/8, but uniqueness only matters if you intend to merge networks with somebody else later, I care more about it being easy to remember.
If you don't care about collision resistance, why didn't you pick fd00:: ? That's way easier to remember than that jumble of letters you selected. It's actually my go-to subnet when someone claims that local-only IPv6 addresses are "hard to remember". fd00::1 is notably shorter than 10.0.0.1.
>Do you actually own that /48?
In my experience the ISP generally fixes a /64 for each customer. So if in the future you change your ISP, you might want to keep the remaining addresses same while just using a script to replace the preceding /64 address.
I find it much simpler for troubleshooting etc to have simple IPv4 addresses. But cool that it can be done :)
I've switched off IPv6 on my router anyway, I haven't yet needed it. My provider didn't offer it last time I checked but when they do enable it I don't want it suddenly popping up against an untested router configuration.
https://lore.kernel.org/netdev/20260319151230.655687-1-ralf@...
I had the vendor publish their GPL drop, and their upstream vendor did not even have IPv6 support in the product ( the firmware init scripts & admin UI) . So the IPv6 support in the finished product was a rushed copy-paste of IPv4 setup.
I encourage full black box testing of your IPv6 setup, as IPv6 is not in the critical path for QA or consumers, so vulns can persist for years.
It’s probably not a big deal and NAT etc. is no protection but it gave me the heebie jeebies.