[matrix2003]

Why do dynamic address allocations matter? Most IPv4 consumer WAN addresses are also dynamic.

I’m asking, because I’m an advocate of having your gateway advertise a separate, stable ULA /64 in conjunction with the globally-routable dynamic /64.

This gives you a stable set of addressable LAN IPs, and you can usually ignore the dynamic globally routable IPs.

Granted this won’t work for everyone, but if dynamic global addresses are an issue, you should be requesting a plan that supports a static delegation from your ISP anyway.

[vetinari]

It matters, because when the prefix changes, it changes IP addresses of every single device in your network.

As you wrote, internally, you can use ULA. But you cannot open access from outside, because your firewall rules will become invalid with prefix change. With classic IPv4 NAT, your internal addresses don't change, so your port forwarding works, even if the WAN address changes.

Together, with a single /64 -- which means no subnets for you -- you are getting worse deal than with IPv4. You shouldn't have to contact your ISP for a plan (for a premium, obviously), that allows you to segment your network or open access to specific devices. What's the use of direct connections -- the IPv6 promise -- when you cannot use them anyway?

In short, with limitations like these, you are getting a bad deal.

[xrisk]

I don’t know what router you use, but openwrt lets you set firewall rules that only match the last 64 bits. This should solve your problem, provided you configure your router to hand out static IPv6 leases to devices.

[vetinari]

There are wildly different solutions for different routers.

I'm using Mikrotik, which doesn't allow prefix-less addresses in firewall, but allows you to put hostnames into your rules (so it will ask DNS what the address is and once the ttl expires, it will ask again).

On some CPEs (I don't remember which), it allowed to enter mac addresses, so the forwarding would always work for specific device, with any GUA address.

But we have to remember, that all these solution are optional and brand-specific; there's a wide range of devices that do not have anything to solve this problem.

[thedanbob]

> It matters, because when the prefix changes, it changes IP addresses of every single device in your network.

My solution for my home network was to write a script that periodically checks my IPv6 prefix and updates the firewall rules and DNS if it ever changes. It doesn't feel like a great way to do it but it seems to work.

[matrix2003]

Could you NAT the router WAN external address and route it to a static ULA?

I think the more elegant solution is to use static IP space for hosting services, but most of us home users aren’t used to that.

[withinboredom]

A /64 is a literal ton of subnets. Not sure what you mean by that.

[kbolino]

SLAAC requires the bottom 64 bits to be part of the host portion of the address. A network prefix larger than /64 limits SLAAC to providing link-local addresses only, which means another mechanism needs to provide routable addresses, such as DHCPv6. That, in turn, prevents the use of privacy addresses.

[vetinari]

DHCPv6 is also optional, clients do not have to support it; some do not support it intentionally. So for example, any Android device won't be up and running on SLAAC-less network.

[preisschild]

Having an extra 1:1 ipv6 NAT for ULA is added complexity that wouldn't be neccessary if you just give out static addresses.

Its not like IPv6 /56 subnets are expansive. Just give each customer a full /56 net and you are done.

[matrix2003]

I think the OC was arguing that if your global /64 changes, the firewall rules would change as well for any hosted services.

I proposed that you might be able to route the external router’s WAN to a ULA via NAT to save in complexity when the PD changes, but I agree that a static delegation would by far be the easiest. Us home hosters aren’t used to that even though it is technically against the license agreement more often than not.