[magicalhippo]

> I don't understand why people are so negative about IPv6. [...] It just works!

Networking is a lot more than being able to ping a single host.

As a concrete counter-example, IPv6 routinely broke for me when I was using pfSense as a router. Why? Because pfSense, with no way of disabling this behavior, published its public IP as the DNS server for internal clients.

So each time I got a new prefix from my ISP, which happens about once a week or more often, machines stopped being able to perform DNS lookups for hours or until I rebooted them.

And, if I had bothered configuring IPv6 firewall rules, those would have had to be reconfigured manually with the new prefix. I understand this is mostly fixed in pfSense recently, but this was the case for many, many years.

Another counter-example is that Android only supports SLAAC, and SLAAC only supports providing a few key infrastructure details like router and DNS. If you want to tell the Android client something else, like NTP server, you're outta luck. Also, if Android successfully gets an IPv6 address via SLAAC, it requires the DNS server IP to also be an IPv6 address. So your internal DNS server must then also serve on IPv6. If that wasn't the case, it would just silently use Google's own DNS servers, breaking any local configuration you had.

Another point is that a lot of us tried using IPv6 decades ago, and so we still have scars from that time. IPv6 today is a lot better, but I still have a lot of IPv6 frustration associated with it from 15-20 years ago.

[MaKey]

> And, if I had bothered configuring IPv6 firewall rules, those would have had to be reconfigured manually with the new prefix. I understand this is mostly fixed in pfSense recently, but this was the case for many, many years.

Why would you have to reconfigure your firewall rules when you're getting a new IPv6 prefix?

[magicalhippo]

> Why would you have to reconfigure your firewall rules when you're getting a new IPv6 prefix?

Because the IP address of the target changes when you get a new prefix.

There's some discussion in this[1] old pfSense ticket.

With IPv4 you typically do address translation (NAT) and so the internal target address is not tied to the global address.

[1]: https://redmine.pfsense.org/issues/6626

[delotrag]

My consumer router uses iptables under the hood, so it accepts a mask in the firewall rule (so e.g. I can do ::0123:4567:89ab:cdef/::ff:ffff:ffff:ffff:ffff as a target, and when my /56 changes, the rules Just Work™)

[magicalhippo]

It seems iptables has been ahead there.

But I think it further strengthens my case, software support for IPv6 has been quite spotty over the years, which combined with the less-than ideal deployments out there has made things frustrating for many users over the past couple of decades.

[happymellon]

> As a concrete counter-example, IPv6 routinely broke for me when I was using pfSense as a router. Why? Because pfSense, does really bad things.

I mean, I have a router that is trash with IP4. Therefore IP4 is trash!

[magicalhippo]

Please don't put words in my mouth. I did not say "Because pfSense, does really bad things."

How pfSense works is fairly reasonable if every IPv6 deployment had been as the original designers intended, ie you have a static prefix.

It's just that the way IPv6 ended up getting deployed in practice was often not aligned with that original vision. And that has been a large source of IPv6 frustration.

[gertrunde]

There's a few things here that are a bit iffy tbh!

I can't see why an ISP is dynamically changing the IPv6 addressing for a client, but if that's what is going on, then v6 NPT is your friend (RFC6296 - https://datatracker.ietf.org/doc/html/rfc6296).

But pfsense's behaviour is a bit iffy too, unless when you say 'public IP', you mean the IPv6 address being used on the pfsense facing the clients? (I'm assuming it's using DHCPv6 prefix delegation, and the delegation is being changed? And potentially the uplink subnet as well).

[direwolf20]

It's a legal requirement in Europe for privacy. A long term static address is a personal identifier.

[illiac786]

How could this be a legal requirement and at the same time you can purchase static IPs as a paid option from ISPs, like I did?

[direwolf20]

You're allowed to consensually waive your own privacy rights.

[anikom15]

Does the mailman come around and change house numbers and street names every month, too?

[pmezard]

Any vague source for that?

Asking as a European who did not have his IPv4 address changed for months or even years. Or is it IPv6 specific? But I cannot see why.

[illiac786]

opnsense can use the delegated prefix for DHCPv6, it then automatically becomes the “LAN net” firewall alias and you can refer to it in a firewall rule I believe. I assume it’s the same for pfsense and I suspect they are not the only ones.

[magicalhippo]

> v6 NPT is your friend

So NAT is the one true solution after all.. /s

> unless when you say 'public IP', you mean the IPv6 address being used on the pfsense facing the clients?

Well, that's kinda the thing, pfSense seems to assume global means it's also the IP facing the local clients. I couldn't get pfSense to advertise its ULA as the DNS server for example. But if you have a static prefix, that's not a bad assumption. And a static prefix is what the IPv6 designers envisioned.

> I'm assuming it's using DHCPv6 prefix delegation, and the delegation is being changed?

ISP indeed uses DHCPv6 prefix delegation. The prefix I get can change "randomly". It always changes when my router or modem reboots, but other times too (perhaps when their equipment reboots).

I should note that after getting very frustrated with pfSense, I threw it away a few years ago and switched to OpenWRT which has worked much, much better when it comes to IPv6.