Preamble Pre-rambling

I’ve played with IPv6 at home a few times in the past. For my first attempt, I used one of the Hurricane Electric tunnels. I quickly experienced Netflix blocking traffic from it, and also learned about the IPv6 peering saga between Hurricane Electric and Cogent.

For my second attempt, I leased a /48 from Free Range Cloud and back-hauled it from a VPS through a WireGuard tunnel.

Overall it was neat, but HE wasn’t practical for serious use, and adding latency by back-hauling internet traffic to a VPS didn’t seem very practical either.

When I finally decommissioned my EdgeOS router and switched to clammy-ng, I didn’t bother keeping IPv6 alive.

After migrating, I noticed some occasional external IPv6 packets when watching raw traffic on the WAN interface. I made a few attempts at enabling DHCPv6 via systemd-networkd settings, but that wasn’t enough to get it over the line. I read a bit about needing to solve for handling the prefix delegation, but I struggled to understand why I wasn’t getting an IP on the WAN interface. (Because you don’t need one, I learned later.)

Trying again and it actually working.

Jeff Geerling recently made a casual social media post that he was tearing down IPv6 at home out of an excess of legitimate frustration. I totally get it–and respect it. Sometimes you need your technology to not be a science project, and must accept the limitations of what you have. There’s not always time to live a technologically principled life 24/7.

Somehow that post inspired me to try again. Most likely because I’ve sold out to the robot this year and consequently, I have a pretty cool workflow for managing my home infrastructure.

It was annoying. For example: I use netplan to manage my router’s network interfaces. Well, netplan doesn’t support all the extra parameters that systemd-networkd needs regarding accepting and distributing router advertisements. The fix is to use a systemd-networkd drop-in, which is basically an overlay file that goes into a folder named after your interface config. I extended clammy-ng’s netplan ansible role to generate a drop-in based on some netplan context.

Config Learnings

Verizon does not provide an address (aka an IA_NA?) for your WAN interface. In fact, it sends a message saying it’s not providing one. That seemed to confuse networkd a bit, causing the RA to be overlooked, so we have to explicitly say UseAddress=false. The WAN uses a link-local IPv6 connection to Verizon to receive the router advertisements.

Verizon router
  |  RA: link-local default gateway
  |  DHCPv6-PD: dynamic /56
  v
wan on clammy-ng
  |  systemd-networkd selects subnet ID 1
  v
user-vlan: delegated /64
  |  Router Advertisements + SLAAC
  v
user clients

Here’s the networkd drop-in I used for my WAN interface.

[Network]
IPv6Forwarding=yes

[DHCPv6]
PrefixDelegationHint=::/56
WithoutRA=solicit
UseAddress=false
UseDelegatedPrefix=yes
RapidCommit=false

[IPv6AcceptRA]
DHCPv6Client=always

I started with just delegating a prefix to my user VLAN, and opted to just call it subnet ID one. Here’s my networkd drop-in for my user VLAN interface:

[Network]
DHCPPrefixDelegation=yes
IPv6SendRA=yes
IPv6Forwarding=yes

[DHCPPrefixDelegation]
UplinkInterface=wan
SubnetId=1
Announce=yes

[IPv6SendRA]
EmitDNS=yes
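
To make the SubnetId arithmetic concrete, here is an added Python example (mine, not code from this post or from systemd-networkd) that reproduces what the [DHCPPrefixDelegation] SubnetId= setting does: it takes the delegated /56 and a subnet ID and returns the /64 that ends up announced on the VLAN, plans IDs for several VLANs while refusing duplicates, and checks whether the ISP honored the PrefixDelegationHint. The prefix 2001:db8:1:100::/56 and the VLAN names are constructed placeholders from the documentation range, not the author’s real allocation.

```python
import ipaddress
from typing import Dict


def delegated_subnet(pd_prefix: str, subnet_id: int,
                     new_prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Mirror networkd's SubnetId= selection: the subnet ID fills the bits
    between the delegated prefix length and new_prefixlen (default /64).
    A /56 leaves 8 spare bits, so valid IDs are 0..255."""
    pd = ipaddress.IPv6Network(pd_prefix, strict=True)
    spare_bits = new_prefixlen - pd.prefixlen
    if spare_bits < 0:
        raise ValueError(f"cannot carve a /{new_prefixlen} out of {pd}")
    if not 0 <= subnet_id < (1 << spare_bits):
        raise ValueError(
            f"SubnetId={subnet_id} does not fit in {spare_bits} spare bits")
    base = int(pd.network_address) | (subnet_id << (128 - new_prefixlen))
    return ipaddress.IPv6Network((base, new_prefixlen))


def plan_vlans(pd_prefix: str,
               subnet_ids: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Assign one /64 per VLAN and refuse a subnet ID used twice."""
    seen: Dict[int, str] = {}
    plan: Dict[str, ipaddress.IPv6Network] = {}
    for name, sid in subnet_ids.items():
        if sid in seen:
            raise ValueError(f"SubnetId={sid} used by both {seen[sid]} and {name}")
        seen[sid] = name
        plan[name] = delegated_subnet(pd_prefix, sid)
    return plan


def hint_honored(received_prefix: str, hint: str = "::/56") -> bool:
    """True when the ISP delegated at least as much space as
    PrefixDelegationHint= asked for (shorter prefix length = more space)."""
    return (ipaddress.IPv6Network(received_prefix).prefixlen
            <= ipaddress.IPv6Network(hint).prefixlen)


if __name__ == "__main__":
    # Constructed example prefix; in practice Verizon hands out a dynamic /56.
    pd = "2001:db8:1:100::/56"
    print("hint honored:", hint_honored(pd))
    # "user-vlan" mirrors SubnetId=1 from the drop-in above; the others are made up.
    for vlan, net in plan_vlans(pd, {"user-vlan": 1, "lab": 2, "iot": 0x10}).items():
        print(f"{vlan:10s} -> {net}")
```

Because the delegated /56 is dynamic, the VLAN plan only fixes the low byte of the fourth hextet; anything that hard-codes the full /64 (firewall rules, DNS records) will break when Verizon hands out a different prefix.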

My firewall changes were light. It mainly entailed creating a new macro for DHCPv6 and permitting DHCPv6 traffic from the WAN to the localhost zone on my router.

foomuuri_macros:
  - "dhcpv6-client udp 546 ipv6"
wan:
  to_zone:
    - any:
        description: permit to all
        rules:
          - ping
          - dhcp-client
          - multicast accept
    - localhost:
        description: permit DHCPv6 replies to the router
        rules:
          - dhcpv6-client

Reflection

It’s cool seeing the traffic flow–and maybe it’s less CPU overhead not having to worry about NAT. Since I’m using SLAAC… I have no idea what IPs my devices have. I feel like I’m losing some insights from that perspective. I’ll have to research DHCPv6 servers and see if it’s worth the effort. I’m confused how that will play out with my Android phones. I’m not sure if there’s a stateful SLAAC or not.
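
As an added illustration (my code, not the author’s), here is a Python script that gives back some of the visibility SLAAC takes away without standing up a DHCPv6 server: it parses the router’s IPv6 neighbor table in the line format of `ip -6 neigh show` (the sample lines are constructed for the example), keeps only the entries inside the delegated /64, and separates EUI-64 interface IDs (whose MAC can be recovered) from opaque ones (RFC 7217 stable or RFC 4941 temporary addresses, which the table alone cannot tell apart). It also flags an EUI-64 address whose embedded MAC disagrees with the MAC that actually answered neighbor discovery, which is worth a second look. The prefix 2001:db8:1:101::/64, the interface names and the MACs are placeholders, not the author’s real values.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Neighbor(NamedTuple):
    addr: str
    dev: str
    lladdr: Optional[str]
    state: str
    kind: str                   # "eui64" or "opaque" (RFC 7217 stable / RFC 4941 temporary)
    derived_mac: Optional[str]  # MAC recovered from an EUI-64 interface ID


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of the address, i.e. the SLAAC interface identifier."""
    return int(addr) & ((1 << 64) - 1)


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """EUI-64 IIDs carry 0xfffe in the middle two bytes of the interface ID."""
    return (interface_id(addr) >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: ipaddress.IPv6Address) -> str:
    """Undo the EUI-64 expansion: drop the ff:fe filler and flip the U/L bit back."""
    b = interface_id(addr).to_bytes(8, "big")
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def parse_neigh(text: str) -> List[Neighbor]:
    """Parse `ip -6 neigh show` lines: <addr> dev <if> [lladdr <mac>] [router] <STATE>."""
    out: List[Neighbor] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        addr = ipaddress.IPv6Address(tokens[0])
        dev = tokens[tokens.index("dev") + 1]
        lladdr = tokens[tokens.index("lladdr") + 1] if "lladdr" in tokens else None
        eui = is_eui64(addr)
        out.append(Neighbor(str(addr), dev, lladdr, tokens[-1],
                            "eui64" if eui else "opaque",
                            mac_from_eui64(addr) if eui else None))
    return out


def inventory(text: str, prefix: str) -> List[Neighbor]:
    """Neighbors whose address falls inside the delegated /64 (link-local excluded)."""
    net = ipaddress.IPv6Network(prefix)
    return [n for n in parse_neigh(text) if ipaddress.IPv6Address(n.addr) in net]


def mac_mismatches(neighbors: List[Neighbor]) -> List[Neighbor]:
    """EUI-64 addresses whose embedded MAC is not the MAC answering ND for them."""
    return [n for n in neighbors
            if n.kind == "eui64" and n.lladdr and n.derived_mac != n.lladdr]


# Constructed sample of `ip -6 neigh show` output (documentation prefix, made-up MACs).
NEIGH_SAMPLE = """\
2001:db8:1:101:a3b2:c3ff:fed4:e5f6 dev user-vlan lladdr a1:b2:c3:d4:e5:f6 REACHABLE
2001:db8:1:101:5e7a:91c4:2d3f:8b10 dev user-vlan lladdr a1:b2:c3:d4:e5:f6 STALE
2001:db8:1:101:0a0b:0cff:fe0d:0e0f dev user-vlan lladdr 11:22:33:44:55:66 REACHABLE
fe80::a3b2:c3ff:fed4:e5f6 dev user-vlan lladdr a1:b2:c3:d4:e5:f6 DELAY
fe80::1 dev wan lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1:101::beef dev user-vlan FAILED
"""

if __name__ == "__main__":
    # On the router itself: subprocess.run(["ip", "-6", "neigh", "show"]) gives the live table.
    hosts = inventory(NEIGH_SAMPLE, "2001:db8:1:101::/64")
    for n in hosts:
        print(f"{n.addr:40s} {n.state:10s} {n.kind:7s} "
              f"lladdr={n.lladdr} embedded={n.derived_mac}")
    for n in mac_mismatches(hosts):
        print(f"MAC mismatch: {n.addr} embeds {n.derived_mac} but {n.lladdr} answers ND")
```

The neighbor table only knows about hosts that have talked to the router recently, so a periodic snapshot (or a listener on Neighbor Discovery / DAD multicast) is needed for anything resembling a lease list; the first two sample entries also show why per-device counting by address is unreliable, since one MAC legitimately holds several opaque addresses at once.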

As far as my homelab and internal network… I read several threads talking about ULA, “servers should be static” and all those rabbit holes. There’s a lot of work for things to be elegant. Although, I do have good tooling for using IPAM with netbox… I do often just rely on cloud-init with DHCP and hostnames wired into my DNS to provision VMs and other resources. I often just tail my DHCP leases to see if things are online. A lot of that convenience goes away without new tooling and orchestration.

That’s for another day. I do think I’ll leave IPv6 up for userspace. My other networks will require more planning.