this post was submitted on 29 Oct 2024
14 points (100.0% liked)

Selfhosted

39921 readers
235 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
14
Chaining routers and GUA IPv6 addresses (lemmy.ml)
submitted 6 days ago by robber@lemmy.ml to c/selfhosted@lemmy.world
8 comments fedilink hide all child comments
 

Hey fellow self-hosting lemmoids

Disclaimer: not at all a network specialist

I'm currently setting up a new home server in a network where I'm given GUA IPv6 addresses in a 64 bit subnet (which means, if I understand correctly, that I can set up many devices in my network that are accessible via a fixed IP to the oustide world). Everything works so far, my services are reachable.

Now my problem is, that I need to use the router provided by my ISP, and it's - big surprise here - crap. The biggest concern for me is that I don't have fine-grained control over firewall rules. I can only open ports in groups (e.g. "Web", "All other ports") and I can only do this network-wide and not for specific IPs.

I'm thinking about getting a second router with a better IPv6 firewall and only use the ISP router as a "modem". Now I'm not sure how things would play out regarding my GUA addresses. Could a potential second router also assign addresses to devices in that globally routable space directly? Or would I need some sort of NAT? I've seen some modern routers with the capability of "pass-through" IPv6 address allocation, but I'm unsure if the firewall of the router would still work in such a configuration.

In IPv4 I used to have a similar setup, where router 1 would just forward all packets for some ports to router 2, which then would decide which device should receive them.

Has any of you experience with a similar setup? And if so, could you even recommend a router?

Many thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] 2xsaiko@discuss.tchncs.de 2 points 6 days ago (7 children)

Not a professional networking guy either but here's my opinion.

What I would do is use the ISP router as is, open all ports on it (except to itself, hopefully it doesn't do that...), and put a firewall in between the router and everything else that controls the actual access to everything behind it (in bridge mode between the two network interfaces of the firewall, so you only have the one network).

Could a potential second router also assign addresses to devices in that globally routable space directly?

Devices in IPv6 assign addresses themselves via SLAAC, you just need one device advertising the prefix which the ISP router should already do. The firewall should be able to just purely be there for packet filtering. If you need fixed addresses for public facing servers I would just assign them manually to the respective boxes as you likely also need to add them to public DNS manually anyway.

[–] robber@lemmy.ml 1 points 6 days ago (6 children)

Thank you! Do you have an example for such a firewall device? Could something like the TP-Link Archer AX55 in IPv6 "pass-through" mode do the job? Or would you go for a standalone firewall? My budget is around a hundret bucks.

[–] 2xsaiko@discuss.tchncs.de 2 points 6 days ago (1 children)

Most computers with (at least) two network interfaces will do. If it's something too crappy your throughput will be limited by CPU speed but I can't tell you exact recommendations here. Here's OPNsense's hardware recommendations for example, they're not high at all. Off-the-shelf devices that allow you to do this should probably be fine too.

I'd put Linux on it and use nftables but BSD PF seems to be very popular for firewalls (OPNsense/pfSense are built on this) which I have never used so consider that too.

[–] robber@lemmy.ml 1 points 5 days ago

Thank you! I'll evaluate and report back.

load more comments (4 replies)
load more comments (4 replies)