[GLLUG] Direct Fibre To The House

Andy Smith andy at bitfolk.com
Mon Aug 29 20:22:42 UTC 2022


Hello,

On Mon, Aug 29, 2022 at 03:08:08PM +0100, Chris Bell via GLLUG wrote:
> On Monday, 29 August 2022 13:40:54 BST aidangcole--- via GLLUG wrote:
> > Would using Headscale / Tailscale simply solve this without all the
> > routing hassle and admin ?
> 
> Sorry, not understood. I have had to use port forwarding over a single IPv4 
> address together with careful firewalling to do anything.

So, you are used to having a static IPv4 at home and using NAT to
forward ports on that IP to application servers within your home
network.

e.g. if your globally routable IPv4 were 1.2.3.4 and your
LAN was 192.168.123.0/24 maybe you NAT 1.2.3.4:80 to
192.168.123.4:80 so that the web server on 192.168.123.4 is
reachable from the public Internet as http://1.2.3.4/.

You now get native IPv6 but the problem is that it's a dynamic /48
of which the first /64 is automatically set up on your LAN, but you
don't know which /48 it will be a part of and this can change at any
time.

First of all I want to reiterate that your goal is quite niche. Most
people are not hosting things at home, and don't want to host things
at home. The need for IPv6 connectivity is like the need for basic
Internet connectivity. It's so they can consume content that's out
on the Internet, not run a datacentre at home.

So, your most sensible options in my opinion are:

a) Rent a server with static IPv6 assignment and use that as your
   front end, not the IPv4/IPv6 at your home

   This server might be a VM which at the low end would only be a
   few dollars a month. Or it might be in one of the popular clouds.
   Not literally a bare metal server, though that would work too.

   You would VPN to it from your home using something like
   WireGuard, either directly or with a helper like the already
   mentioned Tailscale, which makes things very simple.

   Your home plus an arbitrary number of other locations connect
   to your server and it does not matter that your home has dynamic
   IPs because your home identifies itself to the VPN server (and
   vice versa) by certificates.

   You carve out /64s from the IPv6 assignment on your server, for
   example maybe you have:

    2001:db8:1234::/48 - Hosting provider assignment to your server
        2001:db8:1234:0::/64 - things on your server
        2001:db8:1234:1::/64 - your home
        2001:db8:1234:2::/64 - another site
        2001:db8:1234:3::/64 - third site
        .
        .
        2001:db8:1234:ffff::/64 - 65,536th site

   So there's a scheme for up to 65,536 globally routable networks
   under one IPv6 prefix with each underlying network being v4, v6,
   static or dynamic, doesn't matter. You can do it right now. Each
   end site can change provider and connectivity method any number
   of times but its global v6 assignment remains the same as long as
   you keep your server.

   e.g. http://[2001:db8:1234:1::4]/ hits your server, packets go
   down the VPN to your home, served off of the same machine as
   192.168.123.4 (or whatever its ISP-supplied v6 address is, and
   obviously it would usually be a DNS name not a bare IPv6 address
   used in the browser).

   Downside is a star topology with all the traffic going through
   your server. A further consequence of that is that you would have
   to take steps to ensure that the things at each site are usable
   locally to the site even if your server is not reachable by them.
   Obviously you don't want to be unable to control your heating and
   lights or manage your CCTV just because your VM at Linode is
   unreachable! This isn't an insurmountable problem, just one that
   too few people think about.

b) Wait until there's enough choice of connectivity provider that
   you can pay extra for static IPv6 assignment at home

   Downsides:
    - Probably costs more than the VM
    - May not be available at all
    - Might be harder to reliably serve things from your home than
      from a VM or bare metal server in a purpose built datacentre
    - Renumber every time you change domestic ISP unless you become
      a member of RIPE NCC (€1,400/year), are allocated a v6
      network of your own and then find a broadband ISP that will
      announce it for you (more expense, hard)¹.

It's possible that things could have been different if IPv6 had
gained traction before the whole world was put behind IPv4 NAT to
conserve address space, but it wasn't, so statistically no one² is
running globally routable home networks with real services on them.
All the IoT stuff has been built with that in mind and it's extra
effort to self-host.

Cheers,
Andy

¹ It is also much easier and cheaper to find a VM provider that will
  announce your own network(s) than it is to find a home broadband
  supplier that will do the same.

² Yes, I am, and I'm sure plenty of other people on this list are,
  because that's our thing. But in terms of customer base for any
  commercial product or service, it's not really a market. They
  expect the consumer to use their centralised cloud-hosted web
  interface, self-host in the cloud, or else self-host at home and
  access via VPN.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
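As an added illustration of option (a) above (not code from the original post or from its author): a small Python script that carves the /64s out of the server's /48 exactly as in the plan in the message and writes the matching WireGuard configurations for the hub and for each site. The /48 is the same documentation prefix the message uses; the fd00:4242::/64 tunnel link prefix, the hub.example.net endpoint, the port and the <...> key placeholders are assumptions. The site config uses a policy-routing rule rather than letting wg-quick install ::/0 into the main table, so only traffic sourced from the static /64 goes back through the tunnel; everything else at the site keeps using the ISP's own v6 directly.

```python
"""Hub-and-spoke IPv6 plan for option (a): static /48 on a VPS, /64 per site.

Added example, not from the original post. The provider /48 is the RFC 3849
documentation prefix used in the post; the ULA tunnel prefix, endpoint name,
port and <...> key placeholders are assumptions to be replaced.
"""
from ipaddress import IPv6Network

HUB_PREFIX = IPv6Network("2001:db8:1234::/48")  # provider assignment to the VPS
WG_LINK = IPv6Network("fd00:4242::/64")          # tunnel endpoint addresses (assumed ULA)
HUB_ENDPOINT = "hub.example.net:51820"           # assumed public name of the VPS
SITES = ["home", "site2", "site3"]


def address_plan(prefix=HUB_PREFIX, sites=SITES):
    """Carve /64s out of the /48: index 0 stays on the hub, sites take 1..n."""
    subnets = prefix.subnets(new_prefix=64)
    plan = {"hub": next(subnets)}
    for name in sites:
        plan[name] = next(subnets)
    return plan


def _site_index(plan, name):
    """Position of a site in the plan; reused as its host number on the tunnel link."""
    return list(plan).index(name) + 1          # hub is 1, first site is 2


def hub_config(plan, listen_port=51820):
    """wg-quick config for the VPS. Cryptokey routing (AllowedIPs) is what makes
    the kernel send each site's /64 down that site's tunnel, and it is also what
    stops one site from injecting packets sourced from another site's prefix."""
    lines = [
        "[Interface]",
        f"Address = {WG_LINK[1]}/64",
        f"ListenPort = {listen_port}",
        "PrivateKey = <hub-private-key>",
        "PostUp = sysctl -w net.ipv6.conf.all.forwarding=1",
    ]
    for name, net in plan.items():
        if name == "hub":
            continue
        i = _site_index(plan, name)
        lines += [
            "",
            f"# {name}: the site has a dynamic address and dials in, so no",
            "# fixed address for it is configured here; it is identified by key",
            "[Peer]",
            f"PublicKey = <{name}-public-key>",
            f"AllowedIPs = {WG_LINK[i]}/128, {net}",
        ]
    return "\n".join(lines) + "\n"


def site_config(plan, name):
    """wg-quick config for a site router. Replies sourced from the static /64
    must leave via the tunnel, not the ISP (which would drop them as spoofed),
    so a policy rule sends only that source prefix to a table whose default
    route is the tunnel. Table = off keeps wg-quick from putting ::/0 into main."""
    net = plan[name]
    i = _site_index(plan, name)
    lines = [
        "[Interface]",
        f"Address = {WG_LINK[i]}/64",
        f"PrivateKey = <{name}-private-key>",
        "Table = off",
        "PostUp = sysctl -w net.ipv6.conf.all.forwarding=1",
        f"PostUp = ip -6 rule add from {net} lookup 100",
        "PostUp = ip -6 route add default dev %i table 100",
        f"PostDown = ip -6 rule del from {net} lookup 100",
        "",
        "[Peer]",
        "PublicKey = <hub-public-key>",
        f"Endpoint = {HUB_ENDPOINT}",
        "AllowedIPs = ::/0",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = address_plan()
    for name, net in plan.items():
        print(f"{str(net):<24} {name}")
    print(hub_config(plan))
    print(site_config(plan, "home"))
```

To finish the job at a site, the router also has to advertise its /64 on the LAN (radvd or similar) so that the web server picks up 2001:db8:1234:1::4 alongside whatever the ISP hands out; inbound connections then arrive on the static address, the reply is sourced from it, and the policy rule carries it back up the tunnel. Because that /64 lives on the LAN itself, hosts at the site still reach each other on their static addresses when the VPS is down, which covers the local-usability point in the message, though anything that depends on Internet DNS to find those names will not.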


