I'm having so much fun trying to migrate to IPv6 hosting. No success yet. But because AI answers are confidently wrong so much of the time, I thought it would be easier asking my favourite forum.

Long story:

- Synology NAS
- Unifi UCG-Ultra gateway
- Community Fibre ISP
- Homelab including Home Assistant via Cloudflare tunnel and AdGuard Home for DNS caching

My ISP contract is up for renewal; my current package is CGNAT for new customers. So I guess it's only a matter of time before I get the CGNAT treatment. This means I can no longer port forward for my Synology NAS: 443 for family chat and photos and 7001 for file access. It's 443 that's most important to me, as I don't want to fix Tailscale problems for my parents, for example forgetting to turn it on before opening the chat or photo app. I read Cloudflare tunnel has a 100 MB file transfer limit, which means a no-go for both the chat and photo app, which have videos.

I have successfully turned on IPv6 and limited Prefix Delegation to 1 IP, which is assigned to my NAS. All other devices on the main VLAN get limited to IPv6 starting with F, which I gather is local, not accessible from online. Or is that not a concern, and can I rely on the gateway/device firewall?

Then I opened 443 in the firewall and, once applied, an online IPv6 port tool says it has changed from closed to open. Is there any way to test this? Firefox, Chrome and Edge all take the IPv6 address as though I wanted to do a search, even with https:// at the start.

I then disabled IPv4 for Synology DDNS on the NAS, only resolving the new IPv6 address. This is checked via normal and AAAA lookup. However, neither my phone on 5G nor my computer on the local network can access the domain name. I've restarted the AdGuard DNS cache to flush the cache. I've tried restarting my phone. Could not allowing IPv6 PD to work for my other LAN devices be causing this?

Short version: NAS now has an IPv6 address and port 443 opened, tested. Then IPv4 DDNS disabled, only using IPv6 for DDNS. But I can't access the NAS via the DDNS domain name.

Q:

1. Are my devices (PCs, phones, etc.) receiving globally routable IPv6 a concern?
2. How to test IPv6 directly via IP in regular browsers?
3. Is there any problem with an IPv4 device accessing IPv6 stuff? If a device is behind a gateway/provider that doesn't have working IPv6, can it still access stuff only hosted via an IPv6 address?
4. What alternative solutions are there? I read VPS get mentioned but haven't seen a step by step guide. What's the cheapest solution (local-ish, southern England) to help me route 443 NAS traffic?
I solved this problem by throwing £5 more a month at my ISP for a static IPv4 which sits outside the CGNAT pool. One of these days I'll get around to experimenting with IPv6... maybe.

Answers, and given that I have only theoretical experience with IPv6, anyone is free to chime in and correct me at any time:

1. In theory, no. IPv6 is such a massive address space that you basically can't scan it. Needle in a haystack.
2. You'll need a machine - external to your network - with an IPv6 connection, then it's as simple as trying to connect.
3. Yup: they can't. If a machine is connected via IPv4 then it can't see IPv6 stuff at all. Bar NAT traversal, anyway. If someone's internet connection is IPv4 only (like mine, 'cos I've never bothered flicking the switch - the ISP supports it, and tried to convince me to do that instead of paying for a static IPv4) then IPv6 stuff just doesn't exist for them.
4. Paying your ISP for a static IPv4? Reverse tunnel to a VPS? There's stuff like Cloudflare Tunnel and Tailscale which are popular for exactly this kind of use-case, and you wouldn't have to faff with IPv6 or even open any ports on the router - but I've not tried 'em myself.
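What questions 1 and 2 come down to in practice, as an added example that is not code from either post: a POSIX shell script that classifies an IPv6 address by scope (so "starts with F" can be read correctly), builds the bracketed URL a browser or curl needs for a raw IPv6 literal, and checks an AAAA-only name from an IPv6-capable host. The hostname nas.example.invalid, port 443 and the presence of `dig` and `curl` are assumptions.

```shell
#!/bin/sh
# Added example, not code from either post: checks an IPv6-only service the way
# answer 2 describes. Assumed values: name nas.example.invalid, TCP 443. Run it
# from a host that itself has IPv6; an IPv4-only client (e.g. mobile data with
# no IPv6, as in the thread) cannot reach an AAAA-only name at all.

# Classify an address by prefix so "starts with F" can be read correctly:
# fe80::/10 (link-local) and fc00::/7 (unique-local) are never reachable from
# the internet; only 2000::/3 (global unicast) can host a public service.
ipv6_scope() {  # $1 = IPv6 address
  addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$addr" in
    ::1)                 echo loopback ;;
    fe8*|fe9*|fea*|feb*) echo link-local ;;
    fc*|fd*)             echo unique-local ;;
    ff*)                 echo multicast ;;
    2*|3*)               echo global ;;
    *)                   echo other ;;
  esac
}

# Browsers treat a bare IPv6 literal as a search term; the URL syntax (RFC 3986)
# requires the address in square brackets, which is what the thread was missing.
ipv6_url() {  # $1 = address, $2 = port
  printf 'https://[%s]:%s/\n' "$1" "$2"
}

# End-to-end check: the name needs an AAAA record (and, once IPv4 DDNS is off,
# no A record) and a TLS handshake over IPv6 must complete. A correct AAAA plus
# a failed connection points at the gateway pinhole or the NAS listener, not DNS.
check_service() {  # $1 = hostname, $2 = port
  aaaa=$(dig +short AAAA "$1" | grep ':' | head -n 1)
  a=$(dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1)
  [ -n "$aaaa" ] || { echo "no AAAA record for $1"; return 1; }
  [ -z "$a" ] || echo "note: $1 still has an A record ($a)"
  echo "AAAA $aaaa (scope: $(ipv6_scope "$aaaa"))"
  # -6 forces IPv6; -k tolerates the self-signed certificate a NAS often has;
  # only the status code and the address actually connected to are printed.
  curl -6 -sk -o /dev/null --connect-timeout 5 \
       -w 'HTTP %{http_code} via [%{remote_ip}]\n' "$(ipv6_url "$aaaa" "$2")"
}
```

Run `check_service nas.example.invalid 443` from a machine outside your own network; on a client without IPv6 the curl step cannot even start, which is the difference between a firewall problem and the phone-on-5G situation in the thread.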
Thank you for the answer. The first one is not so reassuring.....

I think I've found the reason I can't connect with mobile data, combined with your answer. Doing an IP check, it turns out my mobile data doesn't get an IPv6 address. So that's why I can't test my IPv6-only hosted stuff. This means IPv6 is a complete no-go; I don't want my stuff to work sometimes and not other times.

As for more money at the ISP..... £25 for residential 1 Gbps with CGNAT (this is my current package, no CGNAT but the contract is ending soon), or £63 for 5 Gbps "premium wifi" (don't need it, I have recently installed better Unifi gear), or £125 for a 1 Gbps business account. They've removed the 2.5 Gbps non-premium-wifi package, so I'd have to double the price for no CGNAT. With practices like that, I'd rather spend my money on a VPS.

Cloudflare tunnel has a 100 MB limit on file transfers; it's not accessed by many people, just family photos and videos, but most videos would exceed that. Not keen on setting up Tailscale on my parents' devices and possibly losing access should their app play up. There's also Synology QuickConnect; I've been testing it on my phone and it is super slow.

So, now looking for a good UK-based VPS.
So I signed up to the cheapest Ionos Linux VPS for £1.20 a month. Unmetered bandwidth, 1 Gbps connection, seems to be a fixed IP. This time AI (Gemini) was more helpful and helped me set up WireGuard and a reverse tunnel. Everything seems to be working well so far. Done restarts on both ends and it still auto-reconnects. Only doing 443 and Synology DS File 7001.

I think I'm ready for CGNAT:

- Cloudflare tunnel for Home Assistant and other homelab stuff, no large files
- VPS reverse tunnel for my NAS to handle files/videos/photos
- Synology QuickConnect as fallback for NAS access
- Tailscale as VPN to access the home network
- Unifi Teleport as fallback VPN

None requires an inbound port to be opened on my gateway.
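The VPS reverse tunnel this post describes, as an added example rather than the poster's actual configuration: the VPS and NAS WireGuard configs and the nftables DNAT on the VPS that publishes 443 and 7001 to a NAS that can only dial out. The tunnel subnet 10.200.0.0/24, interface names eth0/wg0, UDP port 51820 and the placeholder keys and VPS address are all assumptions.

```shell
#!/bin/sh
# Added example, not the poster's setup: a WireGuard reverse tunnel that lets a
# VPS with a public IPv4 publish TCP 443 and 7001 for a NAS stuck behind CGNAT.
# Assumptions: tunnel 10.200.0.0/24 (VPS .1, NAS .2), VPS WAN interface eth0,
# WireGuard on UDP 51820; keys and the VPS public address are placeholders.
set -eu
WAN_IF=eth0; WG_IF=wg0; WG_PORT=51820
VPS_WG=10.200.0.1; NAS_WG=10.200.0.2; PORTS="443 7001"

# VPS: no Endpoint for the NAS peer, because the NAS must be the side that dials
# out (CGNAT allows no inbound sessions). AllowedIPs pins the NAS to one /32.
wg_vps_conf() {
  cat <<EOF
[Interface]
Address = $VPS_WG/24
ListenPort = $WG_PORT
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
[Peer]
PublicKey = <NAS_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = $NAS_WG/32
EOF
}

# NAS: PersistentKeepalive refreshes the CGNAT mapping every 25 s, which is what
# makes the tunnel come back by itself after either end reboots.
wg_nas_conf() {
  cat <<EOF
[Interface]
Address = $NAS_WG/24
PrivateKey = <NAS_PRIVATE_KEY_PLACEHOLDER>
[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = <VPS_PUBLIC_IPV4_PLACEHOLDER>:$WG_PORT
AllowedIPs = $VPS_WG/32
PersistentKeepalive = 25
EOF
}

# One DNAT rule per published port: VPS public IPv4:port -> NAS over the tunnel.
dnat_rule() { printf 'iif "%s" tcp dport %s dnat to %s:%s' "$WAN_IF" "$1" "$NAS_WG" "$1"; }

# nft ruleset for the VPS (needs net.ipv4.ip_forward=1). Masquerading toward the
# NAS forces replies back through wg0 rather than the NAS's CGNAT default route;
# the price is that the NAS logs the tunnel address instead of the real client.
nft_ruleset() {
  echo 'table ip nat {'
  echo '  chain prerouting { type nat hook prerouting priority dstnat;'
  for p in $PORTS; do echo "    $(dnat_rule "$p")"; done
  echo '  }'
  echo "  chain postrouting { type nat hook postrouting priority srcnat; oif \"$WG_IF\" masquerade; }"
  echo '}'
}
```

On the VPS, as root: set `net.ipv4.ip_forward=1`, write `wg_vps_conf` to /etc/wireguard/wg0.conf, bring it up with `wg-quick up wg0`, and load the NAT rules with `nft_ruleset | nft -f -`. Only the two listed ports are published; everything else on the NAS stays unreachable from the VPS's public address.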
Since my 'net connection was down anyway, I enabled IPv6 to see what all the fuss is about. My ISP supports it natively, and I can confirm that everything (that supports IPv6, which is basically just the Real Computers and none of the IoT stuff) now has a publicly routable IPv6 address. Well, several. Some of which are temporary, some of which are maybe permanent? I dunno, it's weird.

There's a firewall, on by default, which prevents anything from actually being exposed to the internet, and then I can open ports (which is the equivalent of port-forwarding, except because everything has its own IPv6 address I can "forward" the same port to multiple different devices). Haven't tried that yet, tho'.

Weirdly, my phone - Moto Edge 50 Neo, Android... 15? 16? I forget - fails the IPv6 browser test sites I've tried. The desktop's happy as Larry, tho'.
Am I being paranoid about having publicly routable IPv6? That's so reliant on the gateway having a robust firewall. With IPv4, it's straightforward: if incoming traffic doesn't know where to go, it's dropped.

When I tried IPv6 on my home network, my iPhone did get a valid address and passed those browser tests. However, turning off wifi fails those tests. This whole IPv6 thing still seems to be in the roll-out stage after hearing about it soooo many years ago.

In unrelated news, my parents were moved from CGNAT back to a static IP. Their LitFibre had been transferred to Zen, such an epic win. I'd happily pay £50 a month for Zen to supply me with symmetrical fibre and a static IP. Alas, I'm stuck with Community Fibre.
It doesn't have to be "robust," in that it's not actually doing anything security-related - it's not like an antivirus where it has to have updated signatures or stuff gets through, it's just a blanket "deny all" policy in iptables (or whatever). If you don't add something overriding that (i.e. "forwarding" a port) then it goes nowhere, just like NAT in IPv4.
That's very true. I have been thinking of it the wrong way. It is just a brick wall, anything not recognised is discarded. So just as secure as NAT in IPv4.
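The "brick wall" these two replies describe, written out as an added example (not from the thread) as an nftables IPv6 forward chain for a Linux gateway: default drop, established flows back in, ICMPv6 kept, and one pinhole for 443 to the NAS alone. Interface names br0/eth0 and the NAS address 2001:db8:1:2::10 (documentation prefix) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the gateway-side default deny the replies
# describe, as an nftables IPv6 forward chain with a single pinhole.
# Assumptions: LAN interface br0, WAN interface eth0, NAS global address
# 2001:db8:1:2::10 (documentation prefix; substitute the real delegated address).
set -eu
WAN_IF=eth0; LAN_IF=br0
NAS_ADDR=2001:db8:1:2::10

# A pinhole is one rule per destination address, not a port-forward: because
# every IPv6 host has its own global address, port 443 can be opened to several
# hosts simply by adding another rule with a different daddr.
pinhole() {  # $1 = destination address, $2 = TCP port
  printf 'iifname "%s" ip6 daddr %s tcp dport %s accept' "$WAN_IF" "$1" "$2"
}

ip6_forward_ruleset() {
  cat <<EOF
table ip6 filter {
  chain forward {
    # "policy drop" is the brick wall: anything not matched below is discarded,
    # the same fate an unforwarded inbound packet meets at an IPv4 NAT.
    type filter hook forward priority filter; policy drop;
    # replies to connections the LAN opened
    ct state established,related accept
    ct state invalid drop
    # LAN to internet is allowed outright
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # IPv6 must not be deaf to ICMPv6: Packet Too Big is how path MTU
    # discovery works, so dropping it all silently breaks large transfers.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
    # the one deliberate hole: HTTPS to the NAS only
    $(pinhole "$NAS_ADDR" 443)
  }
}
EOF
}
```

Load it on the gateway with `ip6_forward_ruleset | nft -f -`; the `echo-request` entry is a choice (it lets outside hosts ping LAN machines) and can be dropped from the set if you prefer.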
Wow, that was fast. Within about 10 min after confirming the new contract, around the time I put down the phone, I'm now on CGNAT, IPv4 starting with 100. (IPv6 allocation of /56 unchanged.) Luckily, with the VPS and the other things I've set up, all my services remain accessible.