IPv6 is broken in "LAN Networks"

Server Version#: 1.21.2.3943 (Linux)

Basically the same issue as IPv6 in "LAN networks" - #22 by Duffyx.
IPv6 networks are not supported in “LAN Networks” option, resulting in “Error parsing allowedNetworks ‘2a01:cb08:7c6:dc00::56’: Invalid argument”.

Is there any plan to get this option working with IPv6 ?
Thanks
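The parse error quoted above is what an address-family-agnostic "allowed networks" parser should avoid. The following is an added example, not Plex code: it assumes the setting is a comma-separated list of networks written either as CIDR or as address/netmask (the exact Plex syntax is not given in this thread), accepts IPv4 and IPv6 entries alike, and unmaps IPv4-mapped IPv6 client addresses (`::ffff:a.b.c.d`), which a dual-stack listener hands you for plain IPv4 clients and which would otherwise never match an IPv4 LAN entry.

```python
"""Added example (not Plex code): parse an "allowed networks" list that mixes
IPv4 and IPv6 and decide whether a client address is on the LAN.

Assumptions (not from the thread): entries are comma-separated and written as
CIDR ("10.0.0.0/8", "2a01:cb08:7c6:dc00::/64") or address/netmask
("192.168.1.0/255.255.255.0"); a bare address means a single host.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_allowed_networks(setting: str) -> List[Network]:
    """Parse the comma-separated setting into network objects of either family.

    Raises ValueError naming the offending entry, so a genuinely malformed
    entry is reported but a well-formed IPv6 entry is simply accepted.
    """
    networks: List[Network] = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False lets "192.168.1.5/24" mean the containing /24
            # instead of being rejected for having host bits set.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(
                f"Error parsing allowedNetworks '{entry}': {exc}") from exc
    return networks


def normalize_client(addr: str) -> Address:
    """Turn a client address string into an address object.

    An IPv4-mapped IPv6 address (what a dual-stack socket reports for an
    IPv4 peer) is unmapped so it can match IPv4 LAN entries; a link-local
    scope id such as "%eth0" is dropped before parsing.
    """
    ip = ipaddress.ip_address(addr.split("%")[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_lan_client(addr: str, networks: List[Network]) -> bool:
    """True if the (normalized) client address lies inside any allowed network.

    The family check is explicit for readability; ipaddress already treats a
    v6 address as not contained in a v4 network and vice versa.
    """
    ip = normalize_client(addr)
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    # Constructed sample setting mixing the two families.
    allowed = parse_allowed_networks(
        "192.168.1.0/255.255.255.0, 2a01:cb08:7c6:dc00::/64, 10.0.0.5")
    for client in ("192.168.1.77", "::ffff:192.168.1.77",
                   "2a01:cb08:7c6:dc00::56", "2a01:cb08:7c6:dc01::56"):
        print(f"{client:28} lan={is_lan_client(client, allowed)}")
```

The unmapping step matters for the "LAN" decision: without it, an IPv4 client arriving over a dual-stack socket is seen as an IPv6 address and silently fails every IPv4 LAN rule, which is the inverse of the failure in the original post but just as confusing to debug.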

Plan? Yes.

Idea when? No.

Engineering has it on their radar but we have no insight when it might happen.
Most ISPs I am aware of default to IPv4 for the LAN segments.

Every ISP with IPv6 support has IPv6 on the LAN segment, otherwise there’s no point in having IPv6 at all; IPv6 is not supposed to have NAT.

The issue is 3.5 years old since the first report now…


Really?

I have Comcast in the US and have their new 1200+ (this area just got service).
I have gigabit (1200/40)

They assigned me an IPv4 address, not an IPv6 address.

My LAN is IPv4, not IPv6

Stupid question I have… (please do forgive my ignorance at not understanding)…

Why / who would need 64K devices in their home plus all those subnets.
I truly am not understanding because (1) NAT / filtering (at minimum) is required to protect yourself and (2) my home device IP addresses shouldn’t change every time my ISP WAN address does. So? Why have IPv6 internally? Is it just for consistency’s sake?

Most major isp are now dual stack, ip4/ip6.

Folks behind CGN (double nat) will only have a public ip6 address.


Do you have IPv6 on WAN side ?
If not, then Comcast does not have IPv6 support, at least not for their end users.
If they do and use NAT46 (so IPv4-only on the LAN segment, and one IPv6 on WAN segment that is used to NAT), then it’s REALLY bad.
But I checked online, I see nothing that indicates that Comcast is doing NAT46. Are you sure you’re having IPv6 at all ?

Most ISPs with IPv6 are doing dual-stack, so IPv4 (with NAT) + IPv6 (without NAT), because it’s the most convenient way to do it. It allows anyone to reach both IPv4 and IPv6 networks without issues, while slowly deploying IPv6.

The point of IPv6 is not to have more devices on their LAN, it has never been (the actual “true” number if you’re implementing IPv6 properly, with a /48 per physical site, is 65,536 LAN segments with 18,446,744,073,709,551,616 addresses each). Of course no one expects to reach those numbers of devices.

There’s actually a lot of ways to configure IPv6 on LAN segments, but most devices have more than one IPv6 address at some point, which allows changing IP a lot if desired (for privacy reasons, mostly).

It also allows removing NAT entirely, which is a VERY good thing. NAT was never here for security reasons; NAT/PAT was designed because the IPv4 public space was filling way too fast when every device was given an IPv4 public address (there was no NAT at all at the beginning of the internet, and that prevented A LOT of headaches).
Using NAT as security is actually a bad practice; it just provides some security by accident. The correct way of filtering connections is using a firewall, not NAT. There are also NAT implementations that do not provide any additional security at all, like NAT 1:1.

The point of having IPv6 internally is to have devices that are reachable in a consistent manner whether it’s from inside or outside devices. Not having NAT is far better, because your routers need much less computing for packet processing (NAT does require some computing performance, especially at >1Gbps throughput), and because it’s much easier to do numbering, especially on big networks.

Given its nature, it also permits choosing whether you want to change IP on a regular basis (which is actually desirable for a simple device, to limit tracking), or not at all (like on a server). Or even both.
You can do pretty much anything you want with IPv6. Going back to networks without NAT is truly a nice and exciting thing for a network engineer.


Thanks for explaining.

Now for the really dumb questions :smiley:

  1. Why the “H” didn’t they just take the existing octet-decimal notation and extend it? Everyone knows how that’s written and is used to it. Am I getting that old? When I looked at the IPv6 LAN address generation, Is it true that part of the LAN address has bytes repositioned (formed from the WAN address) and isn’t a true 128-bit wide word? I don’t understand that yet. I am trying but , as was pointed out, in spite of the network readiness for v6, it doesn’t look like traffic flow is that high (adoption rate is still very low by comparison). Yes?

  2. I don’t want all my stuff remotely accessible. I’m not an IoT type person. If I want traffic to come into my LAN , it will be through that one gateway address. The idea of having a gateway subnet makes no sense. I am far too private for that.

  3. I have pfSense (netgate appliance) as my edge security device. It does the LAN routing (which is a single subnet). It also provides the WiFi VLAN

  4. I know there is NO security in using multiple LAN subnets on VLAN 1. If someone wants to wall off traffic, do it in the hardware. This is how I keep the WiFI VLAN isolated from the main VLAN. I use VLAN 1 and VLAN 1002. Those VLAN IDs should make sense to some of you.

  5. Backbone here is 10 GbE. Main equipment is 10 GbE. New modem is 2.5 GbE capable. I’m waiting for the switch to arrive which will allow me to complete configuring the WAN side of the pfSense for M-gig. I will be future-proof for some time to come.

  6. Your last point about IPv6 being great for a network engineer; I can see that. For me, the now-retired, working for Plex, engineer – is IPv6 a “MUST-HAVE” at home or a “Nice to have”? I highly doubt I will ever be in a must-have situation. We ‘seasoned engineers’ still like to keep things simple and not do things ‘just because we can’. We’ve been there, did it, and got a huge collection of tee-shirts :wink:

  1. Probably because of the huge number of possible addresses. There’s 3.4 x 10^38 total IPv6, which would give very long numbers in octal notation.
    Also, note that IPv6 is meant to be used with DNS, so there’s no need to try to remember any IPv6.
    I’d say that IPv6 adoption is getting really widespread now, especially in the last 5 years. For instance, in France, our 4 national ISPs have IPv6 in residential networks, and getting IPv6 on their mobile networks ready as we speak (I got IPv6 very recently on my phone carrier). Google estimates the adoption as ~32% (IPv6 – Google), you can see in the links given by TeknoJunky that IPv6 is being adopted fast.

  2. That’s not an issue. You can lock down your internet network using a firewall, which can be on your router. It’s not that different than IPv4, except it’s actually more simple because there’s no need to mess with NAT in the process.

  3. pfSense is perfectly capable of having proper IPv6. I actually have pfSense too as my edge router, with IPv4 NAT and IPv6 PD (Prefix Delegation) to give /64 to my LAN subnets at home.

  4. Indeed, using multiple subnets inside a single VLAN does not provide any additional security. VLAN are here for that, and also to limit broadcast inside a plain network. VLAN 1 should be avoided when possible, because some switches (looking at you, Netgear) use this one as their default VLAN and that cannot be changed. You should avoid VLAN 1-3 if possible.

  5. I myself do have 2Gbps at home, and (hopefully) 10Gbps at home soon-ish. Beware of prosumer hardware at those throughput, routing 10Gbps (especially with NAT) is not an easy task at small packet sizes.

  6. IPv6 is a must everywhere, because IPv4 public space is already exhausted in ARIN (America) and RIPE (EU). It means that any organization needs to get their IP from someone else or wait for IP to be returned to RIPE/ARIN.
    There’s plenty of IPv6 space for everyone, and deployment of IPv6 is getting really fast because of that: there is simply no more IPv4 left (except in Africa, Australia and Asia, but those will exhaust too, sooner or later).
    It’s beneficial for home users too: it allows them to have plenty of IPs to play with if they need to, to change it or not (much like having static vs dynamic IPv4, except you can have both at the same time).
    And last but not least, now that IPv4 is exhausted, it’s meant to disappear. Sure, it’ll take time, because of its use pretty much everywhere, but I’ve actually seen some customers (I work for an IaaS Cloud Service myself) migrating to IPv6-only networks (so no IPv4 AT ALL on LAN, and NAT64 on the border to reach IPv4 networks from their IPv6 networks). IPv6 is the future, it’s not just a fashion :slight_smile:

thank you for that.

You made some points which I asked myself.

  1. IPv4s are largely exhausted (thanks to all those wasted Class A types – Apple, IBM, etc, etc, etc). We only got 1/2 the usable space.

  2. If everything does go IPv6 on the WAN side (which it will eventually), because everything is DNS (as you stated) do i care if IPv4 . IPv6 . IPv8 ?

  3. PfSense supports the DNS-based firewall rules so I can write them that way (which is how I do write rules to avoid mistakes). I made FAR too many mistakes writing hexadecimal bitmasks at this point. Yes it’s easy to see but if the engineer can’t do binary ↔ decimal math (2^n) in his head – do you really want him generating netmasks? :thinking:

  4. I do worry about those Pro-sumer types who, thinking they can carve up that 64 bit LAN space go crazy and then expect people like me to figure out what they did wrong. NOT HAPPENING :slight_smile:

  5. Regarding the VLANs, I will be re-engineering the entire LAN here when the switch arrives (Ubiquiti US-XG-6POE). It will be the new backbone. The existing, due to lack of ports, will feed a Netgear (haha) GS-110EMX to trunk 4 GbE to an HPE-1820-24g and the Synology (Backup) NAS. I will be adding some VLANs for the L2 work (pfsense xg-7100 & Ubi connectivity) before it exits onto the main LAN. I’m not happy about it but it’s what I have to do being fixed-income. It will be ok and easy to maintain.

To share a bit of humor , having retired from building aircraft and orbital systems which can never fail, this is how I view myself and my tasks :slight_smile:

Sound about right?

To the purpose of this thread:

IPv6 on LAN.

PMS has partial support for LAN IPv6. The demand has been low because most of the users are IPv4 and will be in that IPv4 NAT configuration for some time. Will they fully implement IPv6 on LAN? I’m sure they will. When? No idea. I tend to the forums ; they (Engineering and Product) are in better position to know what’s needed and when to add things.

I don’t know if you’ve seen the feature requests section but they pull a lot of ideas out of there based on, of all things, vote count. So if a lot of people want it, and up-vote it, it will have higher visibility (I know, it sounds lame but what other metric is reasonably reflective of the users’ wishes?)


Extra point I forgot.

I am working toward having everything on my LAN also be DNS (with cert) based.
I’m 99% there.

I only need IP addresses when testing some new equipment and it doesn’t want to behave as it should.

  1. Indeed. I’ve seen a customer with a whole /20 used on… internal networks. Not a single one exposed to internet. What a waste :frowning:

  2. IPv6 is meant to stay up to the point where the Internet won’t be usable as-is (so, until the next “big thing” that will replace it). You don’t really care on the DNS side if it’s only IPv4, IPv6, or both.
    Except that NAT can be tricky, because you usually have a single IPv4 but a lot of IPv6 addresses, so a single DNS record can actually point to one device (in IPv4), like your router, but directly to your machine in IPv6. In this scenario, PAT cannot be used (like port 8000 mapped to 80, for instance).

  3. DNS should not be used in a firewall, because DNS is layer 7, while IP is layer 3. You should use aliases instead. The good news is that “static” IPv6 can be assigned quickly with SLAAC, where your router gives the prefix to your machines, then your machines self-assign IPv6 with this prefix in a consistent and predictable manner based on the MAC address of your NIC (+ random additional IPs if needed/wanted).

That is indeed a nice t-shirt (and pretty much accurate indeed for us, IT people :smiley: )

For the IPv6 on LAN, indeed I missed the feature request forum. I’ll post it here, with hope that it’ll get enough votes to be seen soon in Plex :slight_smile:

If you start relying on DNS a lot (which is a good idea to prepare for IPv6), make sure to make it highly available and have backups (with a paper copy, if possible).
The downside of having everything in DNS is that you lose access to everything if it goes down. Happened to me once, it was not a fun time…
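Point 3 above describes the MAC-derived form of SLAAC (modified EUI-64). As an added example, not code from the thread, the block below derives that address from a delegated /64 and a MAC, and does the reverse, which is the tracking concern raised earlier in the thread: an EUI-64 address carries the NIC's MAC in the clear, which is why most current operating systems default to random or stable-privacy interface identifiers instead. The prefix and MAC are constructed sample values.

```python
"""Added example (not from the thread): modified EUI-64 SLAAC addresses.

Given a /64 prefix advertised by the router and the NIC's 48-bit MAC, the
interface identifier is built by flipping the universal/local bit of the
first octet and inserting ff:fe in the middle (RFC 4291 appendix A).
"""
import ipaddress
from typing import Optional


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02          # flip the universal/local (U/L) bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(net.network_address.packed[:8]
                                 + modified_eui64(mac))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 style address, or None if the
    identifier does not carry the ff:fe marker (random / privacy / DHCPv6
    assigned identifiers reveal nothing about the hardware)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample values: a delegated /64 and a NIC MAC.
    prefix = "2a01:cb08:7c6:dc00::/64"
    mac = "00:1c:42:2b:60:5a"
    addr = slaac_address(prefix, mac)
    print(f"{mac} in {prefix} -> {addr}")
    print(f"MAC leaked by {addr}: {mac_from_slaac(str(addr))}")
    print(f"MAC leaked by random IID: "
          f"{mac_from_slaac('2a01:cb08:7c6:dc00:8c1d:9f3a:7b2e:1c44')}")
```

If you want the predictability the post describes without the MAC leak, the usual answer is a stable-privacy identifier (stable per prefix and host, but not derived from the MAC) for the "server" role plus temporary addresses for outbound client traffic.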

  1. DNS in firewall - Sorry, a few parts to that.
    a. PfSense is the LAN DNS Master. Those are safe for me to use
    b. Yes, everything is an alias. WAN and LAN rules.
    c. I put the DNS name as part of the alias so the pfsense will track/resolve dynamically and only allow those addresses. It’s what allows me to permit certain hosts (like some of Plex’s hosts) to come in but block others (site-site vpn, etc). It also makes blocking outbound traffic (tracking cookies, etc from web pages) fall into the bit bucket.

Thanks for the heads up on V6 and DNS. The pfsense backs up to the cloud and externally to a config file. The local file is on the Syno (my ‘archive’ machine). Being a creature of habit, my LAN address mapping (what goes where) is pretty standard. All the critical systems are in x.2 → x.15, Secondary in .16 → .31, etc. NAS & work equipment in x.32-> x.63, DHCP is .128+ I’ve setup solutions like this for (more than i want to admit) years. haha.

You’d be surprised how simplistic some of the networking is for some of the things you would expect to be complicated. It’s all done that way to minimize hardware requirements. We made the hardware simple and robust so it wouldn’t fail + so the pilots couldn’t get it to lock up / break it. :smiley:

A consistent numbering is a great idea, it allows for predictable IPs, which can be really useful, especially when you try to guess which host is throwing packets that are rejected on the firewall (not a huge problem at home, since the number of devices is very limited, but it can be really hard to track in an enterprise environment).

Using public DNS instead of local DNS will solve that.

My ISP and many others are going to a NAT64 or DS-LITE deployment. I don’t have an IPv4 address. We need IPv6 support soon!


Thanks for that feedback.

I’ve written a request to our core services, engineering, and operations teams.
Let’s see if we can get traction sooner than later.
