raffraffraff a day ago

This! I guess a good number of tech people will have IPv4 home networks long after their non-tech parents, neighbors and friends will be using IPv6 (without even knowing it).

IPv4 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.

You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "192.168.0.1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).

I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.

It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.

Tailscale is sexy and it worked fine until one day while roaming it wouldn't connect without "admin work", so I instantly dropkicked it. I'm now using the very unsexy OpenVPN Cloud (free for limited use) and in over two years it has never failed me. Plus it doesn't fuck with the IP addresses with fancypants tailnet addresses - I access devices directly using their DNS names which resolve to private addresses.

So, from inside or outside the home I can access the NAS to watch a movie, sync photos to Immich, print a document, check my IP cameras or ask my wife to put a document on the ancient scanner and access it via the raspberry pi phpscan website (which is on https://scanner.myhome.net).

I'm sure there's a very good reason not to do this and someone will now point it out.
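The "script automatically creates DNS records" step from the post above, as an added example that is not the commenter's own script: it parses OpenWrt's UCI `config host` entries and the dnsmasq lease file, emits an A record per preallocated device, and reports any lease whose MAC has no static entry but landed in the shrunken pool. The domain `myhome.net` is the post's placeholder, and the pool range .200-.254 is an assumption.

```python
import re

# Constructed sample of OpenWrt /etc/config/dhcp static leases (UCI syntax).
UCI_DHCP = """
config host
    option name 'router'
    option mac '00:11:22:33:44:01'
    option ip '192.168.0.1'

config host
    option name 'nas'
    option mac '00:11:22:33:44:02'
    option ip '192.168.0.2'
"""

# Constructed sample of /tmp/dhcp.leases (dnsmasq: expiry mac ip hostname clientid).
LEASES = """1700000000 00:11:22:33:44:02 192.168.0.2 nas 01:00:11:22:33:44:02
1700000300 de:ad:be:ef:00:01 192.168.0.201 android-phone *
"""

HOME_DOMAIN = "myhome.net"        # placeholder domain from the post
POOL_START, POOL_END = 200, 254   # assumed "blacklisted" DHCP pool (last octet)

def parse_static_hosts(text):
    """Return {mac: (name, ip)} from every 'config host' section."""
    hosts = {}
    for block in re.split(r"^config host\b", text, flags=re.M)[1:]:
        opts = dict(re.findall(r"option (\w+) '([^']*)'", block))
        if opts.keys() >= {"name", "mac", "ip"}:
            hosts[opts["mac"].lower()] = (opts["name"], opts["ip"])
    return hosts

def a_records(hosts, domain=HOME_DOMAIN):
    """Zone-file A records for every preallocated device, sorted by name."""
    return [f"{name}.{domain}. IN A {ip}" for name, ip in sorted(hosts.values())]

def unknown_in_pool(leases_text, hosts):
    """Active leases with no static entry whose IP fell into the pool range."""
    found = []
    for line in leases_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac, ip, name = parts[1].lower(), parts[2], parts[3]
        last_octet = int(ip.rsplit(".", 1)[1])
        if mac not in hosts and POOL_START <= last_octet <= POOL_END:
            found.append((mac, ip, name))
    return found
```

The unknown-device list is what you would review before pinning the MAC to a static address; the A records are what gets pushed to the public DNS provider.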

nottorp 21 hours ago

> IPv4 in the home is dead easy

Exactly. I randomly try to "upgrade" to IPv6 in my home once in a while and I always give up because I'd have to do the whole enterprisey setup for no good reason.

Edit:

Basically IPv6 is too complex and automated to hold your home network's whole configuration in your head without effort.

So the techies don't set it up at home unless they have a fetish for overcomplicated setups. They're not familiar with it so they don't push for it at work either.

Adoption is solely driven by IPv4 address space exhaustion. There is no "new toy!" feeling involved.

immibis 20 hours ago

IMO, not having NAT is a "new toy". It allows end-to-end connectivity again. Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.

You could try fd00::1, fd00::2, ... for short internal static addresses. You don't have to use a random prefix in that range - it's just policy (for good reasons that might not matter for a small network).

nottorp 18 hours ago

> Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.

Yeah, and my Windows box is again accessible from the outside with whatever services MS deems to run by default...

Yes, there are firewalls, but isn't it better if a potential attacker doesn't even know what's behind my router?

P.S.: Since WebRTC showed up to do whatever it wants with my network, peer to peer has started to mean "donating resources to some company" to me.

Dagger2 17 hours ago

v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds.

On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.

If you want attackers to not know what's behind your router, you want v6.

nottorp 9 hours ago

> to exhaustively enumerate every single publicly accessible server on your entire network

Enterprise thinking. It's not the publicly accessible servers I worry about, it's the other boxes that shouldn't be publicly accessible...

justsomehnguy 21 hours ago

# IPv6 in the home is dead easy. You only need to remember the last digit (unless you've got multiple networks, but most won't). You can ssh to any device by remembering that ".1" is router, ".2" is NAS etc. Firewalls are simple.

# You can buy a cheap domain and use it as your home DNS (eg "router.myhome.net" -> "2003:123:4:5::1") so it works anywhere! In the home or roaming (over VPN). I don't really need to run DNS at home. My domain runs on Cloudflare DNS, my devices use NextDNS (with rebind protection disabled for my home domain).

# I run OpenWRT and preallocate DHCP addresses for all known devices. Then I shrink the DHCP pool to a blacklisted range. A script automatically creates DNS records for all preallocated devices. If a new device appears in the blacklisted DHCP pool, I can manually allocate its MAC address a proper IP.

# It's easy to get TLS certs for any service in the house using the ACME DNS01 challenge.

There is literally no difference between v4 and v6 here.

raffraffraff 9 hours ago

So why bother with v6?