patmorgan23 2 hours ago

You should be using dynamic DNS and firewall rules should be on the subnet boundary in this scenario, any decent firewall (including referee PFsense/OpnSense) support ACLs that follow IPv6 address changes.

bigfatkitten 2 hours ago | parent | next [-]

> You should be using dynamic DNS

That doesn't solve the problem. DNS remains broken until each and every device, assuming VERY generously that it is capable of dynamic DNS at all, realises that one of its prefixes has disappeared and it updates its DNS records. With DNS TTL and common default timeouts for prefix lifetime and router lifetime, that can take anywhere from 30 minutes to 30 days.

> and firewall rules should be on the subnet boundary in this scenario, any decent firewall (including referee PFsense/OpnSense) support ACLs that follow IPv6 address changes.

This requires you to assign one VLAN per device, unless perhaps you've got lots of money, space, and power to buy high end switches that can do EVPN-VXLAN so that you can map MAC addresses to SGTs and filter on those instead.

magicalhippo an hour ago | parent | prev | next [-]

> any decent firewall (including referee PFsense/OpnSense) support ACLs that follow IPv6 address changes

In the case of pfSense this is a recent change. It was not supported when I migrated away from it less than five years ago.

hdgvhicv 2 hours ago | parent | prev | next [-]

I want to send my ssh via my low latency reliable connection, I want to route my streaming via another connection. That’s just a routing rule and srcnat in ipv4.

That’s before you go on to using PBR. I want to route traffic with different dscp via different routes.

Ultimately I want the routing to be handled by the network, not by the client.

IPv4 and nat makes that a breeze.

sekh60 2 hours ago | parent [-]

How is it not a routing rule with ipv6? Firewalls and routers typically support dynamic prefixes (even Vyos, pfSense, openSense do).

hdgvhicv 2 hours ago | parent [-]

How do I tell my phone that I want to send traffic to server A via isp1 and server B via isp2?

sekh60 2 hours ago | parent [-]

On your router?

Edit: Less flippantly, what are you wanting to base the routing rule on? What's your ipv4 routing rule?

DSCP is allowed in ipv6.

https://www.juniper.net/documentation/us/en/software/junos/c...

hdgvhicv 2 hours ago | parent [-]

Without nat, my understanding is the right way in v6 is to issue addresses of every network and then send a message to each end device asking it to use a specific ip address to route traffic and hope every client implements RFC 4191 in the right way.

sekh60 2 hours ago | parent | prev [-]

The amount of ignorance in these ipv6 posts is astounding (seems to be one every two months). It isn't hard at all, I'm just a homelabber and I have a dual-stack setup for WAN access (HE Tunnel is set up on the router since Bell [my isp] still doesn't give ipv6 address/prefixes to non-mobile users), but my OpenStack and ceph clusters are all ipv6 only, it's easy peasy. Plus subnetting is a heck of a lot less annoying than with ipv4, not that that was difficult either.

transcriptase 2 hours ago | parent [-]

“it’s easy peasy” says guy who demonstrably already knows and has time to learn a bunch of shit 99.9% of people don’t have the background or inclination to.

People like you talking about IPv6 have the same vibe as someone bewildered by the fact that 99.9% of people can’t explain even the most basic equation of differential or integral calculus. That bewilderment is ignorance.

Dylan16807 an hour ago | parent [-]

These people apparently had the time and inclination to learn a bunch of shit about IPv4, though.

"Easy" is meant in that context. The people acting like the IPv4 version is easy.

So your second paragraph doesn't fit the situation at all.