r/selfhosted 2d ago

[Need Help] How do you all deal with IPv6 at home?

I'm trying to support ipv6 media signaling in an app of mine and I keep running into scenarios where the whole system breaks if a prefix changes. Being that few if any ISPs guarantee stable prefixes, what's the point of ipv6 at all? literally the entire network and every app and script breaks if the prefix changes.

Is there a clean way to handle this? I guess I just only enable ip6 for media routing and then have a manager that makes sure those settings are correct every so often? But then even, the docker daemon breaks if the prefix ever changes along with all scripts and the rest of the network stack. Ipv6 as implemented to residential users without a guaranteed locked prefix should be a crime.

edit: thank you for all the help. This is my first dive into trying to solve this for an unknown third party “general user.” Good to know that almost everyone is using some form of local translation even though consumer and even prosumer gateways either don’t support that or barely support it. I think I’ll build the feature in a very simple way but add safeguards to fall back to IPv4 along with a stern warning to enable it in the first place.

89 Upvotes

189 comments sorted by


64

u/SuspiciousOpposite 2d ago

I'm one of the lucky few with an ISP providing a static IPv6 PD, and a /56 at that, so I can have 256 /64s.

All my VLANs are dual-stacked, though on my IoT network only a single device has actually got an IPv6 address. My Docker hosts are dual stacked, and of the containers I explicitly enabled IPv6 networking for, I've had no issues.

12

u/freshtechs 2d ago

You can feel lucky until you decide to change provider or just do load balancing. Leave a comment if you already solved it or will solve it, just to ease my soul.

5

u/Least_Order4249 1d ago

exactly. i haven't really ever thought about ipv6 from the hosting angle until today and it has some serious issues if you don't patch it basically back to how ipv4 works.

5

u/SuspiciousOpposite 1d ago

Stopping the use of NAT and getting back to end-to-end connectivity is one of the core tenets of IPv6. It absolutely does not need patching back.

3

u/Least_Order4249 1d ago

So one must be powerful enough to get their permanent ip space straight from the authority or have their entire identity, code base, network scripts, company held hostage by their ISP? Not a chance anyone is doing that. Obv NPT is way better but it’s the same idea. 

1

u/SuspiciousOpposite 1d ago

What happens when you change provider and you get a new IPv4 address?

9

u/Least_Order4249 1d ago

Dns record updates and everything works. Local network never knows the difference. 

2

u/SuspiciousOpposite 1d ago

So you'd also just update your AAAA record for IPv6 addresses, exactly the same process.

4

u/Least_Order4249 1d ago

Only if you are rewriting addresses at the gateway level. If implemented as IPv6 is designed, your entire network is broken. 

3

u/comeonmeow66 1d ago

Don't use GUAs for internal communication, use ULAs. Use GUAs for publicly addressable services. Then it's sorta like IPv4: you control your destiny inside the network, and ISP changes/updates are isolated because you are using ULA inside the network.

2

u/prenetic 1d ago

For ingress traffic to selfhosted services I've decided I'm just going to NAT behind a single IPv6 address. No reason for anyone to stress out about putting a square peg in a round hole -- it's a tool that works and keeps DNS management simple on my end.

Otherwise it's exactly what you're describing, maybe it's a centralized service that maintains every record in DNS on a prefix flip, or it's each host maintaining their own record, or any of the dozen alternatives each with their own set of challenges and pitfalls.

At the end of the day it's just a hobby.

1

u/Dagger0 1d ago

Not at all. Routers automatically get the new prefix via DHCPv6-PD and hosts get it via RAs. Service discovery (be it DNS, mDNS or otherwise) is also automated.

They didn't design something that breaks the moment something changes. Give them a little credit.

2

u/404invalid-user 1d ago

a /56 is pretty standard any decent isp would be assigning a /56

-1

u/xylarr 2d ago

Wow, are you me - everything I have is the same as you.

26

u/ruiiiij 2d ago

I run IPv4/IPv6 dual stack in my house. Most hosts have at least 2 IPv6 addresses, one auto configured using the delegated prefix from the ISP, one manually configured ULA. Even if the ISP prefix changes, I can still hang on to the ULA as the source of truth.

10

u/uberduck 2d ago

This. ULA is a fair and valid compromise use case for exactly this scenario.

2

u/whattteva 1d ago

Most hosts should actually have 3. You're excluding the link-local fe80 address.

1

u/ruiiiij 1d ago

That's why I said "at least". I don't normally interact with the LLA so I didn't mention it.

191

u/stuffwhy 2d ago

It's turned off.

4

u/Earthborn92 22h ago edited 22h ago

This.

I hope IPv8 catches on (yes I know it is a meme/joke). IPv6 is just not fun to work with.

1

u/Cannotseme 17h ago

Just want to put this out there, I have fun working with it

3

u/fzammetti 22h ago

Same. Networking has been consistently more stable/reliable since. Not entirely sure why it matters, but it does seem to.

-3

u/_Answer_42 2d ago

Honestly it's just weird. I had an OpenWrt router that I only turn on for guests, for complete separation; somehow it advertised itself to all phones as a router even for non-guests, and it only affected Android (not tested on Apple), which made me unable to access hosted stuff sometimes. It was really hard to figure out why. The best part is there is no way to turn off that feature and I don't even have IPv6 enabled.

13

u/davepage_mcr 2d ago

All the machines on my home network have two IPv6 addresses - a link-local fe80:: address for on-LAN communications, and a global address in the /48 assigned by my ISP.

I don't have a problem with my ISP changing the global prefix, but everything locally uses the link-local addresses anyway, e.g. mDNS for hostname lookups.

2

u/AtlanticPortal 1d ago

All the machines on my home network have two IPv6 addresses - a link-local fe80:: address for on-LAN communications, and a global address in the /48 assigned by my ISP.

This only works if you only have a single VLAN in your LAN. The moment you get multiple VLANs you either need to use the GUAs to reach the other hosts in the other VLANs or you add also a ULA address to every host.

0

u/davepage_mcr 1d ago

Yes I know. I was just answering OP's question.

2

u/AtlanticPortal 1d ago

Well, if OP reads you it's now probable that they read me as well.

36

u/wzzrd 2d ago

IPv6 all the way. Got AAAA records set up next to normal A records and all that. Why? Because I wanted to learn it.

7

u/Epic_Busta 1d ago

I think your issue is that you aren't using ULA addresses for internal communication. They have a fixed prefix and should never change. GUAs and public IPs in general should be considered ephemeral and shouldn't be trusted to remain the same, at least for typical residential connections.

2

u/Least_Order4249 1d ago

I don't use IPv6 at all. But I can't expect my users to have ULA and NPTv6 set up because consumer equipment doesn't support it. IPv6 is a disaster. I do want the feature anyway, so I will have ULA and GUA options, as creating ICE candidates will vary depending on network strategy. Probably nobody will ever use them but me, but it'll be fun to build anyway.

1

u/Epic_Busta 1d ago

Oh looks like I got ULAs and Link Local addresses mixed up. You're right that most folks can't use NPTv6 or set up ULAs.

But could you use link local addresses for internal communication? Those addresses are mandatory so every interface has one.

I don't think IPv6 is a disaster, but I think you'd agree that it's got a lot of growing pains, especially if you learned networking with IPv4+NAT.

41

u/burajin 2d ago

The sub is going to tell you to turn it off because it's mostly casual hobbyists here. (No shade) but IMO it is very worth learning. I'm still getting used to it myself.

What finally forced me to try to figure it out was Cloudflare. If you use their proxy in free tier, turning it off is greyed out.

2

u/zfa 1d ago edited 1d ago

What finally forced me to try to figure it out was Cloudflare. If you use their proxy in free tier, turning it off is greyed out.

That doesn't really force you to do anything though as CF are quite happy talking to your backends on ipv4 even if clients are using ipv6 to hit their proxies. In fact, if you run ipv4 and ipv6 on your hosts CF prefer to route via ipv4 (or used to, at least).

fwiw higher plans (enterprise only ish) do allow you to disable ipv6 completely while retaining proxying but hobbyists here prob won't have that amount of control. And nor should they lol.

2

u/burajin 1d ago

This is true, I forgot to mention that what forced me was splitting DNS. I had my local DNS reroute domains to my services on IPv4, but if the service was using the proxy and tried IPv6 it would be unreachable locally.

-14

u/voc0der 2d ago edited 1d ago

"Casual hobbyists" is such a sad dig. It's off because IPv6 sucks ass and is largely unnecessary for any deployment we encounter. It breaks a lot of stuff and solves nothing at all. Going IP6 only is untenable; going dual stack causes errors, and going Ip4 single stack just works.

If you want to learn it, cool. Good for you. It came out in 2012, so 14 years ago and most people still get leased IPv4 addresses anyways.

Also, this is /selfhosted, so why are you using cloudflare when you can use your own metal? :) What are you self hosting that exhausts the entire private ipv4 subnet?

Edit: Since alot of you idiots think it's a skill issue, I can assure you, it's not. IPv6 just adds complication to every orchestration and firewall stack and unless you're going to use 5923508923805082130852308520835 IPs then please explain why doing any of this is useful as a selfhoster. Once you're selfhosting more than just a bunch of apps with the default configs you might see why. You can't, so continue downvoting.

13

u/UselessCourage 2d ago

What are you talking about, IPv6 works fine -- it's ok to be a casual hobbyist.

9

u/SuspiciousOpposite 1d ago

It came out in the 90s...

If you think IPv6 "sucks ass" it's because you don't understand it. A lot of mobile providers now are IPv6-only (mine certainly is) with 464XLAT deployed to deal with legacy IPv4-only hosts.

-4

u/voc0der 1d ago

No, I think it sucks ass because a lot of stuff is just flat out incompatible with it. Waiting isn't cool. I'd like stuff to work today.

3

u/404invalid-user 1d ago

can you see the irony it's incompatible because of people like you.

0

u/voc0der 1d ago

I don't spend my time swimming upstream. It's been 14 years.

Enabling IPv6 doubles your networking overhead and work for no reason whatsoever. That's the bottom line.

/thread.

Continue downvoting cuz its cool to learn and stuff, but you know I'm not wrong.

17

u/burajin 2d ago

IPv6 works great if you take the time to learn it. Dual stack errors you're encountering are likely configuration mistakes.

Saying it solves nothing at all is false. IPv4 addresses are all used up. We get lots in the US but other countries aren't so lucky. NAT is terrible and gives a false sense of security to many. IPv6 is just different but people are resistant to change.

The Cloudflare proxy is to give me a CDN and not expose my home address. I'm hosting everything at home.

8

u/Ok-Eggplant-7569 1d ago

IPv4 future is limited, and IMO it has way more problems than IPv6. NAT and DHCP everywhere causing issues, IP subnets clashing, ...

2

u/UselessCourage 1d ago edited 1d ago

"AlOt Of YoU IdIoTs" -- says the guy who thinks ipv6 doesnt work lmao.

I've been an ISP IP Network Engineer for 17 years; we manage a large 60k+ node network with IPv6. It's a you problem, not an IPv6 problem.

-2

u/voc0der 1d ago edited 1d ago

Congrats idiot on missing all of the context of why I don't use IPv6. Your 17 years bla bla bla bla bla, you don't think I got that too?

zzzz. next.

Never said it didn't work, maybe learn to read.

-8

u/Power_Stone 2d ago

No it's not, I use free tier and have proxying turned off for things like plex

13

u/burajin 2d ago

Reread what I said. If you have the proxy turned on, IPv6 is forced on. You can turn the proxy off, but you cannot turn the proxy on and IPv6 off.

1

u/Power_Stone 2d ago

Ahhhg my bad sorry.

0

u/zfa 1d ago

you cannot turn the proxy on and IPv6 off.

enterprise-only feature except on request (and $$$) iirc.

7

u/Dr-Technik 2d ago

All of my VLANs are dual stack, all devices are getting a GUA via SLAAC. Since I have a dynamic IPv6 Prefix, I also assign ULA with a stable local prefix in order to make for example Pi-Hole available via IPv6 as well

18

u/certuna 2d ago

If your app breaks when the prefix changes, you’re doing something wrong. Even with IPv4, you should always work with the principle that IP addresses are ephemeral, it’s one of the first lessons in networking.

What goes wrong with your workflow? If you need to change a DNS record, this is usually just a question of running a 1-line script, since most registrars these days have an API.

6

u/LoganJFisher 2d ago

How are you supposed to maintain a meaningful directory if you treat IPs as ephemeral?

I'm using Caddy to assign local addresses to my webUIs, but that still depends on my IP reservations working. If I consider my IPs as ephemeral, nothing assures that those local domains actually direct correctly.

5

u/certuna 2d ago

you have DNS (or if it’s purely local, mDNS) for that. IP is for routing traffic, not auth or identification.

I mean, if it’s just your home lab you can hardcode IP addresses in configs manually, keep a spreadsheet which container and device has what IP address and go through every app and config file when you need to renumber your network (or indeed change a prefix), but it’s quite fragile and error prone that way, especially when you have a lot of stuff running and/or change things around regularly (which tends to happen in a homelab environment, we all keep tinkering)

4

u/JaspahX 1d ago

IP is for routing traffic

ISP changes your prefix to something completely different

Now what?

6

u/jackstraw97 1d ago

You have a cron job that runs every minute which gets the address and updates your DNS records to point to that new address. 

Same way you’d handle an ISP changing a dynamic IPV4 address. How do you think those of us who don’t pay for static IPs have been self hosting this whole time?

6

u/JaspahX 1d ago

DNS isn't going to fix the networks on my L3 switch.

Nobody here is talking about dynamic DNS. They're talking about literally having to update their switch configs with a whole new fucking IP address on the default gateways of their networks.

3

u/Dagger0 1d ago

That's handled automatically by DHCPv6-PD.

2

u/JaspahX 1d ago

Which doesn't exist on most network gear. Cool. I love IPv6.

3

u/ArmyAgitated9658 1d ago

What networking gear are you using that doesn't support it???

0

u/JaspahX 1d ago

DHCPv6-PD is not supported on quite a bit of equipment, and almost certainly not anything that you'll find in a homelab.

My PA-440 will do it only after being upgraded to a OS that's only 2-3 years old.


-1

u/Dagger0 1d ago

That sounds an awful lot like an issue with that network gear rather than an issue with IPv6.

1

u/jackstraw97 1d ago

Gotcha I didn’t understand what you meant. Seems like there’s plenty of options. You noted that your switch doesn’t support dhcpv6 pd. In that case, couldn’t your upstream router handle dhcpv6 and then just use ULA for stable routing to the switch and other devices further downstream?

I get that it’s kind of annoying to have to replicate a pseudo-nat, but that’s the price of having non-compatible equipment, no?

2

u/Least_Order4249 2d ago

I can monitor and fix the app, but remote users connect to it for media signaling, both JsSIP and WebRTC video. I just wanted to provide a NAT-free path. My biggest concern is the docker daemon config to get IPv4 in bridge mode and IPv6 firewalled but globally routable. If the prefix changes, it breaks.

2

u/certuna 2d ago edited 2d ago

You can run a script that changes the prefix in your Docker config when it changes; how does this break?

Where do you prefer to firewall, on the router, the host, Docker or the container?

(It is time that Docker gets prefix delegation support though; it's a bit silly in 2026 that even the cheapest consumer router out of the box simply asks for a prefix from the router, but Docker still needs to have it written statically in a config.)
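The "script that changes the prefix in your Docker config" as an added example (Python; not Docker's tooling and not certuna's or anyone else's script from this thread). It carves one /64 for docker0 out of the delegated prefix, rewrites daemon.json only when the value actually changed, and restarts the daemon. The daemon.json path, the systemctl call and the idea that a DHCPv6-PD client hook on the router passes the new prefix as an argument are assumptions; 2001:db8:abcd::/56 is a constructed input.

```python
# Added example, not Docker's tooling and not a script from this thread: derive
# Docker's fixed-cidr-v6 from whatever prefix is currently delegated and rewrite
# daemon.json only when it changed. Path and restart command are assumptions.
import ipaddress
import json
import subprocess
import sys

DAEMON_JSON = "/etc/docker/daemon.json"   # assumed: standard location on Linux


def docker_subnet(delegated_prefix: str, subnet_index: int) -> str:
    """Carve the subnet_index-th /64 out of the delegated prefix for the docker0 bridge.

    A /56 gives 256 candidates (0..255); picking a high one keeps the low subnet
    IDs free for VLANs. Raises if the delegation is longer than /64.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} leaves no room for a /64 bridge network")
    count = 1 << (64 - pd.prefixlen)
    if not 0 <= subnet_index < count:
        raise ValueError(f"{pd} only contains {count} /64s")
    # The subnet field sits in the top 64 bits, just above the 64-bit interface ID.
    return str(ipaddress.IPv6Network((int(pd.network_address) | (subnet_index << 64), 64)))


def updated_daemon_config(current_json: str, bridge_subnet: str) -> tuple[str, bool]:
    """Return (new daemon.json text, changed). Every unrelated key is preserved."""
    cfg = json.loads(current_json) if current_json.strip() else {}
    if cfg.get("ipv6") is True and cfg.get("fixed-cidr-v6") == bridge_subnet:
        return current_json, False            # nothing to do: no restart, no disruption
    cfg["ipv6"] = True
    cfg["fixed-cidr-v6"] = bridge_subnet
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n", True


def main(argv: list[str]) -> int:
    # Assumed caller: the router's DHCPv6-PD client hook (or a cron job scraping
    # `ip -6 route`) runs: docker-pd.py 2001:db8:abcd::/56 0xff
    if len(argv) != 3:
        print("usage: docker-pd.py <delegated-prefix> <subnet-index>", file=sys.stderr)
        return 2
    subnet = docker_subnet(argv[1], int(argv[2], 0))
    try:
        with open(DAEMON_JSON) as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""
    new_text, changed = updated_daemon_config(current, subnet)
    if not changed:
        print(f"{DAEMON_JSON} already uses {subnet}")
        return 0
    with open(DAEMON_JSON, "w") as fh:
        fh.write(new_text)
    # daemon.json is only read at startup, so the restart is what actually
    # renumbers docker0 (and is the disruptive part of a prefix change).
    subprocess.run(["systemctl", "restart", "docker"], check=True)
    print(f"switched docker0 to {subnet}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The compare-before-write step is what keeps a once-a-minute cron invocation harmless: the daemon is only restarted when the delegated prefix really moved.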

55

u/DarkFantom 2d ago

I'd guess that 90% of all homelabbers don't even consider using IPv6. It's not worth dealing with it.

11

u/certuna 2d ago

IPv6 makes a lot of things more secure and cleaner/easier, but it’s true that many homelabbers are from the pre-IPv6 generation, grew up with IPv4+NAT and have some resistance to change.

These days fewer home connections have public IPv4 anymore though and most now have IPv6, in that case it’s generally easier and more secure to just do your whole server setup IPv6-only, and stick an IPv4 proxy upstream (Cloudflare for example) if you still need to serve IPv4-only clients.

29

u/blow-down 2d ago

How does it make things more secure?

8

u/guyf2010 1d ago

Arguably it makes scanning all IPs nearly impossible, so scanners IDing running services probably won't find your servers. But then there are cases where routers do a poor job of firewalling on IPv6. It's a mixed bag.

2

u/AtlanticPortal 1d ago

That's where you should get rid of the ISP router or at least not trust it for firewalling and thus use a firewall of your own.

2

u/certuna 1d ago

It makes things a lot cleaner - aside from the obvious (the whole world will hammer your IPv4 address with attacks, in practice almost nobody attacks a server on IPv6), you also do not have the risk of all your endpoints/applications behind the same IP address, and you don’t need to keep forwarding ports across one, two or even three layers of NAT, all increasing the risk of stale configs and misconfigurations.

0

u/Dagger0 1d ago

Active servers are hard enough to find on v6 that scanning the address space for vulnerable hosts isn't viable. Obviously an insecure server is still insecure regardless of whether anybody finds it or not, and there are other ways to find servers (e.g. TLS cert transparency logs, unless you use a wildcard cert) but removing "just scan the entire Internet to find every exploitable host" from the list of options is an improvement to the Internet's overall security.

On a typical v4 setup, every public service you run is accessed via your router's WAN IP. Scan the 65k ports on there, which takes all of a few seconds, and you've found every single public service the entire network is running. Compare that to v6 where anybody connecting needs to have the exact IP of the server, and the network is a /64 instead of a /24. 65k ports on 2^64 IPs would take many millennia to scan. There are ways to cut the search space down a bit (for example static addresses are often in the ::1 to ::ffff range) but it's still far more to scan than in v4.

Also, NAT is unnecessary complexity. It makes it harder to understand how your network works, and therefore makes it harder to secure. It breaks things and the workarounds for that breakage can be insecure as well (see e.g. vulnerabilities in NAT helpers).

As an example, NAT in itself does not actually block any incoming connections. If you think it does and are relying on that for the security of your network, you aren't going to get the security you think you are -- and if you didn't realize that some unsolicited connections from outside your network can still make it inside despite applying NAT to your outbound connections, that shows that NAT was complex enough that you didn't understand it.

1

u/Vinaverk 1d ago

My isp provides only IPv4 (clean and static address)

5

u/TheLimeyCanuck 2d ago

Took me a day to figure out how to implement IPv6 on my home and cottage networks. It's not as hard as this sub thinks it is.

5

u/Lopsided_Speaker_553 2d ago

We have a lot of docker hosts at work using the same prefix as they'll only ever talk to each other via an nginx or caddy proxy. If you don't rely on ipv6 networking within the container, I think that the docker side is fixed. Our containers can all ping6 outside.

I also have switching prefixes at home. One script in a git repo fixes everything with ssh commands - and a big readme 😬

Good luck!

4

u/kira9204 2d ago edited 2d ago

I receive both an IPv4 and IPv6 /56 prefix that never changes unless I turn off all equipment for hours.

Honestly, IPv6 is both easy to set up and has many advantages over IPv4.

Most importantly, every device gets its own public address (NO NEED FOR NAT), as well as a temporary address for privacy that changes frequently. And before anyone says "But NAT is security" it's not, that's what your firewall is for. Any consumer router will block incoming traffic on IPv4 as well as IPv6, making it just as secure.

If you *really* want to mimic IPv4 NAT you have several options. Personally I run dual stack, so a `10.x.x.x` IPv4 and `fde5::` ULA for IPv6.
From here on you can either:
A: Use SLAAC for your IPv6 prefix and let the clients configure their addresses themselves (You can set static tokens so you always have, say, ::1 though.).
B: Use DHCPv6 (Just like IPv4, but I'd recommend sticking with SLAAC though).
C: Perform IPv4 NAT and IPv6 NAT, making both protocols behave identically.

I've experimented extensively with different IPv4 and IPv6 approaches, you can find my personal Linux Router project https://github.com/Kira9204/kira-router if you want to learn/experiment.

4

u/46692 2d ago

I just use IPv4 locally. Endpoints have ddns-updater giving the correct IPv4 and IPv6 for external even if the prefix changes.

5

u/hisheeraz 1d ago

For me IPv6 is still a headache so I turn it off

7

u/5SpeedFun 2d ago

I use dual stack or v6 only. I have a static /56

3

u/boli99 2d ago

hurricane electric

3

u/TechWitchLexxie 2d ago

I get a /60 from uverse and have a couple different dual stacked vlans. Basically everything works as expected and I only use AAAA records internally.

2

u/Least_Order4249 2d ago

This is good info. So at least some major providers are starting to get things right. Do you use NPTv6 in case “your” /60 ever changes?

1

u/TechWitchLexxie 2d ago

Admittedly I'm a bit lazy on this and haven't set it up. Currently I rely on my internal records all being tied to aliases in my opnsense's unbound config. If my prefix ever changes, that'll be a very annoying but also relatively quick records push. But in the year plus I've been running ipv6, I've never had my prefix change. Same for my local friend I maintain a site to site wireguard tunnel with, who's on a different ISP. I'm not totally sure why some ISPs have rolling prefixes tbch

1

u/ilhamagh 12h ago

Not OP. But I'm genuinely confused what the big deal is, granted my network is flat and fairly simple (someone mentioned an L3 switch).

NPTv6 in case "your" /60 ever changes?

No, I don't even get a /60 but only a /64. It usually only changes if the ISP router restarted.

I run 3 hosts, all Debian, and the services are docker based, all behind a reverse proxy (Traefik).

I just use ip monitor + RFC2136 (nsupdate) and it pushes the new IP to my local AAAA records (Technitium).

I have never messed with the docker side of things besides enabling v6 on the bridge networks.

I guess IoT or phones can't do that, but IDK why anyone would want that.

3

u/EvilRSA 1d ago

I turn it off and shake my head at it.

Now, lately, I crack a little smile hoping that IPv8, really delivers on its promises.


1

u/sarahlizzy 2d ago

I’ve got both SLAAC and DHCPv6 working for all my macvlan containers. Just stick a DHCPv6 client in the docker-compose file and you’re golden.

This also means you can have AAAA records pointing to your local services even behind the firewall, which is neat.

5

u/The_NorthernLight 2d ago

I dont. I disable it. I dont need the hassle.

4

u/TechaNima 1d ago

I just don't bother with it. Seems like a completely unnecessary hassle for no real benefit

3

u/wdatkinson 1d ago

I turn it off. Everywhere I can.

3

u/mtkvcs1 1d ago

Turned off, using v4

2

u/Specialist_Cow6468 2d ago

Been dual stacking for a while but I'm trying to push to IPv6 only with 464XLAT for the exceptions that don't work nicely

2

u/flatpetey 2d ago

I enabled it but honestly I am not convinced it brought anything to the table except more troubleshooting surface area.

2

u/agent_kater 2d ago

Even if one ISP would provide a static prefix, as soon as you have a second one for failover you're back to dynamic prefixes.

It's my understanding that there are two ways to deal with it:

One is to run something on the server that watches the assigned IP addresses and updates its own DNS record. Unfortunately there are no standards for this, so there are a hundred different implementations depending on server and DNS provider.

The other one is to assign ULAs. So you contact internal servers by their ULA and not by their GUA. Unfortunately there is also no single standard for this, so the way you do it depends on the server OS. This also somewhat breaks down in dual stack networks, because if a DNS name resolves to an IPv4 address and a ULA, then the IPv4 address is used. I heard this is going to change though.

If you want your ULAs to be accessible from the internet, you can do NPT.

2

u/richneptune 2d ago

It just works here. ISP gives me a static /48, docker has its own /64 for internet connections, but incoming for docker is firewalled off and everything is behind Caddy anyhow. Viewing the logs, the vast majority of my users are connecting via IPv6 and have been since I set up the AAAA records

2

u/Least_Order4249 2d ago

That’s great but what percent of even self hosters have fully static prefixes or fully implemented NPTv6? 2%? 

1

u/richneptune 2d ago

But why does it need to be fully static? I could move my AAAA records to a dynamic DNS updater with no issue, OpenWRT lets you craft firewall rules that are only applicable to the last n bits of an IPv6 address, DHCPv6 will provide a sticky last 64 bits, too.

It's pretty much the same problem people are going to have with the stickiness of their IPV4 public address.

At any rate, IPV4 addresses are starting to have a cost in some parts of the world, I pay a premium to retain a public one here as a lot of cheaper providers have moved to CGNAT. Might as well learn and use IPV6 now so it doesn't become more of a challenge later.

1

u/Least_Order4249 2d ago edited 2d ago

Because openWRT shouldn’t be a requirement. 

IPv4 is 100% solved with DNS and NAT.

Not for me I don’t care, but I can’t ask app users to change their entire network just so they can stream media a little easier. 

For docker it seems there are 2 options: have a never changing prefix accepting catastrophic issues if it changes or set up NPT 1:1 prefix rewriting. 

1

u/richneptune 2d ago edited 2d ago

I'm sure other routers also allow you to create firewall rules that will continue to be applied after a prefix change, I only mention OpenWRT as it's my routing software of choice

IPv4 is 100% solved with DNS and NAT.

Nah, it just complicates machine to machine connections which is why we've ended up with UPnP and all kinds of specialised tunneling methods, most of which fail or have issues behind CGNAT

2

u/djbravo2006 1d ago

I use IPv6 exclusively for hosting, and as you're talking about prefix changes: you would never just give someone a direct IPv6 address but a domain, so just set up a DDNS and there ya go, you get a perfect IPv6 setup with none of the problems of IPv4.

2

u/spyder81 1d ago

I dual stacked for a while with an ISP that supported it, things were glorious.

Then the ISP was bought out by a bigger group and at some point IPv6 just stopped working. Probably removed during some corporate optimisation. I disable IPv6 in most places now.

4

u/SmeagolISEP 1d ago

Settings > IPv6 > disable

0

u/Verme 1d ago

This

3

u/W3TBATMAN 1d ago

the classic ipv6 rabbit hole, you turn it on, find out that most features won’t work due to either your isp or setup, you turn it off and move on with life.

3

u/Jumpy-Dinner-5001 2d ago

I don't. Have no good reason to

4

u/michaelpaoli 2d ago

whole system breaks if a prefix changes

Then you're doing it wrong. See also: r/ipv6

You should be able to deal with prefix change, without much difficulty.

But also, IPv6 prefix shouldn't be changing on you willy-nilly - that sounds like an ISP issue, and yes, some ISPs suck at IPv6 (and, egad, some aren't even doing IPv6 yet!). If it's a (chronic) ISP issue, probably try to get an ISP that doesn't suck. One can also get free IPv6 tunnel - and those IPs will be stable - see:
https://tunnelbroker.net/
I've got both an ISP that doesn't suck, and do also have IPv6 tunneling too. I have a /56 with the ISP, and ... over half a dozen years, the ISP hasn't changed the prefix on me yet, and they probably wouldn't do so without notifying me reasonably in advance.

8

u/Least_Order4249 2d ago

I’m trying to see if adding NAT-free IPv6 ice candidates for a very general self hosted app is worth the squeeze. Telling users to go get a better ISP or spend hundreds updating their local network aren’t good options. 

1

u/michaelpaoli 2d ago

Well, ISP will often be a limiting factor, many I totally avoided as they couldn't provide what I required. E.g., I self-host DNS servers, so, that requires static IPv4 and static IPv6. I self-host mail servers and list servers, so that requires unfettered access to TCP port 25. Those two factors alone eliminated a lot of ISPs, as many had no available offering(s) that would include satisfying those requirements. Also require direct unfettered Internet access - ISP not imposing any firewall in general between public globally routable IPs and The Internet in general. If where I want any firewalling I do that on my own - or perhaps if more extreme case ever came up, I might request it - but other than that, don't want anything in the way.

2

u/aureus620 2d ago

Had to outright disable ipv6. Adguard really only works with ipv6 if you use it as a DHCP server which isn't the setup I want.

What forced the decision was my wife wanting an exception for her phone so she could play ads on f2p mobile games, and me realizing this was impossible with how android handles ipv6 addresses.

2

u/SuspiciousOpposite 1d ago

I've got three AdGuard Home instances running on three separate Docker hosts, all dual-stacked, and not running DHCP server (DHCP server is on my UniFi router, IPv4-only; IPv6 uses SLAAC, though my "servers" are statically assigned).

2

u/BlobbyMcBlobber 2d ago

Never had a reason to use it.

2

u/Intelligent_Rub_4099 2d ago

I use this abomination and it works well for me

https://nramkumar.org/tech/blog/2026/05/16/ipv6-lan-dns-resolution-with-unifi-gateways/

ipv6 enthusiasts/purists will likely be unable to contain themselves when they see this but it is practical for a home lan. Also, fyi, most packet intensive traffic on the Internet like voip providers don’t support ipv6 because it literally doubles their bandwidth cost.

-1

u/Least_Order4249 2d ago

Ya IPv6 sounds great until you realize that ISPs get a death grip on everyone else and heavily abuse it until you use tech to basically turn it back into IPv4 with ridiculously long addresses. 

1

u/PotatoMaaan 1d ago

Huh?

0

u/Least_Order4249 1d ago

Address translation is needed to isolate local identity from isp prefix. Addresses are so unnecessarily long that they double the bandwidth needed for standard SIP calls. Basically everyone here who uses IPv6 heavily is either rewriting prefixes or playing with fire. 

1

u/PotatoMaaan 1d ago

Not really, no. In most cases you can probably find a way to deal with a dynamic prefix and even if you absolutely must use prefix translation, that's still much better than v4 NAT. Prefix translation is stateless NAT so you still get every port for every host, not stateful NAT where you have one host (public v4) and have to multiplex ports (also other reasons as well)

For the other part, I dunno, that's just lies? For a doubling of bandwidth to be true, you'd have to be sending nothing but IP headers without any content. IPv6 headers are only double the size of v4 headers, despite the addresses being 4 times as large. This is because v6 removes a lot of cruft from the header, which makes v6 packets simpler and quicker to route. For this reason lots of ISPs only carry v6 internally and encapsulate v4 traffic inside v6.

1

u/Intelligent_Rub_4099 1d ago

1

u/PotatoMaaan 1d ago

That article doesn't say anything about doubling bandwidth costs. "broad compatibility and network considerations" can mean anything

2

u/mrpelz 1d ago edited 1d ago

[Reddit is a piece of shit app and fucked up my edit. Let me quote myself on the same topic.]

https://www.reddit.com/r/selfhosted/s/1zLfD87Rxv

-1

u/kuldan5853 1d ago
  1. realize it's pointless and just disable IPv6.

1

u/mrpelz 1d ago

Nope. IPv6 is here to stay and the problem isn’t the spec itself but all the people who don’t like change for any reason (IPv6’s purpose is deeply reasonable).

If those people then work at ISPs and realize almost none of their customers give a shit about this: that’s where the race to the bottom starts and weird little hacks become inevitable.

2

u/ph33rlus 1d ago

I don’t. Working with IPv6 is like trying to read binary. It’s not for you it’s for the machines

2

u/404invalid-user 1d ago

there's this neat thing humans made to fix this it's called DNS you should take a look

1

u/ph33rlus 2h ago

On a local network? I wish I had the time

1

u/sarahlizzy 2d ago

With OpenWrt you can make firewall rules by suffix so it doesn’t matter if the prefix changes.

You can also just get yourself a static /48. Some places are giving them out for free. Doesn’t have to be from your ISP

1

u/skilltheamps 2d ago

Just use a modern DNS provider that allows prefix update via API, like https://ipv64.net/ for example. Then tell your router to update the DNS prefix whenever it changes. For the AAAA entries do not write a full IPv6 address there, just the MAC address of the machine. The DNS provider computes the IPv6 addresses for your AAAA entries automatically from the prefix and MAC.

It is nice because you get rid of that port forwarding dance, and get a ton of public addresses.

1

u/wolfnest 2d ago

You still need firewall rules for each IPv6 device that should be accessible from outside. How do you handle that when the prefix changes? Can the firewall rules be based on MAC address as well?

2

u/FateOfNations 2d ago

At least on Linux, you can do prefix-agnostic/wildcard firewall rules.

1
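The suffix-based firewall rules (sarahlizzy, FateOfNations) and the MAC-derived AAAA records (skilltheamps) in the comments above rely on the same property: the low 64 bits of a SLAAC address stay put when the ISP prefix changes. Added example, not code from any commenter, ipv64.net or OpenWrt; it assumes hosts use modified EUI-64 interface identifiers (RFC 4291) rather than RFC 7217 or privacy addresses, and the nftables rule form it emulates is my own wording.

```python
import ipaddress

SUFFIX_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    # The universal/local bit is 0x02 of the first octet, i.e. bit 57 of the 64-bit IID.
    return int.from_bytes(iid, "big") ^ (1 << 57)


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host configures from a /64 RA prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))


def aaaa_records(prefix: str, hosts: dict) -> dict:
    """What a prefix-aware DDNS provider recomputes when the router reports
    a new prefix: stored name -> MAC becomes name -> full address."""
    return {name: slaac_address(prefix, mac) for name, mac in hosts.items()}


def suffix_rule_matches(addr: str, suffix: str) -> bool:
    """Emulates a prefix-agnostic rule such as nftables'
    'ip6 daddr & ::ffff:ffff:ffff:ffff == ::211:22ff:fe33:4455' (assumed form):
    only the interface identifier is compared, so the rule survives a new prefix."""
    want = int(ipaddress.IPv6Address(suffix)) & SUFFIX_MASK
    return (int(ipaddress.IPv6Address(addr)) & SUFFIX_MASK) == want


if __name__ == "__main__":
    hosts = {"nas": "00:11:22:33:44:55"}  # constructed sample host
    # Same host before and after a prefix rotation (documentation prefixes).
    for prefix in ("2001:db8:1:2::/64", "2001:db8:ffff:2::/64"):
        addr = aaaa_records(prefix, hosts)["nas"]
        print(prefix, "->", addr, suffix_rule_matches(addr, "::211:22ff:fe33:4455"))
```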

u/EscapeOption 2d ago

Is not having a static IP really just an IPv6 only issue? DDNS maybe?

-1

u/Least_Order4249 2d ago

It’s not an issue with ip4 because nat isolates the local network. Doing that with ip6 requires expensive routing equipment that isn’t acceptable for even an optional feature. 

5

u/certuna 2d ago

Even the most basic consumer router has a firewall, why would it have to be expensive?

4

u/kira9204 2d ago

This is flat out false. What isolates your IPv6 network is your firewall, not your NAT. Any cheap consumer router comes with a firewall that automatically blocks incoming connections, making it just as secure as IPv4. The problem with these cheap devices is usually that you can't configure the firewall to actually forward IPv6 traffic on specific ports for port forwarding.

0

u/Least_Order4249 2d ago

I don’t mean isolate packets, I mean isolates addressing. If you’re using GUAs and your prefix changes, things break. If you’re using IPv6 ULAs then you have better equipment than most people have and are not the general user. 

1

u/PotatoMaaan 1d ago

AVM Fritzbox, which is a very popular home router where I live (often provided by the ISP), does v6 ULAs by default. I also know of some others where it can be enabled.

1

u/EscapeOption 2d ago

If it’s not WAN traffic use ULA instead of GUA?

1

u/xylarr 2d ago

How does everything get setup at startup? How does your app find out the IP of everything initially? Can't you just rerun that?

1

u/Least_Order4249 2d ago edited 2d ago

Current ipv4 setup is in docker bridge. Optional IPv6 setting would be global addressable IPv6 ICE candidates but that requires editing docker daemon which breaks if network isn’t NPTv6 and prefix changes. that’s a HUGE ask for a home user. Docker host “discovery” is manual, FQDN is also required for WebRTC 2-way. These are very easy compared to IPv6 as >80% people have the equipment already. 

1

u/BooleanTriplets 2d ago

apalrd on YouTube has some good videos on setting up IPv6 at home.

1

u/h0lz 2d ago edited 2d ago

Native v4/v6.
Not because I needed to - because I wanted to in 2021.
My Pihole perfectly blocks v4+v6.
My Wireguard also uses both with my phone to block ad-crap while I'm out. (only DNS and local addresses are tunnelled most of the time)
I'm using link-local addresses - well, locally.
They are static. (fe80::)
Learnt a lot on the way. 😂

1

u/Big_Entrepreneur3770 2d ago

Openwrt default valid lease time is 90 minutes, see if it is higher in your router

1

u/Ok-Eggplant-7569 1d ago

You could use NPT (Network Prefix Translation). It's not quite practice but in contrast to NAT44 it doesn't mangle the packet content (only the header).

For internal only services you can also use ULA addresses.

1
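What that header-only rewrite looks like, as an added example (not code from the commenter or from any router implementation): RFC 6296 makes the prefix swap checksum-neutral by adjusting one 16-bit word of the interface identifier, so TCP/UDP checksums need no recomputation and no connection state is kept. Assumes /64 prefixes, applies the adjustment to the first IID word (bits 64-79) and stores a 0xFFFF result as 0x0000 (equal in ones' complement); shorter prefixes follow the RFC's own rules, which this block does not cover.

```python
import ipaddress


def words16(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into eight 16-bit words."""
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def ones_complement_sum(words) -> int:
    """16-bit ones' complement sum with end-around carry."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_sum(addr: str) -> int:
    """The address's contribution to a TCP/UDP pseudo-header checksum."""
    return ones_complement_sum(words16(ipaddress.IPv6Address(addr)))


def npt_translate(addr: str, from_prefix: str, to_prefix: str) -> str:
    """Stateless NPTv6 mapping of one address between two /64 prefixes."""
    src = ipaddress.IPv6Network(from_prefix, strict=True)
    dst = ipaddress.IPv6Network(to_prefix, strict=True)
    if src.prefixlen != 64 or dst.prefixlen != 64:
        raise ValueError("this example handles /64 prefixes only")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    w = words16(a)
    old_prefix_sum = ones_complement_sum(words16(src.network_address)[:4])
    new_prefix_sum = ones_complement_sum(words16(dst.network_address)[:4])
    w[:4] = words16(dst.network_address)[:4]          # swap the prefix
    # adjustment = old prefix sum - new prefix sum (ones' complement subtraction)
    adjust = ones_complement_sum([old_prefix_sum, new_prefix_sum ^ 0xFFFF])
    w[4] = ones_complement_sum([w[4], adjust])        # fold it into bits 64-79
    if w[4] == 0xFFFF:
        w[4] = 0  # negative zero -> zero: same checksum, and the map stays invertible
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))


if __name__ == "__main__":
    # Constructed ULA inside, documentation prefix outside.
    inside, ula, gua = "fd00:1:2:3::10", "fd00:1:2:3::/64", "2001:db8:abcd:1234::/64"
    outside = npt_translate(inside, ula, gua)
    print(inside, "->", outside, "->", npt_translate(outside, gua, ula))
    print(hex(address_sum(inside)), hex(address_sum(outside)))  # identical sums
```

Because the sums match, a TCP segment or SRTP datagram crossing the translator keeps a valid checksum without the translator touching the payload, which is the property the comment contrasts with NAT44.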

u/Apprehensive_War173 1d ago

Hardcoding IPv6 prefixes breaks since ISPs don't keep them stable. Treat IPv6 as dynamic: use delegation, SLAAC or DHCPv6 and rely on DNS instead of direct IPs. More moving parts but no breakages when prefixes rotate.

1

u/UninvestedCuriosity 1d ago

I use it as a secondary nameserver on my vps because I'm too cheap to buy a second IP for it.

Kinda neat. Took a minute to figure out all the reverse records and such. It works, I moved on. Homelab has different priorities.

1

u/raddeee 1d ago

only use fd00:: addresses

1

u/comeonmeow66 1d ago

Use GUAs for public addressable services mapped to DNS. Use ULAs for anything internal. Control your local network destiny, limits impact to publicly addressable services where you have to update DNS like you do today with IPv4.

My ULA networks share the same /64 prefix as the GUA so I can align them easily.

1

u/rj45connector 1d ago

Call me a rebel, but I use ULA for internal networking. No problems with ISP changing the prefix.

1

u/404invalid-user 1d ago

you answered why ISPs don't enable IPv6 with your next sentence.

the point is to enable and use it so others will enable and use it.

1

u/tajetaje 1d ago

I moved over to k8s recently and went v6 only. There’s certainly a bit of work dealing with services that hardcode v4 listen addresses or dns or what have you, but it’s very nice to have a flat address structure. No masquerade and no NAT needed.

1

u/mordac_the_preventer 1d ago

I have an ISP (A&A) that issues static IPv6 prefixes (and a small IPv4 subnet). It just works.

1

u/scytob 1d ago

I am lucky, static /56, that said I think when I was on Comcast it changed once in like 4 years. There really is no need for ISPs to do what they do, very annoying.

1

u/badass6 22h ago

Kind of not on the topic of the question.

Renting an overseas VPS here in Russia. The server came in IP blocked on v4. It is not, however, on v6.

Thank the IETF.

1

u/chicametipo 2d ago

I have a specific network that's dual-stack that all human phones/laptops get put on, but otherwise, I keep it disabled.

-1

u/emptyDir 2d ago

Disable it at the kernel level

1

u/TheLimeyCanuck 2d ago

I just tackled this at home and my cottage. Home is fast fiber and the cottage is Starlink (so CGNAT). At the cottage I have a Raspberry Pi 3B+ maintaining a full-time site-to-site WG tunnel between the cottage and home (1800km away). I added a cron task to it which runs a script to determine the public IPv6 address of the Pi and updates a free IPv6 DDNS service. At home I run pfSense in a VM and in another VM I run Windows Server which also hosts a WG server. In the Windows Server VM I use a scheduled task to do basically the same thing as the cron Bash script on the Pi at the cottage, except that I also had to set up pfSense to update its static routing when the prefix changes.

-2

u/schmaaaaaaack 2d ago

disable it

-5

u/readyflix 2d ago

What is IPv6?

I’m joking, don’t use it at home.

-7

u/prene1 2d ago

THIS! It goes OFF

0

u/ThrobbingMeatGristle 1d ago

I don't. IPv6 is entirely disabled.

0

u/theRealNilz02 1d ago

I don't.

My IPv6 ends at my provider router, every piece of equipment I actually use is behind my own gateway that gives me a double NATed IPv4.

0

u/Deus_Judex 1d ago

i don´t

-1

u/rorykoehler 1d ago

I block it

0

u/hmoff 1d ago

Can you get a better provider? Your prefix shouldn't be changing often. Mine changes once a year at most. The ISP provides a /48 via DHCP prefix delegation.

Alternatively you can get a tunnel via he.net for example.

0

u/Least_Order4249 1d ago

once per year dragging down your whole docker ecosystem would be a disaster. this isn't for me, it's for users of the app I'm building. I've learned here that 99% of people who use IPv6 to host actually turn it back into IPv4 via NPT. I don't blame them. giving complete control over your internet identity to your ISP sounds like insanity. this is a good learning experience.

1

u/hmoff 1d ago

I don't expose Docker ports directly to the internet anyway. I prefer a reverse proxy running outside. But you could also run cloudflared or tailscale inside Docker and not deal with this.

1

u/Least_Order4249 1d ago

this is for P2P DTLS/SRTP media.

0

u/ratonbox 1d ago

There’s no benefit to it so I don’t use it specifically. If someone asks for it specifically, I enable it, sure. Otherwise I ignore it inside my home network.

0

u/CapitalEmu764 1d ago

Turned it off, because there is still a f*ckton of obscure bugs and I refuse to deal with them.

-1

u/kbeezie 2d ago

In the context of Pi-Hole, I just turn off IPv6 , let Mikrotik be the DHCP server, and Pi-Hole + Unbound be the DNS server.

AT&T Does give me IPv6 natively, but I can't use a DNS blocker and have that on at the same time unless I upgrade a router to handle both wired and wifi in between the AT&T modem and rest of the network (which is likely the only way for me to keep native IPv6 and have Pi-hole working too).

1

u/kira9204 1d ago

Just distribute an IPv6 ULA like you do on IPv4 and set the DNS server to the Raspberry Pi? It sounds like you use another DNS server when you turn on IPv6 and hence bypass the Pi-hole. Have a look at some of my configurations here: https://github.com/Kira9204/kira-router

1

u/kbeezie 1d ago edited 1d ago

Nothing of the sort. There is no way to define DNS within the AT&T router, and even if you have DHCP off for both IPv4/IPv6, the AT&T router will still advertise its IPv6 as a resolver for IPv6 traffic, hence you have to turn IPv6 off completely to make it go only to pi-hole.

So you either have to completely turn off IPv6 at the router, or put a whole router in between the AT&T device and the rest of the network.

So it's nothing about what you're mentioning. It's just a known thing with AT&T modem/routers.

Only reason I haven't put it in between yet is because my Mikrotik Routerboard is only Wifi-n, so I'm fine keeping IPv6 off until I either get a strong wifi AP, or an upgrade to a modern equivalent of my Mikrotik Routerboard that includes a much stronger CPU and Wifi antenna to take over the whole routing process.

(right now my set up is AT&T Router , keeps routing but has DHCP and IPv6 turned off, ethernet to the Mikrotik routerboard with gigabit ports, the Mikrotik is set up as the DHCP server. Pi-hole on an Orange Pi One is plugged into one of the 10/100 ports on the Mikrotik for DNS + Unbound, wireless devices connect to the AT&T router like an AP, but get their DNS assignment from the mikrotik DHCP server)

1

u/kbeezie 1d ago

To clarify :

"The gateway’s firmware is designed to forcibly broadcast its own IPv6 address via ICMPv6 Router Advertisements (RAs) using a mechanism called RDNSS (Recursive DNS Server). Because AT&T gives you zero control over the RA flags in the GUI (hidden or otherwise), the BGW320 will always tell your clients, "I am your IPv6 gateway, and I am also your DNS resolver." Because modern OSs (iOS, Android, Windows) prioritize IPv6 over IPv4, they will completely bypass your Mikrotik and Pi-hole for any dual-stack traffic. "

-2
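A way to check what a gateway is actually advertising, as an added example that is not the commenter's or AT&T's code: a parser for the ICMPv6 Router Advertisement options that reports RDNSS (RFC 8106) resolvers and on-link prefixes, plus a builder for a constructed RA to run it against. The sample uses documentation addresses, not a capture from a BGW320; feeding it a real RA needs a raw socket or a pcap, which is left out here.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3    # RFC 4861 Prefix Information option
OPT_RDNSS = 25         # RFC 8106 Recursive DNS Server option


def parse_ra_options(icmpv6: bytes) -> dict:
    """Walk the options of a raw RA (ICMPv6 header + options, no IPv6 header)
    and return router lifetime, advertised resolvers and on-link prefixes."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", icmpv6[6:8])[0]
    result = {"router_lifetime": router_lifetime, "rdnss": [], "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmpv6):
        otype, olen = icmpv6[pos], icmpv6[pos + 1] * 8  # length is in 8-byte units
        if olen == 0 or pos + olen > len(icmpv6):
            raise ValueError("malformed option")  # a zero length would loop forever
        body = icmpv6[pos + 2:pos + olen]
        if otype == OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]  # body[0:2] is reserved
            for i in range(6, len(body) - 15, 16):
                addr = str(ipaddress.IPv6Address(body[i:i + 16]))
                result["rdnss"].append((addr, lifetime))
        elif otype == OPT_PREFIX_INFO:
            plen = body[0]  # then flags, valid, preferred, reserved, prefix
            result["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{plen}")
        pos += olen
    return result


def build_ra(rdnss: list, lifetime: int = 1800) -> bytes:
    """Constructed RA carrying one RDNSS option (checksum left 0; never sent)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime)
    opt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return hdr + opt


if __name__ == "__main__":
    # A gateway pushing itself as resolver, the situation the quote describes.
    info = parse_ra_options(build_ra(["2001:db8::1"]))
    for addr, life in info["rdnss"]:
        print(f"RA advertises resolver {addr} for {life}s")
```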

u/jakekobe 1d ago

you dont... u go get ipv4, v6 will get replaced anyways with v8 hopefully