• evranch@lemmy.ca
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Your last paragraph is why we’ve heavily used the cloud here in rural Canada for years.

    Monitoring data is much easier to push into the cloud and read from there than it is hope for a reliable connection to a farm or rural plant.

    Self-hosted services need to be cloud hosted for uptime and because it was getting ever harder to get a routed IPv4 address from any provider. IPv6 is nice to finally have, but Starlink is the only provider at all supporting it and it’s only been a few months at that. Their prefixes change constantly too, come on guys get your shit together.

    Even basic remote access systems require a VPS or VPN cloud service as you always need both ends to punch out through layers of CGNAT. Now we can finally have one end available through IPv6 but the remote user is often trying to use a IPv4 CGNAT network to connect… So you still need something in the cloud to punch holes.

    Can’t believe it’s been over 20 years for the IPv6 rollout

    • I’m always baffled when I read about ISPs handing out unstable IPv6 prefixes. The lack of IPv6 is ridiculous enough, but the unstable prefix is just bullying customers at this point. Same with CGNAT to be honest, at least Liberty Global has decent IPv6 support in the places they employ CGNAT (though they totally could go full dual stack if they wanted, they just choose not to).

      I’ve used Hurricane Electric’s tunnelbroker for a quick and easy IPv6 solution for ages because some great mind over at OVH decided to hand out /128s for their IPv6 implementation.

      People invented Tor and Veilid for safe, censorship free communication, but as ISPs find new ways to be shittier than before, I’m getting more and more convinced that the security layer of those protocols is actually a façade to hide the fact that they do firewall hole punching.

      I’ve actually set up Tor as a NAT bypass algorithm at some point and it works surprisingly well, especially if you drop the privacy aspect and shorten the path length. The long service names are unfortunate and the initial connection takes a moment, but once everything is running, Tor will break through any kind of NAT you can imagine. With the additional public key auth it provides, it’s actually quite a secure way to expose your SSH port to only the right people…

      • evranch@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I’m still trying to figure out how to use Docker with an unstable prefix (hey Docker, this is as much your problem as the ISPs, honestly) as any of the v6NAT solutions I’ve found that enable the same full containerization available on IPv4 all require you feed the Docker daemon a fixed prefix on startup. Frustrating.

        I’m also tired of reading posts about v6NAT being irrelevant because half of the point of containers is the interchangeability, Docker containers aren’t supposed to be routable unless you intentionally put them on the host network! Docker just needs to work the same on v4 and v6!

        Tor as a hole puncher is an intriguing idea but I don’t think I would use it for something customer facing… Too many moving parts. We like to use Wireguard and a tiny cloud VPS instance when someone needs to punch into an unreliable network around here.

        • Depending on your network, an ULA can help keep the local prefix the same, and use something like NPTv6 to translate the IPv6 address quite well. Unlike IPv4 NAT, NPTv6 will just swap out the prefix with a local one (i.e. 2001:db8:1001:1234:abcd to fd00::1234:1001 and back) so you can still use a normal IPv6 firewall and to the outside it’s like your addresses are all completely stable.

          This will also make it easier to switch ISPs and adds the possibility to use a fail over from another ISP with another prefix without your entire network freaking out.

          It’s not exactly recommended (prefixes should just be static ffs) but it’s a possibility.