• I’m always baffled when I read about ISPs handing out unstable IPv6 prefixes. The lack of IPv6 is ridiculous enough, but the unstable prefix is just bullying customers at this point. Same with CGNAT to be honest, at least Liberty Global has decent IPv6 support in the places they employ CGNAT (though they totally could go full dual stack if they wanted, they just choose not to).

    I’ve used Hurricane Electric’s tunnelbroker for a quick and easy IPv6 solution for ages because some great mind over at OVH decided to hand out /128s for their IPv6 implementation.

    People invented Tor and Veilid for safe, censorship-free communication, but as ISPs find new ways to be shittier than before, I’m getting more and more convinced that the security layer of those protocols is actually a façade to hide the fact that they do firewall hole punching.

    I’ve actually set up Tor as a NAT bypass algorithm at some point and it works surprisingly well, especially if you drop the privacy aspect and shorten the path length. The long service names are unfortunate and the initial connection takes a moment, but once everything is running, Tor will break through any kind of NAT you can imagine. With the additional public key auth it provides, it’s actually quite a secure way to expose your SSH port to only the right people…

    • evranch@lemmy.ca
      1 year ago

      I’m still trying to figure out how to use Docker with an unstable prefix (hey Docker, this is as much your problem as the ISPs, honestly) as any of the v6NAT solutions I’ve found that enable the same full containerization available on IPv4 all require you feed the Docker daemon a fixed prefix on startup. Frustrating.

      I’m also tired of reading posts about v6NAT being irrelevant because half of the point of containers is the interchangeability; Docker containers aren’t supposed to be routable unless you intentionally put them on the host network! Docker just needs to work the same on v4 and v6!

      Tor as a hole puncher is an intriguing idea but I don’t think I would use it for something customer facing… Too many moving parts. We like to use WireGuard and a tiny cloud VPS instance when someone needs to punch into an unreliable network around here.

      • Depending on your network, a ULA can help keep the local prefix the same, and use something like NPTv6 to translate the IPv6 address quite well. Unlike IPv4 NAT, NPTv6 will just swap out the prefix with a local one (i.e. 2001:db8:1001:1234:abcd to fd00::1234:1001 and back) so you can still use a normal IPv6 firewall and to the outside it’s like your addresses are all completely stable.

        This will also make it easier to switch ISPs and adds the possibility to use a failover from another ISP with another prefix without your entire network freaking out.

        It’s not exactly recommended (prefixes should just be static ffs) but it’s a possibility.
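
The NPTv6 prefix swap mentioned in the comment above, worked through as an added example that is not part of the thread: a stateless /48-to-/48 mapping following RFC 6296, which also adjusts the subnet word so transport checksums stay valid. The ULA and first ISP prefix are the RFC's own example values; `ISP_B` and the function names are assumptions made for illustration.

```python
import ipaddress

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def add1c(a, b):
    """16-bit ones' complement addition: the carry is folded back in."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def sum1c(ws):
    """Ones' complement sum of a list of 16-bit words."""
    total = 0
    for w in ws:
        total = add1c(total, w)
    return total

def nptv6_translate(addr, from_prefix, to_prefix):
    """Map addr from one /48 to another, RFC 6296 style (stateless)."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this sketch only handles /48 prefixes")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    src_w = words(src.network_address)
    dst_w = words(dst.network_address)
    # Adjustment = sum(old prefix) - sum(new prefix), in ones' complement.
    adjust = add1c(sum1c(src_w[:3]), ~sum1c(dst_w[:3]) & 0xFFFF)
    out = dst_w[:3] + words(addr)[3:]
    # Fold the adjustment into the subnet word (bits 48-63) so the
    # address as a whole keeps the same ones' complement sum.
    out[3] = add1c(out[3], adjust)
    if out[3] == 0xFFFF:          # 0xFFFF and 0x0000 are both "zero"
        out[3] = 0x0000
    value = sum(w << (112 - 16 * i) for i, w in enumerate(out))
    return str(ipaddress.IPv6Address(value))

# RFC 6296 example prefixes; ISP_B is a constructed second uplink prefix.
ULA, ISP_A, ISP_B = "fd01:203:405::/48", "2001:db8:1::/48", "2001:db8:2::/48"
HOST = "fd01:203:405:1::1234"    # stable internal address

if __name__ == "__main__":
    for isp in (ISP_A, ISP_B):
        outside = nptv6_translate(HOST, ULA, isp)
        back = nptv6_translate(outside, isp, ULA)
        print(f"{HOST} -> {outside} -> {back}")
```

Because the mapping is one-to-one and keeps no state, firewall rules written against the ULA addresses stay valid when the ISP prefix changes; only the translator's external prefix needs updating.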