I realize this is a long post. My actual questions start at paragraph 5; the first 3 after this are included for historical/explanation information.
I've been learning a lot over the past two weeks while trying to get IPv6 working on my network hooked to the Internet via Comcast. I can access IPv6 sites, and I have figured out how to allow my Web server to be accessible to other Web users outside my network. I am currently starting to look into the possibility of using https://www.duiadns.net/ to set up DDNS for my web server via IPv6. I'd have to run their client on my Linux box since it doesn't appear the USG20W will use any DDNS hosts which currently provide IPv6 DDNS services. (I don't like that - would much rather have the router handle DDNS directly.)
I've learned that the most difficult thing to get over when trying to learn IPv6 is to toss out the complicated world of IPv4 as opposed to trying to compare the two. For instance, I get a 64 bit prefix delegation from Comcast. For my home that's all I need. Far more than I need. Though the prefix delegation CAN CHANGE, thus upsetting the ability for outsiders to be able to connect to my servers, that doesn't happen often. Even so, I don't need to try to "subnet" this "IPv6 prefix" but just need to accept it. Hopefully I'll find a DDNS solution which will address a possible situation where the IPv6 prefix changes, and hopefully eventually this solution will be built directly into my router.
So, using a 64 bit prefix delegation from Comcast means I need to come up with a 64 bit suffix (aka interface identifier) for each network device on my network I want to be accessible outside my LAN. The 64 bit prefix and 64 bit suffix together make up the 128 bit IPv6 address. Once I got the USG to properly pass on the prefix and learned how my specific devices come up with their own suffixes I felt I finally had a good basic understanding of the system. For example, by default the OS on my main computer, Windows 8.1, creates a suffix randomly. Once created (and if I understand what I'm learning correctly,) it is permanent for all intents and purposes. Once appended to the prefix obtained from Comcast via prefix delegation it makes up the main IPv6 address for the computer which is Internet routable and thus can be used to connect to a server on my LAN from the Internet.
So, every IPv6 capable networked device on my network will have an Internet routable IPv6 address. (I realize I haven't hit upon link local, Windows Temporary IPv6 addresses, gateway IPv6 addresses and the fact that IPv6 interfaces can utilize multiple IPv6 addresses at once but I understand the basics of these things. I think.) But there are a few problems I'm having with IPv6 behind the USG which bother me.
First, what if I don't want some basically random suffix for my IPv6 devices but don't want to statically assign IPv6 suffixes to all my network devices? I can't find a way for the USG to use DHCPv6 to assign suffixes. Is it supposed to be able to do this? It'd be nice to have addresses such as ::0.0.0.10 instead of ::feab:102e:2c2b:192e to be able to organize my network as I please. I've tried changing things in the settings screens but nothing changes on my Win8.1 (for instance) machine. I'm not sure if the USG isn't working, if I'm not implementing the settings properly or if I need to change something in my OS because it's automatically creating random suffixes instead of asking the router for a suffix as I'd like it to do. Maybe Win8.1 won't even allow me to do this? Either automatic or static - no other choice?
My second issue has to do with what seems to be a design implementation with the IPv6 system. If I have a web server and a NAS with a web interface and am using prefix delegation, both will be assigned a globally routable IPv6 address. In order to allow Web users to connect to my Web server I just open http service in the USG's firewall. But since I can't specify a specific IPv6 address in the firewall rule wouldn't opening up port 80 allow Internet users to connect to both my Web Server and the Web interface of my NAS? Or can I control what network addresses on my LAN Web surfers have access to by creating an IPv6 network address object...
I've found testing very difficult because nobody I know outside my network is using IPv6 right now, including my employer.
EDIT:
I was able to create a firewall rule which allowed HTTP traffic to the IPv6 address of my Web server through. HOWEVER, I was forced to specify both the prefix and suffix of the IPv6 address. So, if my ISP changed my prefix delegation I see no way the USG's firewall would let traffic through to the newly assigned IPv6 address of my Web server without me manually going in and adjusting the firewall rule. :(
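The prefix-plus-suffix arithmetic behind the problem in the EDIT above, as an added example that is not part of the original post and is not a USG feature: it rebuilds host-pinned rule destinations when the delegated /64 changes while keeping each host's 64-bit suffix. The prefixes are constructed from the 2001:db8::/32 documentation range, the suffixes are the two quoted in the post, and the rule dictionary layout and function names are hypothetical.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier (suffix)

def combine(prefix, iid):
    """Join a delegated /64 prefix and a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64 delegation, got /{net.prefixlen}")
    iid_int = int(ipaddress.IPv6Address(iid))
    if iid_int >> 64:
        raise ValueError("interface identifier must fit in the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid_int)

def refresh_rules(rules, old_prefix, new_prefix):
    """Re-anchor rules pinned to hosts in old_prefix onto new_prefix.

    Returns (updated_rules, names_of_changed_rules). Rules whose destination
    lies outside old_prefix are returned untouched.
    """
    old_net = ipaddress.IPv6Network(old_prefix, strict=True)
    updated, changed = [], []
    for rule in rules:
        dest = ipaddress.IPv6Address(rule["dest"])
        if dest in old_net:
            iid = ipaddress.IPv6Address(int(dest) & IID_MASK)
            new_dest = combine(new_prefix, str(iid))
            if new_dest != dest:
                rule = {**rule, "dest": str(new_dest)}
                changed.append(rule["name"])
        updated.append(rule)
    return updated, changed

# Constructed sample data (documentation prefixes, hypothetical rule layout).
OLD_PREFIX = "2001:db8:aaaa:1::/64"
NEW_PREFIX = "2001:db8:bbbb:7::/64"
RULES = [
    # Only the web server is exposed; the NAS at ::0.0.0.10 has no rule.
    {"name": "web-http", "port": 80,
     "dest": str(combine(OLD_PREFIX, "::feab:102e:2c2b:192e"))},
    {"name": "other-site", "port": 443, "dest": "2001:db8:ffff::1"},
]

if __name__ == "__main__":
    new_rules, changed = refresh_rules(RULES, OLD_PREFIX, NEW_PREFIX)
    for r in new_rules:
        print(r["name"], r["port"], r["dest"], "(rewritten)" if r["name"] in changed else "")
```

Because each rule names one full 128-bit destination, port 80 stays closed for every other host in the /64, including the NAS.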