My inner nerd has never felt right using the ISP-supplied consumer router. It's for those mere mortals who just play Farmville right? So I've splashed out on some over-the-top UniFi kit.
There are actually a couple of good reasons (honest) for setting up an enterprise-style network in your flat. I use an increasing number of IoT devices, which I'm always paranoid are about to get hacked. I'd like to put them on an isolated VLAN - they need access to the internet, and sometimes each other, but not my NAS.
I'm also running a small Kubernetes cluster that runs things like webcams, personal web apps and critically internet-connected fairy lights. I'd like to access those web apps remotely - while I could put them in the cloud, they're written as quick hacks to solve small problems and they'd need effort to harden. Hosting a VPN for my phone from my home seems an easier solution.
Fortunately, at home I have a high-speed, synchronous, unlimited fibre connection with static IPv6 - I want to make the most of it! I'm on a Hyperoptic connection, so your mileage may vary.
Firstly, I bought a UniFi USG gateway/router, switch and wireless access point. Out of the box, these should connect to your ISP using DHCP to give you an IPv4 address (most likely, NAT). I'm using a locally running UniFi Controller until I can run it in my K8s cluster or splash out again on a Cloud Key.
To enable IPv6, you need to configure the WAN network to get IPv6 addresses from your ISP and configure your LAN network to use the addresses within this allocation. Finally you need to configure an IPv6 compatible DNS server (on either your router or devices).
Loosely and inaccurately - IPv6's insanely larger address space means that compatible devices don't need to share a single outbound address with NAT. You also don't share a public v6 address with other ISP customers. This is achieved by the ISP either allocating IPs on request with DHCP (as your local DHCP server works) or by giving you the static configuration details for a block of IPs.
My experience was with an ISP that supports DHCPv6 and Stateless Autoconfiguration (SLAAC), but either way, you need to request one of the following from your ISP:
- DHCP: your Prefix Delegation Size - an IPv6 CIDR mask that indicates how many IPs you will be allocated for your devices (or just try one of the three below).
- Static: a static IPv6 address for your WAN, a Prefix Length (similar to Prefix Delegation) and a Router Address (presumably, their router).
Your local IPv6 addresses will be composed of 128 bits formatted in 8 groups. These are grouped into three fields - the routing prefix (usually the first three groups), subnet id (fourth group) and an interface identifier (the rest). Depending on your prefix length, your ISP is allocating you a routing prefix and a number of subnets.
The most common prefix allocations tend to be a /64. A prefix of /56 gives you 256 /64 subnets, each of which can hold 18 quintillion IP addresses. I don't pretend to fully understand the new CIDR mapping, but essentially you stop thinking about allocating addresses and start thinking about allocating entire subnets to devices. Crazy.
In your UniFi Controller, under Settings > Networks select your WAN settings, and configure the IPv6 section using the information from your ISP.
The other side of the puzzle is configuring each LAN network to request IP addresses from your WAN allocation. Under Settings > Networks, select the LAN you'd like to enable IPv6 for and configure as below:
- Interface type: Static or Prefix, matching what your ISP supports: Static for a static allocation, Prefix for DHCP prefix delegation,
- Delegation interface: the WAN interface you configured previously,
- Prefix ID: leave blank, unless you are configuring multiple LANs. If you are configuring multiple LANs and have a /56, use the /64 you would like to allocate: 01, up to the last of your 256 /64s.
- Enable Router Advertisement (RA).
- Configure your DNS as below.
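To see how the Prefix ID maps onto the ISP's delegation, here is an added worked example (mine, not part of the original post or of UniFi's software) that takes a /56 delegation and a set of LANs with Prefix IDs and works out the /64 each LAN will advertise, refusing a plan where two LANs would collide. The delegation 2001:db8:1234:5600::/56 and the LAN names are constructed (2001:db8::/32 is the IPv6 documentation range); substitute your own.

```python
import ipaddress

# Constructed example delegation from the ISP. 2001:db8::/32 is the IPv6
# documentation range, so this is not a real allocation; use your own /56.
DELEGATED_PREFIX = "2001:db8:1234:5600::/56"

# Constructed LAN plan: each LAN gets a UniFi Prefix ID (a hex value; "01" in the
# controller corresponds to 0x01 here). A blank Prefix ID is the same as 0x00.
LANS = {"Default": 0x00, "IoT": 0x01, "Kubernetes": 0x02}


def num_lan_subnets(delegation):
    """How many /64 LAN subnets a delegation of the given size can be carved into."""
    net = ipaddress.IPv6Network(str(delegation))
    if net.prefixlen > 64:
        raise ValueError(f"/{net.prefixlen} is longer than /64; it cannot hold a whole LAN subnet")
    return 2 ** (64 - net.prefixlen)


def lan_subnet(delegation, prefix_id):
    """Return the /64 that a LAN with the given Prefix ID takes out of the delegation.

    The Prefix ID fills the subnet-id bits between the routing prefix and the
    64-bit interface identifier, so it is shifted up past the interface id.
    """
    net = ipaddress.IPv6Network(str(delegation))
    available = num_lan_subnets(net)
    if not 0 <= prefix_id < available:
        raise ValueError(
            f"prefix ID {prefix_id:#04x} out of range: a /{net.prefixlen} only has {available} /64s")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(base)}/64")


def plan_lans(delegation, lans):
    """Map each LAN name to its /64, refusing a plan where two LANs share a Prefix ID."""
    if len(set(lans.values())) != len(lans):
        raise ValueError("two LANs have the same Prefix ID and would collide")
    return {name: lan_subnet(delegation, pid) for name, pid in lans.items()}


if __name__ == "__main__":
    print(f"{DELEGATED_PREFIX} holds {num_lan_subnets(DELEGATED_PREFIX)} /64 subnets")
    for name, subnet in plan_lans(DELEGATED_PREFIX, LANS).items():
        print(f"  {name:<11} prefix ID {LANS[name]:02x} -> {subnet}  ({subnet.num_addresses} addresses)")
```

With the /56 above, the IoT LAN (Prefix ID 01) lands on 2001:db8:1234:5601::/64, which is the value you should see as the prefix in the controller's LAN view and in the addresses your IoT devices pick up. A /64 delegation only has room for Prefix ID 00, which is why the field stays blank in that case.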
Finally, you'll need some IPv6-ready DNS providers to use, else you'll still be routing to IPv4 addresses. I went with Cloudflare's 188.8.131.52, but Google's 184.108.40.206, Cisco OpenDNS or your VPN provider's are also options. Set these in the LAN config (and you should probably use the IPv4 variants in the WAN config). If your devices don't use the router DNS servers, configure those as well.
Three utilities to use to verify your IPv6 setup:
- ping6 <hostname> is the equivalent of ping, using IPv6 resolution. Check both that ping6 gets replies and that it can resolve a domain name.
- https://test-ipv6.com/ is a connectivity and readiness test suite to verify you've got everything set up correctly.
- https://ipv6-test.com/ will show you your IPv6 address and run several compatibility tests. Try it on multiple devices and spot your unique addresses!
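As an added example of the verification step (mine, not from the original post), the following script parses the output of "ip -6 addr show" from a Linux device, classifies each address as loopback, link-local, unique-local or global unicast, and checks that the global addresses all sit inside the /64 you planned for that VLAN. This is the check you want for the isolated IoT network: a device that picked up a global address from another LAN's /64 is on the wrong VLAN. The embedded sample output is constructed (documentation-range addresses); on a real device, capture the command's output and pass it to audit() instead. One caveat the script handles: "ip" reports unique-local fd00::/8 addresses as "scope global" too, so it classifies by prefix rather than by the scope column.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output from a Linux host that should be on
# the IoT VLAN. Addresses come from the 2001:db8::/32 documentation range.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5601:1a2b:3c4d:5e6f:7a8b/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1234:5601:9f8e:7d6c:5b4a:3928/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
INET6_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)")

# Classify by well-known prefix rather than by Python's is_global/is_private, which
# treat the 2001:db8::/32 documentation range (and the fc00::/7 ULA range) as private.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def parse_ip_addr(output):
    """Yield (interface, IPv6Interface) for every inet6 line in `ip -6 addr show` output."""
    iface = None
    for line in output.splitlines():
        head = IFACE_RE.match(line)
        if head:
            iface = head.group(1)
            continue
        addr = INET6_RE.match(line)
        if addr and iface:
            yield iface, ipaddress.IPv6Interface(f"{addr.group(1)}/{addr.group(2)}")


def classify(address):
    """Name the kind of IPv6 address; `ip` reports ULA addresses as 'scope global' too."""
    address = ipaddress.IPv6Address(str(address))
    if address.is_loopback:
        return "loopback"
    if address in LINK_LOCAL:
        return "link-local"
    if address in UNIQUE_LOCAL:
        return "unique-local"
    if address in GLOBAL_UNICAST:
        return "global"
    return "other"


def audit(output, expected_lan):
    """Check that a device's public addresses all sit inside the /64 planned for its VLAN."""
    lan = ipaddress.IPv6Network(str(expected_lan))
    report = {"global_in_lan": [], "global_outside_lan": [], "unique_local": [], "link_local": []}
    for iface, itf in parse_ip_addr(output):
        kind = classify(itf.ip)
        entry = f"{iface} {itf.with_prefixlen}"
        if kind == "global":
            bucket = "global_in_lan" if itf.ip in lan else "global_outside_lan"
            report[bucket].append(entry)
        elif kind == "unique-local":
            report["unique_local"].append(entry)
        elif kind == "link-local":
            report["link_local"].append(entry)
    # Pass only if the device has a public address and none of them come from another VLAN.
    report["ok"] = bool(report["global_in_lan"]) and not report["global_outside_lan"]
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_IP_ADDR, "2001:db8:1234:5601::/64")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against the sample, auditing for 2001:db8:1234:5601::/64 passes with two global addresses (the stable one and a privacy/temporary one, which is why you see more than one per device on ipv6-test.com); auditing the same output for a neighbouring /64 fails, which is the signal that the device is not on the VLAN you intended.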
How about encryption?
Once I've got the VPN set up, DNS-over-TLS/HTTPS is my next project. While the USG itself can't handle this out of the box, you can use a separate device as your local DNS server. I'll be looking at using a Pi-Hole to combine private DNS lookups and ad-blocking everywhere.