So, I am working with IPv6 via Comcast residential. Like most residential services, the addresses are handed out via DHCP and subject to change at any time. In practice, I have seen them stick for long periods, but any detailed firewall rules or other features that need a prefix entered won't work long term. I do not want to deal with adjusting all that manually if Comcast decides the prefix I'm using needs to change. On the up side, they do give out /60 prefixes, which is great for people like us who like to experiment and have VLANs etc.
Just to be clear, changing ISPs is not an option. There are no ISPs to change to. Even getting Comcast required working with my neighbors, who are family, allowing me to run a wire over there. It's my own account, totally legit, but Comcast refuses to provide service, as do most ISPs. Just how it is. I would consider paying extra for a static prefix, but they only do that for business accounts at about 4x the cost.
I'm currently using pfSense, which works reasonably well for the basics of handing out addresses from the prefix to the LAN. I can also add other prefixes to VLANs. This is alright, and I can even do most firewall rules this way by referencing "LAN Network" etc.
Anything beyond that though, it falls over. I can't even add ULA space, which would be nice for local servers in DNS, as doing so will break routing for the global addresses. There is a bug filed, but the response so far is "change ISPs". Yes, in an ideal world we would all get static /48s from our ISP as it should be. The real world doesn't work that way. And no, HE.net won't do. It adds latency and effectively blocks Netflix and others. Yes, there are ways around that, but it's a ridiculous thing to do when I have IP space. I also doubt HE would appreciate me trying to stuff a gigabit of traffic through them.
I also can't create IPv6 VPNs, as those require statically entered prefixes. I could use ULA/NPT, but since adding a ULA breaks everything else, that's not an option either. And NAT sucks, but I'd be willing to live with it for this use. I'd be the only one using it and it would only be for accessing internal stuff on occasion anyway. It's more to get practice with IPv6 stuff, so I might set it up on a separate server instance and accept that it might break.
I think I could get an internal server accessible with dynamic DNS and referencing that DNS name in the firewall rules. A bit clunky, but ok I guess.
It would be interesting to try delegating prefixes to another internal router as well, just to work with it. But that's not an option with a dynamic prefix either.
I'm just wondering if anyone has experience with other setups that work better with this sort of thing. These sorts of connections are the norm all over the world, judging from posts by people with similar issues, but there doesn't seem to be much in the way of support for them.
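One way to keep prefix-bearing rules alive across an ISP renumbering is to store rules and per-VLAN subnets relative to the delegated prefix and re-derive them whenever the delegation changes. The script below is an added example for this thread, not pfSense code or anything from the original post: it carves a /60 into per-VLAN /64s, and rewrites any address or subnet that sat inside the old delegation onto the new one while keeping the subnet index and interface ID, so "the server is ::10 in the third /64" survives the change. The prefixes, VLAN layout and rule records are constructed (RFC 3849 documentation space) and the rule format is an assumption, stand-ins for whatever the firewall actually stores; ULA and other non-delegated addresses are deliberately left untouched.

```python
"""Re-derive per-VLAN /64s and rewrite prefix-bearing firewall rules after the
ISP hands out a new delegated prefix.  Added example for this thread, not
pfSense code; all prefixes are RFC 3849 documentation space (constructed)."""
import ipaddress
from typing import Dict, List

# Constructed: the /60 the router held before and after a DHCPv6 renumbering.
OLD_DELEGATION = "2001:db8:abcd:ef00::/60"
NEW_DELEGATION = "2001:db8:ffff:1230::/60"

# Assumed VLAN layout: which /64 (index 0-15 inside a /60) each segment gets.
VLAN_SUBNET_INDEX = {"lan": 0, "iot": 1, "servers": 2}


def carve_delegation(delegation: str, vlan_index: Dict[str, int]) -> Dict[str, str]:
    """Split the delegated prefix into /64s and hand one to each VLAN by index."""
    net = ipaddress.IPv6Network(delegation)
    subnets = list(net.subnets(new_prefix=64))
    if max(vlan_index.values()) >= len(subnets):
        raise ValueError(f"{delegation} only yields {len(subnets)} /64s")
    return {name: str(subnets[i]) for name, i in vlan_index.items()}


def rebase_cidr(cidr: str, old_delegation: str, new_delegation: str) -> str:
    """Return cidr with the old delegated prefix swapped for the new one.

    Everything below the delegation length (the subnet nibble plus the 64-bit
    interface ID) is kept, so a host keeps its '::10' and a VLAN keeps its
    subnet index.  Anything outside the old delegation (ULA, link-local,
    other sites) is returned unchanged.
    """
    old = ipaddress.IPv6Network(old_delegation)
    new = ipaddress.IPv6Network(new_delegation)
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegation length changed; remap VLANs by hand")
    net = ipaddress.IPv6Network(cidr, strict=False)
    if not net.subnet_of(old):
        return cidr
    host_bits = 128 - old.prefixlen
    suffix = int(net.network_address) & ((1 << host_bits) - 1)
    rebased = ipaddress.IPv6Address(int(new.network_address) | suffix)
    return f"{rebased}/{net.prefixlen}"


def rebase_rules(rules: List[Dict[str, str]], old_delegation: str,
                 new_delegation: str) -> List[Dict[str, str]]:
    """Rewrite the src/dst fields of simple rule records; 'any' stays 'any'."""
    out = []
    for rule in rules:
        updated = dict(rule)
        for field in ("src", "dst"):
            if field in rule and rule[field] != "any":
                updated[field] = rebase_cidr(rule[field], old_delegation, new_delegation)
        out.append(updated)
    return out


# Constructed rule set: one GUA host rule, one ULA-sourced rule that must not be touched.
SAMPLE_RULES = [
    {"action": "pass", "src": "any", "dst": "2001:db8:abcd:ef02::10/128", "port": "443"},
    {"action": "pass", "src": "fd00:1234::/64", "dst": "2001:db8:abcd:ef02::/64", "port": "22"},
]

if __name__ == "__main__":
    for name, subnet in carve_delegation(NEW_DELEGATION, VLAN_SUBNET_INDEX).items():
        print(f"{name:8} {subnet}")
    for rule in rebase_rules(SAMPLE_RULES, OLD_DELEGATION, NEW_DELEGATION):
        print(rule)
```

The rebase only works because the new delegation has the same length as the old one; if the ISP ever moves you from a /60 to a /56, the VLAN-to-index mapping still holds but any rule written against a specific /64 should be regenerated from the index table rather than rebased, which is why the length check raises instead of guessing. Feeding the current delegated prefix into a script like this from a DHCPv6 client hook, and pushing the regenerated rule set to the firewall, is the part that is platform-specific and not shown here.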