#IPv6 und #Netcup

Mir fliegt ziemlich exakt alle 20 Minuten das v6 weg bei Netcup, ein flush auf die Input-Chain plus neuladen des Regelsatzes hilft dann (für 20 Minuten). Ich habe RA in Verdacht.

Wenn ich sämtliches v6 in der Input-Chain gestatte, gibt es keine Ausfälle.
Wenn ich nur diese gestatte:

• destination unreachable (1)
• echo request (128)
• neighbor advertisement (136)
• neighbor solicitation (135)
• packet too big (2)
• parameter problem (4)
• redirect (137)
• router advertisement (134)
• router solicitation (133)

dann knallt es wieder nach 20 Minuten. Was könnte mir fe len? Oder ist es unbedenklich, einfach alles anzunehmen?

Just installed #crowdsec on my new VPS (Virtual Private Server) and happily noticed that all my 3 servers prefer #IPv6 to talk to crowdsec :)

How to install crowdsec on a RHEL10 (Red Hat Enterprise Linux) machine? Glad you ask! https://codeberg.org/jwildeboer/gists/src/branch/main/2025/20250830CrowdSec.md

Does it work? Well, yes, in my opinion. 55k IP addresses blocked right now. On a VPS with 2GB RAM, no real performance impact.

#SelfHost #Firewall

Alt...

List of my 3 public servers that use crowdsec to feed their respective firewalls. All 3 use IPv6 to communicate with the central API.

Alt...

Local API Decisions Reason │ Origin │ Action │ Count │ ssh:bruteforce │ CAPI │ ban │ 1824 │ crowdsecurity/http-bad-user-agent │ crowdsec │ ban │ 1 │ crowdsecurity/postfix-non-smtp-command │ crowdsec │ ban │ 1 │ free_proxies │ lists │ ban │ 25189 │ generic:scan │ CAPI │ ban │ 1117 │ http:crawl │ CAPI │ ban │ 22 │ pop3/imap:bruteforce │ CAPI │ ban │ 775 │ smtp:spam │ CAPI │ ban │ 49 │ SMTP bruteforce │ cscli │ ban │ 80 │ Spam │ cscli │ ban │ 9 │ firehol_botscout_7d │ lists │ ban │ 3228 │ http:exploit │ CAPI │ ban │ 10712 │ http:scan │ CAPI │ ban │ 3075 │ SASL bruteforce │ cscli │ ban │ 973 │ firehol_greensnow │ lists │ ban │ 7953 │

New blog post: "IPv6 at home — my simple solution" A very minimal, pragmatic solution so I can start working with IPv6 in my network at home — even without an internet connection. Experts might get a bit irritated and I hope you can channel your wisdom in friendly replies to this post so we can all learn and become better at IPv6, help a n00b!

Replies to this post will show up as comment under the blog post.

https://jan.wildeboer.net/2025/08/SimpleIPv6AtHome/

#SelfHost #IPv6 #HomeNetwork

RDS Data API now supports IPv6
Posted on: Aug 29, 2025

https://aws.amazon.com/about-aws/whats-new/2025/08/rds-data-api-ipv6/

#aws #ipv6

@jwildeboer I wish I could get #IPv6 but my #ISP is so incompetentband unwilling to provide details (despite being obligated to do so by law), but given they have absurdly high latency for uplink and downlink (despite being DOCSIS) I am convinced they have some serious peering issues...

Habt Ihr auch immer im Urlaub pläne und schafft das dann doch nicht? Wollte eigentlich mal #ipv6 bei mir konfigurieren... #homelab

Creative use of the Match rule in ssh, part 2. At home my machines now all have IPv6 addresses in my private ULA (Unique Local Address) range.

So I can check if I am at home with a simple `ping6` and if yes, connect directly via IPv6. If not, I go through port forwarding on my bastion host with IPv4.

No matter where I am, `ssh homepi` should JustWork™ :)

(I obviously changed some bits here and there to avoid you trying to hack into my network :)

#SelfHost #SSH #IPv6

Alt...

Match originalhost homepi exec "timeout 0.1 ping6 -c1 fdda:a4da:69a5:0:4b9e:d2a6:d62:a3" HostName fdda:a4da:69a5:0:4b9e:d2a6:d62:a3 Port 22 Host homepi HostName hga12.dynd.ns User root Port 2341

Yes, NAT66 exists. It's also an abomination. It should not be used, especially to work around a provider's faulty implementation. Make noise! Make them fix it! Otherwise there won't be any impetus for those who come along behind to do it right either.

#ipv6

Watching the premier of the Python documentary ( https://www.youtube.com/watch?v=GfH4QL4VqJ0 ). Reminded how the Python 2 -> 3 transition has a lot of parallels to the IPv4 -> #IPv6 transition.

⚠️ News/Changes:

BoxyBSD will bring in a feature for more advanced users for our free boxes. Instead of only selecting a set of pre-defined BSD based images, you'll soon also be able to create your install simply from scratch with full remote access to your box. This lets you perform custom installations of #FreeBSD, #NetBSD, #OpenBSD, #DragonflyBSD, #MidnightBSD but also of some other niche systems like #illumos

Unfortunately, this might still take some time and fully relies on the spare time of @gyptazy.

#freeVPS #VPS #BSD #Box #BoxyBSD #gyptazy #opensource #education #community #foss #runbsd #hosting #freehosting #learning #ipv6

I tried disabling IPv4 on my laptop just to see what would happen. Kind of fun to see which bits of the Internet still work on pure #IPv6 and which don't.

In terms of my usual activity: Fedi, #Signal, #WhatsApp, #Codeberg and #Facebook are fine on an IPv6-only connection.

I suspect #Discord wouldn't work, except I have a workaround for the #OnlineSafetyAct so I'm not connecting directly to it, but via an IPv6-enabled proxy.

#Dreamwidth, #Reddit and #BBCNews don't work on IPv6. The last of these does surprise me.

AWS App Runner expands support for IPv6 compatibility
Posted on: Aug 27, 2025

https://aws.amazon.com/about-aws/whats-new/2025/08/aws-app-runner-expands-support-ipv6/

#IPv6 #aws

@jan Which vps provider, so we can steer clear of them? #ipv6

I'm going to do the horrible thing and use #NAT66 since I only get one ipv6 /64 subnet from my VPS provider, and I need two... #ipv6

Kind reminder that there is this neat tool: Yggdrasil Network.

https://yggdrasil-network.github.io/

#IPv6

#ItsAlwaysDNS Finally learning IPv6, a thing I tried to avoid for the longest time. All my servers are reachable via IPv6, I know how to do that, but now I am learning to set up IPv6 in my home(lab) network and wrapping my head around concepts like ULAs (Unique Local Addresses, that don't route to/from the internet), prefixes I get from my ISP and how all of that translates to DNS entries on my BIND9. Mistakes will be made.

1/4

#SelfHost #Homelab #IPv6 #DNS

For once it seems that having a VDSL connection with Deutsche Telekom is worth it, as their IPv6 setup delegates a /56 to my home. This means I get 255 /64 to play with :)

2/4

#SelfHost #Homelab #IPv6 #DNS

Enough for today, which I will remember as my personal IPv6 day :) Time for a cuppa and a Madeleine. Uffa.

4/4

#SelfHost #Homelab #Ipv6 #DNS

OK. Step 1 done. My homelab machines get ULAs and I have added AAAA records to my DNS. So this already works :) Ping and ssh via IPv6 with hostname resolution via my own DNS server. Now to add reverse lookup.

Unfinished brain dump at https://codeberg.org/jwildeboer/gists/src/branch/main/2025/20250827BasicIPv6Unfinished.md

Corrections and enhancements welcome! I'm a noob wrt IPv6 ...

3/4

#SelfHost #Homelab #IPv6 #DNS

Alt...

cat /var/named/forward.homelab.jhw $TTL 3600 @ IN SOA inf01.homelab.jhw. root.homelab.jhw. ( 2025082705 ;Serial 3600 ;Refresh 1800 ;Retry 604800 ;Expire 86400 ;Minimum TTL ) @ IN NS inf01.homelab.jhw. @ IN A 192.168.1.10 inf01 IN A 192.168.1.10 inf01 IN AAAA fdda:a4da:69a5:0:2783:8c26:b2f1:a6f7 hl01 IN A 192.168.1.11 hl01 IN AAAA fdda:a4da:69a5:0:6e4b:90ff:fe75:3a73 hl02 IN A 192.168.1.12 hl02 IN AAAA fdda:a4da:69a5:0:6e4b:90ff:fe21:c3f5 hl03 IN A 192.168.1.13 hl03 IN AAAA fdda:a4da:69a5:0:6e4b:90ff:fe21:ca06 ca IN CNAME inf01.homelab.jhw.

Alt...

% ping6 -c 2 hl01.homelab.jhw PING6(56=40+8+8 bytes) fdda:a4da:69a5:0:1c38:385f:940:d721 --> fdda:a4da:69a5:0:6e4b:90ff:fe75:3a73 16 bytes from fdda:a4da:69a5:0:6e4b:90ff:fe75:3a73, icmp_seq=0 hlim=255 time=16.264 ms 16 bytes from fdda:a4da:69a5:0:6e4b:90ff:fe75:3a73, icmp_seq=1 hlim=255 time=9.203 ms --- hl01.homelab.jhw ping6 statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 9.203/12.733/16.264/3.531 ms % ssh -6 root@hl01.homelab.jhw Web console: https://hl01.homelab.jhw:9090/ or https://192.168.1.11:9090/ Last login: Wed Aug 27 21:20:42 2025 from 217.237.90.172 root@hl01:~# who root pts/0 2025-08-27 21:29 (fdda:a4da:69a5:0:1c38:385f:940:d721) root@hl01:~#

AWS Client VPN now supports connectivity to IPv6 resources
Posted on: Aug 26, 2025
https://aws.amazon.com/about-aws/whats-new/2025/08/aws-client-vpn-connectivity-ipv6-resources/

#aws #ipv6

@jwildeboer @luisfcorreia

Dynamic Prefix is a major hassle for connectivity and especially for the homelabers.
There are numerous RFC to work around the broken ISPs like the one you mentioned.
Currently there is an active discussion in the IETF WG how to solve this problem.
What I learned in this regard, only use ULA as a last resort, as this is not an RFC1918 equivalent.

Please tag your posts with #IPv6.

@jwildeboer
Most of it is quite easy.

The shitty part of #IPv6 is basically:
* dynamic readdressing caused by dynamic prefix rotation
* upstream source filtering esp. when dual homed and you don't have a flat internal network
* cellular source filtering sometimes to a single /128 and a specific TTL
* Docker and dynamically getting addresses, esp. on notebooks when you don't fully control upstream network (neigh proxy, prefix delegation, ...)
* multi homing with multiple ISPs (without peering)

I wonder how many of you does really have to, or, need to, configure NAT64 routing. Any special scenario you guys have stumbled upon that wanna share with the rest of the class ?

https://bsdrp.net/documentation/examples/nat64

#ipv6 #ipv6 #bsd #freebsd

Alt...

#ipv6 #ipv6 #bsd #freebsd

@snep If only there was a way for everyone to get all ports! Gosh, too bad we as humanity haven't come up with a solution to this. (#IPv6 👀)

I am now a RIPE NCC Certified IPv6 Security Expert.
I am happy that I passed the exam despite technical difficulties with the exam platform.

@ripencc #IPv6

Alt...

You can see a kind of digital pin badge. It is silver around the edge and purple on the inside. It bears the text "RIPE NCC Certified Professionals IPv6 Security Expert".

Alt...

A certificate with a purple pattern. The text "RIPE NCC Certified Professionals" is at the top left. "Marek Küthe has completed the RIPE NCC Certified Professionals requirements and is recognised as an IPv6 Security Expert" is in the middle. "Issued on: 25 AUG 2025" "Expires on: 25 AUG 2028" is at the bottom left. "Issued by RIPE NCC" "Verify: https://www.credly.com/go/5hEun2tP" is at the bottom right.

ooh this'd be a fun thing to implement as a public DNS server dynamically returning TXT for reverse lookups and AAAA for forwards

https://github.com/lstn/ip6words

#IPv6 #DNS

https://blog.apnic.net/2025/08/25/the-ipv6-divide/

#ipv6 #blog #apnic
#notbyGeoffHuston

Was ich gar nicht wußte: Bei #Vodafone bekommt man mittlerweile einfach so ein /64, ohne das irgendwo beantragen zu müssen.
Und es funktioniert noch dazu, kein Gehampel mit #tunnelbroker mehr, der #Mikrotik macht das sauber inklusive Sonderlocken wie "ignoriere die Nameserver, die Vodafone Dir aufs Auge drücken möchte, nimm den #pihole!"

#ipv6 wie es sein soll. Na gut, größer als /64 bekomme ich als Privatkunde wohl nicht, d.h, #Vlans im Heimnetz gehen dann eben nicht, jedenfalls nicht mit v6.
Irgendwas ist ja immer, für jetzt bin ich zufrieden.

In general, I like netcup. The FediMeteo VPS rocks and they're quite reliable but....their IPv6 implementation is such a mess! Hetzner allows you to route, so each vnet jail can have its own IPv6 address. On netcup, I have never been able to achieve such a result.

#ipv6 #Networking

Does anyone have experience with #proxmox #sdn and #IPv6 ?

It works fine as long as there's only an IPV4 range configured, but when I add an IPv6 ULA it breaks. Starting a CT leads to

```
DEBUG utils - ../src/lxc/utils.c:run_buffer:560 - Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 103 lxc pre-start produced output: org.freedesktop.DBus.Error.ServiceUnknown: The name uk.org.thekelleys.dnsmasq.local was not provided by any .service files
```

The forums have no clue.

Anyone using OVHCloud with IPv6?
I have a server at Netcup.de and it seems, there's a nasty routing issue from OVH to the German Nuremberg Datacenter of NetCup.

Could someone try reaching out to 2a0a:4cc0:c1:2f90::2 from an OVH network? (Ping, SSH, Traceroute ..)

#networking #ovh #netcup #fedihelp #routing #ipv6 @OVHcloud @netcup

Explore the latest in AWS VPC & IP addressing for 2025. Learn best practices to design secure, scalable cloud networks. A must-read for DevOps & cloud engineers.
Read more: https://medium.com/@ismailkovvuru/aws-vpc-ip-address-secrets-what-every-engineer-must-know-in-2025-8166818d3589

#AWS #VPC #CloudNetworking #DevOps #IPAM #IPv6 #AWSBestPractices #tech #security

Stay ahead in 2025 with AWS VPC & IP addressing best practices. Learn how to design secure, scalable cloud networks. Perfect for DevOps & cloud engineers.
Read more: https://medium.com/@ismailkovvuru/aws-vpc-ip-address-secrets-what-every-engineer-must-know-in-2025-8166818d3589

#AWS #VPC #CloudNetworking #DevOps #IPAM #IPv6 #AWSBestPractices #tech #security

@goetz nothing... Not even after nagging for 8 years. Not willing to add #ipv6 knowledge leads to these horrible routing layouts

@nico
They don't even have an #IPv6 prefix allocated to their AS?
What a shame!

Real life #legacy Internet routing - this is so broken. Snapshot taken from a provider who did not deploy #IPv6 at all. I personally find it very shameful.

Kann einer dem Dobrindt mal sagen, dass er bei der Vorratsdatenspeicherung nur die #IPv6 Adressen speichern muss, weil sich die Kriminellen damit sicher fühlen. Ich wäre da z.B raus. IPv4 💘

$ host -t AAAA isitfridayyet.net
isitfridayyet.net has no AAAA record

#ipv6

Predict when GitHub will deploy IPv6.

https://www.metaculus.com/questions/37128/when-will-github-deploy-ipv6/

Current community prediction is Sep 2030.

#IPv6 #github

@apalrd https://community.ui.com/releases/UniFi-Network-Application-9-4-17/e5af0578-a091-4644-8205-2b912034b756

Significant progress on the current protocol, on this release (still in RC, as of this moment).

#IPv6 #Ubiquiti #UniFi

#ipv6 #dns

https://www.theregister.com/2025/08/20/ietf_dnsop_3901bis_ipv4_ipv6/

https://datatracker.ietf.org/doc/draft-ietf-dnsop-3901bis/04/

by @tfiebig

There are dozens of server mirrors of my distro of choice in my country, half of them compliant with actual Internet standards a.k.a. #IPv6 enabled & the ISP I have @ home (AS18881), despite being one of the biggest if not the biggest company around and providing #IPv6 connectivity for decades... due to "internal politics", they won't peer with ANYONE in this stack. The result? To reach the server literally next door, the connection goes to Disney and back

https://ipv6.reddit.com/r/InternetBrasil/comments/1imwrbj/apenas_mais_um_dia_de_pacote_fazendo_batevolta

[...]