Hacker News

I use ipv4 on my internal lan, and turn off ipv6

It is well supported, easy to configure, private, secure.

...and I don't have to configure and secure ipv6 in parallel

T-Mobile, a major phone provider, runs an ISP which is IPv6 only. That is, your phone never gets an IPv4, unless connected to WiFi. They offer home access points with a 5G modem and a router; the external address is also IPv6 only.

It works plenty well. I access everything accessible via IPv6, and the rest through their 464XLAT, transparently.

My LAN still has IPv4, because some ancient network printers don't know IPv6. OpenWRT on my router supports IPv6 just fine. Of course I do not expose any of my home devices to the public internet, except via Wireguard.

My problem with IPv6 is that my ISP (Xfinity) won't give me a static prefix, so every now and again it changes.

Unlike IPv4, my LAN addresses include the prefix, so every time they change it, all my LAN addresses change.

Combined with the lack of DHCP6 support in many devices, this means reverse DNS lookups from IP to hostname can't be done, making identifying devices by their IP essentially impossible.

Well, for some value of "just works".

For example, I recently attended the IETF meeting in Montreal, which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.

Myeah... I've had weird issues on my network that I could only resolve by disabling IPv6. Granted, it's probably my fault, but if everything still works fine with ipv4 that's fine to me. One day I will get into it and learn how it work and maybe I'll get it figured out... One day...

Corporate laptop won’t work (their version of windows seems to require an ipv4 adddess on an interface, not sure if that’s a windows thing or a them thing)

Doesn’t remove the need for nat - my wired IsP might be able to bgp with me, but my backup 5g won’t, and when I want to choose which to send my traffic through with PBR that means natting.

My router doesn’t support 64, so I have to use my isp’s which is speed constrained compared with native 4. Ok that’s on my setup. Haven’t tested my 5g provider and where 64 occurs, I’d hope in their network, but how do I configure my dns64.

Still need to provide v4 at the edge and thus 46 nat so I can reach internal v6 only servers from v4 only locations

Perhaps lost of that is because my router doesn’t do 64, but again that just shows that v4 is still essential. I haven’t found a single service that’s v6 only, so if I have to run a v4 network (even if only as far as a 64 natting device) why bother running two networks, double the opportunity for misconfiguration and thus security holes. Enabling dual v6 on my IoShit network would allow more escape routes for bad traffic, meaning another set of firewall rules to manage. Things like SLACC make it harder to work out what devices are on the network, many end user devices are user hostile now and keeping control of them on v4 alone is less work than in v4 and v6.

For consumer traffic, your probably right. In data centers, cloud computing, and various enterprise networking solutions, IPv4 is still king. I'm sure IPv6 would work fine in all these use cases, but as long as many large tech companies are not exhausting the CIDR ranges they own (or can opt for using private ranges) there is no impetus to rework existing network infrastructure.

I had working IPv6 in the past, but currently I seem to have no working IPv6. Using Xfinity. I have access to some servers at a friend's place in another city, pretty sure he also doesn't have IPv6. Maybe some phone calls would sort it out, but when "everything" still works (with IPv4), it's hard to care.

It’s still a pain to manage ipv6 AWS infrastructure via Terraform.

Well, for some value of "just works".

For example, I recently attended the IETF meeting in Montreal--practically the epicenter of v6 thinking--which offers a by default v6-only network. My Mac worked fine, but my son's school-issued Chromebook had glitchy behavior until I switched to the network that provided v4.

I'm "niche" - but i had issues with Wireguard being able to connect me through ipv6 to a v4 - other than that i spent most of my time on v6 and as you said it just works

CenturyLink, an ILEC, only offers IPv6 using 6rd gateways. The IPv6 throughput is a fraction of IPv4 and has much higher latency. During peak times, the 6rd gateway saturates, forcing me to stop advertising the prefix to restore internet access. It has been this way for years.

It is also impossible to report IPv6-specific outages. CenturyLink technical support is the worst of the worst, with agents utterly incapable of doing more than pushing a "check ONT" button on their end and scheduling a technician visit with a multiday window. If you ask them for the 6rd configuration information, they act like you're speaking an alien language.

Even among their technicians, IPv6 knowledge is rare. Imagine the guy installing hundreds of dollars of gigabit fibre equipment at your demarc staring you like an idiot because you spoke two extra syllables between "IP" and "address". I'd think the term "IPv6" is chatbot poison if it weren't for the fact it's a human physically in front of me.

The result is their service is effectively IPv4-only.

Not all of the skepticism is "does IPv6 work", some of it is "why should I want it as an end user who values privacy and minimal attack surface?"

From my perspective:

• CGNAT is a feature, not a bug. I'm already deliberately behind a commercial VPN exit node shared with thousands of others. Anonymity-by-crowd is the point. IPv6 giving me a globally unique, stable-ish address is a regression.

• NAT + default-deny inbound is simple, effective security. Yes, "NAT isn't a firewall", but a NAT gateway with no port forwards means unsolicited inbound packets don't reach my devices. That's a concrete property I get for free.

• IPv6 adds configuration surface I don't want. Privacy extensions, temporary addresses, RA flags, NDP, DHCPv6 vs SLAAC — these are problems I don't have with IPv4. More features means more things to audit, understand, and misconfigure.

• I already solved "reaching my own stuff" without global addressing. Tailscale/Headscale gives me authenticated, encrypted, NAT-traversing connectivity. It's better than being globally routable.

So yes, my parents are using IPv6 to watch Netflix. They're also not thinking about their threat model. I am, and IPv4-only behind CGNAT + overlay networking serves it well.

"It just works" isn't the bar for me to adopt IPv6. "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will.

IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property, stateless autoconfiguration, the assumption that endpoints should be reachable. That philosophy is baked in. For someone like me, whose threat model treats obscurity, indirection, and minimal feature surface as assets, IPv6 isn't just unnecessary, it's ideologically opposed to what I want.

Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.

> It just works.

Until you want to like, use GitHub.

Yes the largest companies have the most resources. Makes sense.

Most do not.

There are far more single person, small, and mid sized companies that do not.

This includes b2b, regional ISPs, etc.

Punching through just a firewall is much easier than punching through a typical NAT+firewall setup

https://tailscale.com/blog/how-nat-traversal-works

> it still has to punch through your router's firewall

That's why most routers use a stateful firewall. Then nothing has to "punch through" it just has to be established from the local side.

> block all incoming IPv6 traffic unless there is outbound traffic first, and provide little to no support for custom IPv6 rules.

This is why STUN exists.

> my bet is that there are close to zero popular games that actually use true peer to peer networking.

For game state? You're probably right. For low latency voice chat? It's more common than you'd think.

Getting a streamer’s IP attracts DDoSes and doxxing, so yeah it’s generally considered a vulnerability to use P2P in games

Not having a congested CGNAT in the mix at 4pm every day is a nice benefit.

2000:1::1 would expand to 2000:0001:0000:0000:0000:0000:0000:0001

2000::1::1 could be 2000:0000:0000:0000:0001:0000:0000:001, or 2000:00000000:0001:0000:0000:0000:001

There's ambiguity on where to fill in the five groups of 0000 in the second case.

> This is the only real reason in my opinion, why IPv6 is doomed to be second-grade citizen for (probably) a few more decades.

Except if you're using a mobile phone, in which case many telcos hand out only IPv6 addresses to handsets. 2018 NANOG presentation "T-Mobile's journey to IPv6":

* https://www.youtube.com/watch?v=d6oBCYHzrTA

From 2014, "Case Study: T-Mobile US Goes IPv6-only Using 464XLAT":

* https://www.internetsociety.org/deploy360/2014/case-study-t-...

But who cares about mobile phones, right? They're only second-grade devices.

I said this in a previous post and was shot down hard. I think you are right. Every time I look at a ipv6 address my brain goes “fack this”.

> Can someone explain why it's ambiguous?

Because you don’t know how many zeroes are on each side around the 0001 in the middle.

It can be 2000:0000:1:0000:0000:0000:0000:1 or 2000:0000:0000:0000:0000:1:0000:1 etc.

> Network-related things are generally easy to .. type from memory [but] IPv6 is just too long

I was reminded of this 2d ago; I was testing one IPv6 WAN from another. DDNS had failed so I didn't have my usual crutch to lean on.

I mean yes, but there’s no escape from the fact that ip addresses need to be longer as amount of devices on the internet already exhausted the pool of IPv4 addresses by multiple orders of magnitude.

I guess it could be possible to implement sort of mnemonic phrases for addresses, à la bip-39, but it would be just trading one kind of pain for another.

I've said this since time immemorial, and networking people often dismiss it. "Just use DNS," say people who have never actually worked netops or devops.

The length of the addresses and the clunky nature of their ASCII representation is absolutely the #1 reason the IPv6 has taken this long. User experience is the most powerful force affecting large scale adoption, and IPv6 has poor UX.

I think the UX is partly fixable by creating less horrible ASCII representation, but this would take a lot of coordination that was hard even back then and is virtually impossible now. If someone told me in 500 years we're still running dual-stack IPv4/IPv6 absolutely unchanged, I'd believe it.

whats the rule to say where the first 1 floats between the 2000: and the :1 at the end? the :: rule says "all zeros" but not how long.

That's more proof that TP-Link should not be trusted than that there is a problem with IPv6, really. Even cheap $20 Aliexpress routers have a firewall enabled by default.

I believe that was more a bug in the firmware that's been fixed for a while now.

> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.

A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.

Now, if the ER7212PC was a firewall that would be something else.

(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)

> That said... This is from early 2023. Any chance it's better now?

I accidentally went IPv6 only on my home wifi for a few weeks a while ago. I only noticed when GitHub didn't load (I avoid work things at home, hence accessing GitHub being rare.)

Relatedly, fuck GitHub and their incompetence at rolling out IPv6. It's nothing other than that at this point. Blank, unadulterated incompetence.

None of the ISPs where I live provide NAT64 gateways. Exactly one advertised it, I signed up almost a year ago and they still haven't enabled it for me yet (I think they don't actually offer it and just forgot to remove the page).

Why are you setting up anything? You turn on IPv6, the router figures out its prefix from the upstream router, and then router broadcasts the network to devices.

The netmask for IPv6 is nearly always /64. ISPs give out /60 to allow multiple subnets, but router makes /64 subnets from that.

If you have ATT fiber, it’s a pain in the butt. Their default router will only issue a single passthrough /64 on request. If you have multiple VLANs you have to setup some scripts to ask for more, and even then you only get 8 of them. The gateway reserves the other 8 from the /60 it gets for its own use.

The only way I got IPv6 working well with them was to bypass their gateway. Now all my VLANs have /64, which is the standard subnet size.

Their IPv6 deployment rate saw a huge jump from 40ish% to 53% after this report though.

https://stats.labs.apnic.net/ipv6/CN

> My local ISP (US Internet, soon to be part of T-Mobile Fiber) hasn't enabled it, even though the CEO has said on Reddit for years that it's a priority. Now that they've been acquired who knows if it'll ever happen.

Being a priority doesn't mean it's high priority. It could be a priority, but the lowest ranked one, so other stuff always comes first. :P

T-Mobile wireless US is pretty invested on IPv6, so if they take over the network, they may well push it.

Forgot the most important part of pf.conf!

    # NAT64
    pass in inet6 from any to $nat64_prefix af-to inet from ($ext_if)

The basic thing proponents don’t understand is that nobody in their right mind can intuitively understand IPV6 addresses because they look like MAC addresses with trisomy and are a pain in the ass to remember or type for absolutely no benefit to the non-network engineer. And there are infinitely more people with home routers and a few dozen devices than there are people running ISPs, fortune 500s, and data centres. Play with your convolution all you want, in 20 years the rest of us will still be happily assigning 192.168.x.x and ignoring it. V4 space running out is no more the average persons problem than undersea cables or certificate authority.

> There is a difficulty in that it does behave quite differently to IPv4

Which can be fine if you have a /solid/ transition plan to move networks wholesale from v4 to v6. They absolutely failed on this point and almost purposefully refused to carry over any familiar mechanisms to make dual stack easier to manage.

It's a University protocol that escaped into commercial usage based mostly on false fears of global routing table size becoming unmanageable or impossible to store in RAM. The results are absolutely predictable.

I haven't spent a lot of time with my power grid either, but I do expect the light to go on when I press the switch.

(Needing to dedicate time for it is, to some extent, either a failure of the protocol or at least a contributor to the lack of adoption.)

- if you're talking a private/local prefix, you can use tools like this to generate one: https://unique-local-ipv6.com/. Otherwise DHCPv6 and SLAAC will ensure no collisions for the most part.

- Use global/public addresses on all your devices (using something like prefix delegation) or use NAT.

- Same as IPv4. Prefix delegation will let your ISP assign you multiple networks, and then most routers will break these up into /64 networks for each of your VLANs.

- SLAAC - the address spaces for IPv6 are so huge, collisions are extremely unlikely outside of intentional actions.

- Open holes through firewalls, point DNS at the address, and it should just work, the joys of actually having public addresses.

- Same way as with IPv4 mostly. The only real difference is because SLAAC assumes a /64 you probably want your networks to be at least that big.

> but do I really want my thermostat or doorbell or lock or garage door opener or light switch directly accessible on the Internet or is the nat serving a useful purpose?

You should have a firewall, regardless of v4/v6.

> I wish I could switch my network to all IPv6 and use NAT64/DNS64, but Android, the world's most popular OS, purposefully disables DHCPv6.

It does not "disable" DHCPv6. It does not support DHCPv6. Android (really Lorenzo Colitti) in/famously WONTFIX adding DHCPv6 client support:

* https://issuetracker.google.com/issues/36949085

Of course after over a decade of denying that Android needs some kind of DHCP in IPv6, it seems that Android may finally be getting some kind of solution:

* https://android-developers.googleblog.com/2025/09/simplifyin...

* Via: https://blog.ipspace.net/2025/09/android-dhcpv6-prefix-deleg...

Hopefully, having admitted (?) the error of their ways with being SLAAC-only they'll also add 'regular' DHCPv6 in addition to DHCPv6-PD.

Android supports SLAAC and has good support transitional tech like xlat464 and DHCP option 108.

I have used these on my network and office to move to IPv6-only for Android.

What about lack of DHCPv6 prevents you from using IPv6 on Android?

Android supports DHCPv6, just not stateful DHCPv6. You can give each device its own /64 or if you really want to track a devices usage you should use an authenticated layer on top of your base network.

Why can't you use stateless autoconfig?

Each device gets directly addressable from WAN with v6 but it also gets a randomised privacy IP that rotates very frequently so each individual device is just as "hidden" as it was with v4+NAT.

Your v6 subnet prefix is no different than whatever WAN-side v4 your NAT had. "Accidental semi-randomization" of the WAN side IP is not something one could reliably count on. Many ISPs just hand over a static-like IP, that is, even when it's supposed to be random the pool of IPs is so constrained that it's usually the same simply through the IP lease surviving power cycling. And that was before CGNAT.

If your concern is being identifiable through your IP then counting on whatever v4 artifact is the wrong move. Use a VPN with randomised exit nodes.

Everybody in your household is already mapped to a single IPv4 address that rarely changes with most ISPs. Mine hasn't changed in over 3 years. My IPv6 /56 prefix delegation hasn't changed, either.

It's true that you won't get CGNAT without having CGNAT. Depending on your concern, it is possible to NAT66 to make your entire network appear as one IP.

what exactly do you mean by "trivially and stably mapped to a unique subnet"?

Depends on your ISP. If you live in a place where there aren't many IPv4 addresses available, CGNAT is the reason you're seeing a lot of Cloudflare/Akamai/Google CAPTCHAs everywhere, and IPv6 fixes that.

You need it because there aren’t enough IPv4.

If you have a mobile device with data, you’re likely already using it.

I don’t think that’s true. But of course it depends how you’re measure the majority of websites.

Most of the figures I see show 60-70% of the top 100 sites do support it. But maybe that does not reflect your usage.

Why do you need it? Maybe you don’t right now since ipv6 only sites are niche. The most tangible advantage I’ve seen is avoiding CGNAT. Gamers in particular don’t like that because it introduces latency. Services like Xbox live definitely do support ipv6 for this reason.

I guess it would, but remember there are more services out there than just HTTP(S).

For example the last time I had an IPv6-only host I had issues cloning things from github, as "git clone [email protected]..." failed due to github.com not having IPv6 records.

A quick search revealed this open 3+ year old discussion - https://github.com/orgs/community/discussions/10539

The IPv6 spec looks long because it also includes protocols that are separate on IPv4 (DHCP/SLAAC, NDP, depending on the document ICMPv6, mirroring DHCP, ARP, ICMP, NetBIOS, etc.), as well as the addressing schemes that were different RFCs in IPv4 such as multicast/unicast/network classes/subnets.

As for the implementation: just about anything more powerful than an ESP32 has the entire protocol implemented and running already.

Your computer, and every other computer on the planet, already supports the entire IPv6 spec. There is no subset.

You can use a NAT-traversing VPN like tailscale to work around this.

HN has IPv6 now.

If Reddit would finish adding IPv6, almost all of my browsing would be IPv6.

> It's unfortunate, but IPv6 doesn't really solve any problems for a home user.

CG-NAT and strict NAT in general. Newer ISPs often force users onto CG-NAT, and my consoles have had numerous issues with NAT in general over the years. ISP routers also often make fixing this an opaque or impossible problem for the user.

I don’t think IPv6 is the best thing ever, but I do think it solves the problems IPv4 did along with some annoying issues IPv4 struggled with.

It does make it easier. IPv6 pinholes are simpler than port forwarding. My IPv4 is not static but my IPv6 prefix is. So I don’t need dynamic DNS. I have no IPv4 port forwards, instead I run snid on a VPS to support legacy internet clients and call it a day.

This hasn’t been the case in decades, every OS defaults to randomly generating the trailing 64 bits of your address and cycling through new addresses periodically. Your IPv6 address is only fixed to your device if you choose to configure it that way.

Since the network half (leading 64 bits) is as fixed as your IPv4 address was, and the host half is random and constantly changing, an IPv6 address is exactly as uniquely identifying as an IPv4 address used to be.

> Again, I'm old enough to remember when e.g. the ISPs were going to try to charge per device in each household.

I don't really see that coming again and if it does you can just do NAT66 just like you can do NAT4.