Selfhosted

In the home/lab, I use public addresses with mostly SLAAC, but the host server has a static IP. I get A public /56 prefix via DHCPv6-PD from my ISP. There is a bit of a pain point if the prefix changes but it hasn’t happened since I moved here.

My ”production” setup is a bit more controversial. Since Hetzner charges extra for extra IPv6 subnets I simply created small /80 subnets for the VMs. While this does mean that SLAAC doesn’t work I can simply generate and assign static IPv6 IPs, same way as I do with IPv4. All generated from an ansible playbook that creates the VMs.

I have some ULA ranges as well, but it’s a bit of a special case as I only use it as internal IP ranges in a Kubernetes cluster. This is completely separated from the external network, with the cluster doing NAT to the node IPs anyway (even for IPv6), and all internal traffic being on an overlay network.

My ISP provides a /48 for IPv6 via prefix delegation so all internal machines that support it have a ULA and DHCPv6. I have disabled SLAAC . In docker I assign a /64 of that prefix to docker containers. The local addresses is what most of the internal network stuff is based on (DNS etc) rather than the globally accessible address. The PD addresses are only about going onto the internet.

SLAAC actually is just fine, I just didn't really want to be exposing the manufacturer information of the addresses online so preferred DHCP, but either or both together works from OpenWRT prefix delegation.

IPv6 is disabled at the firewall. I'm just not in a hurry to redo my network.

Personal opinion, IPv6 has been on the table so long it's no longer something I think about. 20 years ago I thought it was going to be amazing.

I use both ULA and global addresses. Servers set a token to make the last 64bits predictable, which simplifies dyndns. For some critical internal communication, I hard code the ULA address in my hosts file, for everything else, I rely on DNS (with global addresses). No DHCPv6.

I usually just disable IPv4 on my VMs, unless there is a specific need for IPv4. Most container networks are single stack as well. I have a squid proxy that services can use to access IPv4 http/https destinations if really necessary (combined with some additional filter rules); ideally I would like to have 464xlat/a nat64 gateway, but I never bothered to set that up yet. I will likely do that when I buy a new router (end of year?). I expect all my devices to support CLAT by then, so that will be the end of IPv4 on my network.

Blocked by my ISP. So I have it all blocked.

Don't use ULA, those are non internet routable addresses so they will never use v6 for internet things. Use the range assigned from your ISP.
SLAAC. Because Android has one ass of a dev who refuses to include DHCPv6

I don't use IPv6 on my lab. They been screaming to the bleachers since like 2010 that IPv6 is right around the corner due to lack of addresses, and I've still seen no real reason to want to adopt for it.

My current provider doesn't even support it... so why should I?

I can't get IPv6 in any worthwhile form from my ISP. IMHO IPv6 isn't any more useful than IPv4 if you only have ULA. And NAT is not as well supported since it wasn't intended to even be really necessary for example. So even if you are starting from scratch or just using it internally, there are some disadvantages to implementing it over just sticking with IPv6. But if your ISP actually provides IPv6 it might be worth it as long as your devices all support it. But otherwise you're going to need to set up IPv4 in addition, anyway, so you're just going to create problems for no good reason, IMHO.

ISP issues a prefix that I delegate.

Also delegate an ULA prefix, intended for stake local addresses but d actually just use ipv4 for those (also had difficulty getting ipv6 to work with microk8s and multus due to inexperience).

SLAAC.

My provider doesn't provide IPv6, but I rented a server in a data center, bought a subnet, and tunneled it home via WireGuard. So the scheme is roughly: VPS (fd00:1::/64) <-> (fd00:1::/64) Home router (realv6/64) <-> Home network

Router configuration:

/etc/sysctl.d/10-ipv6-privacy.conf

net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

/etc/radvd.conf

interface br0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 30;

    AdvManagedFlag on;      # M=1 → Address via DHCPv6
    AdvOtherConfigFlag on;  # O=1 → Additional options via DHCPv6

    # SLAAC is still possible for Android
    prefix realv6::/64 {
        AdvOnLink on;
        AdvAutonomous on;   # Allow SLAAC
    };

    RDNSS realv6::1 {
        AdvRDNSSLifetime 1800;
    };
    DNSSL home.lan {
        AdvDNSSLLifetime 1800;
    };
};

/etc/kea/kea-dhcp6.conf

{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": [ "br0" ]
    },

    "lease-database": {
      "type": "memfile",
      "persist": true,
      "lfc-interval": 86400,
      "name": "/var/lib/kea/dhcp6.leases"
    },

    "renew-timer": 21600,
    "rebind-timer": 43200,
    "preferred-lifetime": 43200,
    "valid-lifetime": 86400,

    "subnet6": [
      {
        "id": 1,
        "subnet": "realv6::/64",
        "interface": "br0",
        "pools": [
          { "pool": "realv6::1000 - realv6::ffff" }
        ],
        "option-data": [
          { "name": "dns-servers",   "data": "realv6::1" },
          { "name": "domain-search", "data": "home.lan" }
        ]
      }
    ],

    "loggers": [
      {
        "name": "kea-dhcp6",
        "output-options": [
          { "output": "stdout" }
        ],
        "severity": "WARN"
      }
    ]
  }
}

And of course, iptables is necessary. Something like: /etc/iptables/ip6tables.rules

# Generated by ip6tables-save v1.6.0 on Thu Sep  8 13:29:11 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#BASE INPUT
-A INPUT -i eno1 -j DROP
-A OUTPUT -o eno1 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eno1 -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
COMMIT

My setup is a pile of kludges built on top of each other over the last two decades.

I started with ULAs distributed through DHCP, connected to named, which allows hosts do declare their own name and let me access local services as though I had a real domain.

My ISP eventually started supporting IPV6, but only assigned /128, so the ULAs got NAT-6ed out to the real world.

I eventually learned how to request prefix delegation from the ISP and set up SLAAC.

So now, my PIv6 clients have a) their link-local address, b) the ULA, c) a "privacy" SLAAC, and d) a unique SLAAC. All my internal services still refer to the ULAs.

I don't think I'd recommend this system for someone setting up from scratch. The easiest thing would be to go with SLAAC, if you can get prefix delegation, and set your DNS/pihole to send the unique-SLAAC address of any servers you run.

I use ULA for my WireGuard tunnels, otherwise it's all public IPv6 (mostly lightly firewalled).

I'm fine with SLAAC, even for servers. I just manually update my DNS with the server addresses when I set them up.

I use IPv6 local only. Everything else is IPv4. Reason being, my commercial VPN does not support IPv6 and I have reservations about leakage. My ISP already ships with IPv4 & IPv6.

SLAAC with ISP-provided prefix. Everything that wants an IPv6 address gets one and I've got my firewall set to block pretty much all in-bound traffic other than SSH. It's nice being able to SSH directly to something rather than using a jump host or VPN.

I also use ULA because NFS mounts over IPv6 on the global addresses would hang/timeout every time the SLAAC address rotated which is frequent due to privacy extensions.

Just static IP, since I have a static subnet delegated by my provider, on a shitty cable modem.

I use global addresses for everything. ULA is the equivalent of the private networks like 10.0.0.0/8 on IPv4. It doesn't need a static IP. ULA will work without any internet connection. If you run an IPv6 only network, it would be a good idea to set up ULA so you can access your local devices if the internet goes down.

I only use SLAAC on my network because DHCPv6 is not well supported. My router does use DHCPv6 to get a prefix from the ISP though.

The only systems with ip6v in my network are Wi-Fi devices and my public-facing reverse proxy. I use a prefix delegated by my ISP.

All of my non-public servers have ipv4 only.

Every discussion I have seen on the subject says that docker ipv6 is pretty busted from a security perspective and you have to implement a bunch of workarounds.

I don't have to time both to migrate to podman (and maybe have to run dual stacks for what isn't available) AND migrate to ipv6. But apparently the way podman does it is also kind of a hacky way (I am far from a networking expert) so I will sit with my pretty decent, secure, and working ipv4 lol

Idk. what assignment we use, but our ISP gave us (company) a prefix and we offer our services (for our team) IPv6 first. IPv4 is only used within the company network where a DNS server resolves the domains if needed.

It works great for us. If my private ISP would allow it, I would do the same.

Until very recently, I exclusively used the /56 prefix I get from my ISP exclusively. This is still relatively annoying in my case as this prefix changes at least daily for some reason. Clients get their IP via SLAAC.

I've added ULA literally less than a week ago as I have a local reverse proxy I want to handle both local and external request, in both v6 and v4. Obviously more hosts should be accessible from local clients. But I can't tell local clients apart except by IP, and since the prefix is unstable this would require some sort of hook to update the proxy with that new prefix (might be possible, but seems like a real hassle). So here we are.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

[Thread #284 for this comm, first seen 11th May 2026, 19:20] [FAQ] [Full list] [Contact] [Source code]