DDNS: how to handle dynamically assigned IPv6 prefix delegation?

I switched to another ISP after being disappointed with a /64 prefix delegation from my old one. The new ISP gives me a /60 prefix, which I can delegate downstream to my vlans/subnets. Now that all my devices have a public IPv6 address, I face a new problem with the dynamically assigned prefix, which prevents me from accessing my devices from the public Internet.

Some CCTV cameras have built-in DDNS client, which helps with this situation. But other devices do not. I can do a VPN and access them using ULA, but there are times when I need to allow a random user on the Internet to access my devices. Is there anything I can do now?

Are the devices' ULA addresses stable? If so, you could open/forward ports on the WAN. Obviously not the greatest security-wise unless these devices are the super-exception in a world of crap firmware.

Not something I've tried but: You could make the security posture better by putting something like haproxy on the WAN "in front" of these devices. It seems able to do TLS termination and even authentication (e.g. HTTP Basic) before forwarding to your internal devices. Also it should be able to use their internal DNS names rather than (ULA or otherwise) addresses.

As you are talking about IPv6, I assume you want to access your device with IPv6?

It does work more or less the same as IPv4 but instead of port forwarding you open a port on your internet connected router for that specific device.

See how I did this for my WG server: IPV6 Firewall Port Opening Help - #2 by egc

There may be DDNS providers that allow updating the IPv6 prefix for a whole group of devices (never needed this functionality myself, but it's said to exist).

Even with IPv6, I would still strongly recommend using a (road-warrior style) VPN, to avoid exposing the not quite that security-hardened firmware of your IoT/smart devices (cameras in particular) to the open web, which can help to side-step this issue (using AAAA records for the ULA addresses of your devices and no direct internet exposure).
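A worked illustration of the "update the records for a whole group of devices when the delegated prefix changes" idea from the post above. This is an added Python example, not code from this thread or from any DDNS provider's client: it recomposes each device's AAAA value from the newly delegated prefix, the device's VLAN subnet index and its stable 64-bit interface identifier, and returns nothing to push when the prefix is unchanged. The host names, the /60 and the interface identifiers are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (assumed names, not from the thread): each device is
# described by the subnet index of its VLAN inside the delegated prefix and by the
# stable 64-bit interface identifier (IID) it keeps across prefix changes, e.g. a
# fixed DHCPv6 lease suffix. Only the ISP-assigned prefix part ever changes.
DEVICES: Dict[str, Tuple[int, str]] = {
    "cam1.home.example": (1, "::1:2:3:4"),
    "nas.home.example": (2, "::5:6:7:8"),
}


def device_address(prefix: str, subnet_index: int, iid: str) -> ipaddress.IPv6Address:
    """Compose <delegated prefix> + <subnet index> + <IID> into one global address."""
    net = ipaddress.IPv6Network(prefix, strict=False)  # host bits of the input are masked off
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot be split into /64 subnets")
    if not 0 <= subnet_index < 2 ** (64 - net.prefixlen):
        raise ValueError(f"subnet index {subnet_index} does not fit inside {net}")
    iid_int = int(ipaddress.IPv6Address(iid))
    if iid_int >> 64:
        raise ValueError("interface identifier must fit in the low 64 bits")
    subnet_base = int(net.network_address) + (subnet_index << 64)
    return ipaddress.IPv6Address(subnet_base | iid_int)


def plan_updates(old_prefix: Optional[str], new_prefix: str,
                 devices: Dict[str, Tuple[int, str]] = DEVICES) -> List[Tuple[str, str]]:
    """Return (hostname, AAAA value) pairs to send to the DNS provider, or [] when the
    delegated prefix is unchanged so a periodic run does not hammer the provider's API."""
    if old_prefix is not None and (ipaddress.IPv6Network(old_prefix, strict=False)
                                   == ipaddress.IPv6Network(new_prefix, strict=False)):
        return []
    return [(name, str(device_address(new_prefix, idx, iid)))
            for name, (idx, iid) in devices.items()]


if __name__ == "__main__":
    # Simulate the ISP handing out a new /60: every device gets a recomputed record.
    for host, addr in plan_updates("2001:db8:0:ab00::/60", "2001:db8:0:cd00::/60"):
        print(f"{host} AAAA {addr}")
```

On a router this would run from the prefix-change hook (on OpenWrt, a hotplug script) with the previous prefix persisted on disk, and each returned pair handed to the provider's update call.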
