Hey fellow self-hosting lemmoids

Disclaimer: not at all a network specialist

I’m currently setting up a new home server in a network where I’m given GUA IPv6 addresses in a 64 bit subnet (which means, if I understand correctly, that I can set up many devices in my network that are accessible via a fixed IP to the outside world). Everything works so far, my services are reachable.

Now my problem is that I need to use the router provided by my ISP, and it’s - big surprise here - crap. The biggest concern for me is that I don’t have fine-grained control over firewall rules. I can only open ports in groups (e.g. “Web”, “All other ports”) and I can only do this network-wide and not for specific IPs.

I’m thinking about getting a second router with a better IPv6 firewall and only use the ISP router as a “modem”. Now I’m not sure how things would play out regarding my GUA addresses. Could a potential second router also assign addresses to devices in that globally routable space directly? Or would I need some sort of NAT? I’ve seen some modern routers with the capability of “pass-through” IPv6 address allocation, but I’m unsure if the firewall of the router would still work in such a configuration.

In IPv4 I used to have a similar setup, where router 1 would just forward all packets for some ports to router 2, which then would decide which device should receive them.

Have any of you experience with a similar setup? And if so, could you even recommend a router?

Many thanks!

  • robber@lemmy.ml (OP) · 11 hours ago

    Thank you! Do you have an example for such a firewall device? Could something like the TP-Link Archer AX55 in IPv6 “pass-through” mode do the job? Or would you go for a standalone firewall? My budget is around a hundred bucks.

    • Max@lemmy.world · 9 hours ago

      I’d recommend something that you can put openwrt or opnsense/pfsense on. I think the tplink archers support openwrt at least.

      The ISP router opening things at a port level instead of a host level is kinda insane. Do they only support port forwarding? Or when you open a port range, can you actually send packets from the WAN to any LAN address at that port?

      Can you just buy your own modem, and then also use your own router? (If the reason you need the ISP router is that it also acts as a modem).

      Does the ISP router also provide your WiFi? If it does you should definitely go with a second router/access point and then disable the one on the ISP router.

    • 2xsaiko@discuss.tchncs.de · 10 hours ago

      Most computers with (at least) two network interfaces will do. If it’s something too crappy your throughput will be limited by CPU speed but I can’t tell you exact recommendations here. Here’s OPNsense’s hardware recommendations for example, they’re not high at all. Off-the-shelf devices that allow you to do this should probably be fine too.

      I’d put Linux on it and use nftables but BSD PF seems to be very popular for firewalls (OPNsense/pfSense are built on this) which I have never used so consider that too.
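      As an added illustration of the nftables approach suggested above (not from anyone in the thread), here is a ruleset for a second Linux router that does exactly the per-host, per-port filtering the ISP box cannot: only two named GUA hosts receive unsolicited inbound traffic, and only on their listed ports. It assumes eth0 is the WAN side, eth1 the LAN side, the documentation prefix 2001:db8:0:1::/64 stands in for the real GUA /64, and the LAN hosts use this router as their default gateway so traffic actually passes its forward chain.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filter for a second router behind the ISP box.
# Assumed: WAN = eth0, LAN = eth1, delegated prefix = 2001:db8:0:1::/64 (placeholder).
flush ruleset

define wan = "eth0"
define lan = "eth1"
define lan_prefix = 2001:db8:0:1::/64

table ip6 filter {
    # Per-host allow lists: unsolicited inbound reaches only these addresses.
    set exposed_web { type ipv6_addr; elements = { 2001:db8:0:1::10 } }
    set exposed_ssh { type ipv6_addr; elements = { 2001:db8:0:1::20 } }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is mandatory in IPv6 (neighbor discovery, RAs, path MTU);
        # blocking it breaks connectivity, so allow it with a rate limit.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      nd-router-advert, nd-redirect, echo-request, echo-reply,
                      packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable } limit rate 100/second accept
        # Router administration only from the LAN side.
        iif $lan tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate outbound connections; replies return via conntrack.
        iif $lan oif $wan ip6 saddr $lan_prefix accept
        # Error and echo ICMPv6 must reach LAN hosts or connections stall.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable, echo-request } accept
        # Inbound from WAN: per host and per port, the control the ISP router lacks.
        iif $wan oif $lan ip6 daddr @exposed_web tcp dport { 80, 443 } accept
        iif $wan oif $lan ip6 daddr @exposed_ssh tcp dport 22 accept
        # Everything else is dropped; the counter shows blocked attempts in
        # `nft list ruleset`, which is handy for spotting unexpected probes.
        counter drop
    }
}
```

      Load it with `nft -f` and check with `nft list ruleset`; the ISP router still has to let the relevant port groups through to the LAN for this chain to see them.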