Your “IP address” is already public. That’s why an IPv4 address is assigned to you as a “public IP address” and you NAT to a private space. When using IPv6, everything is public.
The key is to secure everything with access restrictions.
Also true
I bought Plex Pass when it was $75 for the lifetime option.
I prefer Jellyfin, but sharing is harder for family members with it because I can’t get them to just log in without existing credentials (Google Account, Apple ID, etc). Trying to convince my 67 year old mother-in-law to enter a URL, username, and password into an app with a remote is like asking my child to eat broccoli.
For now, I’ll keep running dual stack with both. If Plex pulls lifetime passes, even though it’ll be a PITA, I’ll convert everyone to Jellyfin despite the pain.
Indirect Playback goes through them first. Also, they host DynDNS for the Plex media server to make accessing it remotely from apps easier.
The second thing is a joke to host and requires no resources. The first one can be a significant resource usage item.
I’m using a Ryzen Mini PC running Debian and Flex Launcher.
Works well as both a media consumption machine and light gaming rig.
Xfinity/Comcast hijacks DNS, even if you use another DNS server (they just redirect DNS requests to them). I suspect that they’re using it for analytics data to sell while disguising it as “security”.
They also block access to root DNS servers, so you can’t use a full DNS Resolver run locally. It’s super f***Ed.
If you want to ensure they don’t do it, use your own modem and always force DNS over TLS.
Doesn’t matter who makes the software, as long as it’s open sourced and audited.
Just because you can doesn’t mean anyone does. I’ve never seen an ISP hand out “private” IPv6 addresses. Ever.
If you’re doing NAT on IPv6, you’re doing it wrong and stupid. Plain and simple.
Network Prefix Translation isn’t the same thing. That’s used for things like MultiWAN so that your IPv6 subnet from another WAN during a failover event can still communicate by chopping off the first half and replacing the subnet with the one from the secondary WAN. It is not NAT like in IPv4 and doesn’t have all of the pitfalls and gotchas. You still have direct communications without the need for things like port forwarding or 1:1 NAT translations.
I’m a Network Engineer of over a decade and a half. I live and breath this shit. Lol.
CGNAT only applies to IPv4. You cannot NAT IPv6 effectively. It’s not designed to be NATed. While there IS provisions for private IPv6 addressing, nobody actually does it because it’s pointless.
It’s why IPv6 is important, but many didn’t listen.
Yes, but OP mentioned nothing about Cloudflare.
Sweet. Both OPNSense and pfSense firewalls have the ability to tie into MaxMind’s GeoIP service. Not sure what your perimeter device is, but it’s pretty easy on those. And free.
Best solution is a VPN to your home network.
However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.
Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.
pfSense = Firewall and router system based on FreeBSD. Has both open source and commercial versions. Built for SMB to Enterprise uses. Extremely powerful with all of the bells and whistles you’d expect from a professional firewall product.
OPNSense = Basically pfSense with a different UI. It’s a fork of pfSense. Much of the same capability, but is built by a smaller company.
OpenWRT = Replacement firmware for embedded devices (as well as x86). It’s open source WiFi router firmware that runs on tens of thousands of devices. Many vendors will even base their custom firmware on OpenWRT and put a different skin on it (GL.iNet, for example).
If they’re providing IPv6 to you, port forwarding shouldn’t be necessary most of the time for online gaming.
Are they allowing UPnP upstream?
If you’re getting a /64 from your ISP via DHCPv6, you likely need to send a prefix hint. I’d guess /60. Then you’ll have multiple /64s to work with on your inside interfaces.
Who is the ISP?
If you’re allocated DHCPv6-PD with a subnet, you don’t use a relay.
Prefix ID of 0x1 means “Use the first prefix available in the block as a /64 for the LAN”. Essentially your ISP probably gave you a /48, /56, or /60. The firewall is giving prefix IDs to all of the /64s you can fit inside of one of these and allocating them numbers 1 through whatever. Each LAN you have can have its own prefix ID. A /60 has 16 /64 networks that you can subnet it into.
Chances are you’ve had the same public IP for a long time. Mine hasn’t changed in 2 years.