0

The ISP was running out of IPv4 addresses, so he gave us an IPv6 address; now I have a static IPv6 address, which is good. According to the IPv6 description, I should now be able to directly address any device in the LAN from the WAN without going through port forwarding to LAN IPv4 addresses (just setting the IPv6 address and the firewall permits).

Now when I ask for my IP address on any of the PCs in the LAN, I get the following: 0000:aaa:bbbb:cccc:dddd:eeee:ffff:gggg. The first 4 groups are always the same on any of the PCs, so that is my external public IP, and the last 4 groups change not only by device but also by time if called from the same PC (so that is this interface identification created by the program). Now where is the IPv6 address part for an individual device in the LAN? How can I get the IPv6 address of a device in the LAN and then address that device directly from the WAN with that IPv6 address? I can still use my LAN server by using port forwarding as I did before, but how do I change to this advanced direct IPv6 addressing? Am I understanding something totally wrong here?

2
  • IPv6 just allows more addresses. That does not in any way increase security. Connecting from the internet to your server directly would be very insecure, and IPv6 does not change this.
    – anon
    Commented Feb 15, 2020 at 19:25
  • You can pretend you got public IPv4 addresses that you distribute in your LAN with DHCP. That will answer many of your questions. Things do not change that much.
    Commented Feb 15, 2020 at 19:26

2 Answers

1

The first 4 groups are always the same on any of the PCs, so that is my external public IP

No – the first four groups are your LAN's network prefix. The actual IP address is all 8 groups, i.e. network prefix + interface identifier combined.

So the important difference is that your ISP doesn't merely assign you a single address in IPv6 – they assign you a whole network (i.e. address range).

(For comparison, in IPv4, if you had the typical /24-sized LAN network, then "192.168.1" would be the network prefix but "192.168.1.25" would be the whole IP address.)

where is the IPv6 address part for an individual device in the LAN?

You're looking at it. 0000:aaa:bbbb:cccc:dddd:eeee:ffff:gggg is the device's IP address.

the last 4 groups change not only by device but also by time if called from the same PC

Whether the interface identifier changes over time or not is entirely up to the computer itself. (Most operating systems use the "privacy extensions" feature, which means they self-assign multiple addresses – the first one is static, the other ones change over time.)

So if you want a stable address for connecting to the computer, look at its own IP address list instead of asking a website – e.g. run ip addr on Linux or ipconfig /all on Windows, and pick the one which doesn't say "Temporary" next to it.
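
As an added example (not part of the answer above): a short Python parser that splits each address from `ip -6 addr show` into network prefix and interface identifier and picks out the global addresses not flagged temporary, which are the ones an inbound firewall rule would reference. The sample output is constructed, uses the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (documentation prefix).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1234:5678:9c1d:77aa:3e0b:52f1/64 scope global temporary deprecated dynamic
       valid_lft 3590sec preferred_lft 0sec
    inet6 2001:db8:1234:5678:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6 = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\S+)(.*)$")


def parse_inet6(text):
    """Return one dict per inet6 line: address, prefix, interface ID, scope, flags."""
    entries = []
    for line in text.splitlines():
        m = INET6.match(line)
        if not m:
            continue  # interface header and valid_lft lines
        iface = ipaddress.IPv6Interface(m.group(1))
        # Host bits only: the interface identifier inside the network prefix.
        iid = int(iface.ip) & int(iface.network.hostmask)
        entries.append({
            "address": str(iface.ip),
            "prefix": str(iface.network),
            "interface_id": f"{iid:016x}",
            "scope": m.group(2),
            "flags": set(m.group(3).split()),
        })
    return entries


def stable_global(entries):
    """Global-scope addresses that are not privacy-extension (temporary) ones."""
    return [e["address"] for e in entries
            if e["scope"] == "global" and "temporary" not in e["flags"]]


if __name__ == "__main__":
    parsed = parse_inet6(SAMPLE)
    for e in parsed:
        print(e["prefix"], e["interface_id"], e["scope"], sorted(e["flags"]))
    print("stable:", stable_global(parsed))
```
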

0

IPv6 precludes NAT, so no address translation is required. It is now replaced by firewall filters and rules.

Because devices may be directly accessed/attacked from the internet, firewall permitting, a random address is appended to the global prefix for the purpose of obfuscating addresses, as defined in the DHCPv6 standard. As the number of possible values is enormous, an attacker is highly unlikely to hit on an IPv6 address that is assigned to an actual device.

You may assign any device on the local network a static/non-random IPv6 address, then define rules in the router's firewall for which access is allowed to that address. This heavily depends on the quality of IPv6 support in the router's firmware.

This practice is extremely risky, as by accessing the internet from this device you could be disclosing its IPv6 address to an attacker.

You would be better off not using static IPv6 addresses, but using instead a dynamic DNS service that supports IPv6 and dynamic detection or other mechanisms. See for example the No-IP IP Detection Service (no recommendation intended). This option again depends on the capabilities of the firewall in your router's firmware.
