if your prefix ever changes you’ll have to update it everywhere
I mean that's a good point but I'm paying money to not have my prefix changed. If I were to do it the intended way using DNS, how would I set up the DNS to be prefix agnostic? How would I reference devices in the firewall?
Its a bit complicated and depends on your ISPs support level.
If your ISP supports basic IPv6 they will likely use SLAAC or DHCPv6 to advertise the /64 that any directly connected devices, like your router, can use (/64 being the default size for a single LAN segment, even between point-to-point connections). If you have devices behind that router that want to use IPv6, you will need additional prefixes. The most common method nowadays is to use Prefix Delegation (DHCPv6-PD) where your router will ask the upstream router for an additional routeable prefix which you will use on another interface of the router. The RFC for prefix delegation recommends a /48, but many ISPs are not delegating that much. I only get half of a /60 from my ISP's modem.
If the ISP just provides you a static routeable prefix, then you would just assign that to your router's interface and enable SLAAC/DHCPv6 to give out that prefix. This would only need to be configured in a single device and is why they don't recommend hard coding servers and workstations with IPV6 addresses.
Keep in mind that your router will also need a firewall as all of these IPv6 prefixes are routeable and public. While IPV6 space is quite like finding a needle in a haystack, you could still find yourself having a bad day if you treat it like private IPV4 space.
The end result though is that you would setup DNS so that devices register their IPv6 addresses and it just works. There's also the MDNS protocol that supports IPv6 which will do segment-local resolution for device names.
I think there's some misunderstanding
I get how IPv6 works, I got a /48 from my ISP. The problem is that I have some 15 devices here that I have to refer to in DNS and either I have to change their static IPs or I have to change their IPs in DNS if the prefix ever changes (it shouldn't, because I pay for them to not do that). My laptop, phone and desktop do not get a static IPv6 and use the privacy extension. Is that not how you're supposed to do it?
I don't understand it either. On one hand people say don't remember addresses, use DNS and on the other DNS relies on static addresses but then every device is "supposed" to have random addresses via SLAAC or privacy addresses. It just doesn't seem to tie together very well, but if you use them like IPv4 addresses you're apparently doing it wrong.
Not sure if you know privacy extension is mostly for outbound traffic. When you go to a website it well use privacy ipv6. Can still use management ipv6 for local connections.
For max privacy every device should have it enabled as there are ways to trace if some devices do not have it enabled on your network.
I don't think you understand. I know privacy extension is for outbound and not inbound, but what use is it on a server?
From reading one device can ruin the privacy extension use. Don't know if a server would be they bad since it isn't going to sites.
I mean that's a good point but I'm paying money to not have my prefix changed. If I were to do it the intended way using DNS, how would I set up the DNS to be prefix agnostic? How would I reference devices in the firewall?
Its a bit complicated and depends on your ISPs support level.
If your ISP supports basic IPv6 they will likely use SLAAC or DHCPv6 to advertise the /64 that any directly connected devices, like your router, can use (/64 being the default size for a single LAN segment, even between point-to-point connections). If you have devices behind that router that want to use IPv6, you will need additional prefixes. The most common method nowadays is to use Prefix Delegation (DHCPv6-PD) where your router will ask the upstream router for an additional routeable prefix which you will use on another interface of the router. The RFC for prefix delegation recommends a /48, but many ISPs are not delegating that much. I only get half of a /60 from my ISP's modem.
If the ISP just provides you a static routeable prefix, then you would just assign that to your router's interface and enable SLAAC/DHCPv6 to give out that prefix. This would only need to be configured in a single device and is why they don't recommend hard coding servers and workstations with IPV6 addresses.
Keep in mind that your router will also need a firewall as all of these IPv6 prefixes are routeable and public. While IPV6 space is quite like finding a needle in a haystack, you could still find yourself having a bad day if you treat it like private IPV4 space.
The end result though is that you would setup DNS so that devices register their IPv6 addresses and it just works. There's also the MDNS protocol that supports IPv6 which will do segment-local resolution for device names.
I think there's some misunderstanding
I get how IPv6 works, I got a /48 from my ISP. The problem is that I have some 15 devices here that I have to refer to in DNS and either I have to change their static IPs or I have to change their IPs in DNS if the prefix ever changes (it shouldn't, because I pay for them to not do that). My laptop, phone and desktop do not get a static IPv6 and use the privacy extension. Is that not how you're supposed to do it?
I don't understand it either. On one hand people say don't remember addresses, use DNS and on the other DNS relies on static addresses but then every device is "supposed" to have random addresses via SLAAC or privacy addresses. It just doesn't seem to tie together very well, but if you use them like IPv4 addresses you're apparently doing it wrong.
Not sure if you know privacy extension is mostly for outbound traffic. When you go to a website it well use privacy ipv6. Can still use management ipv6 for local connections. For max privacy every device should have it enabled as there are ways to trace if some devices do not have it enabled on your network.
I don't think you understand. I know privacy extension is for outbound and not inbound, but what use is it on a server?
From reading one device can ruin the privacy extension use. Don't know if a server would be they bad since it isn't going to sites.