alt.hn

12/27/2025 at 1:59:16 PM

Beyond the Nat: Cgnat, Bandwidth, and Practical Tunneling

 https://blog.rastrian.dev/post/beyond-the-nat-cgnat-bandwidth-and-practical-tunneling

by rastrian

1/1/2026 at 6:02:10 PM

If you are already running a VPS, the SSH -J option is useful if you don't want to expose your SSH to your home public address.

You create an SSH reverse tunnel (-R option) from a server in your home network to your remote VPS. This gives you a localhost port on your VPS to your server SSH port. Something like:

    ssh -NT -R 2222:localhost:22 vpsuser@yourvps.com
From your laptop, use your your VPS address and localhost port in the -J option. Something like:

    ssh -J vpsuser@yourvps.com:2222 homeuser@yourhome.com
I only allow ssh key auth and only my laptop is trusted by my home server. The home server doesn't need to trust the VPS "jump server".

by idatum

1/1/2026 at 4:22:38 PM

> Home internet in the 90s felt simple. You plugged into Ethernet, got an IPv4 address, and you could expose a service directly.

Maybe the 2000s, yes. This experience in the 90s was reserved for businesses and schools that could afford a T-carrier connection. The rest of us had dialup.

by teeray

1/1/2026 at 5:29:30 PM

Even on dialup it was common to get a public IPv4 address, depending on what service. The service I had in like 95-98 didn't promise static IPs but I effectively got the same address for weeks at a time, I'm assuming due to whatever logic was mapping accounts to addresses. They also gave you access to a FreeBSD shell if you wanted to read email via elm or pine or the like, one of the first places I saw SSH!

by reincarnate0x14

1/1/2026 at 4:42:47 PM

I had dialup with a static IP and inbound access to listening ports.

by kstrauser

1/1/2026 at 7:26:40 PM

This looks like an excellent overview of the current state of things, and some nice practical instructions on getting end to end connectivity working.

Personally I don't think IPv6 will ever supplant IPv4. As far as big tech is concerned, NAT solves the problem well enough for clients and SNI routing solves it well enough for servers.

What incentive do they have to make things better for small orgs and p2p use cases? Better from their perspective to retain control over IPv4 real estate and extract rent.

by apitman

1/1/2026 at 8:03:06 PM

For one, most major governments have told them to do it or else. I'm not sure which year it will be but there's already a mandate that US federal client systems can't have IPv4, and contractors must support IPv6, and a later deadline is for servers and websites to not have IPv4, at which point if your ISP doesn't provide access to federal government websites then all your customers can sue you into oblivion for failure to provide contracted services, including damages for any missed federal government interactions, which your liability waiver will not limit since your lack of IPv6 support by that time is intentional gross negligence. Google and Apple both require apps to work on IPv6-only networks or they get removed from app stores, and the majority of mobile networks are IPv6-native (with a slow translation layer for IPv4). Over 50% of internet traffic is IPv6 right now.

I'm not sure why you guys keep saying IPv6 won't happen, when it's already happened. Just ostriching, or incentivized to keep IPv4 address prices high, or what gives?

by immibis

1/1/2026 at 9:39:01 PM

I wish I had an IPv4 block to hoard.

Far more important than current adoption is rate of adoption, which is slowing.

US mandates will certainly help and may be enough, but the US can't force other countries to follow. Many countries have far lower adoption rates.

by apitman

1/1/2026 at 11:34:06 PM

Major internet centers are US (V6 mandate), Europe (V6 mandate, I think - and if not already, they will), China (V6 mandate) and to a lesser extent the west Pacific rim (Japan, Korea, Singapore, Australia). Other countries will do whatever they have to do to remain connected to these, unless they want to make their own isolated BR(not I)(not C)S internet with blackjack and hookers.

by immibis

1/2/2026 at 2:49:38 AM

I hope you're right

by apitman

1/1/2026 at 8:46:43 PM

Accusation of malice is a little far, I think the ipv6 transition isn't obvious to people because it has mostly been on mobile networks and the big datacenters. There are a lot of large organizations yet to implement it internally.

by unethical_ban

1/1/2026 at 7:16:48 PM

Call me a tailscale simp, but since it was launched I honestly stopped caring about any of such issues.

They've built such an incredible product I actually feel guilty I pay absolutely nothing for it.

by yuvadam

1/1/2026 at 10:03:11 PM

public ip abundance of the internet should not depend on mappings in the tailscale servers owned by tailscale or self hosted by other people

by beautyReloaded

1/1/2026 at 5:45:26 PM

New fiber provider across town does CGNAT and no IPv6.

I guess that works for most people except gamers and people who get rate limited because of the actions of others.

Article is correct, IPv4 didn’t die hard.

by kmbfjr

1/1/2026 at 5:59:31 PM

It's bizarre to me that there is still so much effort spent on resisting IPv6 implementations, we were converting some industrial control networks to it almost 10 years ago and those organizations are basically defined by ancient equipment. Rather than byzantine v4 NAT coordination we mapped entire plants and substations to V6 addresses and put in 6to4 for the PLCs that were old enough to vote, so that multiple sites that all used the same 10.x.y.z blocks because of course they did could be routed together. Had V6 available from my house to pretty much anywhere I cared about in 2017.

by reincarnate0x14

1/1/2026 at 7:20:49 PM

As a business, especially a small business, there is no financial reason to do so in the United States for the vast majority of businesses. This gets talked about on NANOG all the time.

It doubles the workload and knowledge required, doubles the security attack surface, and because of the 2nd part, doubles the security risk.

Right or wrong that's the calculation for most spots.

by esseph

1/2/2026 at 12:10:21 AM

re: the attack surface, I will say that I see such a tiny fraction of probe attempts and common exploit scripts hitting V6 spaces that I open some services on V6 only.

At my house I've had SSH open to the V6 internet for 8 years and have the logger set up to email me for any connections, and I have never once seen an attempt that wasn't me. For popular sites with well known DNS names that's obviously different, but I keep DNS current and can SSH by name to that V6 listener from anywhere so it's not my ISP trying to save me from myself either. And that's not even a host with the normal automatic temporary addresses, it's been a fixed interface id portion with an effectively static V6 prefix for years.

For a while I had several other services open as well, at one point we even played around with using NFS and iSCSI over IPv6 on the internet just for giggles, no actual important data. I can imagine some sysadmin's face twisting in horror just reading that knowing the carnage that would have ensued doing that with V4, where we commonly drop entire geo-blocks just to curtail the log spam of all the various automatic admin portal and VPN login scans.

There are of course techniques to gather live V6 addresses but between the vast space and temporary addresses on most end-user devices it really has been a night and day difference.

by reincarnate0x14

1/2/2026 at 12:18:03 AM

It's more likely when you have public DNS pointing to ipv6 enabled hosts, not so likely with a random scan because of the sheer number.

by esseph

1/1/2026 at 8:07:42 PM

You're banned from being a federal contractor if you don't. Isn't that pretty important since that's where all the money is?

by immibis

1/2/2026 at 12:19:16 AM

All the money is in federal contracting?

Did it for a decade, and that's news to me.

by esseph

1/1/2026 at 9:54:31 PM

It's the same bullshit everywhere it seems. There goes the CGNAT with their router where the "advanced" options are basically defining DHCP settings - through a shitty phone app. There is also the stupid TV that no one asked for but it's part of the package.

And when they do give you v6 its a /64.

I wish there might be a category of prosumer friendly ISP of sorts. Those exist but they are hard to find.

by irusensei