![Zarathustra[H]](/data/avatars/m/9/9298.jpg?1723407683){kind=avatar}
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
Intersting.
Too bad DHCPv6 cannot use dynamic subnets. I guess DCHPv4 never could either, but it didn't have to because it was using a private address space.
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
-
Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.
Let's Talk IPV6
- Thread starter Zarathustra[H]
- Start date
-
- Tags
- ipv6
Intersting.
Too bad DHCPv6 cannot use dynamic subnets. I guess DCHPv4 never could either, but it didn't have to because it was using a private address space.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
Huh. I thought IPV4 was built into IPV6 in a specific address range so you can access IPV4 hosts?
Or did I completely misunderstand that at some point.
I could have sworn there was a special address range reserved for embedding IPV4 addresses in IPV6, and This would allow IPV6 clients to reach IPV4 hosts, but not vice versa.
Last edited:
how do you not run dns? do you have a rainbow table for a host file?
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
I have a structure to my subnets and I have memory.
I only need to rememeber the last octet of the IP address. I only have about 25 servers I need to keep track of. Easy to remember them. Why would I complicate things with DNS?
Last edited:
BlueLineSwinger
[H]ard|Gawd
- Joined
- Dec 1, 2011
- Messages
- 1,534
Afraid it doesn't work that way. It's important to remember that, despite their many similarities, IPv4 and IPv6 are different protocols. For example, IPv6 doesn't implement broadcast at all. In practice it's really no different than running IPv4 alongside other network protocols (e.g., IPX, AppleTalk, etc.) was years ago.
You may be think of something like IPv4-mapped IPv6 addresses, which are certain ranges/subnets set aside in IPv6 to represent IPv4. No one actually assigns these to a host (at least I hope not, such subnets aren't even publicly routable). Instead, they are used to facilitate things like NAT64, which allows an IPv6-only host to access an IPv4 server. But AFAIK no one really uses such things, as they already have IPv4 set up anyways and dual-stack is just as easy (probably easier, actually). Though if we get to some weird point where it's impossible for some to get IPv4 addresses and others are still stuck solely on them, such hacks might be necessary.
Last edited:
so when you need to bring up google in a web browser do you type google.com or 172.217.11.36?
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
No. I of course cannot memorize all domain names in the world. I use DNS for accessing WAN addresses, or most of them at least, I just don't run a DNS service for my LAN because I don't feel I need it.
I'm with OP. IPV6 is a CF.
I'm sure it goes against best practices, but we just disable it on any piece of equipment we touch as SOP because it seems to cause so many quirky issues. We tried to make do for a while because it was the future. At this point I'll believe it when the US converts to the metric system lol.
I'm sure it goes against best practices, but we just disable it on any piece of equipment we touch as SOP because it seems to cause so many quirky issues. We tried to make do for a while because it was the future. At this point I'll believe it when the US converts to the metric system lol.
so you run dns on your router
- Joined
- Jun 7, 2007
- Messages
- 13,728
You don't need DNS on your router to access the internet. A computer can communicate directly with a DNS server on the internet – just need it's IP address.
so when you run ipconfig /all on your pc what do you get for a dns server? I got a million on your routers IP address.
BlueLineSwinger
[H]ard|Gawd
- Joined
- Dec 1, 2011
- Messages
- 1,534
I wouldn't call IPv6 a clusterfuck. For sure it has its quirks. Many apps needed to be updated and network hardware replaced/upgraded, but that's pretty much settled. There have been some growing pains and initial adoption was slowed by such, but has picked up considerably in the last few years (FWIW, the US is near the top of IPv6 adoption at >40%, according to Google and Akamai. The Internet Society's State of IPv6 Deployment 2018 is also interesting.)
I'd say that if you're in a position to be doing IT/network for a business and you're actively disabling IPv6, you're going backwards.
The Internet Society also has a nice page of IPv6 resources for getting started.
* * *
Also follow-up/modify what I wrote about NAT64 earlier. I was thinking more business/corporate/office-type install. I'd completely forgotten about things like very large provider networks, such as cell/mobile networks. Many of those, especially in fast-growing regions, are going IPv6-only. They'd have to be using NAT64 or a similar solution. Still though, not something most of us would/should be looking at, and dual-stack is the way to go.
- Joined
- Jun 7, 2007
- Messages
- 13,728
208.67.222.222
For the average user, they aren't even aware they're using IPv6. For those that need to care, it isn't too complicated to adapt to in the home, business or enterprise. Im sorry, it's just not.
Those that complain of issues, operational or technical are those that may have had an issue a decade or so ago or those that continue to hammer IPv4 learned fundamentals to shape their IPv6 deployments.
It's different, but it is stable. Get over it.
Those that complain of issues, operational or technical are those that may have had an issue a decade or so ago or those that continue to hammer IPv4 learned fundamentals to shape their IPv6 deployments.
It's different, but it is stable. Get over it.
so how does any device on your network talk to other devices On your by hostnames?
- Joined
- Jun 7, 2007
- Messages
- 13,728
They don't, because they don't need to. Like OP, I don't have a lot of devices, and the ones I have don't need to communicate with eachother. When they do, I can just figure out the IP, no big deal. The DNS in my router isn't being used, and would be disabled if I could do so.
Early on in this thread, the OP mentioned not wanting to be beholden to ISPs for putting devices on an internal fully IPV6 network. A bunch of people chimed in saying that isn’t an issue and taunting the OP’s backward thinking ways. What I’m reading now is that you actually do need a block from an ISP, many of us won’t be able to obtain one, and the solution is to run an internal IPV4 network? I definitely don’t understand IPV6 as well as I would like but have to admit I don’t necessarily like the idea of a single directory, and it doesn’t sound like the panacea some on this thread have made it out to be.
someone mentioned IPV6 privacy extensions, could someone elaborate on what they are / are not?
someone mentioned IPV6 privacy extensions, could someone elaborate on what they are / are not?
BlueLineSwinger
[H]ard|Gawd
- Joined
- Dec 1, 2011
- Messages
- 1,534
Dual-stack IPv4/IPv6 has long been the recommended setup. It allows for the introduction and integration of IPv6 while allowing the existing IPv4 network to continue to cover circumstances where the former isn't quite there yet. I don't think anyone here has called for a wholesale swap-out, or been less that forthcoming about IPv6's current shortcomings. But it does correct a number of issues with IPv4, most notably the address shortage and ubiquitous need for NAT.
One way or another, at the consumer level, you're dependent on your ISP to define and supply your IPv6 subnet. Unfortunately, much as they will not assign you a static IPv4 address, most ISPs also will not assign a static IPv6 subnet. For the majority of users this is not an issue. They're not doing anything that really requires communication between local nodes and static addressing and/or hostname resolution is not needed. For those of us that are the exception (raises hand), this is one of those instances where current IPv6 shortcomings are filled in by maintaining IPv4. And of course, there are still a lot of servers out there (including this forum) that have no IPv6 address.
A quick googling of IPv6 privacy extensions should give you a decent overview. Basically, it's the periodic randomization of the IPv6 address used by a node to connect to other nodes.
I'm not sure what you mean by "a single directory".
- Joined
- Mar 1, 2014
- Messages
- 13,205
This thread had been amazing. I learned so much! I used to think just like Zara, so I'm glad I read this post!
If I understood correctly, privacy concerns that IPv4 "solved" with NAT are mitigated by the use of (daily) temporary IPv6 addresses. Question is, how would I block outgoing connections from certain devices if they change their IPs daily? By host names?
- Joined
- Jun 7, 2007
- Messages
- 13,728
Hostname and/or MAC address, or you could filter by port if it's hardwired and the router/switch supports it.
Disable SLAAC and use DHCPv6 reservations on your network.
Thay wouldn't "anonymize" the devices, though.
I personally don't see the benefit of anonymizing the individual devices on a network. A good network firewall is imperative of course.
What's the use case for "hiding" devices behind a single or few public addresses?
I don't want my ISP to know how many devices I have and what each of them is doing, nor mobile providers to control any tethering and such.
The only way they won't is if they aren't able to.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
Yeah, putting that genie back in the bottle won't be easy.
Data mining is part of the built in revenue stream of absolutely anything and everything with software now. There will be kicking and screaming before any of these players give that up.
Either make it impossible for them to track you by taking increasingly difficult (in most cases impossible) precautions on your end, OR support legislation to make it illegal, battling what probably would be the biggest and most well funded lobby the world has ever seen.
Oh boy, thats a bit much dude
My ISP hands out /64 ipv6... Unfortunately it's dynamic and changed often. Pretty much a completely broken implementation. Luckily ipv4 is behind a double NAT, so absolutely no way to setup any sort of port forwarding. Was wanting to setup ipv6 on my home network but wasn't sure how easy it'd be to work around a constantly changing ip range.
BlueLineSwinger
[H]ard|Gawd
- Joined
- Dec 1, 2011
- Messages
- 1,534
I don't know that I'd call their IPv6 broken. It's certainly the minimal offering. It kinda sucks that they're always changing up the subnet address, but that's not really an issue if all you need is for your nodes to be set up with IPv6 addressing.
If you're looking to access a LAN node from the outside via IPv6, a dynamic DNS setup should work. A quick search on "dynamic dns provider ipv6" brings up a number of results (none of which I personally have any experience with). Just make sure your firewall is properly set up.
Yeah, forgot the other half of the issue is their modem doesn't broadcast the right subnet either. I would have to write a web scraper to constantly poll the modems admin page for changes. It's a poor implementation. I still haven't had any success even if I set an IP manually of being able to ping a box from the outside world. Maybe one day if I get bored enough I'll look into it more, but it's satellite internet and mostly useless to anyways.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
To come back to this two years later, I guess my real question (and it might not be an answerable one) is:
How long until there start being things I want to do on the internet that just won't work with IPV4.
Essentially, when will major players, service providers and websites start shifting to IPV6 only, and abandoning IPV4 users.
I still have IPV6 disabled at the interface level on my router on both the LAN and WAN sides, because I don't fully understand how to firewall it properly, and don't want to risk having a gap in the firewalls until I have the time to properly read up on it.
My thought process is that at some point I'll have the time to read up on, and become comfortable with IPV6, enough such that I can configure my nine different VLAN's to work properly and all my firewall rules between them to block things properly, but that hasn't happened yet.
That, and the transition would require that I have downtime, and I abhor downtime....
Quite frankly, at this rate it may never happen, unless it absolutely has to, In other words, when things stop working because I am still on IPV4 only.
My gut is still telling me to - when I am finally forced to make the switch - to try to construct something like what I already know, and just set up NAT66. This way I'll be able to keep my WAN and my LAN completely independent of each other the way I like it.
I also HATE the idea of having to use DNS or hostnames to find machines on my local network instead of just memorizing all the IP addresses like I have always done it.
- Joined
- Oct 7, 2000
- Messages
- 75,927
- Joined
- Nov 12, 2003
- Messages
- 14,032
It depends....in the US? Perhaps never. You can still go aws.amazon.com, sign up for an account, and spin up a server with an "elastic" IPv4 address for a very low amount of money.
In Asia? Likely within the next 10 years, a large portion of Asian hosted websites will be IPv6 only simply because they have a much smaller pool of IPv4 space and a lot more people. If American Technology companies want to continue courting that market, they will also need to get themselves IPv6 ready to reach these consumers.
When IPv4 address space trades at such high prices on the secondary market, that it's financially unaffordable or impractical to continue buying IPv4 space to support new customers. At this point, the major American providers already have more than enough space to sustain themselves for many years so I don't see this happening anytime soon. Even if it does, there is trickery they can do with CG-NAT to stretch the IP's out even further.
As mentioned above, Asia is a different story.
IPv6 has been around for over 10 years at this point. The major firewall manufacturers have the sense to include automatic rules that block traffic originating from "outside" IPv6 addresses to "inside" IPv6 addresses. This functionality should work out of the box.
Side Note: Keep in mind that there is a difference between a pure router and a firewall. Using a firewall that has the capability to route is the ideal use case for people with home/small networks - you get a device that is capable of blocking a decent amount of traffic from outside to in while also providing basic static routing to the outside world. Pure routers are designed to...route...with support for advanced routing protocols and large tables to move packets as fast as possible. Most people use the two terms interchangeably but there are significant technical differences when you look under the hood in terms of the actual capabilities of the device that make themselves incredibly relevant when you operate networks at scale.
There are some curveballs that exist in IPv6 setups vs. IPv4. The biggest are:
- Address acquisition for hosts does not necessarily run on DHCPv6 but relies on a protocol called SLAAC. Android/Google devices still do not support DHCPv6 and may very well never use DHCPv6 due to an interpretation of RFC standards from their technical fellows. (Plenty of documentation and drama around this in their bug tracker - https://issuetracker.google.com/issues/36949085)
- You do not determine the subnets your network uses....at least not the first few Hextets. Your ISP assigns a prefix (usually a /56) to your firewall which then breaks it down to /64's - enough for 256 different subnets (if I did my math right)
- Subnetting in IPv6 is a tad different - standard practice is to use /64 for everything even for simple point to point links or very small subnets. For all intents and purposes, it's the replacement for the /24 in IPv4 world.
- ARP is a think of the past and has been replaced by NDP. Your "link local" address on any interface also plays a much larger role in connecting yourself to an IPv6 network, negotiating an IP address with the other clients in the same VLAN and ultimately acquiring a list of DNS servers, next hop (default gateway), and an IP address.
- As most people know, due to the absolute insane number of IP addresses, there is no NAT. College campuses back in the day used to operate IPv4 with no NAT as they could go out and get /16's and /12's with relative ease. Only difference is that you don't have the "dummy" security a typical NAT setup provides and a firewall just has to act as an actual firewall and filter inbound traffic originating from unknown sources.
I have it fully enabled on my PFSense firewall and it was relatively straight forward once you understand the basic concepts and different of IPv4. No issues thus far and roughly 20% of my internet traffic has been flowing via IPv6.
No...it doesn't. You can run IPv4 and IPv6 in a "dual stack" configuration. No downtime needed for the IPv4 side of things
The reality is that the vast majority of users will move to IPv6 and not realize it because they just use routers managed by their ISP's. They won't notice any difference in the functionality of the internet.
Setting up NAT66 is just adding a step of complexity for you. While you can do it...there is absolutely no point. There is absolutely nothing wrong with using firewalls as....well what firewalls were meant to be....a stateful filter for packets and not a dummy device that hides a "private" network behind a single IP address.
This is what DNS was designed to do. DNS has reached mass adoption and there are no "normies" out there manually typing in IP addresses to reach their favorite websites. There are things you can do to make IPv6 addresses more memoizable but since I have DNS fully implemented on my internal network, I really don't care anymore. The only places where you may consider not using DNS or DHCP reservations, for that matter, are networks not connected to the internet and where you don't want a DHCP or DNS server being a single point of failure. At this juncture, however, there are plenty of ways to mitigate that and it's just much easier to use DHCP and DNS as intended as it makes managing the address space on your local network, at scale, much easier.
Last edited:
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
I think what I have to do is build up a level of comfort with SLAAC and that my internal network depends on the global IPV6 address.
I have become very happy with the concept of my local network being completely independent of anything outside it. As long as I stay within one of the private address blocks, I can give my local machines any IP address I want and the outside world absolutely does not matter. The WAN IP address or address range can change, and it does not matter. The WAN can completely go down, and it does not matter. My internal network stays the same. It gives me a lot of flexibility.
After all, most of my newtwork traffic never leaves the house. it is a minority of it that goes out over the WAN..
In my case I currently have 9 separate VLAN's, each set up with it's own /24 block inside the 10.0.0.0/8 block.
VLAN1 uses 10.0.1.0/24
VLAN2 uses 10.0.2.0/24
VLAN3 uses 10.0.3.0/24
etc. etc.
When I spin up a new machine in any of those I never have to even think about what is going on on the WAN side. I just make sure an IP address isn't in use (I mostly have all of this in my head, but I also keep a list, in case I forget), and set up a new static IP of my choosing. I don't even use DHCP for anything other than mobile devices over wifi. Everything else gets hardwired via wired ethernet, and gets a static IP address configured on the local machine.
It also bothers me to use DNS to map to hosts on the local network, or to even use hostnames at all. I feel like I should be in control and know all of my servers by IP address. That's how I've been doing it to date, and that's what I'm comfortable with.
I know that my Unifi server is 10.0.1.24, that my MythTV backend is 10.0.1.19, that the color printer is 10.0.1.16, the black and white printer is 10.0.1.15, the main switch is 10.0.1.2, etc. etc. etc. I have my entire network in my head. The concept of complicating things by adding another abstraction layer like DNS really annoys me.
Maybe this is a 90's way of thinking about networks, but what can I say. I'm a 90's kind of guy. I like having manual control over everything and not being dependent on any system that isn't strictly necessary or anything I don't control, like my ISP. My local network is mine, and it is completely separate and independent from the outside internet, unless I instruct a packet to traverse the router and head out to the WAN. I don't view them (the greater internet and my local network) as being part of the same thing. I view them as independent and partitioned things that are connected via a bridge. The whole outside world could die, but my network will still be my network. I feel like IPV6 is forcing me to change this mindset, and quite honestly, I hate it. I hate that every machine on my network will become independently addressable by the outside world. I like the obfuscation of a single IP facing the outside world, and no one knows what, if anything at all, is behind it.
Essentially, I North Korea my local network. Now IPV6 wants me to treat my local network as if it is a part of the greater internet and free trade it, and I am not liking that at all.
So where everything used to be simple and local and fully within my control, now I am going to be dependent on my ISP via SLAAC, and have to set up abstraction layers to keep track of things. It really feels like a step in a every wrong direction.
Also, being forced to dual stack things is a bloody nightmare. It's enough work to stay on top of one set of firewall rules. Now having to maintain two separate sets? What a bloody nightmare.
Last edited:
pek
prairie dog
- Joined
- Nov 7, 2005
- Messages
- 3,463
Like computerbox34 said, firewalls today don't make a distinction between ipv4 rules and ipv6 rules (thank god), you don't have to make separate rules or separate virtual firewalls (with all their routing pita's), it's just a rule the has both address types. If you have a firewall between you ad the great unwashed, you've isolated yourself, the firewall blocks by default, and on the odd chance is doesn't, just make "any, any, all, all, deny" the last rule (do NOT make it the first rule), I always do that on any firewall I set up, work or home, it's habit by now.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
Hmm. So in the rule I'd need to list BOTH the IPV4 and IPV6 addresses it applies to? I guess that's a little bit better, but still more addresses to keep track of when doing this shit.
How would this work in the case where
Do you have to firewall off the automatically generated link-local addresses as well or are they automatically local only? I haven't wrapped my brain around how this works quite yet.
Also, how do you keep track of your firewall rules when SLAAC could change them at any moment, or - as the problem Ready4Dis has, when his ISP changes the block on him?
Does a change in the block, result in a change in the address, and if I have written my rules against a specific address, it is now different, and breaks?
Or can you somehow write the rules against only the last /64 portion of the address and have the rest of it be a wildcard?
Still, seems way more complicated to manage than the status quo, even with the complications of NAT.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 42,210
So I am trying to figure out how to do this in pfsense:
The dropdowns allow me to select the protocol for my rule as IPv4 + IPV6 but I still just have the one source and one destination field to enter the affected address:
Do I have to create an alieas, and then in that alias list, list both the IPV4 and IPV6 addresses?
And how do I even structure it, such that it still works when the block changes or the SLAAC assigns a different address?
How do I even use static IP's on my local network anymore if IP's are doled out by the ISP via SLAAC?
Does this mean I can't use static IP's on my local network without paing my ISP for "business internet" that includes static IP's?
I guess I could play around with it a little bit, by enabling IPV6 only on my WAN, and then creating a new VLAN, and enabling IPV6 only on that LAN, giving me some space to experiment without tanking my current setup, but as of right now IPV6 is still making very little sense to me, and it is making me pretty angry that I am being forced into dealing with this shit.
Last edited:
BlueLineSwinger
[H]ard|Gawd
- Joined
- Dec 1, 2011
- Messages
- 1,534
Yeah, these are all valid concerns/shortcomings regarding IPv6/SLAAC. IIRC I and others addressed them previously in this thread. I'm not familiar enough with current pfSense to offer specific guidance there.
There's no way to dynamically update any firewall if the ISP changes out the IPv6 block they issue from under you...
In theory, if the firewall can accept a hostname instead of an IP address (oh, you'd hate that I bet, I kinda cringe at the thought as well), then it resolves the above issue...
However, I'm not aware of any mechanism that enables a host to update it's AAAA record on the DNS server when forced to update its IPv6 address in a SLAAC setup. So, back to square one.
Personally, I haven't bothered with setting up any IPv6 firewall rules for specific LAN hosts. Everything incoming is blocked, excepting ICMPv6, and DHCPv6 to the router itself. There are online IPv6 firewall scanners you can use to verify your setup. If I need to allow external access to a local host I stick with IPv4 for now.