IPv6 questions

[marjohn56]

I have another question, if you set the DHCPv6 range to a narrow range say ::2000 - ::4000 on a /64
the addresses it hands out show up as /128 on the clients not /64
why is this?  the client then seems to get another address /64 so it is able to have comms with others on the same network.
Seems a bit crazy.

Becasue then it has another address, if I want to block a client on a schedule how can I tell which addresses I need to block?
often the client seems to get 2 or 3 addresses from the /64 subnet
I suppose if every machine gets 3 addresses on the planet, that'll run down the address space a bit quicker, lol

In your /64 network you have 18,446,744,073,709,551,616 addresses, Zen gives you a /48 which is 65K of those /64 ranges. ISP's are usually allocated a /32 ranges, which allows them to dish out 65K /48s. I can't be bothered to take it to even shorter prefixes, but we will not run out of v6 addresses in the foreseeable future. They don't expect you to have 8,446,744,073,709,551,616 clients on your own LAN segment, it's done for security and privacy, the addresses can and will change on new sessions and that's the way v6 works, yes, you can assign a fixed address to client using dhcpv6, and that address will be given to only that client. but unless privacy extensions are disabled on the client then you cannot stop it getting further addresses.

[fgsfdgfds]

I see thank-you.
Just seems a bit crazy, it (the client) has an address why go and get more and more.
having more than 1 public IP was always a server thing in my book.

maybe for firewalling I'll have to consider another method of separating clients on IPv6.
How can I block kids by IP from using their devices all night on IPv6?

Can't work it out, used to hand out static IPv4s and block on mapped mac to IP addresses
worked well for years

[Greelan]

If you only use DHCPv6 to hand out IPv6 addresses and not SLAAC, you will still be able to control things. But you can't use DHCPv6 on Android devices

[marjohn56]

I see thank-you.
Just seems a bit crazy, it (the client) has an address why go and get more and more.
having more than 1 public IP was always a server thing in my book.

maybe for firewalling I'll have to consider another method of separating clients on IPv6.
How can I block kids by IP from using their devices all night on IPv6?

Can't work it out, used to hand out static IPv4s and block on mapped mac to IP addresses
worked well for years

Those days are gone, you can just live with v4 or use smart APs that limit access by time. For example, I use EAP 225s, they support VLANS. So I can have multiple SSIDs, one for the Kids ( if there were any at home ) that I can turn on and off by schedule. If it's a wired network, VLANs will do it for you, you could use cron to take down an interface at a specific time.

[marjohn56]

If you only use DHCPv6 to hand out IPv6 addresses and not SLAAC, you will still be able to control things. But you can't use DHCPv6 on Android devices

Correct, Android is SLAAC only.

[Greelan]

And who wants to configure every other device on DHCPv6 anyway? [emoji23]

[marjohn56]

Rather go the Wifi shedule or VLAN route than play wack-a-mole anyway, you only have to change the DUID or MAC on the client and you get a new address, most 10 year olds probably now how to get around that sort of block.

[fgsfdgfds]

I have many unmanaged switches on site.
But if I changed the 2 at the house which the wifi APs connect to, to VLAN managed switches and set 2 ssids, then wifi stuff on 1 ssid could be switched off from the net based on VLAN and time of day in OPNsense?

The rest of the switches could continue as they are, unmanaged, would that work?
Thanks

[marjohn56]

Yes, if that's the only way the kids connect. If the APs don't support VLANs you would need have each AP on a different VLAN. If they do support VLANs that means they will likely also support multiple SSIDs, in which case you can either use the AP based scheduler ( if it has one ) or a simple firewall schedule that disables internet access on that VLAN at given times.

[fgsfdgfds]

Oh OK,
So my APs in the house support VLAN and multi SSIDs, but my switches don't.
Kids almost always use WIFI.
So if I set a new SSID on the APs with a VLAN, that will work without changing the unmanaged switch?
Never really felt the need for VLANs to be honest until IPv6 and the way that works. (so will have to read up on them)
1 of the APs is old and will not support IPv6, will that make it harder to setup 1 AP with VLAN ipv4+ipv6 other ipv4 only?

[marjohn56]

I only went over to VLANs about eighteen months ago, when smaller managed switches were available, when I mean small I mean the size of a couple of cigarette packets. as in several places in the house I only need a couple of wired connections. At the same time I changed my WAPs to VLAN supported WAPs and went the while hog, now I have separate IOT, work and primary VLANs, primary wifi and guest wifi and it all runs flawlessly; there are four 8 port switches and one 24, but that's in my study and has all sorts of stuff connected to it for testing Opnsense instances and two WAPs, one upstairs one downstatirs. There are now 5 port switches available that were not when I set it up originally, it's a good investment I'm happy with.

[fgsfdgfds]

so will my main switch (unmanaged non vlan) that's next to opnsense happily pass the VLAN tagged packets correctly to other VLAN APs that are further back in the network?

I have I think 8 of the blue netgear unmanaged switches across the farm (4 in the house) (plus more on another network subnet with routing etc to another business)

[Greelan]

No. If the switch is not VLAN aware, it is not VLAN aware

[fgsfdgfds]

don't understand your answer.
Are you saying to have VLANs working on an VLAN compatible AP, the switch the AP connects to must be a managed switch?
I only want the switch to pass the VLAN packets to OPNsense nothing more.

[Greelan]

Depends. If you are passing only 1 VLAN into the switch then it should work (assuming the switch doesn't choke on the VLAN tags and drop the packets as invalid). The issue arises if there are multiple VLANs going into the switch - the switch can't distinguish between them