IPv6 questions

Started by fgsfdgfds, March 09, 2021, 11:43:05 PM

The problem is, and I thought that I had posted this in an earlier message, might have thought it then the wife wanted me to do something and I forgot...


You cannot pass untagged and tagged packets down the same piece of cable, well you can, but it will not work. The reason is that the clients, PCs etc., cannot distinguish between the tagged packets and the untagged packets, so for example, if you put a VLAN (tagged) with a DHCP server on it and an untagged (non-VLAN) with a DHCP server on it then you have a piece of wire that has two networks providing an address and the client sees both of them. Hence you need a managed switch to 'split' the network back into the correct segments. The cables between the switches are known as trunks (well, in Cisco land) and they carry all the VLANs; you cannot plug a client directly onto that trunk (unless you know how to set the VLAN tag on the client's NIC).
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Cheers,
Well, just to try and see what happens, I set the 2 APs to have an extra SSID called kids, I set this SSID with VLAN tag 2.
Then made a new interface with new IPv4 subnet+DHCP, put the kids' laptops/phones on the new SSID and they seem to now be separate from the main LAN.
Or at least best I can tell, they are on the other subnet.
Maybe I should change the switch to a managed Netgear 'plus' switch, but for now, I think it's working.
So thanks for your input, I will probably reinstall and do PPPoE bridge on the Draytek sometime, but for now it seems OK.
I think the Mrs gets a bit annoyed when the internet goes down when I'm messing.

But really I needed to get IPv6 going at some point, have put it off long enough

Quote from: marjohn56 on March 13, 2021, 07:35:06 AM
Rather go the WiFi schedule or VLAN route than play whack-a-mole anyway, you only have to change the DUID or MAC on the client and you get a new address, most 10 year olds probably know how to get around that sort of block.

I faced this some months ago: not really on purpose by the kids, but some Android phones now offer random MAC addresses on WiFi.
This is a good idea for public WiFi, but not good for home :-)
To avoid this, I restricted the WiFi AP with a MAC address white list: so only known MACs are allowed (the option on the phone to use a random MAC has to be disabled).
This "Static ARP" option in DHCP can be useful too, all this to be combined with a dedicated VLAN/AP.

So at the end, only known MACs can be used and they have to match known IPs on a dedicated VLAN/subnet, so you can rule them all :-)
I have done this only in IPv4 so far, due to this SLAAC-only on Android (also I didn't see something similar to static ARP on DHCPv6).
It may be possible to manage with the alias on MAC trick.

One day, I will understand all of this!

I'm sorry to drag this thread back from the depths, but, to an extent, wasn't all of the IPv6 stuff here started because "I need to be able to use OpenVPN from outside my network, so I need a static IP?" I skimmed the thread, so I may have missed stuff, but, why not do what I do?

Use a VPS or other server elsewhere with a static IP, and have that proxy your VPN connection stuff. (Or use any of a number of other similar solutions.) Basically: My OPNSense box - behind starlink - drills an outbound OpenVPN tunnel to my Linode VPS. That VPS has an iptables rule that basically passes all traffic it gets (on my custom OpenVPN port) back across the VPN tunnel to my OPNSense box.

You can use certificates to avoid MITM attack risk, and the performance hit is about 10 ms for me. The hit there is small enough that it's WAY better to use that vs. the connection that goes directly to my DSL line w/o those extra hops, because of the MASSIVELY improved bandwidth on Starlink.

Just my two cents - and, maybe a good 'backup option' - if you're willing to spend ~$5 USD to get a VPS/shell account/whatever somewhere.
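The VPS-side "pass everything arriving on my custom port back down the tunnel" rule set the post above describes, written out as an added example. This is not the poster's own script or anything from OPNsense; every interface name, address and port below is an assumed placeholder (documentation-range public IP, a 10.8.0.0/24 OpenVPN subnet, UDP 1194 as the "custom" port). It prints the iptables commands for review and only executes them when invoked with `apply`, so you can check the rules before they touch a live box.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a VPS that forwards
# traffic hitting one public port back through an OpenVPN tunnel to a home
# OPNsense box. All values below are assumed placeholders; change them.

WAN_IF="eth0"           # VPS public interface (assumed)
TUN_IF="tun0"           # OpenVPN server interface on the VPS (assumed)
HOME_TUN_IP="10.8.0.2"  # tunnel address of the OPNsense client (assumed; pin it
                        # with a client-config-dir/ifconfig-push so it never moves)
SVC_PROTO="udp"         # protocol of the service being exposed (assumed)
SVC_PORT="1194"         # public port on the VPS (hypothetical "custom" port)

# forward_rules PROTO PUBLIC_PORT TUNNEL_DEST
# Prints the four rules needed. DNAT rewrites the destination to the home box's
# tunnel IP; the two FORWARD rules only admit this one service inbound and
# established replies outbound, so the VPS is not an open forwarder; MASQUERADE
# on the tunnel side makes replies return via the VPS even when the home box's
# default route is not the tunnel.
forward_rules() {
    proto="$1"; pub_port="$2"; dst="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $pub_port -j DNAT --to-destination $dst:$pub_port
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -p $proto -d $dst --dport $pub_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $TUN_IF -d $dst -p $proto --dport $pub_port -j MASQUERADE
EOF
}

# Count how many rules forward_rules emits; handy for a sanity check before apply.
rule_count() {
    forward_rules "$1" "$2" "$3" | grep -c '^iptables'
}

if [ "$1" = "apply" ]; then
    # Forwarding must be on, and FORWARD should default to DROP so that only the
    # rules printed above let traffic across the VPS.
    sysctl -w net.ipv4.ip_forward=1
    iptables -P FORWARD DROP
    forward_rules "$SVC_PROTO" "$SVC_PORT" "$HOME_TUN_IP" | sh -e
else
    forward_rules "$SVC_PROTO" "$SVC_PORT" "$HOME_TUN_IP"
fi
```

Two things worth checking on the home side: the OPNsense OpenVPN client must accept the forwarded service on its tunnel interface (a firewall rule on the OpenVPN interface, not on WAN), and because the VPS masquerades, the home box sees every forwarded connection as coming from the VPS's tunnel address, so per-client logging of the original source IP has to happen on the VPS.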