[Tutorial] How to not waste your time

Started by millerwissen, June 17, 2025, 03:11:13 PM

June 17, 2025, 03:11:13 PM Last Edit: Today at 12:27:39 PM by millerwissen
Do not make tutorials on websites; people cannot think outside the box.

August 30, 2025, 06:21:52 PM #1 Last Edit: Today at 12:28:31 PM by millerwissen
People are too stupid.

September 19, 2025, 05:38:35 AM #2 Last Edit: Today at 12:29:23 PM by millerwissen
The inside-the-box thinking is strong with this one.

The whole point of IPv6 is that NAT must die. It breaks the end-to-end principle upon which the Internet was built, and there already are lots of applications giving firewall admins headaches because of NAT: FTP (OK, deserves to die, too), VoIP, ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

September 19, 2025, 12:49:04 PM #4 Last Edit: Today at 12:29:40 PM by millerwissen
Time

Internal does in no way necessarily mean NAT. You can have well segregated networks across multiple locations all connected by secure VPNs and use the same GUAs the systems use to access the Internet for internal communication, too.

You could even do this back in the IPv4 days when everybody got globally routed prefixes easily.

"Internal" and "special private addresses" are not connected. "Internal" is a qualifier of your network topology and nothing more.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Rid
September 19, 2025, 02:07:02 PM #6 Last Edit: Today at 12:29:55 PM by millerwissen
Information

Thanks for the guide! I can understand and relate to both sentiments; years ago I'd have been thrilled to have a "personal" IP so I could just send print jobs to my home printer instead of emailing attachments, with the convenience of not even needing dynamic DNS.
But today, sole reliance on properly configured and working firewall rules seems not to suffice to counter the ever-increasing threat the internet poses. So now that I have it, I don't want it anymore.
And AFAICS, the one singular purpose of a firewall is to break connectivity; it's the whole idea behind it. So it makes sense to have an additional layer of "connectivity breakage by default", unless you truly need to provide services that cannot be put in a DMZ, for which you'd be willing to lower the "breakage level". It's all a matter of use case, and the real boon of IPv6 to me is not being forced to use one or the other anymore, even if the use case doesn't lend itself well to it.

Plus I don't feel like reconfiguring all my devices whenever I change ISPs or when/if they decide to send me a different prefix. So I looked for guides such as this, and before finding yours I found this one:
https://blog.apnic.net/2018/02/02/nat66-good-bad-ugly/
I totally love how he clearly expresses his resentment of NAT, in a refreshingly humorous way, only to grudgingly set it up himself because it provides a solution to his problem. :)

Right, the actual thing I'd set out to ask is whether using the officially assigned "private" range (ULAs, fc00::/7), which makes the system prefer IPv4 over IPv6, would be an impediment if I relegate IPv4 to local hosts only anyway, using IPv6 exclusively for WAN.
Edit: seems like it is ( https://datatracker.ietf.org/doc/html/draft-buraglio-v6ops-ula-05 ) in the case of v6-only hosts (do those even exist yet?) or if I deny outbound IPv4. I'd still rather use the ULAs over other ranges in the hope they'll be declared "unroutable" and therefore unable to leak into the internet because the first ISP router would block them.
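The "prefers IPv4 over ULA" behaviour the post above asks about comes from the RFC 6724 default policy table, where fc00::/7 has precedence 3 and IPv4-mapped addresses have precedence 35, while ordinary GUAs (::/0) have precedence 40. The script below is an added example written for this thread, not code from the original post, the linked draft, or OPNsense: it encodes that table and applies rules 5 and 6 of destination address selection to show the two orderings side by side. Hosts, addresses and the `sort_destinations` helper are constructed for illustration, and rules 1 to 4 are assumed to be tied (which they are for these comparisons).

```python
import ipaddress

# RFC 6724 section 2.1 default policy table as (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]
POLICY = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in DEFAULT_POLICY]


def as_v6(addr):
    """RFC 6724 looks IPv4 addresses up as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def policy(addr):
    """(precedence, label) of addr, taken from the longest matching policy row."""
    a = as_v6(addr)
    _, prec, lab = max(((n, p, l) for n, p, l in POLICY if a in n),
                       key=lambda row: row[0].prefixlen)
    return prec, lab


def sort_destinations(dests, sources):
    """Order candidate destinations the way a host applying RFC 6724 section 6
    rules 5 (prefer matching label) and 6 (prefer higher precedence) does.

    sources: the addresses configured on the host. A destination "matches label"
    when some source address carries the same label, which is what rule 5 checks
    after source address selection. Simplification (assumption): rules 1-4
    (usable, scope, deprecated, home address) are taken as tied, which holds for
    the ULA-vs-IPv4 and GUA-vs-IPv4 comparisons below.
    """
    source_labels = {policy(s)[1] for s in sources}

    def rank(dest):
        prec, lab = policy(dest)
        # label mismatch sorts last; among equal labels, higher precedence first
        return (lab not in source_labels, -prec)

    return sorted(dests, key=rank)


if __name__ == "__main__":
    # Constructed sample hosts: one with a ULA plus IPv4, one with a GUA plus IPv4.
    ula_host = ["fd12:3456:789a::10", "192.0.2.10"]
    gua_host = ["2001:db8::10", "192.0.2.10"]
    # A dual-stack peer reachable on both families (an internal server's A and AAAA).
    print(sort_destinations(["fd12:3456:789a::20", "192.0.2.20"], ula_host))  # IPv4 first
    print(sort_destinations(["2001:db8::20", "192.0.2.20"], gua_host))        # IPv6 first
```

The ordering is computed on the host before any packet leaves it, so a firewall rule that denies outbound IPv4 does not change it: a ULA-only dual-stack host still tries the IPv4 destination first and only falls back after that attempt fails (applications implementing Happy Eyeballs, RFC 8305, race both and hide some of the delay). Only when the host has no IPv4 source at all, or the policy table is edited to raise the fc00::/7 precedence, does the ULA win.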

November 01, 2025, 07:24:58 AM #8 Last Edit: Today at 12:30:08 PM by millerwissen
More

November 01, 2025, 07:35:31 AM #9 Last Edit: November 01, 2025, 07:59:47 AM by Monviech (Cedrik)
I built something that might be interesting to you. Will be an available plugin soon:

https://github.com/Monviech/ndp-proxy-go

https://github.com/opnsense/plugins/pull/4998

Hardware:
DEC740

November 02, 2025, 07:06:10 PM #10 Last Edit: Today at 12:30:22 PM by millerwissen
waste of time

November 02, 2025, 08:14:08 PM #11 Last Edit: November 02, 2025, 09:22:51 PM by Monviech (Cedrik)
I'm not sure it can help if the ISP monitors your router's MAC address and makes sure it never has more than one GUA in their NDP table... that's on a whole different level of petty xD.

With this proxy it looks like your router has multiple GUAs on the WAN interface, since it pretends to be your clients but responds with its own MAC address instead. In the provider's NDP table the same router MAC would have multiple entries with different GUAs.

It also doesn't help if the evil ISP only hands out a single IA_NA (/128) and nothing more.
Hardware:
DEC740
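To make the "responds with its own MAC address" mechanism concrete, here is an added example (written for this thread, not code from ndp-proxy-go or the OPNsense plugin) that builds and parses the two ICMPv6 messages involved, RFC 4861 Neighbor Solicitation and Neighbor Advertisement with a correct RFC 4443 checksum, and runs a tiny proxy over them. The upstream router asks for a client GUA on its solicited-node multicast group, the proxy answers with the Solicited and Override flags set and its own MAC in the target link-layer option, and the simulated upstream neighbor cache ends up with every proxied GUA mapped to the single router MAC. All addresses and MACs are constructed, and the choice of the router's WAN address as the NA source is an assumption of this example.

```python
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2
NA_FLAG_SOLICITED, NA_FLAG_OVERRIDE = 0x40, 0x20


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 section 2.3: one's complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header 58) plus the ICMPv6 message.
    Returns 0 when msg already carries a correct checksum."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), 58))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ns(src, dst, target, src_mac):
    """Neighbor Solicitation (RFC 4861 4.3) with a source link-layer address option."""
    msg = (struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
           + struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac_bytes(src_mac))
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_na(src, dst, target, tgt_mac, flags=NA_FLAG_SOLICITED | NA_FLAG_OVERRIDE):
    """Neighbor Advertisement (RFC 4861 4.4) with a target link-layer address option."""
    msg = (struct.pack("!BBHB3x", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
           + struct.pack("!BB", OPT_TGT_LLADDR, 1) + mac_bytes(tgt_mac))
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse(src, dst, msg):
    """Verify the checksum and return (type, flags, target, link-layer address or None)."""
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    typ, code, _, flags = struct.unpack("!BBHB", msg[:5])
    if typ not in (ICMPV6_NS, ICMPV6_NA) or code != 0:
        raise ValueError("not an NS/NA")
    target = ipaddress.IPv6Address(msg[8:24])
    lladdr, i = None, 24
    while i + 8 <= len(msg):           # walk TLV options; length is in units of 8 bytes
        opt_type, opt_len = msg[i], msg[i + 1] * 8
        if opt_len == 0:
            raise ValueError("zero-length option")
        if opt_type in (OPT_SRC_LLADDR, OPT_TGT_LLADDR) and opt_len == 8:
            lladdr = mac_str(msg[i + 2:i + 8])
        i += opt_len
    return typ, flags, target, lladdr


class NdpProxy:
    """Answers NS for the proxied client GUAs with the router's own MAC.
    Assumption of this example: the NA is sent from the router's WAN address."""

    def __init__(self, wan_addr, router_mac, proxied):
        self.wan_addr = wan_addr
        self.router_mac = router_mac
        self.proxied = {ipaddress.IPv6Address(a) for a in proxied}

    def handle(self, src, dst, msg):
        typ, _, target, _ = parse(src, dst, msg)
        if typ != ICMPV6_NS or target not in self.proxied:
            return None                 # not ours: stay silent, like a real host would
        return build_na(self.wan_addr, src, str(target), self.router_mac)


def upstream_neighbor_cache(isp_addr, isp_mac, proxy, client_addrs):
    """Simulate the ISP router resolving each client address and record what lands in
    its NDP table. Every proxied GUA ends up mapped to the same router MAC."""
    cache = {}
    for addr in client_addrs:
        t = ipaddress.IPv6Address(addr)
        solicited_node = ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + t.packed[13:])
        na = proxy.handle(isp_addr, str(solicited_node), build_ns(isp_addr, str(solicited_node), addr, isp_mac))
        if na is not None:
            _, _, target, mac = parse(proxy.wan_addr, isp_addr, na)
            cache[str(target)] = mac
    return cache


if __name__ == "__main__":
    proxy = NdpProxy("2001:db8:ffff::2", "00:11:22:33:44:55", ["2001:db8:ffff::10", "2001:db8:ffff::11"])
    print(upstream_neighbor_cache("fe80::1", "aa:bb:cc:dd:ee:ff", proxy, ["2001:db8:ffff::10", "2001:db8:ffff::11", "2001:db8:ffff::99"]))
```

The cache printed at the end is exactly the pattern described above: one MAC, several GUAs. It also shows why the proxy cannot help against the two cases named in the post: an ISP that caps entries per MAC sees the second GUA arrive with the same MAC, and an ISP that only delegates a /128 leaves no client GUAs to proxy in the first place.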

November 03, 2025, 10:39:50 AM #12 Last Edit: Today at 12:30:35 PM by millerwissen
waste of time

Hi Millerwissen,

Thanks for your extensive information!
My ISP issues just a /64 prefix by DHCPv6 on WAN, and the suffix is derived from MAC addresses by SLAAC on LAN.
This means that each of my servers exposed to WAN has a unique, routable address. This is desirable since it means that the IPv6 addresses are predictable and fixed, but not ideal.

But it also means that other devices (I'm talking about devices other than the servers) are exposed using the RA.
Therefore they could be tracked across the internet. Does it make sense to translate these addresses at the OPNsense router using your (no. 3) method?
Also I would like to improve network segregation using your approach. On the other hand I don't want to "mess up" my network.

I have already changed any ULA addresses I use from fd00::/8 to f000::/4. But since this range is not considered "bogon", I still need to add firewall rules for blocking f000::/4 out from WAN.
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

November 03, 2025, 04:51:19 PM #14 Last Edit: Today at 12:30:52 PM by millerwissen
pfSense is better