[Tutorial] How to not waste your time

Started by millerwissen, June 17, 2025, 03:11:13 PM

Thanks. I didn't express myself clearly, which is important with these complicated matters ;)
So far the following is updated and working:

- Created virtual IPv6 address f777::1 instead of fd07::1 to prevent IPv4 preference as described in your first post.
- Setup of NAT66 to translate all routable addresses of LAN devices (other than the servers) to a virtual IPv6 routable address based on the /64 prefix from the ISP. The suffix is not based on a MAC address. Does it matter what suffix I choose? Just the first address in the range (::1), or the last, or anything?
I think it would be good to regularly rotate the address. Is there a way to do this automatically?
- Setup of floating FW block rules for the f000/4 address space.

I plan to see how this works for a while.
PS: Please explain why traffic to multicast addresses like ff::/8 needs to be allowed to WAN as in your example. These addresses are normally not forwarded to WAN.
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

November 04, 2025, 11:47:37 AM #16 Last Edit: Today at 12:31:22 PM by millerwissen
pfsense is better after all

Let me be clear that you should do none of those things.

There are solutions to these problems, but not those.

There are even problems where NPTv6 is a legitimate solution (small site multihoming, for example), but not that one.

But maybe I don't understand, so, tell me, what problem does all of that actually solve?

EDIT: If you really want to know how to do IPv6 in your local network, I would advise you to read https://forum.opnsense.org/index.php?topic=45822.0.

November 04, 2025, 04:30:38 PM #18 Last Edit: Today at 12:31:36 PM by millerwissen
yep

Globally unique addresses everywhere, not necessarily globally reachable. That's exactly what firewalls are for.

And a common prefix size of /56 for an individual or /48 for a company is more than enough room for "hierarchy and complex site-to-site intranets". Even more so, because you will never have address conflicts.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 04, 2025, 05:18:33 PM #20 Last Edit: Today at 12:31:48 PM by millerwissen
waste

Definitely one of the more bizarre threads around here.

Just as a PSA for newbies stumbling over this: Do whatever you want in your own private networks, but the ideas presented here are pretty fringe and in no way best practice or widely accepted.

(First and only comment.)

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Indeed, it may seem pretty 'fringe' haha.
I'm not understanding everything, but the things I do get and agree with I have implemented.
My goal is to see how this works for some time.

I'm especially fascinated by replacing the suffix of the IPv6 address for all devices on LAN by some random address using Outbound NAT.
For now I have created ~20 random suffixes and loaded these in an alias. These are used round-robin (sticky).
Since I have a fixed IPv6 prefix, I don't need to worry about that changing. I plan to rotate these random suffixes regularly, but would love to see a more automatic solution.

Thanks Millerwissen for your time and ideas.
Deciso dec3840: EPYC Embedded 3101, 16GB RAM, 512GB NVMe

Quote from: Kets_One on November 04, 2025, 08:12:30 PM
I'm especially fascinated by replacing the suffix of the IPv6 address for all devices on LAN by some random address using Outbound NAT.
For now I have created ~20 random suffixes and loaded these in an alias. These are used round-robin (sticky).

Why bother? IPv6 privacy extensions do that for free when you use SLAAC.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

November 04, 2025, 09:16:04 PM #24 Last Edit: Today at 12:32:07 PM by millerwissen
so long

November 04, 2025, 09:19:47 PM #25 Last Edit: Today at 12:32:19 PM by millerwissen
waste time

Ok, the way to do this by the book:

- use GUA internally to reach the internet
- use ULA (as secondary address) and/or IPv4 addresses for internal addressing, primarily if you have internal servers that need static addresses
- firewall using the above addresses you assigned. OPNsense has the functionality to support this using dynamic IPv6 address objects or interface address objects

Let me stress that NAT is not a security feature - firewalling is used for that. NAT is only relevant if there is a routing / addressing issue that cannot be solved in any other way. Using reserved addresses is never a good idea - renumbering of static networks is potentially a huge hassle, and you may be forced to if those addresses are used in the future.

The only reason I can see for NPTv6 is if you have a small site with dynamic IPv6 addresses that is multihomed. In that case, in my opinion, it is necessary to NPTv6 the secondary uplink in order to solve some problems regarding source address selection on the client.
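To check an addressing plan against the scopes described in the post above (GUA for internet access, ULA for internal static addresses, unassigned space to be avoided), here is an added example in Python; it is not code from the thread or from OPNsense. The scope table, the advice strings and the sample plan (the f777::1 address from earlier in the thread next to documentation-prefix addresses) are constructed for illustration.

```python
import ipaddress

# IPv6 scopes relevant to the thread, taken from the IANA IPv6 address space
# registry (constructed table for this example; only these blocks are listed).
SCOPES = [
    ("loopback", ipaddress.ip_network("::1/128")),
    ("global unicast (GUA)", ipaddress.ip_network("2000::/3")),
    ("unique local (ULA)", ipaddress.ip_network("fc00::/7")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("multicast", ipaddress.ip_network("ff00::/8")),
]

# Reviewer advice per scope, following the "by the book" post above.
ADVICE = {
    "global unicast (GUA)": "ok: use for internet access; filter with firewall rules, not NAT",
    "unique local (ULA)": "ok: internal/static addressing only; block at the WAN edge",
    "link-local": "ok: on-link only, never forwarded",
    "multicast": "ok: scope is encoded in the address; ff02::/16 never leaves the link",
    "loopback": "ok: host-internal only",
    "unassigned/reserved": "avoid: not allocated by IANA; a later assignment would force renumbering",
}

def classify(addr: str) -> str:
    """Return the scope name for one IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError(f"{addr} is not an IPv6 address")
    for name, net in SCOPES:
        if ip in net:
            return name
    return "unassigned/reserved"

def review_plan(plan):
    """plan: list of (role, address). Returns [(role, address, scope, advice)]."""
    rows = []
    for role, addr in plan:
        scope = classify(addr)
        rows.append((role, addr, scope, ADVICE[scope]))
    return rows

def problems(plan):
    """Only the entries a reviewer would push back on."""
    return [row for row in review_plan(plan) if row[3].startswith("avoid")]

if __name__ == "__main__":
    # Constructed plan; 2001:db8::/32 is the documentation prefix, f777::1 is from the thread.
    plan = [("LAN host via SLAAC", "2001:db8:1:2::1234"),
            ("internal server, static ULA", "fd07::1"),
            ("NAT66 virtual source address", "f777::1")]
    for row in review_plan(plan):
        print(*row, sep=" | ")
```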