How well does OPNsense work with an XBOX if you don't enable upnp?

Started by comet, October 30, 2017, 06:35:17 AM

Quote from: xinnan on November 07, 2017, 01:26:55 AM
Well, the Opnsense NAT is symmetric NAT, like your friend was saying earlier.  It's Strict NAT.  So, in the cases of gaming and VOIP, it's easier to get something like your Asus working.

DD-WRT (I use it for some things even today), is less strict but also it's less secure and less full-featured.  For instance, it can turn IPV6 on but then it's not so easy to secure it.

I guess this is one of those areas where I don't really understand the difference.  As far as I've known, NAT is NAT, and I've never really understood normal NAT very well, because I've never had to in order to make a router work.  Like I've said, this is really the first time I'm trying to use anything other than an off-the-shelf router with either its stock firmware or a modified version thereof, or DD-WRT (oh, and a long time ago I tried installing Tomato on a router but the less said about that, the better!).

I suppose that part of the reason that I am having so much trouble understanding this is because I had thought that installing OPNsense really didn't require much knowledge above and beyond what you'd need when setting up an off-the-shelf router, at least to get it to function in a similar manner to one of those routers.  I thought that it would only get tricky when trying to use some of the addons.  I did not for a moment imagine before I started that if I ran into trouble and asked a question in the forum, more than half the time at least a portion of the answer would be nearly incomprehensible to me.  I had no idea that OPNsense might use a different type of NAT from an off-the-shelf router; now you are saying it does but I still have no real understanding of what the difference is or why it would affect something as seemingly simple as port forwarding.


Quote from: xinnan on November 07, 2017, 01:26:55 AM
Opnsense allows very safe use of IPV6.

I would suppose that's true if (and only if) you actually know anything about IPv6, which I don't.  I mean, I obviously know it exists and I know that it has a much larger address space than IPv4, but I would have no idea how to construct effective firewall rules for IPv6.  Because it's something I don't understand, and because I don't need it for any of the devices on my local network, I always disable it.

Don't mean to wander off topic too much but I will just say that the proponents of IPv6 have done a very poor job in educating the general public about how it works.  For example, many people now know that their local network is 192.168.1.0 - 192.168.1.255, but I'll bet not 1 in 100 people who know that have any idea what their local network would be in IPv6.  I sure don't. And yes, I suppose the answer is "whatever you set it to" but I would not even have any idea what are the allowable ranges for a local IPv6 network (what is the IPv6 equivalent of 192.168.x.x, for example?).

Quote from: xinnan on November 07, 2017, 01:26:55 AM
However, if you:

1st Forward the ports you need to X-Box.
2nd Sort of follow along with that video to get your static outbound NAT configured.
3rd Save it to use hybrid outbound NAT (Not automatic or Manual)

Remember to save and apply.

It should work.  If it's not working like you want after that, I'd be surprised.

I hope it is that simple, but I'm still not sure why you'd need to set the static outbound NAT, since you don't need to do anything like that in an off-the-shelf router.  But I'm not sure I would understand if you tried to explain it to me.  I'll give it a try, though.

Quote from: xinnan on November 07, 2017, 01:26:55 AM
As far as the lack of documentation, Opnsense is a work in progress and I'm sure the devs would be the first people to agree the documentation needs further developing.  Takes time.  People just like you do contribute to the documentation though.  Not being sarcastic at all.

I realize that, I'm just saying you can't document something if you don't first understand it yourself.  And there's a whole lot about this that I just don't understand.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Quote
(what is the IPv6 equivalent of 192.168.x.x, for example?)

There isn't! (!)

Because IPv6 is a very, very (very) much larger IP address space, you don't need "private - aka non-routable - IP Address range(s)".
Neither NAT.

In IPv6 ALL and EVERY IP address is (or at least, is intended to be) public/ routable. No portion of IPv6 address space is reserved as "private range", so there isn't an equivalent of 10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16!

And here comes many people's lack of understanding: there is the possibility to implement IPv4 things (like NAT, port fwd etc) in the IPv6 standard, mainly but not only for security or/ and IP range isolation/ filtration purposes, but IPv6 is made to be used, preferably, only with route, without NAT etc.

Hope this helps.

Quote from: hutiucip on November 08, 2017, 02:10:57 PM
Quote
(what is the IPv6 equivalent of 192.168.x.x, for example?)

There isn't! (!)

Because IPv6 is a very, very (very) much larger IP address space, you don't need "private - aka non-routable - IP Address range(s)".
Neither NAT.

In IPv6 ALL and EVERY IP address is (or at least, is intended to be) public/ routable. No portion of IPv6 address space is reserved as "private range", so there isn't an equivalent of 10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16!

And here comes many people's lack of understanding: there is the possibility to implement IPv4 things (like NAT, port fwd etc) in the IPv6 standard, mainly but not only for security or/ and IP range isolation/ filtration purposes, but IPv6 is made to be used, preferably, only with route, without NAT etc.

Hope this helps.

This begs so many questions, but I guess my first would be, let's say that sometime in the future you have a pure IPv6 network - how do you keep all your local network devices together?  Who assigns the IPv6 addresses?

Put it this way - if my local network is in the 192.168.1.x range and my ISP changes my WAN IP address, or I get a new ISP that assigns me a different IP, my local network for the most part doesn't care - it still keeps using the same local IP addresses.  Let's say I had to go without any Internet access at all for a few days; the devices on my local network will still happily communicate.  But if there is no such thing as a local IP address in IPv6, then who assigns the IP addresses so that there are no conflicts, and how do the ISPs know how to route traffic to any given IPv6 address?  If it is the responsibility of the ISPs to assign addresses then if you get a different ISP or move, everything would change.  If each networked device has an IPv6 address assigned at time of creation, then how would an ISP know how to route traffic there, given that the device might move around between networks or even be part of an isolated network?  Or, if you just get to arbitrarily assign an IPv6 address, then what's to keep you from stepping on someone else's IPv6 address?

I just can't conceive of not having a local network where you can keep all of your devices grouped together.  I can see why IPv6 hasn't been catching on!
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Okay, very simply explained: (see e.g. Wikipedia for more details):

The first half (usually) of an IPv6 address specifies the network and gets assigned by your ISP. That can change and your devices don't care. Think of this as your IPv4 WAN address.

The second half of an IPv6 address specifies the device in the network and gets assigned by a router in your network (DHCPv6), or manually by the admin, or automatically by the device itself (because there are so many addresses in every single network to choose from, this is the default and you don't need a DHCP server). That part is fairly static. Think of it as your LAN address.

The nice thing about IPv6 is that it combines both things: You know how to get to the network (first part) and then to the specific device (second part).

In addition to that there are local IPv6 addresses, so devices on a network will be able to communicate even without an internet connection. Every IPv6 interface automatically has one of those (called link-local) and this is also how they find their local router automatically without DHCP.

Comet: What you just asked about is very insightful for someone who claims to know nothing about IPV6.

The way ISPs do it now is they will give you a bunch of dynamically changing and somewhat random looking /64s for the LAN(s).  Pretty useless if you decide to run a server there, which I honestly think is the point.  I think they have gone out of their way to make sure you get usable IPV6 but not something simple to use for a server.  This is why I have static /48s from Hurricane Electric.  All very nice and neat, and it follows you when you move. And it's free...  Later I suspect for a small fee you will be able to buy a /48 of static IPV6 tunneled on dynamic IPV6.  Now is a good time to learn about this.

Personally, I see no reason why every man, woman, and child on earth shouldn't have a permanently assigned static /48 for life. 
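As an added example (not code from any poster in this thread), the split ChrisH describes above, worked out with Python's standard ipaddress module: the network half that the ISP hands out, the interface identifier that stays with the device, link-local addresses that work with no ISP at all, and, for xinnan's remark, how many /64 LANs a delegated /48 actually holds. All addresses are constructed sample values from the documentation range.

```python
import ipaddress

# Constructed sample addresses for this example (not taken from the thread):
# a global address inside an ISP-delegated /64, and a link-local address.
SAMPLE_GLOBAL = "2001:db8:1234:5678:0211:22ff:fe33:4455"
SAMPLE_LINK_LOCAL = "fe80::0211:22ff:fe33:4455"


def split_address(addr_str: str, prefix_len: int = 64) -> dict:
    """Split an address into the network half (the part the ISP or the
    router hands out) and the interface identifier (the part that stays
    with the device), and flag link-local addresses (fe80::/10), which
    work on the LAN with no ISP and no router involved."""
    addr = ipaddress.IPv6Address(addr_str)
    network = ipaddress.IPv6Network((addr, prefix_len), strict=False)
    host_bits = 128 - prefix_len
    iid = int(addr) & ((1 << host_bits) - 1)
    return {
        "network": str(network),
        "interface_id": format(iid, f"0{host_bits // 4}x"),
        "is_link_local": addr.is_link_local,
    }


def renumber(addr_str: str, new_prefix: str) -> str:
    """The ISP changes your prefix: keep the interface identifier and swap
    only the network half. The device itself changes nothing."""
    net = ipaddress.IPv6Network(new_prefix)
    host_bits = 128 - net.prefixlen
    iid = int(ipaddress.IPv6Address(addr_str)) & ((1 << host_bits) - 1)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def lan_subnets_in(prefix: str, lan_len: int = 64) -> tuple:
    """How many /64 LANs a delegated block holds, and the first of them."""
    net = ipaddress.IPv6Network(prefix)
    count = 2 ** (lan_len - net.prefixlen)
    first = next(net.subnets(new_prefix=lan_len))
    return count, str(first)


if __name__ == "__main__":
    print(split_address(SAMPLE_GLOBAL))
    print(split_address(SAMPLE_LINK_LOCAL))
    print(renumber(SAMPLE_GLOBAL, "2001:db8:9999:1::/64"))
    print(lan_subnets_in("2001:db8:abcd::/48"))
```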


Quote from: xinnan on November 08, 2017, 05:19:25 PM
Personally, I see no reason why every man, woman, and child on earth shouldn't have a permanently assigned static /48 for life.
Have you ever heard the name "Edward Snowden"?

I used to work with him in Hawaii.  Same building anyway.  He was one of many IT guys.

And you don't see a reason why a personalized static life-long identifier on the internet could be a bad thing?

But we are getting off-topic ;)

Well - You could own it and use it for whatever you want, or not.  You definitely still need access to networks that offer anonymity and privacy.  I effectively do have /48 blocks for life (I hope).  But I still have randomly assigned addresses as well and access to non-personally identifying networks (VPN) if I like. 

Anyway, IPV6 can solve many problems, like Comet's NAT problems, and SIP server problems, and "I'd really like to run 10 small low bandwidth servers at my house" problems.  I wouldn't fear it.

Quote from: xinnan on November 08, 2017, 05:19:25 PM
Comet: What you just asked about is very insightful for someone who claims to know nothing about IPV6.
Even a blind squirrel finds a nut once in a while.

I really don't know anything about IPv6 other than that it exists and that it has a huge number of possible addresses.  The questions I asked were because I have at least a small glimmer into how IPv4 works, but couldn't figure out how what I know about that would work with IPv6 if there are no local networks.  But I couldn't tell you the format of an IPv6 address if my life depended on it, simply because I've never had any need to use them.

My real concern about IPv6 is that I would think setting up proper firewalls would be much more difficult, but maybe that's only because I don't really understand it.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Quote from: ChrisH on November 08, 2017, 05:12:59 PM
Okay, very simply explained: (see e.g. Wikipedia for more details):

The first half (usually) of an IPv6 address specifies the network and gets assigned by your ISP. That can change and your devices don't care. Think of this as your IPv4 WAN address.

The second half of an IPv6 address specifies the device in the network and gets assigned by a router in your network (DHCPv6), or manually by the admin, or automatically by the device itself (because there are so many addresses in every single network to choose from, this is the default and you don't need a DHCP server). That part is fairly static. Think of it as your LAN address.

The nice thing about IPv6 is that it combines both things: You know how to get to the network (first part) and then to the specific device (second part).

In addition to that there are local IPv6 addresses, so devices on a network will be able to communicate even without an internet connection. Every IPv6 interface automatically has one of those (called link-local) and this is also how they find their local router automatically without DHCP.

Thank you for that explanation, it makes more sense when you put it that way.  I will just say that there are a lot of people out there that barely "get" IPv4 and this at first glance seems even more complicated.  Especially when you say "The second half of an IPv6 address specifies the device in the network and gets assigned by a router in your network (DHCPv6), or manually by the admin, or automatically by the device itself (because there are so many addresses in every single network to choose from, this is the default and you don't need a DHCP server)." I don't know but it just seems to me that if devices can assign their own addresses randomly, there is always the possibility of two devices choosing the same address, especially if they are the same make and model device.  Sort of like when you have two TVs of the same brand in adjacent rooms, and find that the remote control for either one triggers both of them.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Nope.  It's no more difficult if you ask me.  If you can understand IPV4 you can understand IPV6.  Just a matter of sitting down and giving it a bit of time, exactly the same way you did IPV4.  Your X-Box will thank you.

I'd say it's like Linux users say Windows is hard and Windows users say Linux is hard.
Actually, neither is difficult, you just need to get familiar.

@comet

Of course there are mechanisms implemented for everything you wonder about, but for the most part IPv6 works on totally different principles and rules than IPv4, and for the least part, there are similarities.

Nobody can teach you IPv6 answering every question you have, every answer transforming itself into another 3 questions. Learn IPv6, it's not difficult to understand, especially if you start learning with a clear idea that you should NOT expect IPv6 to be only an increment of IPv4, having (maintaining) most of the principles/ rules/ best practices etc the same.

If it was up to me, I would forbid IPv4 at law level, I would sue anyone (still) using it! (Joking, of course) :)
But I'm very serious when I say it's a dinosaur long overdue to meet "the asteroid", and the only reason it's still being used is the inertia and the comfort zone any human being is akin to... ;)

I'm not an expert in every detail regarding IPv6, but as much as I know about it makes me say that, once understood, it simplifies one's life.

Cheers!


Quote from: xinnan on November 08, 2017, 06:30:28 PM
Nope.  It's no more difficult if you ask me.  If you can understand IPV4 you can understand IPV6.  Just a matter of sitting down and giving it a bit of time, exactly the same way you did IPV4.  Your X-Box will thank you.
And you were doing SO WELL at not being annoying for a while there.

I've already told you, I'm not using IPv6 or upnp.  I don't even know if my ISP supports IPv6; I rather doubt they do, and even if they do now, I'm pretty certain my cable modem doesn't support it.  Just because I'm maybe trying to grasp some of the concepts doesn't mean I'm in any way ready to use it on my network.  For one thing, I'm still light years from knowing enough about it to properly secure it.  And I'm still hopeful that port forwarding (such as I now use on my Asus router) will be sufficient.  The XBOX can thank me by telling me that the NAT type is open when I am using simple port forwarding!
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Wasn't trying to not annoy you.  Doesn't even factor into it.  Just rattling off facts as I know them.

IPV4 wasn't ever meant to be deployed the way it is.  Basically, it's a broken protocol really that people sort of force to work.  It was created to work for labs and things like that and not very many of them.  IP exhaustion and reliance on NAT wasn't even a thing.  If you don't like IPV6, I'd say you are screwed long term.  Heck.  If you have a phone the odds are about 100% you are using IPV6 for your most sensitive data already.  Cellular calls, email, SMS, all your personal data that you have stored in the phone and in the clouds.  So it's sort of like saying that you trust IPV6 with all your most sensitive and important stuff, but not a game console.

Anyway, I don't actually need to convince you of this since you are absolutely positively going to get dragged by your heels, perhaps kicking and screaming, into using it, like it or not.