How well does OPNsense work with an XBOX if you don't enable upnp?

Started by comet, October 30, 2017, 06:35:17 AM

Quote from: hutiucip on November 08, 2017, 06:47:03 PM
But I'm very serious when I say it's a dinosaur long due to meet "the asteroid", and the only reason being still used is the inertia and the comfort zone any human being is akin to... ;)

That is exactly the problem.  Among typical computer users, networking has always been something of a "black art".  You can be totally comfortable in Windows or MacOS or Linux and still barely know a thing about networking.  I mean, it was probably only two or three years ago that I finally understood that /24 is the same as /255.255.255.0 in a netmask, and I'm still not sure how a netmask works other than that it specifies the range of your network, or how many IP addresses you can have.  A networking genius, I'm not.  And I'm pretty sure I'm not the only one.  Most computer users know just barely enough to configure their off-the-shelf router, and a lot of times they have to get a techie-type friend to help with that.

So now IPv4 has been around long enough that many users sort of "get it", at a very rudimentary level.  By which I mean, they sort of understand how IPv4 addressing works.  They (and I) could not explain to you what magic a router does to direct an incoming packet to a specific device.  There are reasons that there are college level classes in networking; it's not that easy to understand if you really want to get into it (someone in my family took a college course in networking several years ago and they taught him Novell.  What a waste).

So now enough people "get" IPv4 so that they can set up their home routers, and maybe some of them can even set up a decent firewall using iptables or something similar.  Now you want to throw IPv6 into the mix.  But people's attitude is, "My computers work fine with IPv4, and nobody's forcing me to learn IPv6, and everything I access on the Internet uses IPv4, so why should I even bother with it?  Especially since I have no idea how to secure it properly."

Quote from: hutiucip on November 08, 2017, 06:47:03 PM
I'm not an expert in every detail regarding IPv6, but as much as I know about it makes me say that, once understood, it simplifies one's life.

But how much effort did it take before you understood it, even at the non-expert level?

What is really needed is a wonderfully clear and simple YouTube video that explains everything a user needs to know to set up and secure an IPv6 network WITHOUT a lot of unnecessary history or abstract theory.  I truly believe that most YouTube video creators are in love with the sound of their own voices because they will drone on and on for 45 minutes when what you really want to know could be said in under 5 minutes.  There are exceptions, of course, but anyway what I'm saying is that if they could cut the fluff and stick to practical information only, maybe more people would be willing to watch and try to grasp IPv6.  If you know of such a video, please feel free to post a link to it.  I have watched so many videos about router configuration in the last couple of weeks (including some really terrible ones) that I've developed a bit of a YouTube aversion. :)
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Quote from: xinnan on November 09, 2017, 12:46:11 AM
Wasn't trying to not annoy you.  Doesn't even factor into it.  Just rattling off facts as I know them.

Now if you'd just stopped there, you would have been fine.  But you just couldn't, could you.

Quote from: xinnan on November 09, 2017, 12:46:11 AM
IPV4 wasn't ever meant to be deployed the way it is.  Basically, it's a broken protocol really that people sort of force to work.  It was created to work for labs and things like that and not very many of them.  IP exhaustion and reliance on NAT wasn't even a thing.  If you don't like IPV6, I'd say you are screwed long term.  Heck.  If you have a phone the odds are about 100% you are using IPV6 for your most sensitive data already.  Cellular calls, email, SMS, all your personal data that you have stored in the phone and in the clouds.  So it's sort of like saying that you trust IPV6 with all your most sensitive and important stuff, but not a game console.

You are assuming an awful lot there.  I don't need to go into my cell phone usage but suffice it to say that I still use a desktop computer for anything where security matters, and I don't trust cell phone security any further than I can spit.  I am not one of those people who trades security for convenience.  Anyway, I don't have to configure any networking stuff on my phone, so that's not an issue.

Quote from: xinnan on November 09, 2017, 12:46:11 AM
Anyway, I don't actually need to convince you of this since you are absolutely positively going to get dragged by your heels, perhaps kicking and screaming, into using it, like it or not.

Goodness, I didn't realize I was talking to a psychic!  You must see me getting REALLY old in your crystal ball!  ;D

Please keep this topic on track. Step out for a day if you can't. Then come back and let this discussion go. It helps...

I'm only saying that IPv6 is like IPv4 without the need for NAT: because IPv4 was "segmented" in public/routable and private/non-routable IP addr ranges only because it was depleted, and a workaround in prolonging its life was this segmentation.

Now, IPv6 is IPv4 without the need of private IP addr. ranges, rest is more or less the same: you don't secure IPv4 because of its addressing scheme, you secure it at different/ superior levels.

Cheers!

PS (My last comment on the off-topic matter of IPv4 <-> IPv6 comparison!)

Quote from: hutiucip on November 08, 2017, 02:10:57 PM
Quote
(what is the IPv6 equivalent of 192.168.x.x, for example?)

There isn't! (!)
Sure there is. Link-local and ULA.

Quote
Because IPv6 is a very, very (very) much larger IP addresses space, you don't need "private - aka non-routable - IP Address range(s)".
Yes, you do. And that's why they exist in IPv6.

Quote
In IPv6 ALL and EVERY IP address is (or at least, is intended to be) public/ routable. No portion of IPv6 address space is reserved as "private range", so there isn't an equivalent of 10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16!
Wrong.
fe80::/64 is your internal network (segment) and not routable even across other internal networks.
fc00::/7 is explicitly reserved for internal and private networks and is not publicly routable.

I don't know if you don't know better or are just trying not to confuse people, but telling wrong facts does not help.

Quote from: comet on November 08, 2017, 06:29:20 PM
I don't know but it just seems to me that if devices can assign their own addresses randomly, there is always the possibility of two devices choosing the same address, especially if they are the same make and model device.
There isn't. ESPECIALLY if they are the same make. There are 2^64 possible addresses in a single network. That's 18,446,744,073,709,551,616. Which makes the chances of two devices choosing the same address astronomical. Plus they check if the address is used first.

Quote
Sort of like when you have two TVs of the same brand in adjacent rooms, and find that the remote control for either one triggers both of them.
That's because there are not 2^64 available TV remote codes and neither the TVs nor the remote controls can talk to each other to see if somebody else is already using that code.

I was going to point you to Wikipedia again but I just noticed the German version explains things much better than the English one. Maybe somebody else can suggest a good English source for IPv6 beginners.

Quote from: ChrisH on November 10, 2017, 10:10:34 AM
I don't know if you don't know better or are just trying not to confuse people, but telling wrong facts does not help.

@ChrisH, thank you very much for clarifications! :)

Personally, I still consider fe80::/64 & fc00::/7 different for IPv6 than 10.../8, 172.16.../12 & 192.168.../16 for IPv4, but I'll revise my knowledge, maybe you're right and I'm misinterpreting a few things. Combined with my main purpose of KISS (Keeping It Short & Simple), sorry if my reply doesn't help at all, and maybe even harms!

Cheers! :)

Cheers as well ;) You are welcome. Thanks for not taking it personally.

fe80::/64 is more like APIPA (169.254.x.y), but it's still local and not routable.
But fc00::/7 is the exact equivalent to the RFC1918 IPs (10./8 etc.). We use this e.g. for transfer networks, secure network segments that must not have internet access, VPN tunnels and the like.
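To make the scope comparison in ChrisH's two replies above concrete, here is an added example (not code from the thread or from OPNsense): a small classifier that maps an address to the scope it belongs to, using the same IPv4 counterparts the replies name (169.254.0.0/16 for fe80::/10, the RFC 1918 blocks for fc00::/7), plus a birthday-bound estimate of the "two devices pick the same address" risk for random 64-bit interface identifiers. It goes slightly beyond the thread by handling both IP versions in one function. The sample addresses in the comments are constructed (2001:db8::/32 and 198.51.100.0/24 are documentation ranges); only the Python standard library is used.

```python
"""Added example: classify addresses into the scopes discussed in the thread
and estimate random interface-identifier collision odds. Standard library only."""
import math
from ipaddress import ip_address, ip_network

# Scope table. fe80::/10 is the link-local block (the per-link prefix is
# fe80::/64); fc00::/7 is the Unique Local Address block, the IPv6 counterpart
# of RFC 1918 space. 169.254.0.0/16 (APIPA) is the IPv4 counterpart of fe80::/10.
SCOPES = [
    ("link-local (APIPA)", ip_network("169.254.0.0/16")),
    ("private (RFC 1918)", ip_network("10.0.0.0/8")),
    ("private (RFC 1918)", ip_network("172.16.0.0/12")),
    ("private (RFC 1918)", ip_network("192.168.0.0/16")),
    ("link-local",         ip_network("fe80::/10")),
    ("unique local (ULA)", ip_network("fc00::/7")),
]


def classify(addr: str) -> str:
    """Return the scope label for an IPv4 or IPv6 address, or 'global' if it
    falls in none of the non-routable blocks above (e.g. 2001:db8::1, 8.8.8.8)."""
    ip = ip_address(addr)
    for label, net in SCOPES:
        if ip.version == net.version and ip in net:
            return label
    return "global"


def hosts_in_prefix(prefix: str) -> int:
    """Number of addresses in a prefix; fe80::/64 gives 2**64."""
    return ip_network(prefix).num_addresses


def collision_probability(hosts: int, bits: int = 64) -> float:
    """Birthday-bound estimate that any two of `hosts` randomly chosen
    `bits`-bit identifiers coincide: 1 - exp(-n(n-1) / 2^(bits+1)).
    expm1 keeps precision when the result is tiny, as it is for a /64."""
    return -math.expm1(-hosts * (hosts - 1) / 2 ** (bits + 1))


if __name__ == "__main__":
    for sample in ("fe80::1", "fd12:3456::1", "2001:db8::1",
                   "192.168.1.5", "169.254.10.1", "198.51.100.7"):
        print(f"{sample:>16}  {classify(sample)}")
    print("addresses in fe80::/64:", hosts_in_prefix("fe80::/64"))
    print("collision odds, 1000 random hosts on one /64:",
          collision_probability(1000))
```

The collision figure is the chance before Duplicate Address Detection runs; DAD is the "they check if the address is used first" step in the reply, so the practical risk is lower still.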

Quote from: xinnan on November 07, 2017, 01:26:55 AM
However, if you:

1st Forward the ports you need to X-Box.
2nd Sort of follow along with that video to get your static outbound NAT configured.
3rd Save it to use hybrid outbound NAT (Not automatic or Manual)

Remember to save and apply.

It should work.  If it's not working like you want after that, I'd be surprised.

That in fact does appear to be all that was needed.  It did not work until I set the static outbound NAT as shown in the video, and set it to use hybrid outbound NAT.  But once I did that, the XBOX was happy.

In particular, I did NOT have to use IPv6 in any form, I did NOT need to enable upnp, and I did NOT have to use port 3544 (the horrible Teredo tunneling "fix").

Initially I used "Pass" as the Filter rule association in the port forwards, and that worked, but I think I can probably go back to using an associated filter rule and I think it will probably still work.  I changed it back to that late last night, so I will know whether it works that way next time the kid tries to play XBOX.  EDIT: Still works fine (XBOX shows open NAT type) using an associated filter rule (the default filter rule association).
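Why the static outbound NAT step above makes the console report an open NAT type can be shown with a toy model. This is an added example, not code from the thread or from OPNsense: it models pf-style outbound NAT in two modes. The default mode rewrites the source port per connection, so one console socket gets a different public port for every destination it talks to (symmetric behaviour, which console NAT tests report as strict). The static-port mode keeps the internal port, so every destination sees the same public mapping (endpoint-independent, reported as open). The hosts, ports and public address are constructed documentation values, and the probe is a simplified STUN-style check, not the console's real test.

```python
"""Added example: toy outbound-NAT model contrasting per-connection random
port rewriting (pf default) with a static-port mapping. Standard library only."""
import random
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed WAN address (documentation range)


@dataclass
class OutboundNat:
    """Minimal outbound NAT table keyed on the full 4-tuple."""
    static_port: bool
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    table: dict = field(default_factory=dict)  # 4-tuple -> public port
    used_ports: set = field(default_factory=set)

    def translate(self, src, sport, dst, dport):
        """Return the (public ip, public port) the destination will see."""
        key = (src, sport, dst, dport)
        if key in self.table:
            return PUBLIC_IP, self.table[key]
        if self.static_port:
            pub_port = sport  # static-port: preserve the internal source port
        else:
            # pf default: pick a fresh high port per connection, so a second
            # destination gets a different public port for the same socket
            pub_port = self.rng.choice(
                [p for p in range(1024, 65536) if p not in self.used_ports])
        self.table[key] = pub_port
        self.used_ports.add(pub_port)
        return PUBLIC_IP, pub_port


def nat_type_probe(nat: OutboundNat, console_ip="192.168.1.50",
                   console_port=3074) -> str:
    """Simplified STUN-style probe: one console socket talks to two different
    servers and compares the public mapping each one reports back."""
    seen_by_a = nat.translate(console_ip, console_port, "198.51.100.1", 3478)
    seen_by_b = nat.translate(console_ip, console_port, "198.51.100.2", 3478)
    return "open" if seen_by_a == seen_by_b else "strict"


if __name__ == "__main__":
    print("default outbound NAT :", nat_type_probe(OutboundNat(static_port=False)))
    print("static-port NAT      :", nat_type_probe(OutboundNat(static_port=True)))
```

A static-port rule should be scoped to the one console's address and port, as the video procedure in the thread does, rather than applied to the whole LAN; preserving source ports for every host makes port collisions between hosts possible and removes the port randomisation that the default mode gives everything else.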

Yeah - I posted this same thing on the pfsense boards about 5 or 6 years ago, but it's sort of a hack to patch a bigger problem, which is having a requirement for NAT at all.  2-3 more years, won't be an issue anymore.  Glad it's working for you.  Same fix works for SIP issues also, in case you ever experience VOIP problems.

Quote from: xinnan on November 14, 2017, 04:34:40 AM
Yeah - I posted this same thing on the pfsense boards about 5 or 6 years ago, but it's sort of a hack to patch a bigger problem, which is having a requirement for NAT at all.  2-3 more years, won't be an issue anymore.  Glad it's working for you.  Same fix works for SIP issues also, in case you ever experience VOIP problems.
Well I wasn't going to bring up SIP but I did find that the same fix worked there, however I also had to go to System: Settings: Administration and put the dynamic DNS address that I use in the "Alternate Hostnames" field, otherwise a non-local extension wouldn't stay connected (it would connect and then almost immediately disconnect).

I suppose the reason you think that the requirement for NAT will disappear in 2-3 years is because you are under some delusion that everyone will be using IPv6 by then, but if you think that you obviously underestimate the lengths people will go to in resisting change.  Even if all ISPs started enforcing the use of IPv6 only to the cable or DSL modem - and my guess would be that won't happen for at least another ten years - there are still a lot of people that would use IPv4 only on their local networks.  Some of these would be security conscious people like me - I don't EVER want every device on my local network to be directly accessible from the Internet - but mostly it will be because there are too many people (also like me) who really just don't understand IPv6 and in particular, don't have a clue how to keep the bad guys out of an IPv6 network.  If every device on a local network has its own IPv6 address, the perception (and maybe the reality) is that anyone on the Internet has a direct superhighway into the weakest device on your network.

The change to IPv6 might be accelerated, though NOT to within 2-3 years, if someone(s) would come up with wonderfully clear and easy to understand explanations of IPv6, and how to secure it, in videos or on web pages.  I see lots of people bemoaning the fact that IPv6 isn't widely adopted, or that no one wants to use it, but that's generally because people are just being told "you should use IPv6."  And the people saying that act as if they think that everyone will suddenly realize it's the right thing to do, and start doing it, even though right now they don't know the first thing about it.

I have yet to see a web page or video that a) doesn't ramble on about irrelevant nonsense (NOBODY wants to read or listen to a long-winded academic explanation of how IPv6 came to be), or b) isn't mind-numbingly boring, like the worst teacher you ever had, or c) doesn't talk so far over the head of the average user that they'd learn just as much watching a video explaining the differences in styles of ancient pottery.

Also, when have you ever seen people do the right thing just because some "experts" told them to?  Compare IPv6 to any important social issue; some people will argue with you that it's not an issue, and even some people who do recognize that it might be an issue nevertheless don't want to make any personal effort (like people who realize we have an epidemic of obesity but can't stop drinking their pop/soda).  It's like the old joke about "How many psychiatrists does it take to change a light bulb?", and the answer is none, because the light bulb has to want to change first.  People are used to using IPv4, they sort of understand it a little (and don't understand IPv6 at all), it's working for them, and they don't want to change to IPv6.  And if you think any of that will magically change in just 2-3 years, I have a friend that really wants some of whatever you're smoking.  ;D

The adoption rate is currently on a 2.5x per year rate of increase.  In mathematical terms a curve that is flattening against the Y axis as time on the X axis passes.  The numbers look clear to me.  I'm sure there will be a few holdouts (lab setups in basements), but it is following the same sort of accelerating curve you see in things like population growth or bacterial growth in nature.  It is extremely predictable once a curve like this is evident. Numbers don't lie.  There are a few things that could stop it...

Coronal mass ejection like the one in 1859...   Let's see...   Asteroid collision like the one that wiped out the dinosaurs.   Things like that.

This graph was produced using regression and curve fitting I'm sure.


Now - Comparing the mathematical predictions in 2016 to the actual usage all the way to today in Nov 2017, the upward curve remains steady at a slightly higher than predicted rate.  Good news for all gamers and anyone who hates NAT.

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption

Mathematics are not a reliable way to predict the behavior of human beings.  Look at the predictions for many political races vs. the actual outcomes.  And also, nowhere more than in the case of human behavior is the saying "What goes up, can come down" appropriate.

In the case of IPv6, all it would take to sink it for a generation or so would be some major hack where a large number of people have their identity and/or their money stolen, that could be tied directly to IPv6.  And given that so few people know how to secure IPv6, that is not a far-fetched scenario.

I'm sure you could have probably found a similar curve of people who thought that putting their life savings in banks was a good idea, right up until 1929 or thereabouts.  Then after many people suffered loss, it was decided that it might be a good idea to secure people's funds (in the form of insurance on savings), but it took many years before some people would take their "sock money" and put it back in the bank.  This is the big problem with IPv6; it's still relatively insecure compared to IPv4, and nobody seems all that concerned about it (I am not asserting that the protocol itself is any more or less secure than IPv4, I am saying that most people have no idea how to properly secure IPv6 because those few who know how - if anyone really does - haven't seen fit to make that information widely available in such a way that ordinary people can understand it).

As for the accuracy of mathematics, didn't mathematics once "prove" that the bumble bee can't fly?  I think your math just might be counting people who potentially could use IPv6, not necessarily those who actually do.  Sort of like how cable companies sometimes count the number of homes passed by their cable, which gives you no idea of the number of actual subscribers.  Or, it may only be counting the adoption rate of ISPs and large corporations.  How would they even know how many home networks are running IPv6, and how many are running IPv4 only?

Haha - I feel pretty good about the odds I will win this bet.