Providing isolation between Vlans!

johnpoz

@jarhead only problem is - maybe he wants to see default logs on is lan side interfaces, but not on his wan.

You can't just turn off not log default for specific interfaces - its all or nothing ;) So if he wants to see those logs, but not all the noise on is wan, creating your own catch all block that would be hit before the default that does not log, would accomplish that.

I wouldn't do it the way he is doing it either ;) But hey there are multiple ways to skin a cat..

JKnott

@jarhead

I use block on the WAN side, instead of reject, as it makes it appear as nothing is there. A reject will tell incoming traffic it's not allowed, revealing the presence of some device. I'm not sure if the default rule is reject or block.

On internal rules, I use reject, not block.

Jarhead

@jknott It's block.

Bob.Dig

@jknott said in Providing isolation between Vlans!:

This is an interesting one: Reject "Prefix".
If your prefix is dynamic, like for most of us who at home get IPv6 from their ISP, it would be nice to have this feature, but not much interest so far it seems.

But I know, jknott will keep his prefix stable by all means and john doesn't care for IPv6 to much.

johnpoz

@bob-dig said in Providing isolation between Vlans!:

and john doesn't care for IPv6 to much

Haha - not that I don't care for it, I just don't see it as actually needed as of yet. I agree its the future for sure, and its got some slick stuff going for it.. But its not something you actually need. My isp doesn't even have it ;) I play with it via HE tunnel.. Which to be honest has some huge advantages over many an isp IPv6 so called deployments..

Its something that everyone should play with, but if you don't have time or desire to learn its differences - sure simple solution is not worry about it.

When someone here actually names one resource that requires I have IPv6 that I would care to visit ;) Then sure I will turn it on for all my networks, other then my play vlans, and my pc which I just toggle it on or off if I am playing with something IPv6 related.

For the time being and many years into the future, its just not something a user actually needs to worry about. If they are having issues with it, it simpler to just not use it.. Nothing say you have to.

Here something I keep meaning to look into for example, site I use pretty often tvmaze, just doesn't work with IPv6.. It has an IPv6 address (i can ping it on IPv6), I just can get to it when I enable IPv6 on my pc. It never fails back to IPv4. Its on my list of things to investigate why ;)

Bob.Dig

@johnpoz But around the world it is different, you often only get a public and dynamic IPv6 (prefix) reachable from the outside. I will "fight" this for myself as long as I can for sure but for others, it is their reality.

PS: I pay one and a half bug per month for a VPS with its own dedicated IPv4-address and I am almost feeling guilty.

the other

@bob-dig said in Providing isolation between Vlans!:

it would be nice to have this feature, but not much interest so far it seems.

Hello there,
I have to contradict: I am VERY interested in that feature. In fact, I wouldn't know, why anyone with dynamic prefix lease from ISP can be NOT interested...

JKnott

@bob-dig said in Providing isolation between Vlans!:

This is an interesting one: Reject "Prefix".

I manually entered that value. My ISP uses DHCPv6-PD to assign prefixes, but mine doesn't change. In fact, it has survived replacing, at different times, my modem and the computer I run pfSense on. Even on IPv4, my address is virtually static and the host name will only change when I change hardware.

JKnott

@johnpoz said in Providing isolation between Vlans!:

I just don't see it as actually needed as of yet. I agree its the future for sure

It's that attitude that keeps it "in the future".

JKnott

@the-other

If you want stable addresses to use with local DNS, you can use Unique Local Addresses.

johnpoz

@jknott said in Providing isolation between Vlans!:

It's that attitude that keeps it "in the future".

Yeah my not using it is holding up the world :) hehehe

What keeps in the future is cost of migration. Without need - phones have now unlimited IPs with IPv6... So there is no reason to move the rest of the planet ;)

Just like with nat when they ran out of IPv4 vs doing something about the IP shortage then - they came up with a work around ;) Guess what happens happens now, we have a work around - all the things that Need lots and lots of IPs can use IPv6.. And they will just 464XLAT them to get to the IPv4 world.. Your car will need to be connected as well - lots and lots of cars, they will use IPv6 as well.

But sorry the rest of the planet is going to long drawn out process to move.. If it completes before we are dead and buried..

And there is a very flourishing grey marking for the buying and selling of IPv4 space as well.. So as long as that market is viable - there is money to be made from the selling of IPv4, so it not going anywhere any time soon.

So yeah - if billy bob not an IT guy, he has zero use for IPv6 currently.. Now if his isp won't give him IPv4 then he as need to work out how to use IPv6 for inbound. But guess what, most of the other uses on the planet can't get to them - and they have no desire too.

Lets see one of the major players say hey - in 202X we will turn off IPv4.. So you better be on IPv6 if you want to use us. That is never going to happen, but that would drive desire for IPv6 from the user base. Like I said my isp doesn't provide it, nor have I seen any announcements of them having it even on their roadmap..

Derelict

ISPs are holding back IPv6 adoption by deploying it wrong.

johnpoz

@derelict yeah good point as well ;)

Bob.Dig

@derelict said in Providing isolation between Vlans!:

ISPs are holding back IPv6 adoption by deploying it wrong.

Na... they pushing it but in a wrong way and will keep doing it.

JKnott

@johnpoz said in Providing isolation between Vlans!:

Yeah my not using it is holding up the world :) hehehe

I bet you didn't realize you were such an influencer.

But yes, this sort of attitude is the problem. For example, I'm on Rogers, in Canada. Rogers has been providing native IPv6 for over 6 years. Prior to that, they used 6to4 and 6rd tunnels. They also have full support on their cell network and tethered devices also get IPv6 addresses. On the other hand, another major provider, Bell Canada, does not provide it to their Internet customers and they do a very poor job on their cell network, to the point a phone will only get 2 at test-ipv6.com and forget about tethered devices. North America is fortunate with IPv4 in that it has most of the addresses. Other parts of the world aren't so fortunate and cannot provide adequate IPv4 connections.

Bottom line, the world has to move to IPv6 and the sooner the better. People or companies who refuse to move are just prolonging the problems caused by sticking with IPv4, including NAT. I've been using IPv6 for over 12 years. It's well past time for the rest of the world to catch up.

the other

@jknott yeah, that's what I'm doing, using ulas as well as gua...still would be nice.
And I agree with the opinion about ISPs breaking ipv6 with those dynamic prefix idea...
To get a fix prefix german telekom wants about 20 Euro a month more by providing half the bandwith. So...wonder ,why they implement it as they do...(not)
:)