Netgate Discussion Forum

    Ethernet Filtering

    Category: Firewalling
    15 Posts 5 Posters 1.7k Views
    • JKnott @johnpoz

      @johnpoz

      Why do you keep telling people to not use IPv6? That's where the world is moving and the sooner the better.

      I agree MAC filtering would be useful, and I thought so even before I was running IPv6. It's available in Linux systems using iptables. Maybe a little info about Ethernet Filtering in pfSense would be more useful than saying don't use IPv6.

      BTW, years ago, I was at a Linux presentation and the presenter thought he could use MAC filtering to allow only his computer to access from a remote location. I quickly pointed out how he was wrong about that and the only MAC he'd see was the nearest router.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • johnpoz LAYER 8 Global Moderator @JKnott

        @JKnott said in Ethernet Filtering:

        Why do you keep telling people to not use IPv6?

        Because it is the "easy" solution to their problem - duh!

        Still waiting for years for you to provide even 1 actual resource that would require me to have IPv6..

        Sure it's the future, but not enabling it if you're having issues with it sure as hell is not going to slow down the snail's pace to its complete adoption.

        Why do you keep saying people should enable something they really have zero need of? That would be the better question.

        If you want to bug people about using IPv6, why don't you start emailing MS? Their msn.com domain doesn't even support it. But I thought MS was out of IPv4 space and had to start using IPv6 even on their internal space because RFC 1918 wasn't enough, yet they can't even run msn.com off IPv6?

        What about twitter.com, or one of the largest domains on the planet, baidu.com? No IPv6. But yeah, a few users not using it because they have issues with it, or don't understand it enough to secure it, should run it anyway because them not doing so is going to stop the migration <rolleyes>

        Let's see: have users that have no understanding of the changes that come with IPv6, most likely with a shitty, lackluster deployment of IPv6 from their ISP in the first place, try and work through issues, or click None on the pfSense IPv6 interface settings. What is the easier solution here?

        Let's see, even if I could manage to talk 1000x the user base here on pfSense into turning off IPv6, it wouldn't be a drop in the ocean compared to how many users' ISPs don't even provide it. But I guess I am single-handedly preventing the migration of the planet to IPv6 ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • JKnott @johnpoz

          @johnpoz said in Ethernet Filtering:

          Because it is the "easy" solution to their problem - duh!

          Except it's not. @ronv42 said he's behind CGNAT, which means IPv4 is not an option.

          Regardless, people should be encouraged to move to IPv6, as IPv4 is holding back so much.


          • johnpoz LAYER 8 Global Moderator @JKnott

            @JKnott said in Ethernet Filtering:

            people should be encouraged to move to IPv6

            Not if they are having issues with it!

            The simple solution to the problem is almost always the best solution. Why should someone add complexity to their network when they have zero reason to?

            Again, still waiting for just that one resource that would require me to have IPv6. Hosting your own shit because you're behind a CGNAT is not a public resource I would want to get to. And even if I do host using IPv6, guess what: most of the planet wouldn't be able to get to me anyway because they don't have IPv6.

            You keep promoting it, and I will continue to give the easy, simple solution to their problem.

            Not saying there aren't good things about IPv6; sure, getting rid of NAT would be a good thing. Not disagreeing with you at all here, but Billy deciding to not use IPv6 on his network because he has no use for it at this time, and choosing not to enable it to remove whatever issue he might be having, isn't doing anything to slow or hinder the overall adoption of IPv6.

            It's just not. You think if I decided to not buy beer anymore that any brewery anywhere would have to lay off staff or go out of business? You think if I could talk everyone here into not buying or drinking beer anymore it would have any effect at all on the beer industry?


            • JKnott @johnpoz

              @johnpoz

              In some parts of the world, only CGNAT is available. This means people cannot access their own network. Some countries are planning on being IPv6 only in the near future. I recently read about China's plans for that, but they're not the only one. How does sticking with IPv4 help anyone long term?

              IPv4 has been broken since the day it became necessary to use NAT to get around the address shortage. Some things, like blockchain, really want to be on IPv6.

              As I mentioned before, I first learned about IPv4 in early 1995 through a local college. While sitting in that class, I realized 32 bits was not enough and this was before I actually started working with it. At that time, my only exposure was my own dial up Internet connection. Even Vint Cerf says 32 bits was a mistake. Coming from a telecom background, I also knew it wasn't adequate.

              Yes, there are issues with some ISPs. However, ignoring a problem does not fix it.

              Is Ethernet filtering available in the CE version? If so, I might take a look at it. As I mentioned, it's in Linux and has been for many years.


              • cmcdonald Netgate Developer @JKnott

                @JKnott The GUI components are Plus only. pf(4) on CE supports Ethernet filtering, as that is part of FreeBSD CURRENT.

                Need help fast? https://www.netgate.com/support

                • JonathanLee @ronv42

                  @ronv42 I was researching it.

                  Keep in mind it is experimental. If you have no backup access to the firewall with a console cable, I would not attempt it. I got locked out of the GUI and lost internet access about five times while testing items. Great puzzle while on summer break from studies.

                  https://forum.netgate.com/topic/180861/experimental-ethernet-layer-2-firewall-rules

                  I was able to block out IPv6. I made mappings for all my devices, and I have traffic showing. I tested default blocks; I have yet to get those to work, however. My ISP only hands out IPv4, so blocking it helps.

                  As soon as I got it working, Snort had that failed ruleset from Emerging Threats that caused me confusion, as it was saying "stateless filter in use". I thought it was my rules; turns out it wasn't. I have had it working for a few days with only blocking IPv6.

                  Make sure to upvote

                  • johnpoz LAYER 8 Global Moderator @JKnott

                    @JKnott said in Ethernet Filtering:

                    In some parts of the world, only CGNAT is available

                    How many times are you going to bring up this non sequitur? What does that have to do with anything?

                    Not my problem that Billy's ISP will not give him a public IPv4 address. It has zero to do with me needing to run IPv6. Unless Billy is going to provide something I wanted to access, it has nothing to do with me turning on IPv6 or not. Zero!!

                    It is not my problem. Until such time that some service I want to access is only available on IPv6, there is zero reason for me to enable it, period.

                    If a user wants to turn off IPv6 because he is not ready technically to support it, that doesn't slow down the adoption of IPv6 on a global scale. Sorry, but it has zero to do with anything.


                    • ronv42 @JonathanLee

                      @JonathanLee Thanks for the link to your journey with MAC address filtering. I activated the option on Monday but haven't created any rules yet. I will learn from your expertise, with baby steps, in using these types of rules.

                      • JonathanLee @ronv42

                        @ronv42

                        You can also set up MAC-to-IP Address Pairings inside of Snort's LAN Preprocs.

                        [screenshot of the Snort LAN Preprocs settings, attached to the original post]


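The two things JonathanLee describes above, a MAC-to-IP mapping for every device and a layer-2 block of IPv6, are what pf(4)'s `ether` rules express directly. The following is an added example, not code from this thread, from Netgate, or from the pfSense Ethernet-rules GUI: it generates a pf.conf(5)-style `ether` ruleset for one LAN interface from a device inventory, with each device's MAC pinned to its IPv4 address (the same pairing idea as Snort's MAC-to-IP setting), IPv6 dropped by EtherType, and everything else on that interface blocked. The interface name `igc1`, the device names, MACs and addresses are all constructed; `policy_verdict` is a model of what the generated policy intends for a frame, not a reimplementation of pf's matcher. Two caveats from the thread apply unchanged: these rules only ever see the MACs of hosts on the directly attached segment (anything routed arrives with the router's MAC), and a bad ruleset can lock you out, so keep console access and syntax-check with `pfctl -nf` before loading.

```python
"""Generate pf(4) ether rules that pin known MACs to their IPv4 addresses,
drop IPv6 frames by EtherType, and block every other frame on the interface.

Added example with constructed data; rule syntax follows pf.conf(5) ether rules.
"""
import ipaddress
import re
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD


@dataclass(frozen=True)
class Device:
    name: str
    mac: str
    ipv4: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    the lowercase colon form pf expects. Rejects malformed input and group
    (multicast/broadcast) addresses, which can never be a host's source MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group (multicast/broadcast) MAC is not a host: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_ether_rules(iface: str, devices: list) -> list:
    """Return the ether rules (one per list entry) for `iface`.

    Every pass rule carries `quick`, so the ordering is correct regardless of
    whether pf evaluates ether rules first-match or last-match: the IPv6 block
    wins for 0x86dd frames, pinned devices win for their own MAC+IP, and the
    trailing non-quick block catches everything else.
    """
    seen_macs, seen_ips = {}, {}
    rules = [f"# ether rules for {iface} (generated, assumed interface name)"]
    # Drop IPv6 at layer 2: no RA/ND/DHCPv6 ever reaches the IPv6 stack.
    rules.append(f"ether block quick in on {iface} proto {ETHERTYPE_IPV6:#06x}")
    for dev in devices:
        mac = normalize_mac(dev.mac)
        ip = ipaddress.IPv4Address(dev.ipv4)
        if mac in seen_macs:
            raise ValueError(f"MAC {mac} used by both {seen_macs[mac]} and {dev.name}")
        if ip in seen_ips:
            raise ValueError(f"IP {ip} used by both {seen_ips[ip]} and {dev.name}")
        seen_macs[mac], seen_ips[ip] = dev.name, dev.name
        rules.append(f"# {dev.name}")
        # ARP from the pinned MAC, so the host can resolve the gateway at all.
        rules.append(f"ether pass quick in on {iface} proto {ETHERTYPE_ARP:#06x} from {mac}")
        # IPv4 only when BOTH the source MAC and the layer-3 source address match:
        # a known MAC sending from a different IP (or vice versa) falls through to block.
        rules.append(
            f"ether pass quick in on {iface} proto {ETHERTYPE_IPV4:#06x} "
            f"from {mac} l3 from {ip}"
        )
    # Default: unknown MACs, unpinned IPs and other EtherTypes are dropped.
    rules.append(f"ether block in on {iface}")
    return rules


def policy_verdict(devices: list, src_mac: str, ethertype: int, src_ip: str = None) -> str:
    """Intended verdict of the generated policy for one inbound frame.
    This models the policy above, not pf's own rule evaluation."""
    if ethertype == ETHERTYPE_IPV6:
        return "block"
    mac = normalize_mac(src_mac)
    for dev in devices:
        if normalize_mac(dev.mac) != mac:
            continue
        if ethertype == ETHERTYPE_ARP:
            return "pass"
        if (ethertype == ETHERTYPE_IPV4 and src_ip is not None
                and ipaddress.IPv4Address(src_ip) == ipaddress.IPv4Address(dev.ipv4)):
            return "pass"
        return "block"  # known MAC, but wrong IP or unexpected EtherType
    return "block"      # MAC not in the inventory


# Constructed inventory; replace with your own devices.
LAN_IFACE = "igc1"
DEVICES = [
    Device("desktop", "00:11:22:33:44:55", "192.168.1.10"),
    Device("nas", "AA-BB-CC-DD-EE-01", "192.168.1.20"),
]

if __name__ == "__main__":
    print("\n".join(build_ether_rules(LAN_IFACE, DEVICES)))
```

Write the output to a file and run `pfctl -nf <file>` on the FreeBSD/pfSense box to parse it without loading; only load it once you have a console session open, since a typo in the interface name or a missing pass rule blocks the host you are managing from.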
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.