Can FQDN resolve to the active IPV6 address?
-
"Dumb switches are generally capable of passing VLAN frames."
True but they do not honor them or understand them.. So to them all traffic is no different than its default traffic… So you lose your separation of layer 2 traffic, and broadcast and multicast that should be in a vlan now get sent to all ports on the switch.. It's not a good edit to do this, pretty much ever!!! Maybe if your smart switch died and you had a dumb switch you could use, until the new dumb switch gets delivered.. Other than that - no I would never suggest anyone ever do such a thing..
And just because they are generally capable of not stripping the tags, this is not for sure and it could be possible they just do not pass on the tags or strip them completely... Let's go over it again - it's a bad idea to think it's ok to send tagged traffic over a dumb switch. ;)
-
"And just because they are generally capable of not stripping the tags, this is not for sure and it could be possible they just do not pass on the tags or strip them completely… Let's go over it again - it's a bad idea to think it's ok to send tagged traffic over a dumb switch. ;)"
Actually, since switches are not supposed to touch the frame they're passing, they shouldn't even notice it's a VLAN frame. It's just another valid frame. Where the issue may arise is if the frame is larger than the standard maximum Ethernet frame size, due to the extra 4 bytes the tags use. However, I don't know how common that situation is. Of course, only 802.3 frames have a maximum size. Ethernet II frames have no such restriction. IP is normally carried on Ethernet II frames.
One situation where you often have VLANs to the user is with VoIP. With VoIP phones, you can usually connect a computer to the phone, which in turn connects to the switch. An unmanaged switch will work, though CoS will not be available. You just need to have the VoIP PBX provide its own VLAN tagging and the phones configured to use the VLAN. Regardless, managed switches should be used in all but the smallest networks.
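To make the "extra 4 bytes" concrete, here is an added Python example (not from any poster in this thread) that builds a tagged Ethernet II frame, reads the VLAN ID and CoS priority bits back out of the 802.1Q tag, and models the worst case for a dumb switch, where the tag is stripped and the frame arrives as plain untagged traffic. The MAC addresses and payload are constructed; the FCS is omitted, so the classic 1518-byte limit corresponds to 1514 bytes here.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6 raw bytes."""
    return bytes.fromhex(text.replace(':', ''))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame (FCS omitted); an 802.1Q tag is inserted after the MACs if vlan_id is set."""
    hdr = mac(dst) + mac(src)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        hdr += struct.pack('!HH', TPID_8021Q, tci)
    return hdr + struct.pack('!H', ethertype) + payload


def parse_frame(frame):
    """Return vlan_id/pcp (None when untagged), the inner EtherType, the payload and the length."""
    ethertype, = struct.unpack_from('!H', frame, 12)
    info = {'vlan_id': None, 'pcp': None, 'length': len(frame)}
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from('!HH', frame, 14)
        info['pcp'], info['vlan_id'] = tci >> 13, tci & 0x0FFF
        offset = 18
    info['ethertype'] = ethertype
    info['payload'] = frame[offset:]
    return info


def strip_tag(frame):
    """Model a switch that discards the tag: the 4 tag bytes go, everything else is kept."""
    return frame if parse_frame(frame)['vlan_id'] is None else frame[:12] + frame[16:]


def tag_overhead(frame):
    """How many bytes the tag adds to the frame (0 for an untagged frame)."""
    return len(frame) - len(strip_tag(frame))


# Constructed sample: a voice packet from an IP phone on VLAN 10 with CoS 5 (IPv4 EtherType 0x0800).
PHONE_FRAME = build_frame('00:11:22:33:44:55', '66:77:88:99:aa:bb', 0x0800,
                          b'\x45' + b'\x00' * 99, vlan_id=10, pcp=5)


def demo():
    """Parse the tagged frame and the same frame after a tag-stripping switch."""
    return parse_frame(PHONE_FRAME), parse_frame(strip_tag(PHONE_FRAME))


if __name__ == '__main__':
    tagged, stripped = demo()
    print(f"tagged:   vlan={tagged['vlan_id']} pcp={tagged['pcp']} len={tagged['length']}")
    print(f"stripped: vlan={stripped['vlan_id']} pcp={stripped['pcp']} len={stripped['length']}")
```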
-
So are you going to mark your stuff on what should be in what? And we can draw it up - which makes it easier to understand.
I haven't made firm decisions on which devices need to be on the VPN and which don't. I'm pretty sure I'll want all computers, phones and tablets to go through the VPN, but for now just my desktop PC, the MacBook, my phone and my tablet need to go through the VPN. The PC and MacBook have Ethernet connections in the office, and the phone and tablet come in on the Time Capsule AP in the office.
I think my first pass at this is to define two VLANs, one for VPN connections and one for direct WAN connections. Let's call them VLAN 10 and VLAN 20, respectively.
1. I would replace dumb switch #1 with a smart switch and connect it to the NIC (I think I need to use a trunk port for that connection, no?) I'd move the PC and MacBook from the Time Machine to ports on the smart switch defined as VLAN 10 (VPN). If I need to take the PC or MacBook off the VPN, I can always temporarily change the VLAN assignment on their respective switch ports.
2. The two SDRs would be moved from switch #1 to switch #2 to make room for the PC and MacBook on switch #1.
3. The new smart AP would connect to the smart switch via a trunk port. I'd define two SSIDs on the new AP, one connected to VLAN 10 and one connected to VLAN 20. That should make it easy to switch my Wi-Fi devices to use the VPN or not.
4. All of the family devices are on Wi-Fi and normally use the Office AP. I'd initially configure them to use the non-VPN SSID on the new AP, then move them to the VPN SSID one at a time and see if anyone complains (e.g., about not being able to use Netflix, weird geolocation results, etc.)
5. I'd connect the Time Capsule AP to a VLAN 20 port. I'd turn off its wireless and use it for an upstairs guest network. Its network drive and Ethernet ports would be assigned to VLAN 20.
6. The rest of the switches in the network would stay as dumb switches for now and will be connected to VLAN 20 ports on the smart switch (no VPN.)
7. Later I may replace switches #3 and #5 (and maybe #6) with smart switches so their devices can be assigned to the VPN or non-VPN VLAN.
Two question marks in this are the Guest Network AP and shared devices (network media drive on the Time Capsule, printers, etc.):
-
The Guest network will come in on VLAN 20, so guests will use the ISP directly. At some point I may want to move guests to the VPN by default, at which point it would probably make sense to replace the existing AP with a smart AP and have SSIDs for Guest VPN and Guest non-VPN. Of course I'd have to replace switches #4 and #5 with smart switches for that to work.
-
One printer is used only by my PC, so it can be on the same VLAN. Not sure how to attach the other printer, which is shared by everyone. Same goes for the network media drive. Can a device on one VLAN use a device on another VLAN? I'm hoping I can control that from the firewall – i.e., allow specific user devices to access the shared devices or not.
Big question: The PC and a tablet are my main devices for accessing the pfSense web interface. Is it dangerous to have them on VLANs? Do I need to do anything special to allow pfSense to be accessed (or not) by devices on the VLANs? If worst comes to worst, can I connect a device to an undefined port on the smart switch or directly to the NIC to access pfSense? What about configuring the WAN to allow access?
-
-
"I haven't made firm decisions on which devices need to be on the VPN and which don't."
It doesn't matter what network/vlan they are on - you can do this with a simple policy route.. IP address X go out the vpn… Just set a reservation for that machine so it gets that IP or set it static - and it will use the vpn.
The big thing you want to decide is what you want to be able to isolate from each other. What uses the vpn doesn't matter if on specific vlan or not.. Sure you can have this vlan use your vpn, this vlan not.. But you can get as granular with that as you want with simple firewall rule.
As to pc and tablet being on whatever - makes zero difference. The web gui for pfsense can be gotten to from any vlan if you want it to be available.
-
"It doesn't matter what network/vlan they are on - you can do this with a simple policy route.. IP address X go out the vpn… Just set a reservation for that machine so it gets that IP or set it static - and it will use the vpn."
You may recall that I originally set up the firewall to route hosts to the VPN based on static IPs or FQDNs. But the problem that brought all this up is not being able to set a static IPV6 address on iOS devices. Every time they connect via wireless they get a new IPV6 address. So I can't route their IPV6 traffic to the VPN using a static IPV6 address and it doesn't appear that their FQDNs resolve to their current IPV6 addresses (though maybe if I wait long enough it'll resolve correctly – haven't tested that yet.)
If I route the iOS devices based on their static IPV4 or FQDN, their IPV6 traffic leaks. So, either I turn off IPV6 system-wide or, per your recommendation, I use VLANs to route the iOS devices (and maybe others) to the VPN.
Make sense?
-
Ah my bad sorry.. Forgot about the whole ipv6 problem..
Yes the simple solution to ipv6 is do it based upon network and that way you don't care what IPv6 they use to go outbound on..
So which devices do you want to use the vpn via ipv6.. Where are they in your network, what switches or are they all wifi - if all wifi it's easy and you really only need the 1 smart switch to connect your AP that does vlan on.
-
"So which devices do you want to use the vpn via ipv6.. Where are they in your network, what switches or are they all wifi - if all wifi it's easy and you really only need the 1 smart switch to connect your AP that does vlan on."
Good question. Generally speaking I want ipv6 capability for any device that supports it, which I think at this point are the PC, MacBook, phones and tablets. The rest of the devices aren't capable of ipv6 and it's unclear at this point whether I want them on the VPN to protect against inbound incursion. Different subject. Anyway, the PC is hardwired and the Mac is set up for hardwired or wi-fi. The phones and tablets are wi-fi.
I moved ahead this weekend. Got a TL-SG108E and a UniFi Lite AP. The smart switch has replaced dumb Switch #1. The UniFi has replaced the Time Capsule as the main upstairs AP and I moved the TC downstairs to replace the older Guest Network TC that doesn't support 802.11ac. Defined a couple of VLANs and played around with them this weekend. Got a good education about configuring VLANs, as well as some further experience with firewall rules.
I have VLAN 10 and VLAN 20, with the intent being VLAN 10 or LAN for non-VPN and VLAN 20 for VPN. I set up SSIDs on the UniFi for VLAN10, VLAN20 and LAN (upstairs guest network.) Configured the smart switch port 1, which connects to the router NIC, and port 2, which connects to the AP, as tagged on both VLAN10 and VLAN20. Defined the PC port as untagged on VLAN20. At first I had the rest of the devices untagged on VLAN10, but ran into enough issues with certain devices wanting to be on certain subnets that I put them all back on VLAN 1 until I can figure out what firewall rules they need. Also put in a bunch of firewall rules for the PC so it can access the LAN and either VLAN (for example, couldn't access the network printer until I did that.) Came to the conclusion that I might not need VLAN10. Non-VPN devices can use the LAN. But left VLAN10 configured just in case.
All it'll take is two or three more smart switches to be able to have complete flexibility for any device. And I think I've got a handle on the firewall rules I'll need to grant or restrict access.
As far as switching from VPN to non-VPN, the wireless devices have it easy – just switch networks. It's a bit of a pain to reconfigure the PC switch port, so I left an empty LAN port on the smart switch so I can just plug the PC into a VPN or non-VPN port as needed.
-
"Generally speaking I want ipv6 capability for any device that supports it"
Why to be honest? If you're so worried about sending their traffic out a vpn or not?? IPv6 while the future has ZERO requirement currently.. There is not one legit resource on the internet that you cannot get to via ipv4..
"I want them on the VPN to protect against inbound incursion."
Huh??? Yeah you're going to need to expand on that ;)
I am all for ipv6 adoption, it is best to get ahead of the curve - even if the curve has a very very long way to go still.. I run it on my own network, but in very controlled manner. Only devices I want to use it on have it enabled. I don't have it on all my segments.. And I don't give two shits about any traffic having to go out some vpn or not.
So I don't see why you should cause yourself grief?? There is actually zero reason for a device to need ipv6 on your network. If you're concerned about what WAN, be it vpn or not, your clients take - this seems to be your primary concern. Then make it easy on yourself and just disable ipv6 for those networks. I am really curious what vpn you're using that supports ipv6? Since you have another thread which really points to it not working anyway. Which is prob correct - does the vpn service you're running actually state they support ipv6? The whole point of privacy ipv6 is to prevent tracking who is who.. with the 18 quintillion IPs in a /64 kind of hard to say who is who when the ips keep changing, etc.
Post up your rules if you don't mind.. New users to pfsense almost always get it wrong ;) With rules that are not required or make no sense.
Rules are evaluated top down; the first rule to trigger wins and no other rules are evaluated.
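As an added illustration (not from any poster here), this Python model of that top-down, first-match evaluation ties together two points from the thread: the earlier observation that routing an iOS device to the VPN by its static IPv4 address or FQDN leaks its ever-changing IPv6 traffic, and the advice that matching on the VLAN's network instead makes the address irrelevant. It also flags a rule that can never fire because an earlier rule already covers its source. All addresses and rule lists are constructed (documentation prefixes), not the thread's real configuration.

```python
import ipaddress


def first_match(rules, src_ip, default_gateway='WAN'):
    """Evaluate a pfSense-style rule list top down; the first rule whose source matches wins."""
    ip = ipaddress.ip_address(src_ip)
    for source, gateway in rules:
        net = ipaddress.ip_network(source, strict=False)
        if ip.version == net.version and ip in net:
            return gateway
    return default_gateway   # nothing matched: the traffic takes the default route


def shadowed_rules(rules):
    """Indices of rules that can never trigger because an earlier rule already covers their source."""
    dead = []
    for i, (source, _) in enumerate(rules):
        net = ipaddress.ip_network(source, strict=False)
        for earlier, _ in rules[:i]:
            above = ipaddress.ip_network(earlier, strict=False)
            if net.version == above.version and net.subnet_of(above):
                dead.append(i)
                break
    return dead


def vpn_leaks(rules, flows):
    """Source addresses that were meant for the VPN but end up going out the plain WAN."""
    return [ip for ip in flows if first_match(rules, ip) != 'VPN']


# Constructed rule sets: (source network, gateway), listed top to bottom.
PER_HOST = [('192.168.1.50/32', 'VPN'),            # tablet's IPv4 DHCP reservation
            ('2001:db8:1:1::50/128', 'VPN'),       # the IPv6 address the tablet had yesterday
            ('192.168.1.0/24', 'WAN'),
            ('2001:db8:1:1::/64', 'WAN')]
PER_VLAN = [('192.168.20.0/24', 'VPN'),            # VLAN 20 IPv4 subnet
            ('2001:db8:1:20::/64', 'VPN'),         # VLAN 20 IPv6 prefix, whatever address the device picks
            ('192.168.1.0/24', 'WAN'),
            ('2001:db8:1:1::/64', 'WAN')]
MISORDERED = [('192.168.1.0/24', 'WAN'),           # broad rule first ...
              ('192.168.1.50/32', 'VPN')]          # ... so this host rule never fires

# Constructed traffic from one iOS tablet: fixed IPv4, but a fresh IPv6 temporary address per connect.
TABLET_ON_LAN = ['192.168.1.50', '2001:db8:1:1::50', '2001:db8:1:1:8f3a:1c22:9d40:77be']
TABLET_ON_VLAN20 = ['192.168.20.50', '2001:db8:1:20:8f3a:1c22:9d40:77be']

if __name__ == '__main__':
    print('per-host rules leak:', vpn_leaks(PER_HOST, TABLET_ON_LAN))
    print('per-VLAN rules leak:', vpn_leaks(PER_VLAN, TABLET_ON_VLAN20))
    print('shadowed rules in MISORDERED:', shadowed_rules(MISORDERED))
```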
-
Like I said, I'm new to all this, especially IPV6 and sophisticated routing/firewall tools!
I guess I needed to hear from someone in the know that IPV6 is a long way from being a requirement. With that in mind, I have two options:
1. Disable IPV6 network-wide.
2. Allow native IPV6 on the ISP WAN but disable IPV6 on VPN connections (requires VLANs to get around iOS not allowing static IPV6 addresses). The VPN is Perfect Privacy. Near as I can tell, they're the only VPN that supports IPV6. As I said in the other thread, it works with IKEv2 on iOS – IPV6 addresses get mapped properly so there's no leak.
IPV6 leakage seems to be an issue with VPN security watchdogs. That's why every VPN with pfSense configuration instructions tells you to turn off IPV6 system-wide. If you don't, you have to use firewall rules to prevent the native IPV6 addresses from leaking. But if the IPV6 addresses aren't static, and change each time a device connects (as they do under iOS), then you need VLANs, as we've discussed here.
As for the danger of leakage, if the IPV6 address leaks, couldn't someone identify my network as the source of the traffic (assuming they had access to my ISP's logs?)
-
In your other thread - they DON'T support IPv6, not in any way that makes sense.. They are giving you 1 IPv6 address and expecting you to nat all your traffic to it. Sorry but that is BORKED out of the gate..
"As for the danger of leakage, if the IPV6 address leaks, couldn't someone identify my network as the source of the traffic (assuming they had access to my ISP's logs?)"
That is a lot of ifs.. Most ISPs the ipv6 range they give you changes all the time.. Part of the reason I don't use native from comcast is the prefix keeps changing and is a pain in the butt ;) I use a tunnel from HE.. So I get a /48 and can assign the specific prefixes I want to my different segments..
So this somebody or someone is going to have a court order? Why would they have access to your ISP logs? Is this someone at the ISP? So website X sees IPv6 xyz access their server.. They would know it came from isp abc sure. But now how are they going to have the logs from your isp to know that we gave that prefix to Joe on 123 Street.. That is even if the ISP has such logs.. I find that hard to believe to be honest…. Reboot your modem and you will have a completely different prefix anyway most likely.. Let's say they have this info and are sharing it without the court order. So now they know that "someone" or some device on 123 Street had that IP at that time.. Who was it exactly? Was it Susan that lives there? Was it Billy? How do you prove it was Joe? Maybe it was Kevin from down the street that was on Joe's wifi at the time, etc..
How tight is your tinfoil hat exactly? ;)
So who says this VPN is not logging every IP they give you, and what you're doing and what you ask for dns? Because they say so?? Why do you believe them and not your ISP? I never understand this logic.. You pay your isp way more money I would think than some vpn that you pay a few bucks a month, etc.
All that being said - again IPv6 is the future!! And yes it is coming.. But I am fairly sure I will be freaking retired from the industry before it becomes any sort of requirement to get anywhere. I am 52, so I have like 15 years left for sure.. Yes there is a shitton of stuff on ipv6, and yes the amount of traffic flowing over ipv6 grows every day.. But until they start turning off stuff like ipv4 access to something - it's not a requirement!! So when you can not get to www.google.com unless you have IPv6 - then yeah it's a requirement.. Name one source that is not dark web or p0rn current that is only available via ipv6 that you want/need to get to.. Until you can name this service it is not a requirement to run ipv6.
Play with it!! Run it controlled on your network - learn about it!! Get a tunnel from HE so you can deploy how ever many /64 segments you want.. Work with getting a vpn working with it if you want - bug your vpn provider to do it correctly! etc. etc.. But sorry as much as us in the field want to speed it along and have it become a requirement/mainstream - it's just not there yet.. And I would really be surprised if it happens in the next 15 years..
I work for a service branch of a tier 1 provider - and what I can tell you is there is ZERO ipv6 in NA on their network.. I should know I have access to all of it ;) And to be honest I don't think much if any on their global network other than the other sister company that does cell phones.. There is talk, and they say its coming... I have been asking about it for the 8+ years I have worked for them.. Still nothing... None of the major customers we support or that I work on directly have it, not on their local networks - not on their public networks, etc. etc.. These are not web companies.. These are companies actually making stuff or providing services, etc. I would love nothing more to get put on a ipv6 rollout project! But just not any sort of push..
-
Points well taken. I'm doing all this because I got the bug to see if I could make my presence on the Internet as private and untraceable as possible. Easier said than done (e.g., getting Google out of one's life), and I'm far from reaching conclusions on what's really possible.
But before we cast aspersions on the VPN's implementation of IPV6, take a look at my latest post in my other IPV6 thread. The IPV4 and IPV6 addresses reported for my connection to the VPN when I used IKEv2 on iOS are different for each device. I think this means they assign an IPV4 subnet and an IPV6 prefix.
In any case, I'll ask the VPN and post what they say.
-
"… But the problem that brought all this up is not being able to set a static IPV6 address on iOS devices."
As long as my IPv6 supplier (he.net) doesn't change the prefix, the IPv6 my iPhone obtains has been the same for the last 2 years or so …
(Ok, I helped somewhat by setting up a static lease in the dhcp6d)
So, when your IPv6 setup is ok on the WAN side, the inner side, LAN, etc, will work just fine.
-
"(Ok, I helped somewhat by setting up a static lease in the dhcp6d)"
I'm not sure what you mean by this. Where and how did you set the static lease?
-
"(Ok, I helped somewhat by setting up a static lease in the dhcp6d)"
"I'm not sure what you mean by this. Where and how did you set the static lease?"
Here: Services => DHCPv6 Server & RA => LAN => DHCPv6 Server - at the bottom of the page I added a boatload of "DHCPv6 Static Mappings for this Interface" entries (columns: DUID, IPv6 address, Hostname, Description, ...).
Like in the old IPv4 days, all my devices (iOS stuff included) have their "fixed" IPv6. When I open up an IPv6 address in the firewall (the he.net IPv6 only interface) I can reach the device from the net.
With a (mine) DNS server on net and some arpa reverse magic I can even use URLs like "diskstation.brit-hotel-fumel.net" port 22 to rsync to it - using only IPv6.
" And, hey, Mam : Look ! No NAT ! " :)
My IPv6 addresses didn't change for the last several years.
-
Thanks. I have my network set up to use the native IPV6 address from my ISP. The WAN interface IPV6 is set to DHCP6 and the LAN interface IPV6 is set to Track Interface (WAN). I got that from an article on how to configure pfSense to use Comcast native IPV6. Everything seems to work the same as when I had the Comcast modem doing the routing. Only problem is the iOS devices. If I understand correctly, your method has pfSense doing the IPV6 assignment and you defined static IPV6 addresses for all the devices. Right?
If I were to go down that road, what would I use for an IPV6 prefix? Something I make up? Something based on the Comcast native IPV6 prefix?