IPV6, IPV4, traffic shaping, and pfblockerng
-
I have a simple home network. Just a handful of devices with an AP providing WiFi. I realized that a number of devices are using IPV6 instead of static IPV4 addresses I assigned. I read through the documentation and am thoroughly confused and need some guidance.
I want to ensure my traffic shaping (PRIQ) works as intended and that my packages function as intended as well. I have floating rules for traffic shaping to prioritize traffic but imagine those rules are not applied since an IPV6 lease is assigned to the device rather than the static IPV4.
Should I disable IPV6?
Am I able to apply PRIQ to IPV6? Is it already applied?
Should my other packages work as expected (pfblockerng, suricata)?
Any and all guidance is greatly appreciated.
-
I have a simple home network. Just a handful of devices with an AP providing WiFi. I realized that a number of devices are using IPV6 instead of static IPV4 addresses I assigned. I read through the documentation and am thoroughly confused and need some guidance.
Pure IPv6 devices exist when you force them to use only IPv6. I guess you didn't, so they all ask (DHCP) for an IPv4 and, if they can handle it, an IPv6.
I want to ensure my traffic shaping (PRIQ) works as intended and that my packages function as intended as well. I have floating rules for traffic shaping to prioritize traffic but imagine those rules are not applied since an IPV6 lease is assigned to the device rather than the static IPV4.
Can't tell, never shaped anything in my life.
Should I disable IPV6?
Maybe, for the time being.
But guidance isn't what you need. IPv6 is a huge subject. As with "IPv4", you'll have to go through the "learning phase".
Am I able to apply PRIQ to IPV6? Is it already applied?
Never heard that shaping, or "PRIQ", is IPv4-only.
Should my other packages work as expected (pfblockerng, suricata)?
pfblockerng will work well - check with their support. But you should know that the concept of "lists with bad IPv6" will never work out in the future, it's simply too big. Using DNSBL still works.
suricata is more a packet inspection tool. These are still the same. The "IPv4" or "IPv6" is just the envelope that transports the packet.
The thing is: as a firewall operator you do not have a choice, you should become friends with IPv6.
Remember: a firewall handles IP packets. And IP means: IPv4 or IPv6, knowing that IPv4 will fade out (in the next decade, so you have some time ;))