Netgate Discussion Forum
    ipv4 only no more

    Category: IPv6 | 13 Posts, 4 Posters, 1.2k Views
    • kiokoman (LAYER 8) @A Former User

      @jwj
      2.5.0 has the ability to forward ipv6 dns requests

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • A Former User @kiokoman

        @kiokoman said in ipv4 only no more:

        @jwj
        2.5.0 have the ability to forward ipv6 dns requests

        Thank you! By this you mean the ability to redirect ipv6 dns requests to some other address? I'll have to go dig around and find details about that.

        Thanks again, that's useful!

        • johnpoz (LAYER 8, Global Moderator) @kiokoman

          Personally I am a big fan of HE tunnel - you can get a /48.. It's free, it's STATIC... Once you request and get your /48 - that won't change. Or it hasn't changed for me in the like 10 years I have mine. If you decide to go with some other ISP.. You still can have your same /48, be it your new ISP has ipv6 or not, etc.

          It's easier to set up to be honest, no worrying about tracking anything for what your interface's IP will be. It's just your /48 and you can do with it what you want.. If you want to hand it out via dhcpv6 or auto on your network - that is fully up to you.

          Added benefit is you set the PTRs for any IPv6 addresses you want. Does your ISP allow that?

          The only possible drawback is you might add a few ms to your latency having to go through a tunnel to whatever the closest POP is, and depending on the peering for your ISP, etc. this could add some ms.. But it shouldn't be more than a few, it's not going to be in the 100s of ms, etc. So in the big picture the benefits sure outweigh what your ISP is providing - unless they are going to give you a static /X ipv6 block routed to you ;)

          Also from my experience - even the largest ISPs really don't get how they should actually set up ipv6.. Using their deployment could for sure come with pain and changes and issues..

          If you want to play with IPv6 on your network - my opinion is HE is the way to do it.. Unless your ISP deployment is rock solid, and they don't go changing space on whenever the wind blows..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • A Former User @johnpoz

            @johnpoz Thanks John. I do agree. I'm leaning to HE or just staying ipv4 only.

            There is no explanation for what ISPs do other than complete disregard for their customers. Rate increases and the same old crappy service. I look forward to the day, someday, when more states will allow more community internet service. Stop giving these companies monopoly control by disallowing competition.

            • johnpoz (LAYER 8, Global Moderator) @A Former User

              @jwj

              Another slight benefit to the /48 from HE being static is you can use whatever prefix out of your /48 you want on any of your networks.

              So I match up the 3rd octet and host address of the IPv4 network with the IPv6 prefix.

              [attached image: prefix.png]

              That is more difficult to do when you're tracking and just limited by the /64s that are sub of whatever PD they hand you.

              • kiokoman (LAYER 8) @johnpoz

                yup, I'm using the /48 from he.net with a couple of ms more than ipv4
                @jwj yes you can redirect ipv6 dns requests with pfsense 2.5.0
                [attached image: e27105cb-3985-4ac1-8b32-7cd0c29d428b-image.png]

                • A Former User @johnpoz

                  @johnpoz @kiokoman Thanks! I do like the idea of coordinating the two addresses. Kinda like having your vlan id and ipv4 addresses match. vlan 10 is 192.168.10.0/24. A little thing that makes it cleaner.

                  I'm going to have to give this a good think ;) Probably should consider flattening things a bit. I have a lot of subnets/vlans because it seemed more "professional". I then violate the segregation left and right to keep the family happy.

                  • johnpoz (LAYER 8, Global Moderator) @A Former User
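The prefix-matching convention johnpoz describes above, together with the "vlan 10 is 192.168.10.0/24" pattern in the reply, worked through as an added example that is not from the thread. It assumes a documentation /48 (2001:db8:abcd::/48) standing in for an HE-assigned one, a 192.168.0.0/16 plan whose third octet is the VLAN id, and writes that octet's decimal digits literally as the fourth hextet so the IPv4 and IPv6 numbers line up visually (a plain hex mapping would work just as well).

```python
import ipaddress

# Constructed example values: a documentation /48 in place of an HE-assigned one,
# and an IPv4 plan where the third octet doubles as the VLAN id (assumption).
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")
IPV4_PLAN = ipaddress.IPv4Network("192.168.0.0/16")


def _decimal_as_hextet(octet: int) -> int:
    # Write the decimal octet literally as hex digits: 10 -> :10:, 150 -> :150:
    # (visual "looks alike" convention, an assumption of this example).
    return int(str(octet), 16)


def ipv6_subnet_for(ipv4_net) -> ipaddress.IPv6Network:
    """Map 192.168.X.0/24 to SITE_PREFIX:X::/64, a /64 carved out of the /48."""
    ipv4_net = ipaddress.IPv4Network(ipv4_net)
    if ipv4_net.prefixlen != 24 or not ipv4_net.subnet_of(IPV4_PLAN):
        raise ValueError(f"{ipv4_net} is not a /24 inside {IPV4_PLAN}")
    vlan_id = ipv4_net.network_address.packed[2]   # third octet == VLAN id
    subnet_id = _decimal_as_hextet(vlan_id)        # becomes the 4th hextet
    base = int(SITE_PREFIX.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def ipv6_host_for(ipv4_host) -> ipaddress.IPv6Address:
    """Map 192.168.X.Y to SITE_PREFIX:X::Y so the host part lines up as well."""
    ipv4_host = ipaddress.IPv4Address(ipv4_host)
    subnet = ipv6_subnet_for(ipaddress.IPv4Network((ipv4_host, 24), strict=False))
    host_id = _decimal_as_hextet(ipv4_host.packed[3])
    return ipaddress.IPv6Address(int(subnet.network_address) | host_id)


def vlan_id_for(ipv6_addr) -> int:
    """Reverse check: recover the VLAN id from the 4th hextet of a site address."""
    ipv6_addr = ipaddress.IPv6Address(ipv6_addr)
    if ipv6_addr not in SITE_PREFIX:
        raise ValueError(f"{ipv6_addr} is outside {SITE_PREFIX}")
    hextet = (int(ipv6_addr) >> 64) & 0xFFFF
    return int(f"{hextet:x}")   # undo the decimal-as-hex trick (a-f means "not ours")


if __name__ == "__main__":
    for net in ("192.168.10.0/24", "192.168.20.0/24", "192.168.150.0/24"):
        n = ipaddress.IPv4Network(net)
        print(f"vlan {n.network_address.packed[2]:>3}  {net:<18} -> {ipv6_subnet_for(n)}")
    print("192.168.10.5 ->", ipv6_host_for("192.168.10.5"))
```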

                    @jwj said in ipv4 only no more:

                    Kinda like having your vlan id and ipv4 addresses match

                    Yeah this is a very common practice for sure ;) And do it both at work when you can and for sure at home..

                    How many vlans do you have? I could/should prob create some more vlans for my iot stuff - that is pretty lumped together with different types of devices in the same vlan... My Alexas and lighting stuff and thermostat, etc are all in the same vlan. I did break out the Rokus on their own vs putting them in with the other iot devices..

                    But that was more an attempt to keep my wifi SSIDs limited.. If I ever get around to setting up dynamic vlans based on mac for the iot devices then yeah I would segment the stuff better.

                    I tested that it could be done.. But then upon thinking about it more - it would still leave me with multiple SSIDs.. Enterprise for my stuff, PSK for iot stuff and PSK for guests.. So it would only allow me to go down to 3 vs the 4 I currently have.. So wasn't really worth the extra effort to just split the few types of iot stuff I have, etc.

                    • A Former User

                      @johnpoz @JKnott @kiokoman Thank you all! This has been helpful. I have learned a few things and I have had some things I thought confirmed.

                      I wonder if the average forum user realizes what a good resource they have here? Sure, there is the occasional FOSS forum drama but mostly you get questions answered by actual professionals. For free. Nice!

                      • A Former User @johnpoz

                        @johnpoz said in ipv4 only no more:

                        How many vlans do you have?

                        I have 8 subnets/vlans.

                        LAN (default vlan): Switches, APs and controller
                        Infrastructure: Pi-Hole
                        Home: iPhones, iPads, Macbooks
                        Media: LG TV, Roku TV, Apple TVs, Sonos Speakers
                        Server: Synology and QNAP NAS
                        Printer: HP printers
                        IoT: Kindles and Bike Computers
                        Guest:

                        I have 3 SSIDs

                        Freeside: Enterprise Radius assigned VLAN
                        Chiba: PSK Radius assigned VLAN by MAC address
                        Sprawl: Guest

                        I put everything I could on Freeside, including one of my printers that supports WPA2 Enterprise EAP-TLS. Lots of fun with Apple Configurator for the others.

                        Chiba gets the Kindles, bike computers and Roku TV. Before anyone has a fit, no you can't get on this network by MAC address only. They are only used to do VLAN assignments. You still have to know the pre-shared key. Unifi is kinda misleading with this, they call it "RADIUS MAC AUTHENTICATION". I tested this and found that you have to have a user in RADIUS that matches the MAC address and the PSK. RADIUS shows it as a successful logon if you have no password or the wrong password but the AP doesn't connect you in that case. Maybe you could do this on an open network or do something in RADIUS to make it a MAC bypass. That is a terrible idea.

                        Sprawl is the guest network.

                        Everything that is stationary is on a wired connection with the exception of the Roku TV and one Apple TV.

                        One printer (an all-in-one) is on a cart and connects to Freeside (didn't know it supported Enterprise EAP-TLS until recently, never bothered to look when I bought it) :)

                        I violate the F out of the L2 segregation using avahi (mDNS/Bonjour) and udpbroadcastrelay (SSDP, for the Sonos). I'd post up all my firewall rules but that would just serve to make me look dumber than I already do. They get the job done but are not nearly as locked down as they could be.

                        There is a lot that could be improved. We're probably going to move late spring/early summer and that will be the time to get some gear that is quieter and more energy efficient. A Netgate appliance and new switch(s). Get rid of my unifi stuff and replace them with Ruckus APs if I can find some for a decent price used. Put bigger drives in my Synology and retire the QNAP. There's always something...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.