Need some instructions for getting started with IPv6
-
My close-to-a-decade-old Wifi AP's transport just fine IPv4 and IPv6 used by iPhone and other devices.
I think you may have missed the point. The wifi AP here fully supports IPv6. But we are asked to remove the router function from the modem/router which I believe will stop wifi working but I may be wrong, maybe the modem can be used simultaneously by 4 ethernet devices and lots of wifi ones without a router function.
-
@dotdash said in Need some instructions for getting started with IPv6:
already double natting and unwilling to change that,
Perhaps we should be asking why they're unwilling to change. NAT is a curse on networks, caused by the inadequate IPv4 address space.
In my own network, I get a single IPv4 address, which I have to NAT to handle all my devices. I have no choice in the matter. On IPv6, I have a block of 4.72236648287 x 10²¹ addresses, so no NAT needed. Every IPv6 capable device gets global unique addresses. This means I can directly access any of those devices from elsewhere, without having to worry about port forwarding, etc..
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
But we are asked to remove the router function from the modem/router
We are here because we use pfSense. Most people running pfSense will put their modem into bridge mode and let pfSense handle everything for routing and firewall. The WiFi is a secondary issue and you're likely better off with a proper AP anyway. It is not IPv6 that's causing this issue, it's your sticking with the modem in gateway mode.
BTW, I live in a condo. If I relied on the modem WiFi, I would have a great signal at one end, but poor at the other. By using a PoE AP, I was able to put it roughly in the middle of my unit and so get a good signal throughout. My AP is high up on the wall in my laundry room. Very often, sticking with the WiFi on the modem results in a poorer signal. Also, the firewall that's built into my modem is crap that's nowhere near as capable as pfSense. So, considering WiFi signal, IPv6 and firewall, I'm far better off with the modem in bridge mode.
-
What jknott is trying to tell you is you're not going to get IPv6 to work as it is designed when your isp device in front of pfsense is doing nat.. While it might hand out an IPv6 address to pfsense wan... It's not going to be able to do correct delegation of the prefix(es) that would allow pfsense to put an IPv6 prefix on its lan..
So you can either go the hacky way of doing it and do some sort of nat on the ipv6 address pfsense gets on its wan... This can work sure - but is not how ipv6 is meant to be used.
The correct solution would be to use your isp device as bridge.. So it doesn't do nat, and then hopefully pfsense can get a delegated prefix or prefixes that it can use for network on its lan side. But this would depend again on your ISP - many of them do ipv6 all F'd up and only hand out 1 /64 anyway... It's freaking moronic at best ;)
While this will pretty much break the isp device's use as wifi AP... Normally you would want wifi behind pfsense as well, this would be done with either some wifi router being used as just AP, or an actual AP or multiples... I have 3 myself in my little sub 1500 sq ft house ;) Expecting to get "good" wifi from 1 AP located at the 1 router is problematic to say the least.. Unless you're in some small studio setup or something...
Another work around if you do not want to put your isp device into bridge mode, would be to setup a Hurricane Electric tunnel (FREE BTW) so you could get a /48 and break that up into your /64s to put behind pfsense.
And while jknott doesn't like this point of view - there is also the point well made by Ulysses_ that do you really need IPv6.. It is just plain fact currently that it is not an actual requirement at this time... There is not one actual resource that you would actually need to get to that is not available via IPv4.. So there is no actual "need" for IPv6 for the end user at this time... And to be honest I do not see that changing for many many many years!!! All the devices that were sucking up IPv4 space - ie phones!! are being migrated to IPv6 and then an IPv6 to IPv4 gateway run by the company to allow these IPv6 devices to talk to the IPv4 space..
So my advice is if you do not want to take the time to learn what is required to properly deploy, use, troubleshoot and secure IPv6 - it's quite often a better and easier option to just not enable its use on "YOUR" network... Until such time that you want to put in the work to do it correctly.
I would love nothing more for a massive push to get everyone on ipv6.. It's for sure the future - but that future is not actually now no matter how many people want to believe it is.. I too have been using it for 10 some years... And while I love playing with it, and learning about it, and experimenting with it - just have yet to run into anything be it personal or professional that actually truly requires that it be available to the end user. Now if I worked in, say, the mobile phone business that might be a different story ;)
-
Another issue is privacy. Have you ever thought if the designers of IPv6 are so keen with giving a unique IP to every single device in the world, for reasons other than neatness?
For example, pretty much everyone has plenty of 192.168.0.0/16 and 10.0.0.0/8 IP's for their devices in their LAN. If the designers wanted simplicity they would just leave this alone and ISP's would just give out a single IPv6 IP to each customer. But no, Big Brother wants it all, every single device in the world must be tracked.
-
By the way, why are there two IPv6 IP's here?
-
That second one (fe80...) is link local.. There could also be more actual global addresses as well.. IPv6 uses out of the box will have many privacy addresses in the same prefix.. unless that feature is turned off..
If you think IPv6 for each device is for tracking purposes? From Big Brother? Think maybe someone been reading some conspiracy sites ;) Do they also cause autism? ;)
You understand when IPv4 was first started, the idea was every address was to be globally reachable - NAT came later as an afterthought to when hey there is going to be more devices on this network than we ever imagined ;)
Such questions are clear examples of someone needing to understand IPv6 more before attempting to actually use it ;)
That first one there is owned by OTE, so you're in Greece..
Link-Local addresses are like their IPv4 cousins the 169.254 range which is meant as L2 only address.. They don't route but serve a huge function in IPv6 use.. Every device that uses IPv6 will have a link local address.
-
IPv6 for each device is for tracking purposes? From Big Brother? Think maybe someone been reading some conspiracy sites ;) Do they also cause autism? ;)
What's for sure, 10.0.0.3 is more readable than 2a02:587:220d:8b00:bafb:6402:b954:9ae5.
A sound design would insulate the end user from this, and only the infrastructure people would need to learn IPv6.
By the way, I hope you realise Big Brother is a metaphor, not a literal person. How do you feel about the Russian government dumping Windows 10 from all their public sector and armed forces systems, in favour of a debian derivative of their own build with added strong encryption? I think Microsoft trying to be Big Brother is a major part of it.
https://en.wikipedia.org/wiki/Astra_Linux
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
But no, Big Brother wants it all, every single device in the world must be tracked.
Actually, there are multiple addresses. Most of them will be privacy addresses. You get a new one every day, for a total of 8. The privacy addresses are used for outgoing connections. You'd use the consistent address for incoming connections. Also, the fe80 address is called link local. It goes no further than the nearest router.
So a computer will have 1 link local address, 1 consistent and up to 7 privacy addresses.
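
The address types discussed in the posts above, as an added example that is not part of the original thread: this Python sketch classifies an address by scope and checks whether its interface identifier is a MAC-derived (modified EUI-64) value, which is the case where a device is recognisable across networks and which privacy addresses avoid. The `fe80::` and `2001:db8:` sample addresses and the function names are constructed for illustration; the `2a02:` address is the one quoted earlier in the thread.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses

def classify(addr: str) -> dict:
    """Return scope, /64 prefix and (if present) the MAC embedded in the address."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone id such as %eth0
    if ip.is_link_local:            # fe80::/10, never forwarded by a router
        scope = "link-local"
    elif ip in ULA:
        scope = "unique-local"
    elif ip.is_global:
        scope = "global"
    else:
        scope = "other"             # documentation, loopback, multicast, ...
    prefix64 = str(ipaddress.ip_network(f"{ip}/64", strict=False))

    # Lower 64 bits are the interface identifier (IID).
    iid = (int(ip) & ((1 << 64) - 1)).to_bytes(8, "big")
    mac = None
    # Modified EUI-64 inserts ff:fe in the middle of the MAC and flips the
    # universal/local bit. A random IID matches by chance about 1 in 65536.
    if iid[3:5] == b"\xff\xfe":
        raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        mac = ":".join(f"{b:02x}" for b in raw)
    return {"scope": scope, "prefix64": prefix64, "eui64_mac": mac}

def trackable_across_networks(addrs):
    """MACs that show up under more than one /64, i.e. the same device seen on different networks."""
    seen = {}
    for a in addrs:
        info = classify(a)
        if info["eui64_mac"]:
            seen.setdefault(info["eui64_mac"], set()).add(info["prefix64"])
    return {mac: sorted(p) for mac, p in seen.items() if len(p) > 1}

# Constructed sample: one device with a MAC-derived IID seen behind two
# documentation prefixes, plus the randomised-looking address from the thread.
SAMPLE = [
    "2001:db8:1::211:22ff:fe33:4455",
    "2001:db8:2::211:22ff:fe33:4455",
    "2a02:587:220d:8b00:bafb:6402:b954:9ae5",
]

if __name__ == "__main__":
    for a in SAMPLE + ["fe80::211:22ff:fe33:4455%eth0"]:
        print(a, classify(a))
    print(trackable_across_networks(SAMPLE))
```

An address with `eui64_mac` set is the consistent, hardware-derived kind; outgoing traffic from a host with privacy addresses enabled should show no embedded MAC.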
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
A sound design would insulate the end user from this
How many end users worry about IPv4 addresses? Most of them wouldn't even know what an IP address is. There is also a nice little feature you might have heard of that handles this. It's called "DNS". You use host names to connect, not addresses. If you don't have DNS available, then there's always the hosts file.
How would you build a network where the infrastructure people work with IPv6 and users IPv4? I guess you don't remember the days when IPv4 and IPX were often used on the same network. Back when I was at IBM, there was also SNA to worry about. At least I did, as that was part of my job, but the average person knew nothing about it. They just wanted things to work.
BTW, back when I was at IBM, I had 5 global IPv4 addresses, one for my own computer and 4 for testing. I also similarly had 5 SNA addresses and I had memorized them all. My work IP address was 9.29.146.147, which I still remember after almost 20 years.
-
Wasn't talking about the average person but the millions and millions of us trying to do things with firewalls, VPN's, local proxies, file sharing between our own computers and VM's and so on in order to improve security or privacy or even dabble with anonymity although the latter is really hopeless in the long term.
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
dabble with anonymity although the latter is really hopeless in the long term.
If you think your little vpn you pay X dollars a month, because they don't log gets you anything other than slower internet.. You're kidding yourself..
It sure and the F does not get you actual anonymity... It might hide what p2p file you actually downloaded from your ISP, so they don't send you DMCA notices.. But other than that in the big picture, it gets you nothing but a slower freaking connection.
And sure allows you to play whack-a-mole with geo circumvention with streaming providers..
And you can still do vpn over ipv6.. That doesn't change - in the big picture for the end user, it's a longer address. But yes it can be a learning curve for those that are wanting to do actual networking in their homes.
In your typical scenario - the end user is using some isp device, and it uses 1 /64 behind it - since all the end users stuff is on 1 flat network... These are not the people I am talking about having to learn anything.. It's the people that are wanting to do more than that - then yes there is a learning curve to be sure!!!
These are the people, if they are not willing to understand the changes and how to manage, secure, setup and administer IPv6 - they are prob better off just not using it until such time that they want to put in the learning. Because currently there is not actual "need" for it.. Name one resource you want to actually use that requires you to have an IPv6??
-
Well, I've been working with computers and networks for a very long time. I've never had an issue with it, whether IPv4, IPv6, IPX or SNA and I've worked with them all. The point you seem to be missing is that IPv4 is crippling the Internet. As I mentioned, there are no more IPv4 addresses available in Europe and Middle East, and there are other parts of the world that are not far behind. What are they supposed to do? We already have people on carrier grade NAT and then using NAT again on their own networks. The only reason for this is the shortage of IPv4 addresses. So, the only viable solution is to move to IPv6. In addition to the unbelievably huge address space, there have been other changes to improve performance and security. Further, the address blocks have been allocated geographically, to minimize the size of routing tables. You may recall when there was a severe problem, several years ago, when routing tables became too big for some routers.
If you're doing things in such a way that you have to remember IP addresses, then you're doing things wrong. I've been using IPv6 for almost 10 years and remembering addresses has never been an issue.
-
Kind of off topic but couldn't resist: the VPN is not for anonymity but privacy and geo circumvention, TOR is for anonymity only, you're supposed to chain them, and I am using neither. :) Just proprietary tunnels inside tunnels. And looking into decentralized alternatives to TOR at the moment for the anonymity part cause TOR is centralized as hell. You've got any advice on those, such as I2P and blockchain-based ZeroNet?
-
@johnpoz said in Need some instructions for getting started with IPv6:
Because currently there is not actual "need" for it.. Name one resource you want to actually use that requires you to have an IPv6??
Perhaps you could ask someone in Europe, who can no longer get an IPv4 address. That problem will not go away, until the world switches to IPv6. The sooner that happens, the better.
-
That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6...
https://whynoipv6.com/
Out of the top 1000 Alexa sites, only 361 has IPv6 enabled, and 770 of them use nameservers with IPv6 enabled.
Of the total 902708 sites only 24% of them have IPv6. This is a huge shame!
Where in Europe? Exactly... Just because ripe has no more IPv4 to assign, doesn't mean the ISPs don't have IPv4 to use still... Shit the European company I work for is sitting on MILLIONS of IPv4 that is not currently being used.
And they are too lazy to transfer space to arin for an upcoming project to use.. I have to assign a /22 out of our ipv4 space that is not actively being used, etc..
While yes some new company can not just go to their RIR and get a /X - its not like there is not IPv4 space to use.. There are millions and millions of IPs that are not actively being used and could be if actually required..
In the last couple of years we have sold off most of our /16.. But with the /19 we have left.. Most of that is not actively being used at all.
-
@johnpoz said in Need some instructions for getting started with IPv6:
That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6...
Well, my cell phone uses 464XLAT to access IPv4 sites. Beyond that, it's IPv6 exclusively. There are also ISPs, such as Comcast that use carrier grade NAT or other transition methods to provide IPv4 to what are otherwise IPv6 only customers. When everyone's switched to IPv6, there will be no need for IPv4 on the Internet.
Yes, I know some people will still have IPv4 only hardware, but that's no excuse to not move the world to IPv6. Take a look at what's happened with cell phones. Back in the '80s, they were analog only. Then came the 2G phones, then 3G, etc.. Now analog is long gone and 2G almost gone. Sure some people griped when their phone became obsolete, but look at what we can do with our phones now, compared to what we had 30 years ago.
-
@johnpoz said in Need some instructions for getting started with IPv6:
Where in Europe? Exactly... Just because ripe has no more IPv4 to assign, doesn't mean the ISPs don't have IPv4 to use still... Shit the European company I work for is sitting on MILLIONS of IPv4 that is not currently being used.
And they are too lazy to transfer space to arin for an upcoming project to use.. I have to assign a /22 out of our ipv4 space that is not actively being used, etc..
Regardless of what's done to extend use of IPv4, it will run out soon. There aren't even enough addresses in the entire IPv4 address space to handle just the mobile devices. Instead of putting off moving to IPv6, ISPs and customers should be moving to it. Otherwise we'll have more NAT being used, more people unable to reach their own networks because they're on carrier grade NAT, more shuffling addresses around, etc. Why not just fix the problem properly, instead of prolonging it?
IPv6 has been "officially" available for 7.5 years. Every operating system currently being produced supports it (going back to XP SP3), as does more & more hardware.
-
@johnpoz said in Need some instructions for getting started with IPv6:
That is not the point if the end user can not get an IPv4... Can freaking promise you the end user ISP has given them some way to get to IPv4.. Because sorry - at best there is 30% of the top websites on the world that even support IPv6...
Here's an article, in today's Toronto Star, that seems to imply IPv6 will be needed on cell phones:
Internet-based 911 calling on the horizon in Canada
"Essentially, every connected phone will have an internet protocol address, which will be cross-referenced with key data sets mostly supplied by municipalities. The database will comprise every street address in an area and the entry location of buildings. Emergency service boundaries will also be accessible to ensure the right responders are dispatched.
The result should allow the 911 system to pinpoint the location of callers to within centimetres."
I haven't found much in the way of details, but giving phones unique addresses will probably require IPv6.
I also don't understand how they'll be able to determine location within centimetres.
There is this document, which has on page 68, page 3 of Appendix 2:
"North American Network Operators Group (NANOG)
A governing body that provides guidance and instructions for the design of an IP network. NANOG is typically involved in the best current operational practices for IPv6 planning."
This system is apparently supposed to be implemented all over Canada and U.S. My Pixel 2 certainly gets IPv6 from my carrier, but not all phones or carriers support it yet.