Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)
Following up from this old thread, over on an IETF list I’ve come across this resource for learning IPv6: https://afrinic.academy/

I’ve not looked at the content or quality - but the headings seem logical and it’s free.

Simon

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)
o1bigtenor via Dng wrote:

> I hope that others might also contribute even questions and thereby
> a document in the 'how to' class is created.

In many ways that’s a better way - there’s only so much generic stuff you can throw at someone before they get overwhelmed. If anyone does have a specific question then I’ll try and help.

>> You will want to configure an IPv6 firewall. I used Shorewall for this -
>> it’s an amazing package. It’s still usable, but its time is now limited as
>> it’s deeply entangled with iptables which is now deprecated and replaced
>> with nftables. I imagine that at some point the iptables compatibility shim
>> will go away and that will stop Shorewall.
>>
> I am looking at (have the hardware waiting for pickup) running something
> like pfSense or OPNsense for a firewall. It seems that either support
> ipv6 as well.

I would imagine either of those would do fine based on reputation - I’ve not used either.

> Wondering about physical setup.
>
> I had thought of running my network (part of it at least) like this:
>
> WAN == router == firewall == managed switch == complicated network
>
> It has been suggested to me that I should combine the router and
> the firewall functions into the same machine. Which option (combining
> functions or separating functions) gives a more robust network?

You can run it as you’ve drawn, but the firewall will inherently end up doing internal routing functions - effectively you’ve made the router-firewall link there analogous to the ISP provided WAN link for your firewall.

To elaborate, assuming you end up with multiple networks, traffic between them will need to be routed and managed. What you don’t want to do (and it would be tricky to configure anyway) is to route traffic out to the router only for it to be sent back in - passing through the firewall twice. So internal inter-network traffic could pass through the firewall just once, coming in through one VLAN interface, and being passed out via another one.

In theory the single ethernet link between firewall and switch can be a bottleneck if there’s lots of traffic between networks, but I suspect few home networks will find that a problem, and you can always add extra ethernet ports (either as separate connections or aggregated as a bonded interface) for more bandwidth.

> Where would a pihole function in this scenario?

Pretty well anywhere it’s convenient ! All you need to do is to direct internal devices to use the Pihole for their DNS - and block outbound DNS queries from anything but your internal DNS service. As long as clients can reach it, it doesn’t matter where in the network you put it. According to a comment I read on a different mailing list, you may have to redirect “unauthorised” network traffic with firewall rules - so that devices which use hardcoded external DNS servers can use your internal service.

> How secure can a system be made using firewall(s)?

Probably the only totally secure system is one that’s been shredded, the threads incinerated, and the resulting bits mixed into lumps of concrete which are dropped into the deepest trench in the ocean - but that’s not all that useful :D

If your firewall is reasonably secure in itself, then you can do a lot with a “block everything that’s not allowed” policy. There’s massive scope for tradeoffs between the effort you put into setting up and maintaining the system and the ease of using it. I suspect that for most of us, it’s not too hard to reach a point where the effort needed to break in puts you into “there are simpler ways for those sufficiently resourced to get at you”.

Blocking individual sites gets a bit more tricky, especially these days when there can be so many sites sharing addresses - which change (with the various hosting proxy services). The Pihole does that at the DNS level, or you’d need to set up and use a proxy server - which only works for HTTPS sites if you are able to install your own root certificate on each client.

Obligatory XKCD: https://xkcd.com/538/

Steve Litt wrote:

> Very soon I'll build myself an OpenBSD/pf firewall/router. At that time
> I might set up something like the following:
>
> 11.22.33.440.0/24100.0/24
> INTERNET==SPECTRUM_MODEM_FW/ROUTERBSD/PF==WIRED_LAN
> \\
> \=WIFI_ACCESS_POINT=Laptops
> 0.0/240.0/24
>
> The preceding leaves the Spectrum modem/firewall/router/wifi open to
> the 20005 attack, but that attack can't go anywhere easily. I'll try
> very hard to disable the Spectrum's wifi. The OpenBSD/pf will protect
> the wired network from packets initiated from the Internet or from the
> wifi laptops. I might leave ports 80 and 22 open to the laptops so they
> can get house websites or ssh in. Also, I'll need to have them receive
> DHCP from somewhere, and try to configure the DHCP to specific MAC
> addresses.

That’s one way of doing
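The three points Simon makes above (inter-VLAN traffic crossing the firewall once, a "block everything that's not allowed" policy, and redirecting clients that hard-code an external DNS server onto the internal resolver) written out as an nftables ruleset. This is an added example, not code posted in the thread; the interface names (ppp0 for the WAN, eth1.10 and eth1.20 as VLAN interfaces) and the Pi-hole addresses 192.168.10.53 / 2001:db8:abcd:110::53 are constructed. The script prints the ruleset by default and only loads it with `nft -f` when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. nftables ruleset for a router/firewall
# whose internal networks are VLAN interfaces: default deny, inter-VLAN traffic
# crosses the firewall once, and DNS is forced through the internal resolver.
# Constructed assumptions: WAN on ppp0, VLANs eth1.10 and eth1.20, Pi-hole at
# 192.168.10.53 and 2001:db8:abcd:110::53 (documentation addresses).
set -eu

WAN_IF="${WAN_IF:-ppp0}"
PIHOLE4="${PIHOLE4:-192.168.10.53}"
PIHOLE6="${PIHOLE6:-2001:db8:abcd:110::53}"
APPLY="${APPLY:-0}"

ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    set lan_ifs { type ifname; elements = { "eth1.10", "eth1.20" } }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 must pass: PMTU discovery, neighbour and router discovery
        meta l4proto { icmp, ipv6-icmp } accept
        # services the router offers to internal networks only (DHCPv4, DHCPv6, ssh)
        iifname @lan_ifs udp dport { 67, 547 } accept
        iifname @lan_ifs tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # inter-VLAN traffic: in on one VLAN interface, out on another, one pass
        iifname @lan_ifs oifname @lan_ifs accept
        # only the internal resolver may talk DNS to the outside world
        iifname @lan_ifs oifname $WAN_IF ip saddr != $PIHOLE4 meta l4proto { tcp, udp } th dport 53 drop
        iifname @lan_ifs oifname $WAN_IF ip6 saddr != $PIHOLE6 meta l4proto { tcp, udp } th dport 53 drop
        iifname @lan_ifs oifname $WAN_IF accept
        # nothing else is forwarded; in particular nothing initiated from the Internet
    }
}

table ip nat {
    set lan_ifs { type ifname; elements = { "eth1.10", "eth1.20" } }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # clients with hard-coded external resolvers are redirected to the Pi-hole
        iifname @lan_ifs ip saddr != $PIHOLE4 meta l4proto { tcp, udp } th dport 53 dnat to $PIHOLE4
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # a redirected query from a client on the Pi-hole's own segment needs hairpin
        # NAT, otherwise the reply bypasses the router and the client discards it
        ct status dnat oifname @lan_ifs masquerade
        oifname $WAN_IF masquerade
    }
}
EOF
}

main() {
    if [ "$APPLY" = 1 ]; then
        ruleset | nft -f -      # loaded atomically: all of it or none of it
    else
        ruleset                 # dry run: show what would be loaded
    fi
}
main
```

`ruleset | nft -c -f -` checks the syntax without touching the running firewall. The hairpin masquerade is the price of redirecting clients on the same segment as the Pi-hole: those redirected queries reach the Pi-hole with the router's address as source, so its per-client log entries for them are lost; put the Pi-hole on its own VLAN if that matters. Only IPv4 is redirected here; IPv6 queries to outside resolvers are dropped in the forward chain instead.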
Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)
tempforever said on Mon, 31 Jan 2022 21:11:55 -0500

> o1bigtenor via Dng wrote:
>> Wondering about physical setup.
>> I had thought of running my network (part of it at least) like this:
>>
>> WAN == router == firewall == managed switch == complicated network
>>
>> It has been suggested to me that I should combine the router and
>> the firewall functions into the same machine. Which option (combining
>> functions or separating functions) gives a more robust network?
>>
>> Where would a pihole function in this scenario?
>>
>
> My home network:
>
> WAN (modem) == router/firewall == switch == uncomplicated network
>
> The pihole resides as part of the uncomplicated network, plugged into
> the switch.
>
> My consumer router/firewall has unused ports; it could have gone in one
> of them.
>
> In any case, I'd recommend it being inside the firewall with the rest
> of the network.

Very soon I'll build myself an OpenBSD/pf firewall/router. At that time I might set up something like the following:

11.22.33.440.0/24100.0/24
INTERNET==SPECTRUM_MODEM_FW/ROUTERBSD/PF==WIRED_LAN
\\
\=WIFI_ACCESS_POINT=Laptops
0.0/240.0/24

The preceding leaves the Spectrum modem/firewall/router/wifi open to the 20005 attack, but that attack can't go anywhere easily. I'll try very hard to disable the Spectrum's wifi. The OpenBSD/pf will protect the wired network from packets initiated from the Internet or from the wifi laptops. I might leave ports 80 and 22 open to the laptops so they can get house websites or ssh in. Also, I'll need to have them receive DHCP from somewhere, and try to configure the DHCP to specific MAC addresses.

SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques
Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)
o1bigtenor via Dng wrote:

> Wondering about physical setup.
> I had thought of running my network (part of it at least) like this:
>
> WAN == router == firewall == managed switch == complicated network
>
> It has been suggested to me that I should combine the router and
> the firewall functions into the same machine. Which option (combining
> functions or separating functions) gives a more robust network?
>
> Where would a pihole function in this scenario?
>

My home network:

WAN (modem) == router/firewall == switch == uncomplicated network

The pihole resides as part of the uncomplicated network, plugged into the switch.

My consumer router/firewall has unused ports; it could have gone in one of them.

In any case, I'd recommend it being inside the firewall with the rest of the network.
Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)
I hope that others might also contribute even questions and thereby a document in the 'how to' class is created.

On Mon, Jan 31, 2022 at 5:03 PM Simon wrote:
>
> o1bigtenor via Dng wrote:
>
> > Not only do I want to echo mr Joel but for mr Simon.
> > This gives great information - - - all together AND in a fashion that
> > I think I may even be understanding this.
>
> Thanks, that makes it worthwhile having written it.
> As you might have guessed, I’m in the IPv6 is good camp. Frustratingly my ISP
> ran IPv6 trials several years ago but has since gone quiet - even though
> their parent company (a larger ISP) rolled out IPv6 by default several years
> ago !
>
> > Please would you fashion perhaps 2 or three more messages for
> > intermediate and maybe even extend this into more of the
> > 'advanced' networking country.
>
> I’m not sure there’s all that much I can add. One of the problems of not
> using it often enough is that I’ve forgotten a lot of what I learned when I
> worked through the tunnelbroker certification - which BTW (if it’s still
> part of the deal) will get you what must be one of the geekiest tee shirts
> ever created !
>
> snip
>
> You will want to configure an IPv6 firewall. I used Shorewall for this - it’s
> an amazing package. It’s still usable, but its time is now limited as it’s
> deeply entangled with iptables which is now deprecated and replaced with
> nftables. I imagine that at some point the iptables compatibility shim will
> go away and that will stop Shorewall.
>

I am looking at (have the hardware waiting for pickup) running something like pfSense or OPNsense for a firewall. It seems that either support ipv6 as well.

snip

> >
> > I am not needing ipv6 at present but likely this spring fiber optics
> > are happening (finally some decent speed options) and they are
> > in the process of moving to ipv6 likely within a year or so. I would
> > prefer to know at least some more before I 'need' it.
>
> Good news then - the more ISPs do IPv6 the better. The main thing to remember
> is that IPv4 vs IPv6 is orthogonal to the rest of the stack - the physical
> layer underneath (fibre, ethernet, xDSL, cable, dial-up, damp string, carrier
> pigeon, ...) and the session layers higher up (DNS, HTTP, SMTP, ...).
> Things are not completely disconnected as things need to support the
> differences - e.g. handling 128 bit long addresses, doing lookups as
> well as A, and so on. But (and not speaking as someone who’s had to deal with
> that), I think a lot of that is handled by the standard libraries.
>

Wondering about physical setup.

I had thought of running my network (part of it at least) like this:

WAN == router == firewall == managed switch == complicated network

It has been suggested to me that I should combine the router and the firewall functions into the same machine. Which option (combining functions or separating functions) gives a more robust network?

Where would a pihole function in this scenario?

An air gapped machine is considered the most secure. Doing this makes updating the system more difficult and could make some tasks more difficult. (Business reasons for wanting as high a security as possible.)

How secure can a system be made using firewall(s)?

TIA
Re: [DNG] IPv6 for dummies by a dummy (was: Configuring ethernet port for IPv6)
o1bigtenor via Dng wrote:

> Not only do I want to echo mr Joel but for mr Simon.
> This gives great information - - - all together AND in a fashion that
> I think I may even be understanding this.

Thanks, that makes it worthwhile having written it.
As you might have guessed, I’m in the IPv6 is good camp. Frustratingly my ISP ran IPv6 trials several years ago but has since gone quiet - even though their parent company (a larger ISP) rolled out IPv6 by default several years ago !

> Please would you fashion perhaps 2 or three more messages for
> intermediate and maybe even extend this into more of the
> 'advanced' networking country.

I’m not sure there’s all that much I can add. One of the problems of not using it often enough is that I’ve forgotten a lot of what I learned when I worked through the tunnelbroker certification - which BTW (if it’s still part of the deal) will get you what must be one of the geekiest tee shirts ever created !

One thing I didn’t cover is addressing, and how addresses are represented. https://en.wikipedia.org/wiki/IPv6_address gives a fairly decent overview - apart from perpetuating the myth that EUI-64 addresses are still common - they were deprecated a while ago.

Then I can perhaps outline what you need to do to set up your own router supporting IPv6.

On the ISP end you need the appropriate interface and software. So this may be PPPoE, or direct Ethernet with one of a number of configuration protocols, or ... So the first thing to do is sort out whatever combination of bits will get you connected. One of the problems is that there are a number of different components, that can be used in different combinations - so you’ll need to find out exactly what your ISP uses/supports.

This is all from memory, so can’t rule out errors :-(

In my case, it was a case of using a DSL modem and running PPPoE over an ethernet link. With PPP, LCP (Link Control Protocol) will negotiate the session with the far end PPP service, then the PPP package will configure the protocols you tell it to - IPCP (IP Config Protocol) for IPv4, IPv6CP for IPv6.

Checking my notes, I then had to run a DHCPv6 client to get an IPv6 delegation - in this case asking for a /56 prefix. I manually/statically configured all this with scripts for expedience (we got static IPv6 allocations) - it’s possible to automate steps using features in some of the software, which has generally advanced since I last did this.

So now we should have a working IPv6 link to the ISP and an IPv6 prefix. The link may just have a link-local address (starting fe80:) or it may also have a GUA (Globally Unique Address) as well - depends on the ISP setup and your own setup. So my script then added a GUA address to the PPP interface, a route to the internet via that link, and a different GUA to the internal interface.

At this point, you should have a system that can route packets between an internal device and the internet.

You will want to configure an IPv6 firewall. I used Shorewall for this - it’s an amazing package. It’s still usable, but its time is now limited as it’s deeply entangled with iptables which is now deprecated and replaced with nftables. I imagine that at some point the iptables compatibility shim will go away and that will stop Shorewall.

You now need to configure devices on that internal network. You can do it statically - but that’s a p.i.t.a. So configure and start an RA daemon. Again, as this was a trial and we had static allocations, I just put the prefix in the config file and had my script bring up radvd. This is perhaps one of the steps that would be harder to automate since you need to pick a /64 prefix out of your (hopefully) larger delegation. And you also have the ability to run multiple internal networks with different prefixes.

Once you start up the RA daemon, you should see clients auto-configure and be able to use your new IPv6 service.

> I am not needing ipv6 at present but likely this spring fiber optics
> are happening (finally some decent speed options) and they are
> in the process of moving to ipv6 likely within a year or so. I would
> prefer to know at least some more before I 'need' it.

Good news then - the more ISPs do IPv6 the better. The main thing to remember is that IPv4 vs IPv6 is orthogonal to the rest of the stack - the physical layer underneath (fibre, ethernet, xDSL, cable, dial-up, damp string, carrier pigeon, ...) and the session layers higher up (DNS, HTTP, SMTP, ...). Things are not completely disconnected as things need to support the differences - e.g. handling 128 bit long addresses, doing lookups as well as A, and so on. But (and not speaking as someone who’s had to deal with that), I think a lot of that is handled by the standard libraries.

Simon
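The router-side steps Simon lists (a delegated prefix obtained via DHCPv6, a GUA on the PPP interface, a default route over that link, a GUA on the internal interface, then radvd announcing a /64 carved out of the delegation) as a shell script. This is an added example, not the script from the thread; the delegation 2001:db8:abcd:100::/56, the interface names ppp0 and eth1, and the choice of the first two /64s are constructed, and the PPPoE and DHCPv6 client steps that obtain the delegation are assumed to have already run (the script reads their result from the PD variable). By default it only prints the ip(8) commands and radvd.conf; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not from the thread. Turn a DHCPv6-PD delegation into
# interface addresses, a default route and a radvd.conf, the steps the
# message above describes doing by hand. Dry run unless APPLY=1.
# Constructed assumptions: delegation 2001:db8:abcd:100::/56 (documentation
# prefix), PPP interface ppp0, internal interface eth1.
set -eu

PD="${PD:-2001:db8:abcd:100::/56}"   # what the DHCPv6 client handed us
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
APPLY="${APPLY:-0}"

# subnet_for DELEGATION N: print the N-th /64 inside a /48../64 delegation.
# The delegation must be written with "::" as its tail, e.g. a:b:c:d::/56,
# so the subnet id can be added to the fourth hextet.
subnet_for() {
    pfx="${1%/*}"; plen="${1#*/}"; n="$2"
    [ "$plen" -ge 48 ] && [ "$plen" -le 64 ] ||
        { echo "unsupported delegation length /$plen" >&2; return 1; }
    max=$(( 1 << (64 - plen) ))                # how many /64s the delegation holds
    [ "$n" -ge 0 ] && [ "$n" -lt "$max" ] ||
        { echo "subnet index $n outside 0..$((max - 1))" >&2; return 1; }
    head="${pfx%%::*}"                         # the explicit leading hextets
    IFS=: read -r h1 h2 h3 h4 <<EOF
$head
EOF
    # hextets missing before the "::" are zero; the subnet id lands in the 4th
    printf '%s:%s:%s:%x::/64\n' "$h1" "${h2:-0}" "${h3:-0}" $(( 0x${h4:-0} + n ))
}

# host_in SUBNET/64 HOSTID: an address inside that /64, e.g. ...::1/64
host_in() {
    printf '%s::%s/64\n' "${1%%::*}" "$2"
}

wan_net() { subnet_for "$PD" 0; }   # first /64: the GUA on the PPP link
lan_net() { subnet_for "$PD" 1; }   # second /64: the internal network

# The ip(8) commands that give the router its addresses and default route.
render_ip_cmds() {
    cat <<EOF
ip -6 addr add $(host_in "$(wan_net)" 1) dev $WAN_IF
ip -6 route replace default dev $WAN_IF
ip -6 addr add $(host_in "$(lan_net)" 1) dev $LAN_IF
sysctl -w net.ipv6.conf.all.forwarding=1
EOF
}

# Minimal radvd.conf announcing the internal /64 so clients autoconfigure.
render_radvd_conf() {
    cat <<EOF
interface $LAN_IF {
    AdvSendAdvert on;
    prefix $(lan_net) {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

main() {
    if [ "$APPLY" = 1 ]; then
        render_ip_cmds | sh -e
        render_radvd_conf > /etc/radvd.conf
        radvd
    else
        echo "# dry run - ip commands:"; render_ip_cmds
        echo "# dry run - /etc/radvd.conf:"; render_radvd_conf
    fi
}
main
```

A second internal network is just `subnet_for "$PD" 2` on another interface with its own `interface` stanza in radvd.conf; the index check keeps you from announcing a /64 that lies outside the delegation, which the ISP would never route back to you. Bring the firewall ruleset up before the forwarding sysctl, otherwise the box forwards unfiltered for the moment in between.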