donnachangstein 2 days ago

Globally routable doesn't mean you don't have firewalls in between filtering and blocking traffic. You can be globally routable but drop all incoming traffic at what you define as a perimeter. E.g. the WAN interface of a typical home network.

The concept is frequently misunderstood in that IPv4 consumer SOHO "routers" often combine a NAT and routing function with a firewall, but the functions are separate.

2
rerdavies 2 days ago

It is widely understood that my SOHO router provides NAT for IPv4, and routing+firewall (but no NAT) for IPv6. And provides absolutely no configurability for the IPv6 firewall (which would be extremely difficult anyway) because all of the IPv6 addresses allocated to devices on my home network are impermanent and short-lived.

vel0city 1 day ago

You can make those IPv6 IP addresses permanent and long-lived. They don't need to be short-lived addresses.

Also, I've seen lots of home firewalls which will identify a device based on MAC address for match criteria and let you set firewall rules based on those, so even if their IPv6 address does change often it still matches the traffic.

mixmastamyk 1 day ago

There’s something about ip6 addresses being big as a guid that makes them hard to remember. Seem like random gibberish, like a hash. But I can look at an ip4 address like a phone number, and by looking tell approximately its rules.

Maybe there’s a standard primer on how to grok ip6 addresses, and set up your network but I missed it.

Also devices typically take 2 or 4 ip6 addresses for some reason so keeping on top of them is even harder.

vel0city 1 day ago

A few tips:

When just looking at hosts in your network with their routable IPv6 address, ignore the prefix. This is the first few segments, probably the first four in most cases for a home network (a /64 network). When thinking about firewall rules or having things talk to each other, ignore things like "temporary" IP addresses.

So looking at this example:

   Connection-specific DNS Suffix  . : home.arpa
   IPv6 Address. . . . . . . . . . . : 2600:1700:63c9:a421::2000
   IPv6 Address. . . . . . . . . . . : 2600:1700:63c9:a421:e17f:95dd:11a:d62e
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:9d5:6286:67d9:afb7
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:4471:e029:cc6a:16a0
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:91bf:623f:d56b:4404
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:ddca:5aae:26b9:a53c
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:fc43:7d0a:7f8:e4c8
   Link-local IPv6 Address . . . . . : fe80::7976:820a:b5f5:39c3%18
   IPv4 Address. . . . . . . . . . . : 192.168.20.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::ec4:7aff:fe7f:d167%18
                                       192.168.20.254
Ignore all those temporary ones. Ignore the longer one. You can ignore 2600:1700:63c9:a421, as that's going to be the same for all the hosts on your network, so you'll see it pretty much everywhere. So, all you really need to remember if you're really trying to configure things by IP address is this is whatever-is-my-prefix::2000.

But honestly, just start using DNS. Ignore IP addresses for most things. We already pretty much ignore MAC addresses and rely on other technologies to automatically map IP to MAC for us. It's pretty simple to get a halfway competent DNS setup going on, so many home routers will have things going by default, and it's just way easier to do things in general. I don't want to have to remember my printer is at 192.168.20.132 or 2600:1700:63c9:a421::a210 I just want to go to http://brother or ipp://brother.home.arpa and have it work.
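The tips above, carried out mechanically, as an added example (not code from vel0city or anyone in the thread): parse an ipconfig dump, find the /64 every routable address shares, drop the temporary and link-local ones, and render what is left relative to the prefix. The sample text is constructed to match the ipconfig output quoted above; the function names and the EUI-64 helper (for spotting addresses that embed a MAC, which is what a MAC-keyed firewall rule is really tracking) are this example's own.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed sample, modelled on the ipconfig output quoted above.
SAMPLE_IPCONFIG = """\
   Connection-specific DNS Suffix  . : home.arpa
   IPv6 Address. . . . . . . . . . . : 2600:1700:63c9:a421::2000
   IPv6 Address. . . . . . . . . . . : 2600:1700:63c9:a421:e17f:95dd:11a:d62e
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:9d5:6286:67d9:afb7
   Temporary IPv6 Address. . . . . . : 2600:1700:63c9:a421:4471:e029:cc6a:16a0
   Link-local IPv6 Address . . . . . : fe80::7976:820a:b5f5:39c3%18
   IPv4 Address. . . . . . . . . . . : 192.168.20.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::ec4:7aff:fe7f:d167%18
                                       192.168.20.254
"""


def _addr(x):
    return x if isinstance(x, IPv6Address) else IPv6Address(x)


def parse_ipconfig(text):
    """Return [(label, IPv6Address)] for every IPv6 line of an ipconfig dump.

    Labels are ipconfig's field names with the dot leaders removed
    ("IPv6 Address", "Temporary IPv6 Address", "Default Gateway", ...).
    Zone indexes such as "%18" are dropped so addresses compare cleanly.
    """
    entries = []
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")
        if not sep:
            continue                 # blank and continuation lines
        value = value.strip().split("%", 1)[0]
        try:
            addr = IPv6Address(value)
        except ValueError:
            continue                 # IPv4 address, mask, DNS suffix
        entries.append((label.strip().rstrip(" ."), addr))
    return entries


def lan_prefix(entries, prefixlen=64):
    """The one /64 every globally routable address falls in, else None."""
    nets = {IPv6Network((addr, prefixlen), strict=False)
            for _, addr in entries if addr.is_global}
    return nets.pop() if len(nets) == 1 else None


def short_form(addr, net):
    """Render addr relative to net: 2600:1700:63c9:a421::2000 -> '::2000'."""
    addr = _addr(addr)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return str(IPv6Address(int(addr) - int(net.network_address)))


def stable_addresses(entries):
    """The addresses a firewall rule should name: global and not temporary.

    The temporary (RFC 4941) ones rotate; the link-local one is only valid
    on the segment; the gateway is not this host at all.
    """
    return [addr for label, addr in entries
            if addr.is_global and not label.startswith("Temporary")]


def eui64_to_mac(addr):
    """MAC behind a modified-EUI-64 interface identifier, or None.

    SLAAC hosts that derive the IID from the MAC insert ff:fe in the middle
    and flip the universal/local bit of the first octet; stacks using random
    stable IIDs (RFC 7217) or a manual ::2000-style suffix give None.
    """
    iid = _addr(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    entries = parse_ipconfig(SAMPLE_IPCONFIG)
    net = lan_prefix(entries)
    print(f"LAN prefix: {net}")
    for addr in stable_addresses(entries):
        print(f"  firewall this one: {addr}  ->  {short_form(addr, net)}")
    for label, addr in entries:
        if (mac := eui64_to_mac(addr)) is not None:
            print(f"  {label} {addr} embeds MAC {mac}")
```

Run against the sample it reports the prefix 2600:1700:63c9:a421::/64, two stable addresses (::2000 and ::e17f:95dd:11a:d62e), and that the gateway's fe80::ec4:7aff:fe7f:d167 is an EUI-64 address built from MAC 0c:c4:7a:7f:d1:67, so it is as permanent as the router's NIC. The five temporary addresses never reach a rule.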

mixmastamyk 1 day ago

Helps, thanks a lot!

But as you can see this is still an explosion of complexity for the home user. More than 4x (32 --> 128), feels like x⁴ (though might not be accurate).

I like your idea of "whatever..." There should be a "lan" variable and status could be shown factored, like "$lan::2000" to the end user perhaps.

I do use DNS all the time, like "printer.lan", "gateway.lan", etc. But don't think I'm using in the router firewall config. I use openwrt on my router but my knowledge of ipv6 is somewhat shallow.

bombela 1 day ago

At home, with both IP v4 and v6. For any device exposed on the Internet, I add a static IPv6 address with the host part the same as the IPv4 address.

example: 2001:db8::192.168.0.42

This makes it very easy to remember, correlate and firewall.

mixmastamyk 1 day ago

Ok, that parses somehow in Python, matches, and is apparently legit. ;-)

    >>> from ipaddress import IPv6Address as address
    >>> address('2001:db8::192.168.0.42')
    IPv6Address('2001:db8::c0a8:2a')
    >>> int('2a', 16)
    42
Openwrt doesn't seem to make ipv6 static assignment easy unfortunately.
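bombela's scheme and the Python check above, as an added example that is neither commenter's code: build <prefix>::<v4> addresses, recover the IPv4 address from one, spell it in the RFC 4291 dotted-quad form (the canonical form is hex, as the REPL session shows), and emit the matching IPv4/IPv6 firewall rule pair. The nftables rule syntax is assumed as the firewall in use; the 2001:db8::/64 documentation prefix is the one from bombela's example.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def _addr(x):
    return x if isinstance(x, IPv6Address) else IPv6Address(x)


def _net(x):
    return x if isinstance(x, IPv6Network) else IPv6Network(x, strict=True)


def embed_v4(prefix, v4):
    """<prefix>::<v4>: the IPv4 address becomes the low 32 bits of the host
    part and every other host bit is zero."""
    net, v4 = _net(prefix), IPv4Address(v4)
    if net.prefixlen > 96:
        raise ValueError(f"{net} leaves fewer than 32 host bits")
    return IPv6Address(int(net.network_address) | int(v4))


def extract_v4(v6, prefix):
    """Inverse of embed_v4, or None when v6 is not of the form <prefix>::<v4>
    (outside the prefix, or host bits above the IPv4 field set)."""
    net, v6 = _net(prefix), _addr(v6)
    if v6 not in net:
        return None
    host = int(v6) - int(net.network_address)
    return None if host >> 32 else IPv4Address(host)


def dotted_form(v6, prefix):
    """Spell the address with the dotted quad visible, e.g.
    2001:db8::c0a8:2a -> 2001:db8::192.168.0.42 (RFC 4291 section 2.2 form).
    Falls back to canonical hex if the address is not an embedded one."""
    net = _net(prefix)
    v4 = extract_v4(v6, net)
    head = str(net.network_address)
    if v4 is None or not head.endswith("::"):
        return str(_addr(v6))
    return f"{head}{v4}"


def paired_rules(prefix, v4, dport, proto="tcp"):
    """nftables rule bodies admitting the same service over both families.
    The host part of the IPv6 address is the IPv4 address, so the two rules
    visibly belong together when someone reviews the ruleset."""
    v4 = IPv4Address(v4)
    v6 = embed_v4(prefix, v4)
    return (f"ip daddr {v4} {proto} dport {dport} accept",
            f"ip6 daddr {v6} {proto} dport {dport} accept")


if __name__ == "__main__":
    lan = "2001:db8::/64"            # documentation prefix from the thread
    for v4 in ("192.168.0.42", "192.168.0.7"):
        v6 = embed_v4(lan, v4)
        print(f"{v4:>15} -> {v6}  ({dotted_form(v6, lan)})")
    for rule in paired_rules(lan, "192.168.0.42", 22):
        print("  ", rule)
```

The `host >> 32` check in extract_v4 is the one worth keeping: an address like 2001:db8::1:c0a8:2a is inside the prefix and ends in the same 32 bits, but it is not an embedded address, and a rule written from the dotted form would silently not match it.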

ryanisnan 2 days ago

That makes sense. I do love the idea of living in a world without NAT.

fiddlerwoaroof 2 days ago

I don’t: NAT may have been a hack at first, but it’s my favorite feature provided by routers and why I disable ipv6 on my local network

TheDong 2 days ago

Why do you like NAT?

Does your router being slower and taking more CPU make you feel happy?

Do you enjoy not seeing the correct IP in remote logs, thus making debugging issues harder?

Do you like being able to naively nmap your local network fairly easily?

fiddlerwoaroof 1 day ago

I like all the computers in my house appearing to remote servers as a single remote host. Avoids leaking details about my home network.

mixmastamyk 1 day ago

Perf concerns over 32-bit numbers ended in the nineties. Who at home cares about remote logs?