Author Topic: Is IPv6 important at home?  (Read 5465 times)

0 Members and 1 Guest are viewing this topic.

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4298
  • Country: it
  • EE meid in Itali
Is IPv6 important at home?
« on: November 21, 2019, 03:03:31 pm »
With my new ISP Modem, I finally got an IPv6/64 address.
Unfortunately that modem with IPv6 do not play well with my pfSense and my Home VPN Server do not work anymore.

I can easily go back to IPv4 but once it is done my ISP do not let me revert to IPv6 ( :palm:).

I am pondering what to do:

1) Following the rabbit IPv6 hole and try to understand what is going on: learning experience for sure.
2) Bugger off the IPv6 jazz and 5 minute later have a working PfSense system as before.

I need a strategic decision: do you think an IPv6 is so important in 2019? Should I spend my time to get an IPv6 System up and running?

I mean, I was using an IPv4 until yesterday with no problem.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: Is IPv6 important at home?
« Reply #1 on: November 21, 2019, 03:17:57 pm »
Not yet, but it mostly depends on your ISP.

That said, if you have IPv6 at home (I do) you will notice that many big services (Google, Netflix to name a few) prefer to serve over IPv6. There is no shortage of IPv6 addresses, which makes their life much easier.

Even EEVBlog is accessed over IPv6 if you have it, because its anti DDoS provider (Cloudflare) uses it.

IPv6 is most important for the deployment of large new services. And in case a new Google appeared your access may be impaired if you were using IPv4 due to increased complexity (address translation, etc).

On the other hand, IPv6 comes with its own security issues. Old NAT allows you to be very sloppy when setting up your network. Not that it's a good thing but it's a fact.

pfSense should work with IPv6. What's the problem?
 

Offline NivagSwerdna

  • Super Contributor
  • ***
  • Posts: 2495
  • Country: gb
Re: Is IPv6 important at home?
« Reply #2 on: November 21, 2019, 03:20:54 pm »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Is IPv6 important at home?
« Reply #3 on: November 21, 2019, 04:24:15 pm »
I need a strategic decision: do you think an IPv6 is so important in 2019? Should I spend my time to get an IPv6 System up and running?

Yes, IPv6 is important. There will more and more servers/services only reachable by IPv6 because of the lack of IPv4 addresses.

Back to your problem. For dual stack access most ISPs provide an IPv4 address (via PPP), an IPv6 /64 transfer network (via DHCPv6) and an IPv6 prefix for your LAN (Prefix Delegation via DHCPv6). Some ISPs use the change to dual stack for rolling out DS-lite or CGNAT for IPv4. So the first step is to figure out what your ISP actually supports.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4298
  • Country: it
  • EE meid in Itali
Re: Is IPv6 important at home?
« Reply #4 on: November 21, 2019, 04:41:33 pm »
I have Vodaphone Kabel-Deutschland.
They support DS-lite (which is a poor solution in my eyes) and that stupid modem won't let me use my VPN in Pfsense anymore.

If I go with a Bridge modem, the IPv6 will not be supported and I go back to IPv4 forever.  :palm:

Here the Details since you are German:
https://forum.vodafone.de/t5/Internet-Ger%C3%A4te/Ich-m%C3%B6chte-IPV6-im-mein-Netz-aktivieren-haben/td-p/1870091

Real Dual Stack is offered only for business customer as I unterstood.

What about a ipv4 system with a pfsense tunnel to IPV6?
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline mk_

  • Regular Contributor
  • *
  • Posts: 225
  • Country: at
Re: Is IPv6 important at home?
« Reply #5 on: November 21, 2019, 04:45:52 pm »

I can easily go back to IPv4 but once it is done my ISP do not let me revert to IPv6 ( :palm:).


regardless of IP4 or IP6 - I would change provider as soon as possible...
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4298
  • Country: it
  • EE meid in Itali
Re: Is IPv6 important at home?
« Reply #6 on: November 21, 2019, 04:46:09 pm »
pfSense should work with IPv6. What's the problem?

Give me some time I need to draw a picture so you will understand.
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4298
  • Country: it
  • EE meid in Itali
Re: Is IPv6 important at home?
« Reply #7 on: November 21, 2019, 04:47:36 pm »
regardless of IP4 or IP6 - I would change provider as soon as possible...

It is unfortunately the only one which go to 400MB all the others are VDSL max 100MB.

 :horse:
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Is IPv6 important at home?
« Reply #8 on: November 21, 2019, 05:13:01 pm »
They support DS-lite (which is a poor solution in my eyes) and that stupid modem won't let me use my VPN in Pfsense anymore.

The VPN would work via IPv6.

What about a ipv4 system with a pfsense tunnel to IPV6?

That shouldn't be any problem. IIRC, HEnet still offers a free 6in4 service.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Is IPv6 important at home?
« Reply #9 on: November 21, 2019, 05:19:06 pm »
The proliferation of NAT has made IPV6 unnecessary in most cases. The days of giving every device on the entire internet a unique IP address are long over, you'd be crazy to put all your stuff directly out there accessible to anybody, you need some kind of firewall anyway, might as well just use NAT and only forward the ports needed.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: Is IPv6 important at home?
« Reply #10 on: November 21, 2019, 05:20:06 pm »
Not yet, but it mostly depends on your ISP.

That said, if you have IPv6 at home (I do) you will notice that many big services (Google, Netflix to name a few) prefer to serve over IPv6. There is no shortage of IPv6 addresses, which makes their life much easier.

Even EEVBlog is accessed over IPv6 if you have it, because its anti DDoS provider (Cloudflare) uses it.

IPv6 is most important for the deployment of large new services. And in case a new Google appeared your access may be impaired if you were using IPv4 due to increased complexity (address translation, etc).

On the other hand, IPv6 comes with its own security issues. Old NAT allows you to be very sloppy when setting up your network. Not that it's a good thing but it's a fact.

pfSense should work with IPv6. What's the problem?
The impact of IPv6 on NAT and the security of your network is important to understand.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Is IPv6 important at home?
« Reply #11 on: November 21, 2019, 05:49:08 pm »
The proliferation of NAT has made IPV6 unnecessary in most cases. The days of giving every device on the entire internet a unique IP address are long over, you'd be crazy to put all your stuff directly out there accessible to anybody, you need some kind of firewall anyway, might as well just use NAT and only forward the ports needed.

Sorry, but NAT isn't a security feature:
- https://blog.webernetz.net/why-nat-has-nothing-to-do-with-security/
- https://www.f5.com/services/resources/white-papers/the-myth-of-network-address-translation-as-security

Your CPE or SOHO router includes a firewall anyway. The basic setup of the firewall is to allow everything out and nothing in, besides traffic for established connections. When your CPE supports IPv6 it does the same for IPv6.

You need IPv6. If I would add 10k servers to my data center I wouldn't get 10k IPv4 addresses, because there are almost none available from the RIRs. And NAT wouldn't be able to solve that.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Is IPv6 important at home?
« Reply #12 on: November 21, 2019, 07:14:53 pm »
Keep in mind this thread is about *home* networks, not a company that has an IT department and people whose job it is to set this stuff up. The average home user is just going to buy a device, plug it into their network and call it done. NAT on its own is not going to provide a lot of security but it does isolate all the stuff they plug in internally from the outside world and all of the home routers that provide NAT also have a firewall.

Either way I don't see IPv4 and NAT going away any time soon. All the hacks and workarounds to make it work are already in place, there is little incentive for most people to change it.
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4298
  • Country: it
  • EE meid in Itali
Re: Is IPv6 important at home?
« Reply #13 on: November 21, 2019, 09:20:29 pm »
pfSense should work with IPv6. What's the problem?

Here my working (but no VPN) IPv4 Network with the new modem:



and here what I am trying to deal with (sorry for the German):



my questions are:

1) What is the right IPv6 cinfiguration for the WAN PfSense and the LAN Pfsense, those are my choices:



2) Do I have to set up a Gateway [GW] IPv6 in PfSense?

I should have post this in the pfSense forum, if you can help you are a Legend.  :-+

 
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: Is IPv6 important at home?
« Reply #14 on: November 21, 2019, 10:43:15 pm »
Sorry, but NAT isn't a security feature:
- https://blog.webernetz.net/why-nat-has-nothing-to-do-with-security/
- https://www.f5.com/services/resources/white-papers/the-myth-of-network-address-translation-as-security
Of course not. It’s a horrible kludge. But as a side effect it has prevented lots of incidents and it offers some privacy advantages compared to IPv6.

Sorry in Spanish (and I had very little time to write it, so not exactly a good read)

https://www.esnog.net/gore19/gore19-files/DireccionesEfimerasIPv6.pdf

 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Is IPv6 important at home?
« Reply #15 on: November 22, 2019, 12:29:49 pm »
Regarding DS lite and IPv4 some source says that Vodafone / Kabel Deutschland will roll out PCP (https://en.wikipedia.org/wiki/Port_Control_Protocol) next year 'til summer. PCP allows you to request a port forwarding by the CGN box.
 

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: Is IPv6 important at home?
« Reply #16 on: November 22, 2019, 01:34:19 pm »
I don't know pfSense, but in general use SLAAC.

The modem should be sending out IPv6 Router advertisements that will contain your ISP assigned IPv6 prefix and the gateway IP which will allow pfSense to configure the WAN interface.
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 4922
  • Country: si
Re: Is IPv6 important at home?
« Reply #17 on: November 22, 2019, 02:14:13 pm »
I don't have IPv6 yet but i am interested in seeing what this is all about so that i will be ready.

So if i understand correctly the ISP will only assign you the first part of your IP, allowing you to use all IPs within that IP range. The router will then DHCP assign these IPs to all the devices inside your LAN. No complex TCP/IP routeing will be needed by the router because packets will come from the internet destined at the devices IP.

Then firewall has to specifically be set up so that it doesn't just let any packet from the internet into the LAN onto those internal IPs, but allow all traffic between these IPs inside the LAN. Otherwise you could end up in a situation similar to plugging your PC directly into a modem without routeing and exposing all of your ports to the entire internet.

Did i get it right?
 

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: Is IPv6 important at home?
« Reply #18 on: November 22, 2019, 04:19:46 pm »
I don't have IPv6 yet but i am interested in seeing what this is all about so that i will be ready.

So if i understand correctly the ISP will only assign you the first part of your IP, allowing you to use all IPs within that IP range. The router will then DHCP assign these IPs to all the devices inside your LAN. No complex TCP/IP routeing will be needed by the router because packets will come from the internet destined at the devices IP.

Yes. It's more complicated than IPv4 because there are some rules. A local area network should have a /64 prefix assigned so that the IPv6 address assignment mechanisms (for example, SLAAC based on the MAC address) work. If you want to create more networks you should request more /64 segments. Some corporate ISPs assign, for example, /48 prefixes which you can split into /64's in order to use them for several nets.

Indeed, there is no need for NAT. Every device in your network can have its own IP address. Even every service in your network can have its own IPv6 address.


Quote
Then firewall has to specifically be set up so that it doesn't just let any packet from the internet into the LAN onto those internal IPs, but allow all traffic between these IPs inside the LAN. Otherwise you could end up in a situation similar to plugging your PC directly into a modem without routeing and exposing all of your ports to the entire internet.

Did i get it right?
Yes and no. Filtering incoming connections is going to be very important of course. Also, the failure mode is different from the IPv4 NAT router. In IPv4 with NAT a misconfigured router is more likely to prevent any incoming connection. So your crappy webcam, baby monitor, etc, will be "safe" from the Internet.

With IPv6, a misconfigured router with no filtering might leave everything open.

On the other hand, the IPv6 address space is so huge there are no address scans. I have been monitoring my line for two years (a whole /48) and I haven't seen any scans yet.

However, remember that when you visit a website (which could be a malicious website, for example, linked from a spam email message) you are making your IPv6 address known and you might receive a port scan.

I like to make a warfare analogy to compare IPv4 and IPv6. If IPv4 is like land warfare, in which your position is likely known and you rely on trenches, armor, etc, IPv6 is more like war at sea. You can hide in such a vast place and you can be really difficult to find. However, you can reveal your position by transmitting a radio signal.

As it happens in naval warfare, with IPv6 you can do the equivalent of scattering your ships, though. Imagine that your computer has some file sharing application to use at home and, at the same time, you are browsing the web. You can use randomly generated throw-away IPv6 addresses for web browsing, while your file sharing service listens on a different address. If properly generated (ie, not guessable) and your service doesn't listen on the temporary addresses, it won't be feasible to find your file sharing service doing an address scan, so for all practical purposes it will be reasonably secure without a firewall.

The throw away addresses for outgoing connections are already standard behavior, but in my article linked some posts ago I propose to tweak that mechanism so that those temporary addresses are not available for sockets listening on INADDR6_ANY.

« Last Edit: November 22, 2019, 04:24:41 pm by borjam »
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
Re: Is IPv6 important at home?
« Reply #19 on: November 22, 2019, 08:09:07 pm »
The proliferation of NAT has made IPV6 unnecessary in most cases. The days of giving every device on the entire internet a unique IP address are long over, you'd be crazy to put all your stuff directly out there accessible to anybody, you need some kind of firewall anyway, might as well just use NAT and only forward the ports needed.

 While true, back in the early days there were far too many class A blocks given out, and if you think companies that have had a class A block since the earliest days are willing to give them up....

I STILL run in to people who do things like use a publicly routable subnet as their internal network (not a block they own, either), or use an internal DNS domain name they do not own and then wonder why they can't buy SSL certificates to secure it...
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Is IPv6 important at home?
« Reply #20 on: November 22, 2019, 08:46:38 pm »
Neither can you get an SSL cert for private addresses (RFC1918 and RFC4193). ;D
 

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4298
  • Country: it
  • EE meid in Itali
Re: Is IPv6 important at home?
« Reply #21 on: November 24, 2019, 06:39:15 pm »
Ok I give up...

I set the modem in bridge mode and got IPV4 only as expected.

VPN works and everything is back to normal.
Lesson learned: as long the ISP does not provide an IPV6 WITH a modem in bridge mode... run forrest run.

A modem not in bridge mode or with no DMZ option is just a pain in the ass with Pfsense.
« Last Edit: November 25, 2019, 07:51:26 am by zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 
The following users thanked this post: NivagSwerdna

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
 

Offline SilverSolder

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Is IPv6 important at home?
« Reply #23 on: November 26, 2019, 02:43:03 pm »

Keeping things simple and reliable is always the best long term solution...
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7695
  • Country: de
  • A qualified hobbyist ;)
Re: Is IPv6 important at home?
« Reply #24 on: November 26, 2019, 03:32:06 pm »
IPv6 comes with new concepts and some users might be afraid of the changes, but IPv6 is a necessity and will stay for quite a while. The big problem with deploying IPv6 is that a lot of ISPs, companies and users are holding on IPv4 and delaying things, despite they had more than enough time (two decades) to get used to it. Now we are running out of IPv4 address space and soon all those mentioned will be forced to deploy IPv6 in a hurry. What could possibly go wrong? >:D Same story for CPE manufacturers. Only a few sell CPEs with proper IPv6 support. A lot of CPEs come with half-baked IPv6. BTW, OpenWrt does IPv6 quite well (some minor quirks with PD).
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf