Adding IPV6 to my home network - and putting on the brakes

[depontius]

First I'll say that after years of participating here, I've been generally absent for a bunch of years as well. Now I need help, and this is probably the best place to get it. In return I'll try to be helpful to others - I believe I used to be and can do it again.

Recently my front-line appliance router needed replacement - they seem to be one of the less reliable parts. In the process I discovered that my cable modem was obsolete, so I ended up replacing it as well. While wandering through both I discovered that both are IPV6-ready. So this morning I installed the latest'n'greatest gentoo-sources and enabled IPV6. Then I took "-ipv6" out of make.conf and am rebuilding my main system to be IPV6-ready. (It's still running, 80 of 103, because it includes the generaly weekly updates as well as IPV6.) Then I started looking harder at the IPV6 section of the router manual.

My router doesn't really have an SPI firewall. It has a few firewall functions for things like SYN floods and a few other attacks, but in general it's just got NAT for protection. If I were to turn on IPV6 my home network would be out there with no firewall at all. So that aspect is being delayed. In the meantime, I think I'll keep it enabled for learning purposes.

Question one... I run my network with sort-of static IP served through DHCP. I have a pool for dynamic addresses, but for most of my systems I have the MACs coded into dhcpd.conf and fetch the IP from the local zone of my BIND nameserver to hand out. The MACs are coded into one file, the IPs are coded into two - the forward and reverse zone files. At some point in this IPV6 journey it would be nice to have those addresses properly resolve to names and vice versa. However I'd want this only on my home network, I don't think I could push my names out to the internet even if I wanted to. The odd thing is though that once IPV6 is working properly, it looks like the upper half (or so) of the address will be coming from Comcast and the lower half (or so) from my local configuration. Can someone explain how the two halves get married together in BIND? I see things about router advertisements and multicast channels for pushing the prefix around, but I'm not sure how they get married together for local DNS to work. Or is this a silly question and no one would want to do this anyway?

My old network architecture had an appliance firewall with a subnet behind it, then a bastion host acting as a second firewall and my home network behind that. I may have to go back to that configuration, or maybe I just have the wrong appliance firewall. It's hard to find wired-only home routers these days.
_________________
.sigs waste space and bandwidth

[pietinger]

depontius,

please allow me to make some general recommendations:

a) I dont know if you use iptables or nftables for your firewalls; with a dual stack I recommend nftables (better than iptables+ip6tables). Maybe this link could be helpful:
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

b) You will need some knowledge about IPv6. Maybe this link could be helpful:
https://tldp.org/HOWTO/Linux+IPv6-HOWTO/

(see also here: https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s05.html )

c) IPv6 adresses have a part called "prefix" (this is the "first half" of your IPv6 address; some other provider will use only 48 bit). It is set by your internet provider. The other half is for you. You can use all these addresses for your stations in your local network (more than you ever will need).

d) I always recommend to use a personal firewall (at minimum on every server in your DMZ) - additionally - even if you have a network firewall.

I am sorry I cant help with your questions to DHCP because I would need many more informations.

[NeddySeagoon]

depontius,

An IPv6 /64 is the smallest that is supposed to be allocated to a network. You can subnet it, but you are not supposed to.
My provider gives me a /64 for my uplink, which is PPPoE, so at most, it uses 2 IP addresses from that entire /64.
Then I get a separate delegated /48 prefix for my home network. That's 65,536 /64 prefixes.

When I signed up the the trial, they asked if a /48 would be enough for my subnets :)

My /48 was statically assigned. Now its dynamic, The range never changes but my ISP drops my unused /64 at their boundary, instead of passing rubbish to me.
Not that there every was very much, the IPv6 address space is almost empty, so port scanning is rare.

My setup is described on the wiki.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[depontius]

[NeddySeagoon]

depontius,

IPv6 addresses starting with digit 2 or 3 are public. That's the big bad internet delivered right to your system.

IPv6 also has site local and link local addressing, much like IPv4.
Like IPv4, its a convention. Your boundary router is supposed to not route outbound packets in these address ranges. Nobody else will route them either.
It should be safe to play with IPv6 using the site local address range.

The worst that can happen is that your ISP asks you not to sent them any site local packets. :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[depontius]

[szatox]

Do you even need firewall on router when using local addresses?
I mean, nobody will be able to call your machine through NAT anyway unless you explicitly redirect a port, right?
And if you set up an actual server, with a routable address, you should absolutely configure a firewall directly on that machine anyway, making a firewall on your router redundant.

[depontius]

[szatox]

[depontius]

[szatox]

Huh, that's weird.
My rpi replies to ping6 ff02::1 on both interfaces, directly attached ethernet, and over wifi going through a SOHO router, and it uses link-local addresses.
AFAIR the router itself is older than ipv6, so no wonder it does not respond itself.

Perhaps there is something else wrong with your setup. Say, wired interface has higher priority and multicasts will be sent there instead of wifi whenever its flagged UP and LOWER_UP.
Also, link-local unicast does not know which network device it should use, so you often must explicitly name the interface.
You've got yourself quite a complicated situation there. I wonder what the actual problem is, it's not supposed to behave they way you report it. BTW, can avahi discover stuff on your network? It might at least provide some information...
I would still try to put IOT things on link-local, I suppose they are internal-use-only and you're just cutting costs by putting them on the same LAN as everything else.

[depontius]

[NeddySeagoon]

depontius,

Being old, cynical and paranoid, I've always had trusted and untrusted devices on their own subnets on their own wires.
Until recently, that split nicely into wired and wifi. That continued with IPv6, so they have their own public IPv6 /64s

Trusted == Gentoo
Untrusted == Android, Windows, TVs and Blue ray.

The amount of outgoing junk from Android that my firewall drops, trying to establish its own VPN with Google ...
My work Windows laptop does the same thing with Microsoft but if I drop that, some things don't work.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[depontius]

[szatox]

I guess that ip command was ip neigh
I think it only shows neighbors you already talked to. Not sure, I haven't looked too deep into this one.

Pinging a multicast address on the other hand effectively requests your neighbors to introduce themselves. Chances are ip n will report more entries afterwards.
And yes, % specifies the interface. And some programs will even accept an IP with %if appended and will force the outgoing traffic via the explicitly named interface.