OT - "open source" firewalls and hardware.
Flame retardant thermal ware in place. In the Dim Time, I used IPCop for a few years. When support for that faded, I opted for a hardware unit provided by a vendor I was a "partner" with. They discontinued that platform and will not support it in the future. I'm facing pursuing upgrading with them or returning to the open source playground on either existing hardware or an APU1 or APU2 type box. Suggestions? Pointers to current "best in class" information?
On 2022-12-19 16:29, joe a wrote:
Flame retardant thermal ware in place. In the Dim Time, I used IPCop for a few years. When support for that faded, I opted for a hardware unit provided by a vendor I was a "partner" with. They discontinued that platform and will not support it in the future.
I'm facing pursuing upgrading with them or returning to the open source playground on either existing hardware or an APU1 or APU2 type box.
Suggestions? Pointers to current "best in class" information?
I've been using pfSense for almost 7 years, running for the past couple on a Qotom mini PC with i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports. It works very well. I used to run a firewall based on openSUSE Linux, but switched to pfSense to get support for DHCPv6-PD, which is used to provide IPv6 prefixes. I have my network configured with a main LAN, with VLAN for guest WiFi, a test LAN, connection to a Cisco router and an OpenVPN. I also run a DNS resolver and NTP server on it.
On 12/19/2022 4:46 PM, James Knott wrote:
On 2022-12-19 16:29, joe a wrote:
Flame retardant thermal ware in place. In the Dim Time, I used IPCop for a few years. When support for that faded, I opted for a hardware unit provided by a vendor I was a "partner" with. They discontinued that platform and will not support it in the future.
I'm facing pursuing upgrading with them or returning to the open source playground on either existing hardware or an APU1 or APU2 type box.
Suggestions? Pointers to current "best in class" information?
I've been using pfSense for almost 7 years, running for the past couple on a Qotom mini PC with i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports. It works very well. I used to run a firewall based on openSUSE Linux, but switched to pfSense to get support for DHCPv6-PD, which is used to provide IPv6 prefixes.
I have my network configured with a main LAN, with VLAN for guest WiFi, a test LAN, connection to a Cisco router and an OpenVPN. I also run a DNS resolver and NTP server on it.
Thanks. It appears pfSense will still run on an APU1c I just dusted off. I'll play with that for a while.
On 12/19/22 15:29, joe a wrote:
Flame retardant thermal ware in place. In the Dim Time, I used IPCop for a few years. When support for that faded, I opted for a hardware unit provided by a vendor I was a "partner" with. They discontinued that platform and will not support it in the future.
I'm facing pursuing upgrading with them or returning to the open source playground on either existing hardware or an APU1 or APU2 type box.
Suggestions? Pointers to current "best in class" information?
For openSUSE, I've been more than happy with firewalld that comes with the distro. For servers on Arch I just use plain iptables. There are tools that automate adding and removing entries from iptables like fail2ban, and other firewalls that use iptables like shorewall. All are quite effective; you just pay the entry fee by learning how to use the one of your choice and it will serve your needs. -- David C. Rankin, J.D., P.E.
On 2022-12-19 18:26, David C. Rankin wrote:
For openSUSE, I've been more than happy with firewalld that comes with the distro. For servers on Arch I just use plain iptables. There are tools that automate adding and removing entries from iptables like fail2ban, and other firewalls that use iptables like shorewall.
Unless there have been significant changes, it's unusable for IPv6. Most ISPs use DHCPv6-PD to assign a prefix to the users. I get a /56, which provides 2^72 addresses. I switched to pfSense solely for that reason. Prior to my ISP providing IPv6, I obtained it with a 6in4 tunnel, which did work well with SUSE.
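The prefix arithmetic behind James's remark (a /56 delegated via DHCPv6-PD is 2^72 addresses, or 256 /64 subnets) worked through in Python. This is an added example, not code from any post in the thread; the /56 is a constructed sample under the 2001:db8::/32 documentation prefix and the segment names are the ones James lists for his pfSense box.

```python
import ipaddress

# Constructed sample delegation: 2001:db8::/32 is the documentation prefix,
# so this stands in for whatever /56 a real ISP hands out via DHCPv6-PD.
DELEGATED = ipaddress.IPv6Network("2001:db8:1234:ab00::/56")

# The segments James lists on his pfSense box, one /64 each.
SEGMENTS = ["main LAN", "guest WiFi VLAN", "test LAN", "Cisco router link", "OpenVPN"]


def prefix_math(pd: ipaddress.IPv6Network) -> dict:
    """Size of a delegated prefix: host bits, total addresses, and usable /64s."""
    host_bits = 128 - pd.prefixlen                      # /56 -> 72 host bits
    return {
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,                    # /56 -> 2**72 addresses
        "subnets_64": 2 ** (64 - pd.prefixlen) if pd.prefixlen <= 64 else 0,
    }


def carve(pd: ipaddress.IPv6Network, names: list) -> dict:
    """Hand out consecutive /64s from the delegation, one per named segment."""
    available = 2 ** (64 - pd.prefixlen) if pd.prefixlen <= 64 else 0
    if len(names) > available:
        raise ValueError(f"{len(names)} segments but only {available} /64s in {pd}")
    subnets = pd.subnets(new_prefix=64)                 # yields ab00::/64, ab01::/64, ...
    return {name: next(subnets) for name in names}


def segment_of(plan: dict, address: str):
    """Which planned segment an observed address belongs to, or None if unassigned."""
    addr = ipaddress.IPv6Address(address)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


if __name__ == "__main__":
    print(prefix_math(DELEGATED))
    for name, net in carve(DELEGATED, SEGMENTS).items():
        # net[1] is the conventional router address in each /64
        print(f"{name:18s} {net}  router {net[1]}")
```

The point of carve() is that a /56 is far more than one LAN needs: each VLAN, the test LAN and the VPN get their own /64, and segment_of() is the check a firewall rule set wants, namely that an address claiming to be from the guest VLAN actually sits in the guest /64 and not in the main LAN's.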
On 12/19/22 19:06, James Knott wrote:
On 2022-12-19 18:26, David C. Rankin wrote:
For openSUSE, I've been more than happy with firewalld that comes with the distro. For servers on Arch I just use plain iptables. There are tools that automate adding and removing entries from iptables like fail2ban, and other firewalls that use iptables like shorewall.
Unless there have been significant changes, it's unusable for IPv6. Most ISPs use DHCPv6-PD to assign a prefix to the users. I get a /56, which provides 2^72 addresses. I switched to pfSense solely for that reason. Prior to my ISP providing IPv6, I obtained it with a 6in4 tunnel, which did work well with SUSE.
Point well taken, James. I still live in an IPv4 world.... -- David C. Rankin, J.D., P.E.
On 2022-12-21 00:55, James Knott wrote:
On 2022-12-20 18:51, David C. Rankin wrote:
I still live in an IPv4 world....
WOW!
I've had IPv6 on my home network for over 12.5 years.
I know, but you are fortunate. A lot of the world lives on IPv4 and has no plan to upgrade to IPv6. What ISPs are doing is switching to Carrier Grade NAT. Problem solved as far as they are concerned. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2022-12-21 07:34, Carlos E. R. wrote:
I know, but you are fortunate. A lot of the world lives on IPv4 and has no plan to upgrade to IPv6.
What ISPs are doing is switching to Carrier Grade NAT. Problem solved as far as they are concerned.
It's still possible to use a tunnel to get IPv6. I used one for almost 6 years. Hurricane Electric, he.net, is one source that's all over the world. NAT is bad enough, but CGNAT is a disgrace. Any carrier that deploys it without also providing IPv6 has no respect for its customers.
On 2022-12-21 14:07, James Knott wrote:
On 2022-12-21 07:34, Carlos E. R. wrote:
I know, but you are fortunate. A lot of the world lives on IPv4 and has no plan to upgrade to IPv6.
What ISPs are doing is switching to Carrier Grade NAT. Problem solved as far as they are concerned.
It's still possible to use a tunnel to get IPv6. I used one for almost 6 years. Hurricane Electric, he.net, is one source that's all over the world.
I tried and failed.
NAT is bad enough, but CGNAT is a disgrace. Any carrier that deploys it without also providing IPv6 has no respect for its customers.
They are the majority. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2022-12-21 08:16, Carlos E. R. wrote:
NAT is bad enough, but CGNAT is a disgrace. Any carrier that deploys it without also providing IPv6 has no respect for its customers.
They are the majority.
Yet, I get two real IPv4 addresses from my ISP. Also, with their 8 Gb fibre service, they include a 10 Gb switch, and any device plugged directly into the switch gets its own IPv4 addresses. Any idea why he.net failed for you? Plenty of people use it, though I haven't. Or is your ISP one of those that provides CGNAT?
On 2022-12-21 15:07, James Knott wrote:
On 2022-12-21 08:16, Carlos E. R. wrote:
NAT is bad enough, but CGNAT is a disgrace. Any carrier that deploys it without also providing IPv6 has no respect for its customers.
They are the majority.
Yet, I get two real IPv4 addresses from my ISP. Also, with their 8 Gb fibre service, they include a 10 Gb switch, and any device plugged directly into the switch gets its own IPv4 addresses.
Any idea why he.net failed for you? Plenty of people use it, though I haven't.
I don't remember, sorry. I don't personally need IPv6, so I did not put a lot of effort into it :-)
Or is your ISP one of those that provides CGNAT?
On fibre, I get a public but dynamic IPv4 address. On the mobile phone, it is CGNAT, which means I get it on the computer when I tether. "Lesser" ISPs also use CGNAT on land connections. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2022-12-21 10:00, Carlos E. R. wrote:
On fibre, I get a public but dynamic IPv4 address. On the mobile phone, it is CGNAT, which means I get it on the computer when I tether.
On my cell phone, I also get CGNAT for IPv4, but I get a /64 prefix for IPv6. This means when I tether, the device gets a public address. Does your cell carrier not provide IPv6? It's mandatory for LTE (4G).
On 2022-12-21 16:03, James Knott wrote:
On 2022-12-21 10:00, Carlos E. R. wrote:
On fibre, I get a public but dynamic IPv4 address. On the mobile phone, it is CGNAT, which means I get it on the computer when I tether.
On my cell phone, I also get CGNAT for IPv4, but I get a /64 prefix for IPv6. This means when I tether, the device gets a public address. Does your cell carrier not provide IPv6? It's mandatory for LTE (4G).
I'll check. I put my phone on the mobile network, disabling the WiFi. And I have... 10.0.83.106 only. When I connect back to the WiFi, I get a LAN address, also a LAN IPv6. Phone is 4G, has no 5G. I have no idea if I am on LTE, dunno how to find out. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2022-12-21 10:13, Carlos E. R. wrote:
Phone is 4G, has no 5G. I have no idea if I am on LTE, dunno how to find out.
LTE (Long Term Evolution) is what 4G was initially called, as it didn't meet the full 4G specs. You say you get an IPv6 address, is that a public "GUA" address or just link local, which starts with fe80? You can test your connection at test-ipv6.com.
On 2022-12-21 16:36, James Knott wrote:
On 2022-12-21 10:13, Carlos E. R. wrote:
Phone is 4G, has no 5G. I have no idea if I am on LTE, dunno how to find out.
LTE (Long Term Evolution) is what 4G was initially called, as it didn't meet the full 4G specs. You say you get an IPv6 address, is that a public "GUA" address or just link local, which starts with fe80?
Link local when WiFi is active.
You can test your connection at test-ipv6.com.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2022-12-21 17:22, James Knott wrote:
On 2022-12-21 11:21, Carlos E. R. wrote:
Link local when WiFi is active.
All IPv6 capable devices get one of those, even if there is no other IPv6.
I know. But not when I am with the ISP network. Only when I am with my LAN. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2022-12-21 17:22, James Knott wrote:
On 2022-12-21 11:21, Carlos E. R. wrote:
Link local when WiFi is active.
All IPv6 capable devices get one of those, even if there is no other IPv6.
I know.
But not when I am with the ISP network. Only when I am with my LAN.
It is independent of which network you're on. Unless you have explicitly disabled IPv6 on a machine, as James says, all IPv6 capable devices get one of those. -- Per Jessen, Zürich (13.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2022-12-22 11:12, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-21 17:22, James Knott wrote:
On 2022-12-21 11:21, Carlos E. R. wrote:
Link local when WiFi is active.
All IPv6 capable devices get one of those, even if there is no other IPv6.
I know.
But not when I am with the ISP network. Only when I am with my LAN.
It is independent of which network you're on. Unless you have explicitly disabled IPv6 on a machine, as James says, all IPv6 capable devices get one of those.
It just doesn't happen on my Android phone, and I have done absolutely nothing to it. When WiFi is disabled, I get the IP my ISP gives me, it is a 10.***, and there is no IPv6 of any kind listed. I just tried on my previous mobile phone, and it doesn't get any IP of any kind. It connects on 3G. Dunno if this is temporary. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2022-12-22 11:12, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-21 17:22, James Knott wrote:
On 2022-12-21 11:21, Carlos E. R. wrote:
Link local when WiFi is active.
All IPv6 capable devices get one of those, even if there is no other IPv6.
I know.
But not when I am with the ISP network. Only when I am with my LAN.
It is independent of which network you're on. Unless you have explicitly disabled IPv6 on a machine, as James says, all IPv6 capable devices get one of those.
It just doesn't happen on my Android phone, and I have done absolutely nothing to it.
Both of mine have LL addresses, but maybe Android behaviour is a bit off-topic here.
When WiFi is disabled, I get the IP my ISP gives me, it is a 10.***, and there is no IPv6 of any kind listed.
I have just disabled wifi on one of mine, I get a 100.97.xx.xx address, and indeed no LL address. I wonder if it is related to the phone not having a MAC address? That would explain why it doesn't generate an LL address. -- Per Jessen, Zürich (12.8°C)
On 2022-12-22 12:43, Per Jessen wrote:
When WiFi is disabled, I get the IP my ISP gives me, it is a 10.***, and there is no IPv6 of any kind listed. I have just disabled wifi on one of mine, I get a 100.97.xx.xx address, and indeed no LL address. I wonder if it is related to the phone not having a MAC address? That would explain why it doesn't generate an LL address.
I just checked my Pixel 6 on both Wifi and cell networks. On Wifi it has a link local address, but not on the cell network. I expect this is due to the network type. Wifi is intended to be a shared, multiple access network, but the cell network isn't. I don't know enough about the cell network to know what the situation is there. Also, on Wifi, my phone gets an address from my LAN, but on the cell network it gets 192.0.0.4, which is used for 464XLAT, the protocol used to provide IPv4 over an IPv6 only network. Also, on the cell network I get a single global address, but on Wifi, I get 2 global addresses, one a "privacy" address and one consistent. I get the same with unique local addresses.
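An added example, not code from any post in the thread: a small classifier for the address kinds that came up (fe80 link-local versus GUA and ULA, the 10.x and 100.64/10 CGNAT pools, the 192.0.0.4 464XLAT address James sees, and the double NAT Carlos describes when a laptop tethers through a CGNAT phone). The sample addresses are constructed (the 10.0.83.106 is the one Carlos quoted; 203.0.113.x is the TEST-NET-3 documentation range standing in for a public address). The range labels are the RFCs that define them (RFC 1918, RFC 6598, RFC 7335, RFC 6052), not anything the posts cite.

```python
import ipaddress

# Ranges mentioned in the thread plus the neighbours a defender should recognise
# when reading an address off a phone, a tethered laptop, or a firewall log.
IPV4_RANGES = [
    ("RFC 1918 private (LAN)", "10.0.0.0/8"),
    ("RFC 1918 private (LAN)", "172.16.0.0/12"),
    ("RFC 1918 private (LAN)", "192.168.0.0/16"),
    ("CGNAT shared space (RFC 6598)", "100.64.0.0/10"),
    ("464XLAT CLAT address (RFC 7335)", "192.0.0.0/29"),
    ("IPv4 link-local", "169.254.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]
IPV6_RANGES = [
    ("link-local (fe80::/10)", "fe80::/10"),
    ("unique local address (ULA)", "fc00::/7"),
    ("NAT64 well-known prefix (RFC 6052)", "64:ff9b::/96"),
    ("loopback", "::1/128"),
    ("global unicast (GUA)", "2000::/3"),
]
_TABLES = {
    4: [(label, ipaddress.ip_network(n)) for label, n in IPV4_RANGES],
    6: [(label, ipaddress.ip_network(n)) for label, n in IPV6_RANGES],
}


def classify(text: str) -> str:
    """Label an address by the first range it falls in; unmatched IPv4 is public."""
    addr = ipaddress.ip_address(text.strip())
    for label, net in _TABLES[addr.version]:
        if addr in net:
            return label
    return "public IPv4" if addr.version == 4 else "other IPv6"


def is_translated(text: str) -> bool:
    """True when traffic from this address has to cross a NAT to reach the Internet."""
    return classify(text).startswith(("RFC 1918", "CGNAT", "464XLAT"))


def nat_layers(path) -> int:
    """Count NAT layers along a chain of IPv4 addresses from the device outward:
    every translated address before the first public one is one layer."""
    layers = 0
    for hop in path:
        if is_translated(hop):
            layers += 1
        else:
            break
    return layers


# Constructed samples: what the thread's phones and laptops reported.
SAMPLES = ["fe80::1", "2001:db8::1", "10.0.83.106", "100.97.0.1", "192.0.0.4", "203.0.113.7"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:16s} {classify(s)}  (NAT: {is_translated(s)})")
    # Laptop on the phone's hotspot, phone on the carrier's 10.x pool, carrier edge public.
    print("tethered laptop NAT layers:", nat_layers(["192.168.43.5", "10.0.83.106", "203.0.113.7"]))
```

Two things the tool makes visible that the eye misses: a 10.x address on a phone is just as much CGNAT as a 100.64/10 one (RFC 6598 space is the purpose-built pool, but carriers are free to use RFC 1918), and a tethered laptop sits behind two translators, so nothing on it is reachable from outside without an IPv6 GUA.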
James Knott wrote:
On 2022-12-22 12:43, Per Jessen wrote:
When WiFi is disabled, I get the IP my ISP gives me, it is a 10.***, and there is no IPv6 of any kind listed. I have just disabled wifi on one of mine, I get a 100.97.xx.xx address, and indeed no LL address. I wonder if it is related to the phone not having a MAC address? That would explain why it doesn't generate an LL address.
I just checked my Pixel 6 on both Wifi and cell networks. On Wifi it has a link local address, but not on the cell network. I expect this is due to the network type. Wifi is intended to be a shared, multiple access network, but the cell network isn't.
+1. My thoughts exactly. -- Per Jessen, Zürich (10.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2022-12-22 18:43, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-22 11:12, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-21 17:22, James Knott wrote:
It just doesn't happen on my Android phone, and I have done absolutely nothing to it.
Both of mine have LL addresses, but maybe Android behaviour is a bit off-topic here. The conversation has drifted a bit, as usual :-)
I commented when James said that he had been on IPv6 for over 12.5 years that IPv6 is not progressing any more, that «A lot of the world lives on IPv4 and has no plan to upgrade to IPv6. What ISPs are doing is switching to Carrier Grade NAT. Problem solved as far as they are concerned.» Thus my landline is on traditional dynamic public IPv4, and my phone is on CGNAT, getting a 10.*** address. James said that the ISP provider must provide an IPv6 address when they use CGNAT, but mine doesn't. This is of interest because I use the phone to tether my laptop when needed, so my laptop gets a CGNAT address as well, not an IPv6. So we were looking at the addresses my two mobiles get :-) I have another machine on a GSM router on a lesser ISP, also on CGNAT. I have not used it in a month, but I fear it will not work at all because the 3G network is being decommissioned. Even my secondary phone, which is my previous mobile, does not get an IP at all when not via WiFi. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2022-12-22 18:43, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-22 11:12, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-21 17:22, James Knott wrote:
It just doesn't happen on my Android phone, and I have done absolutely nothing to it.
Both of mine have LL addresses, but maybe Android behaviour is a bit off-topic here.
The conversation has drifted a bit, as usual :-)
I commented when James said that he had been on IPv6 for over 12.5 years that IPv6 is not progressing any more, that «A lot of the world lives on IPv4 and has no plan to upgrade to IPv6.
Yeah, I saw that, I'm just not sure you're right. We _have_ run out of IPv4 addresses, anyone with a spare range can make a very decent profit. I think in particular the developing world (Africa, Asia) is seeing a lot of IPv6 deployment, but also in Europe - yesterday, 52% of all German mirror traffic to my mirror were IPv6. 43% of all French. 40% of all Belgian. Otoh, only 4% of Italian and 6.8% of Spanish traffic.
What ISPs are doing is switching to Carrier Grade NAT. Problem solved as far as they are concerned.»
Well, again, I don't think that is true, but I probably have no more data than you do, and as it's really off-topic, I refrained from commenting.
James said that the ISP provider must provide an IPv6 address when they use CGNAT, but mine doesn't.
You are presumably still looking at the Android example.
This is of interest because I use the phone to tether my laptop when needed, so my laptop gets a CGNAT address as well, not an IPv6.
Hmm, I don't think so. When you set up your phone as a hotspot, you usually configure a dhcp range; your laptop will just get a 192.168.1.x address, I expect, and most likely an LL too :-)
I have another machine on a GSM router on a lesser ISP, also on CGNAT. I have not used it in a month, but I fear it will not work at all because the 3G network is being decommissioned. Even my secondary phone, which is my previous mobile, does not get an IP at all
Does telephony work? -- Per Jessen, Zürich (11.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2022-12-22 21:24, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-22 18:43, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-22 11:12, Per Jessen wrote:
Carlos E. R. wrote:
On 2022-12-21 17:22, James Knott wrote:
...
James said that the ISP provider must provide an IPv6 address when they use CGNAT, but mine doesn't.
You are presumably still looking at the Android example.
This is of interest because I use the phone to tether my laptop when needed, so my laptop gets a CGNAT address as well, not an IPv6.
Hmm, I don't think so. When you set up your phone as a hotspot, you usually configure a dhcp range; your laptop will just get a 192.168.1.x address, I expect, and most likely an LL too :-)
No, I don't configure anything, it is on automatic. I just tell the phone to provide an access point. Ah, yes, I assign the password and name. Yes, it is true the laptop gets a LAN address. But the "external" IP is another NAT address, this time the CGNAT. And this carrier LAN has its own gateway that conducts to the true external, public, IP. Everybody on the provider getting a single external IP, or a small pool of them. They never give me an IPv6, as they should. I have seen some providers in Spain that do, I forget which. Some lesser ISP. Not Telefónica, they have a lot of IPv4 addresses to use with their landline clients. No issues. No plans at all to even provide optional IPv6. When asked, they answer with evasive tactics. Other providers use CGNAT even on landline.
I have another machine on a GSM router on a lesser ISP, also on CGNAT. I have not used it in a month, but I fear it will not work at all because the 3G network is being decommissioned. Even my secondary phone, which is my previous mobile, does not get an IP at all
Does telephony work?
On the old mobile, yes. On the (new) GSM router, it doesn't have a telephone. It can send SMS messages, but as the contract is data only, it can't send SMS. I still have to go there and check things properly. The router itself is 4G, but the provider is a secondary ISP and most of them were using the cheaper 3G network. <https://www.pccomponentes.com/tp-link-tl-mr6400-v530-router-4g-lte-300mbps> TP-Link TL-MR6400 V5.30 Router 4G LTE 300Mbps I have to go and see. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 19/12/2022 21:29, joe a wrote:
Flame retardant thermal ware in place. In the Dim Time, I used IPCop for a few years. When support for that faded, I opted for a hardware unit provided by a vendor I was a "partner" with. They discontinued that platform and will not support it in the future.
I'm facing pursuing upgrading with them or returning to the open source playground on either existing hardware or an APU1 or APU2 type box.
Suggestions? Pointers to current "best in class" information?
I use ipfire. Been fine for me, just runs on a dedicated spare box.