Protecting outdoor LAN port from infiltration?
If you have an outdoor Ethernet port—in my case with a WiFi AP connected—how can you go about protecting your network from somebody jacking in?
Is there a way to bind that port to only an approved device? I figured a firewall rule to only allow traffic to and from the WiFi AP IP address, but would that also prevent traffic from reaching any wireless clients connected to the AP?
Edit: For more context, my router is a Ubiquiti UDM and the AP is also Unifi AP
IPv6 SLAAC and firewall rules
Given there's been a bit of talk about IPv6 around here recently, I gave it a really good shot at implementing this past week. I spent 3 days getting up to speed, reading loads and trying various different things. But I am now back to IPv4 only because I just can't get IPv6 to do what I want and no amount of searching has made me think what I want to do is even possible.
Some background about the IPv4 network I run at home: I run opnsense on a Proxmox server. I have a few services publicly available using port forwarding. I run several VLANs for IoT, VoIP, Cameras etc. I use a bunch of firewall rules that are specific to client devices on the network. So for example I have a rule that blocks youtube from the kids' tablets and the TV. I have a special rule around DNS for the wife as she doesn't want to use the pihole blocking features. These rules are made possible because the DHCP server is set to give them a fixed IP and I can create a firewall alias and rule based on that.
None of these things on my existing network are particularly difficult to configure, they run really well.
What I want from IPv6 is:
- All devices to use IPv6 including android devices.
- To have the same firewall rules configured and not have them be easily bypassed.
- To use privacy addresses as I don't want to make every device uniquely trackable over the internet.
- To be able to cope with changes to the ISP provided /48 prefix seamlessly.
- Have internal DNS make accessing intranet devices easy.
- To ensure the privacy of individual devices on my network by avoiding individual device tracking.
What I've tried:
- Using DHCPv6, but this excludes android devices. So that's out.
- Using a NAT (to avoid tracking of individual devices) and fd00/8 addresses, but this is pointless as those addresses are lower priority than IPv4 (FFS!)
- SLAAC just seems a non-starter.
Additional: I don't think I have a problem with "thinking about it all wrong for IPv6". I may have a skill issue, hence this question.
As far as I can tell to achieve requirement 1) you must use SLAAC. SLAAC without privacy extensions doesn't allow for 6).
Changes to external ISP prefix assignment impacts MY INTERNAL NETWORK (this just seems insane). And as far as I can tell there's no easy way around this, especially if I have static addresses configured for servers which would (if using SLAAC) have to be manually configured.
I can't see how DNS would be updated either, either Unbound running on Opnsense, or the pihole. If I go for SLAAC with privacy extensions and I keep paying for a static IP (v4 & v6) to my ISP then I can't implement any firewall rules for specific devices as devices will change their IP regularly. And it's even worse if I don't pay for a static IPv6 prefix.
I don't think anything I'm trying to do is particularly strange or unusual but 26 years after its introduction I don't see that IPv6 can meet these requirements. And one of the leading firewall routers, especially in the homelab, doesn't have answers to these questions either.
Can you suggest a way to meet all 6 requirements I have with IPv6?
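The following is an added illustration, not part of the post above, of the tension between requirements 2) and 6): with plain SLAAC the lower 64 bits of an address are a modified EUI-64 identifier derived from the NIC's MAC (RFC 4291, Appendix A), so a device keeps the same identifier when the ISP prefix changes and can be correlated across prefixes; with RFC 4941 temporary addresses the identifier is random and rotates, which is what breaks firewall rules keyed on a full address. The MAC and the two /64 prefixes below are constructed sample values.

```python
"""Derive SLAAC (EUI-64) addresses and compare them to temporary addresses.

Added example; the MAC and prefixes are constructed, not taken from any
real network.
"""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 A)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the universal/local bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: advertised /64 prefix + EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: prefix + random identifier.

    The universal/local bit is cleared so the identifier cannot be mistaken
    for a globally unique (MAC-derived) one.
    """
    net = ipaddress.IPv6Network(prefix)
    iid = secrets.randbits(64) & ~(1 << 57)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def interface_id(addr) -> int:
    """Lower 64 bits of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def same_host(addr_a, addr_b) -> bool:
    """True when two addresses carry the same interface identifier.

    This is exactly the correlation that lets an observer recognise one
    device across ISP prefix changes when EUI-64 is in use.
    """
    return interface_id(addr_a) == interface_id(addr_b)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"            # constructed
    before = slaac_address("2001:db8:1:1::/64", mac)   # constructed prefix
    after = slaac_address("2001:db8:2:1::/64", mac)    # prefix after ISP change
    print("SLAAC before prefix change:", before)
    print("SLAAC after prefix change: ", after)
    print("same device identifiable:  ", same_host(before, after))
    t1 = temporary_address("2001:db8:1:1::/64")
    t2 = temporary_address("2001:db8:1:1::/64")
    print("temporary addresses:", t1, t2, "linkable:", same_host(t1, t2))
```

Running it shows the EUI-64 identifier `211:22ff:fe33:4455` surviving the prefix change while two temporary addresses from the same prefix share nothing, which is the trade-off the post runs into: an identifier stable enough for a per-device rule is also stable enough to track.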
How should I configure Tailscale app connectors and/or subnet routing for HomeKit Secure Video?
Basically, I’m running Tailscale on most of my devices and using subnet routing on a Raspberry Pi for non-Tailscale devices.
My problem is that while using an exit node streaming video from cameras in the iOS/macos Home apps is entirely too slow. I can see from App Privacy Report that it attempts to connect to my home network’s WAN address, so I’ve set up subnet routing to bring in any traffic to any of ISP’s networks through the Raspberry Pi at home (this also makes it possible to use said ISP’s streaming app on Apple TV as if I were at home).
I know that Home doesn’t connect to the cameras locally at all, because I can tear down all the Tailscale stuff and not see any traffic between the client and the camera on the LAN.
Does anyone have a clue how to go about configuring this? Thanks in advance!
what exactly is hard about adopting IPv6??
I mean on a technical level. Are the devices that make up the infrastructure of the internet hardwired with IPv4? Is the firmware on these devices impossible to upgrade remotely?
If it's just a matter of software or firmware then adoption should only take like a year but clearly that isn't the case. So what specifically is stopping us?
I want to learn - where do I start?
[I hope this belongs here - if not, lmk and I'll delete the post. I've been mainly lurking here so far]
In a month I'll be in charge of "IT-stuff" in a small office. People are generally happy if there is internet and VoIP is working. I'd like to take the opportunity to learn what I can, while I have the chance. And maybe/hopefully contribute to make it a bit better. For now I want to look into how I should configure wifi and access for office/guests (and devices that are used obv.) Thing is, I don't know where to start and what I actually can do. Do I just google "how to configure wifi in the office?" and go from there? (I'm a bit hesitant to do that since I'll not be able to tell if what I find is good) Is there any good reference material you would suggest? Any suggestions are appreciated.
I studied business informatics (but it's been a while) so I'm not completely clueless (but still clueless hehe).
Virtual networking docker (bridge)
Edit: Whoops I just read that networking@sh.itjust.works is for enterprise networks? I hope my small homelab question doesn't break the rules? If so I will redirect my question.
---
Hi everyone !
I'm scratching my head in finding an actual answer on how virtual networking in docker actually works (mostly on the packets/frame level) or some good documentation to improve my understanding on how everything fits together.
Because I'm probably lacking the correct network terminology I made a simple network topology of my network. Don't hesitate to correct any network mistake.
In my scenario, my docker container with the virtual interface veth2b22c98 and the following IP (10.0.0.8) connects to bridge network br-b1de95b5ea89. When I curl, from my container, lemmy.ml, the packets/frames are sent to my enp4s0 and go through my wireguard tunnel to my VPN provider which sends back the packet/frame/handshake...
I probed every interface with tcpdump (enp4s0, wg0, br-b1,veth2b):
- enp4s0: Every packet/frame is encapsulated into the wireguard protocol with my physical interface's IP (192.168.1.30) and no DNS is visible on that interface (like expected) and sends it out to my ISP's public IP.
- wg0: Shows every packet/frame with the actual protocol with my wireguard's interface IP (192.168.2.1) with the destination IP of lemmy.ml (Dst: 54.36.178.108)
- br-b1: Shows every packet/frame with the actual protocol with my containers IP (10.0.0.8) with the destination IP of lemmy.ml (Dst: 54.36.178.108)
---
I know there is a mix of 2 different concepts in my scenario (wireguard tunnel and virtual networking) but I really do not understand how the frame gets back to my docker container. When I look at the frames on wg0, there is no mention of either the MAC address of my container or the actual IP of my container.
How/when/what ? is exactly happening to my frame so that it gets to the correct target between my physical interface, virtual interface, bridge ? I mean with VLANs there's a VLAN tag on the frame, so you can easily identify with Wireshark where it should go. But here, I cannot find any clue who or what is doing the magic so the frame finds its way back to my docker container.
What is encapsulated into the frame that makes everyone understand: "OHHH that's for 10.0.0.8, your docker container on bridge network br-b1de on the veth2b interface !!! "
Sorry for my broken English and lack of networking terminology and thank you to those who bore with me and are willing to give me some hints/proper networking lesson.
---
Edit: Changed something on my network diagram (wireguard is not in a container, it's bare bone on the server) and some typos.
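As an added illustration (not from the post, and not Docker's or the kernel's code), the block below models what answers the question above: nothing in the reply frame names the container. Docker's bridge networks install an iptables MASQUERADE rule, so on the way out the kernel rewrites the source from the container's 10.0.0.8 to the address of whichever interface the route picks (here wg0's 192.168.2.1), records the mapping in its connection-tracking table, and on the way back uses that state to rewrite the destination to 10.0.0.8 again. Only then, on br-b1de95b5ea89, is the packet handed to the veth whose MAC the bridge learned for 10.0.0.8. The IPs are the post's own; the port numbers, the bridge neighbour table and the MAC are constructed.

```python
"""Toy stateful source NAT (MASQUERADE) plus bridge delivery.

Added example with constructed ports/MACs; it simplifies the kernel's
conntrack/NAT behaviour to the parts the post asks about.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Masquerade:
    """Source NAT keyed on the 5-tuple, like the kernel's conntrack table."""

    def __init__(self, egress_ip: str, first_port: int = 40000):
        self.egress_ip = egress_ip          # address of the outgoing interface (wg0)
        self.next_port = first_port
        # (proto, nat_port, remote_ip, remote_port) -> (orig_ip, orig_port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # original 5-tuple -> nat_port, so repeat packets reuse one mapping
        self.forward: Dict[Tuple[str, str, int, str, int], int] = {}

    def egress(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the bridge; remember how to undo it."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.forward.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.forward[key] = port
            self.table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.egress_ip, src_port=port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the rewrite for a reply; unknown flows get no entry (dropped)."""
        entry = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        orig_ip, orig_port = entry
        return replace(pkt, dst_ip=orig_ip, dst_port=orig_port)


# Constructed bridge neighbour table: IP -> (MAC, port the bridge learned it on).
BRIDGE_NEIGHBOURS = {
    "10.0.0.8": ("02:42:0a:00:00:08", "veth2b22c98"),
}


def bridge_deliver(pkt: Packet, neighbours=BRIDGE_NEIGHBOURS) -> Optional[Tuple[str, str]]:
    """Resolve the destination IP to a MAC and veth on the bridge.

    This is the only place the container's MAC enters the picture, which is
    why tcpdump on wg0 never shows it.
    """
    return neighbours.get(pkt.dst_ip)


if __name__ == "__main__":
    nat = Masquerade("192.168.2.1")
    out = nat.egress(Packet("10.0.0.8", 51234, "54.36.178.108", 443))
    print("on wg0:", out)
    reply = Packet("54.36.178.108", 443, out.src_ip, out.src_port)
    back = nat.ingress(reply)
    print("after de-NAT (on br-b1):", back)
    print("delivered via:", bridge_deliver(back))
    print("unsolicited:", nat.ingress(Packet("54.36.178.108", 443, "192.168.2.1", 9999)))
```

The same mechanism explains the captures in the post: br-b1 sees 10.0.0.8 because NAT happens after the bridge, and wg0 sees 192.168.2.1 because MASQUERADE uses the address of the interface the route selects. The `None` for an unsolicited packet is the defensive side of the same state table: with no conntrack entry there is no container to forward to.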