Date:      Thu, 20 Jun 2019 07:51:42 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        Jan Bramkamp <crest@rlwinm.de>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: Look for an ipfw example using NPTv6
Message-ID:  <201906201451.x5KEpgJq023626@gndrsh.dnsmgr.net>
In-Reply-To: <CAHu1Y70oavnHz0sL05J8v9BeKHV_Rs+u6NUEXEiT0qVJXn8USQ@mail.gmail.com>

> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.
> 
> I'm in the process of securing my own IPv6 block, but was hoping for an
> interim solution.
> 
> One that occurred to me is to use a public ::/56 that's allocated (but
> unused) to me in an AWS VPC.  Route advertisements from them would make
> them unusable directly, but then NPTv6 would work.
> 
> Open to any suggestions.... ;-)

Go to the he.net tunnel broker (https://tunnelbroker.net/),
get a tunnel, get a /48, put that behind your NPTv6.  Be Happy.  :-)

> - M
> 
> On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <crest@rlwinm.de> wrote:
> 
> > On 18.06.19 22:00, Michael Sierchio wrote:
> > > I'm looking for a simple firewall example using nptv6 to translate
> > > link-local addresses to match the prefix assigned by my ISP.  I'll be using
> > > stateful rules and allowing only outbound traffic.
> > >
> > > If you have a snippet, I'll be grateful.  Thanks.
> > >
> > This sounds like you're trying to force IPv6 to behave like IPv4 with
> > longer addresses and have just replaced RFC1918 addresses with link-local
> > addresses. This isn't going to work because the differences are larger
> > than just the address length. Link-local addresses are just what the
> > name says: they are local to the link. A link-local address isn't even
> > unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
> > on the same host.
> >
> > In theory you can get very close to NAT between global unicast addresses
> > and private addresses by configuring NPTv6 between global unicast
> > addresses and unique local addresses, but that would be a terrible
> > choice. One of the great advantages of IPv6 is that it removes the address
> > scarcity that forced NAT upon us. Each IPv6 device can have as many global
> > IPv6 unicast addresses as required.
> >
> > Would you feel comfortable describing the constraints shaping your
> > design to us?
> >
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >
> 
> 
> -- 
> 
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
> 
> - The Mahābhārata

-- 
Rod Grimes                                                 rgrimes@freebsd.org
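
The thread never gets its snippet, so here is an added example (not code from anyone in the thread, and not FreeBSD's own rc.firewall) of the setup Rod and Jan converge on: a ULA prefix inside, a /64 that is routed to the box outside (one cut from an HE tunnel /48, or the ISP /64), ipfw's nptv6 action between them, and stateful rules so only return traffic comes back in. It also refuses the configuration the original question asked for, a link-local inside prefix. Assumed names: igb1 is the LAN, igb0 the uplink, fd42:cafe:beef:1::/64 and 2001:db8:1234:1::/64 are placeholder prefixes, and ipfw_nptv6.ko is present (FreeBSD 11 or later). One further assumption that matters: the router's own uplink address must lie outside ext_prefix, because rule 200 rewrites everything addressed to that prefix, the router's own packets included.

```shell
#!/bin/sh
# Added example (not code from the thread): an ipfw ruleset doing NPTv6
# (RFC 6296) between a ULA prefix on the LAN and a routed /64, with stateful
# rules so only return traffic gets back in.  Assumed names: LAN on igb1,
# uplink on igb0 (a gif0 tunnel works the same), documentation/ULA prefixes,
# ipfw_nptv6.ko present (FreeBSD 11+).  Commands are only printed unless
# NPTV6_APPLY=1 is set, so the ruleset can be reviewed before it goes live.

fwcmd="${FWCMD:-/sbin/ipfw}"
int_prefix="${INT_PREFIX:-fd42:cafe:beef:1::/64}"   # ULA inside; never fe80::/10
ext_prefix="${EXT_PREFIX:-2001:db8:1234:1::/64}"    # /64 routed to this box (ISP or HE /48)
lan_if="${LAN_IF:-igb1}"
wan_if="${WAN_IF:-igb0}"

# Inside prefixes that cannot work for NPTv6: link-local space (fe80::/10,
# which the original question wanted to translate) and anything longer than
# /64 (RFC 6296 maps prefixes up to /64).  Both prefixes must carry the same
# length because only the prefix bits are rewritten.  Returns 0 when usable.
check_prefixes() {
  _int="$1"; _ext="$2"
  case "$_int" in
    [Ff][Ee][89abAB][0-9a-fA-F]:*) return 1 ;;
  esac
  _ilen="${_int##*/}"; _elen="${_ext##*/}"
  [ "$_int" != "$_ilen" ] && [ "$_ext" != "$_elen" ] || return 1
  case "$_ilen$_elen" in *[!0-9]*) return 1 ;; esac
  [ "$_ilen" -eq "$_elen" ] && [ "$_ilen" -le 64 ]
}

# Emit the ruleset.  Order matters: inbound packets are translated ext->int
# first and then have to match a state; outbound packets create state on the
# untranslated ULA addresses and skip to the translating rule (the same
# skipto/keep-state pattern the FreeBSD handbook uses for ipfw nat).
nptv6_rules() {
  check_prefixes "$int_prefix" "$ext_prefix" || {
    echo "refusing prefixes $int_prefix / $ext_prefix" >&2
    return 1
  }
  _len="${int_prefix##*/}"
  cat <<EOF
# nptv6 hands the packet to the next rule only with one_pass=0 (see ipfw(8));
# with the default of 1 a translated inbound packet would be accepted as is.
sysctl net.inet.ip.fw.one_pass=0
kldload -n ipfw
kldload -n ipfw_nptv6
$fwcmd -q flush
$fwcmd -q nptv6 lan destroy 2>/dev/null || true
$fwcmd nptv6 lan create int_prefix $int_prefix ext_prefix $ext_prefix prefixlen $_len
$fwcmd add 100 allow ip6 from any to any via lo0
$fwcmd add 110 allow ip6 from any to any via $lan_if
# Inbound on the uplink: translate, then admit only states and safe ICMPv6.
$fwcmd add 200 nptv6 lan ip6 from any to $ext_prefix in via $wan_if
$fwcmd add 210 check-state
$fwcmd add 220 allow ipv6-icmp from any to any in via $wan_if icmp6types 1,2,3,4,128,134,135,136
$fwcmd add 299 deny log ip6 from any to any in via $wan_if
# Outbound on the uplink: LAN traffic keeps state on its ULA address, then is
# translated at 800; the router's own traffic leaves untranslated.
$fwcmd add 300 skipto 800 ip6 from $int_prefix to any out via $wan_if keep-state
$fwcmd add 305 allow ipv6-icmp from me6 to any out via $wan_if icmp6types 1,2,3,4,128,129,133,135,136
$fwcmd add 310 allow ip6 from me6 to any out via $wan_if keep-state
$fwcmd add 399 deny log ip6 from any to any out via $wan_if
# Reached only via the skipto or a matching state: translate int->ext and send.
$fwcmd add 800 nptv6 lan ip6 from $int_prefix to any out via $wan_if
$fwcmd add 801 allow ip6 from any to any
$fwcmd add 65000 deny log ip6 from any to any
EOF
}

nptv6_apply() { nptv6_rules | sh; }

if [ "${NPTV6_APPLY:-0}" = "1" ]; then
  nptv6_apply
else
  nptv6_rules
fi
```

Run it once without NPTV6_APPLY to read the generated commands, then with NPTV6_APPLY=1 as root; `ipfw nptv6 all list` shows the instance afterwards. The one_pass sysctl is the part to verify against ipfw(8) on your release first, since the whole ruleset relies on the packet continuing after the nptv6 rule. Newer ipfw also accepts `ext_if ifname` in place of `ext_prefix`, which takes the external prefix from the uplink's current global address and so survives the prefix change Michael is worried about; check your release's ipfw(8) before relying on it.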



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201906201451.x5KEpgJq023626>