Date: Sat, 22 Jun 2019 13:29:18 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject: Re: Look for an ipfw example using NPTv6
Message-ID: <CAHu1Y70jvtNMhVJ2eR5o5BQMkrk1Hqxr7nD9SjrKwoVcoijNAw@mail.gmail.com>
In-Reply-To: <201906201451.x5KEpgJq023626@gndrsh.dnsmgr.net>
References: <CAHu1Y70oavnHz0sL05J8v9BeKHV_Rs%2Bu6NUEXEiT0qVJXn8USQ@mail.gmail.com> <201906201451.x5KEpgJq023626@gndrsh.dnsmgr.net>
I'm currently running 11.2. What's the recommended dhcpd for ipv6 (or both
ipv4 and ipv6)?

On Thu, Jun 20, 2019 at 7:51 AM Rodney W. Grimes
<freebsd-rwg@gndrsh.dnsmgr.net> wrote:

> > Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> > guarantee that it's mine for the duration.
> >
> > I'm in the process of securing my own IPv6 block, but was hoping for an
> > interim solution.
> >
> > One that occurred to me is to use a public ::/56 that's allocated (but
> > unused) to me in an AWS VPC. Route advertisements from them would make
> > them unusable directly, but then NPTv6 would work.
> >
> > Open to any suggestions.... ;-)
>
> Go to the he.net tunnel broker (https://tunnelbroker.net/),
> get a tunnel, get a /48, put that behind your NPTv6. Be Happy. :-)
>
> > - M
> >
> > On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <crest@rlwinm.de> wrote:
> >
> > > On 18.06.19 22:00, Michael Sierchio wrote:
> > > > I'm looking for a simple firewall example using nptv6 to translate
> > > > link-local addresses to match the prefix assigned by my ISP. I'll be
> > > > using stateful rules and allowing only outbound traffic.
> > > >
> > > > If you have a snippet, I'll be grateful. Thanks.
> > > >
> > > This sounds like you're trying to force IPv6 to behave like IPv4 with
> > > longer addresses and just replaced RFC1918 addresses with link local
> > > addresses. This isn't going to work because the differences are larger
> > > than just the address length. Link local addresses are just what the
> > > name says: they are local to the link. A link local address isn't even
> > > unique within a host, e.g. you can have fe80::1234%em0 and
> > > fe80::1234%em1 on the same host.
> > >
> > > In theory you can get very close to NAT between global unicast
> > > addresses and private addresses by configuring NPTv6 between global
> > > unicast addresses and unique local addresses, but that would be a
> > > terrible choice. One of the great advantages of IPv6 is that it removes
> > > the address scarcity that forced NAT upon us. Each IPv6 device can have
> > > as many global IPv6 unicast addresses as required.
> > >
> > > Would you feel comfortable to describe the constraints shaping your
> > > design to us?
> > >
> > > _______________________________________________
> > > freebsd-ipfw@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> > >
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five
> > hundred."
> >
> > - The Mahābhārata
>
> --
> Rod Grimes
> rgrimes@freebsd.org

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
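
What the NPTv6 rewrite discussed in this thread does to an address, sketched with the checksum-neutral mapping of RFC 6296 (an added example, not part of any message in the thread and not ipfw's code). The function names are hypothetical, and the ULA and documentation prefixes are constructed sample values.

```python
import ipaddress

def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def _fold(total):
    """One's-complement fold: add carries back in until the sum fits 16 bits."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ones_sum(addr):
    """16-bit one's-complement sum of an address (what TCP/UDP checksums cover)."""
    return _fold(sum(_words(int(ipaddress.IPv6Address(addr)))))

def nptv6_translate(addr, from_prefix, to_prefix):
    """Map addr from from_prefix into to_prefix, statelessly and checksum-neutrally."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    ip = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must have the same length, at most /64")
    if ip not in src:
        raise ValueError("address is outside from_prefix")
    # Overwrite the prefix bits, keep every bit after the prefix.
    words = _words(int(dst.network_address) | (int(ip) & int(src.hostmask)))
    # Adjustment = sum(old prefix) - sum(new prefix) in one's-complement arithmetic.
    adj = _fold(ones_sum(src.network_address) + (~ones_sum(dst.network_address) & 0xFFFF))
    # /48 or shorter: the subnet word absorbs the adjustment.
    # Longer prefixes: the first interface-ID word that is not 0xFFFF.
    candidates = [3] if src.prefixlen <= 48 else range(4, 8)
    idx = next((i for i in candidates if words[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError("no 16-bit word available to absorb the adjustment")
    words[idx] = _fold(words[idx] + adj)
    if words[idx] == 0xFFFF:
        words[idx] = 0  # 0xFFFF and 0x0000 are both zero; normalise to 0x0000
    return str(ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(words))))

if __name__ == "__main__":
    # Constructed sample prefixes: a ULA /64 inside, a documentation /64 outside.
    inside, outside = "fd00:1:2:3::/64", "2001:db8:aaaa:bbbb::/64"
    out = nptv6_translate("fd00:1:2:3::10", inside, outside)
    print(out, hex(ones_sum(out)))                 # translated address, unchanged sum
    print(nptv6_translate(out, outside, inside))   # reverse mapping restores the original
```

The mapping is one-to-one and keeps no state, so it hides no hosts; blocking unsolicited inbound traffic still depends on the stateful rules.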
