pfSense (or other dedicated router) questions

I have to ask a silly question: given all the hassles, what does IPv6 bring to the table that makes it worth the headaches?
 
For me and you? Not much of anything whatsoever. For "The Internet" at large, however, it brings about the ability to continue to exist.

Right now, today, there are no more IPv4 addresses available for assignment in the global internet. That means that if you form a new company and want a few publicly accessible servers, you had better hope that your internet provider has a couple left-over IPv4 addresses to assign to you. If they don't, you'll have to sit behind a NAT and deal with limitations related to that.

IPv6 solves the problem by making the address space MUCH larger. It does quite a few other things as well, but the address space is the most significant reason that end-users will notice right now.
 
I think the question was aimed towards your usage of IPv6 in your LAN.
 
In my own LAN?

I'm an engineer. My "home" network is a test bed for pushing my own knowledge and limitations. Tomorrow is IPv6, so I need to be ready for it today. How can I write s/w and f/w that properly handles IPv6 if I can't even set up a LAN that uses it?

It's the same reason that I have a Windows 2012 R2 server running an Active Directory (with a whopping 4 user accounts.) And that my primary wifi authentication/encryption is using EAP/PEAP via RADIUS... (and that I often load a self-compiled firmware on my R700 wireless router so I can do odd things like using null characters in wifi SSIDs to see what breaks and what properly handles the spec.)

Of course, then there's also the geek factor... When the rest of the world catches up and switches to using IPv6 as a primary addressing method, I'll have already been there, done that, and will be playing with the next thing to happen.
 
Yes, the question was why would a home or small business want to bother with the headaches of IPv6.

Through the magic of NAT most can use IPv4 and be quite happy. As noted, remembering or typing an IPv6 address is more than a challenge.
 
"Most" would be quite happy, and completely oblivious to IPv6 even existing. A company I work with is like that, and they refuse to enable IPv6 (even using only ULAs.) Their perspective is that if it isn't broke, don't fix it. (I keep trying to tell them that just because it isn't broken for them today, it WILL be broken for them tomorrow.)

People like them depend on people like me to "test the waters" with newer technologies and discover how they can be used, abused, worked with, worked around, etc.

I'm like one of those other people in many areas of my life. For example, I expect my car to just work. I don't care, honestly, if it's using direct injection, fuel injectors, or even an old carburetor. I'm content knowing how to change the oil and do a basic tune up.

The massive difference is that if I'm using fuel injectors when direct injection is the newest tech, I don't have to worry about my car not working in a few years just because fuel injectors aren't used anymore. Someone will always be making replacement injectors (just as people are still making carburetors for older cars) and the same gasoline will still work.

In contrast, those who are desperately trying to ignore IPv6 are running the risk that their networks will suddenly one day be unable to get a new global IP address or that they'll be unable to access newer internet resources that might ONLY work with IPv6.
 
This seems more like IPv6 evangelism rather than technical curiosity...
 
I'm not claiming mere curiosity. My home is my professional testbed and where I learn things.

On the other hand, I wouldn't go so far as using the term evangelism. Unless someone asks for my advice (or I'm somehow responsible for the network), I don't push IPv6 on others. In the example I gave, I'm responsible for some systems, and those systems COMPLETELY break with IPv6... Some of those systems have to interact with other companies who ARE actively migrating to IPv6, so it's a big concern for me.

Keep in mind that a person who does software development MUST either stay ahead of the curve, or risk spending their career doing nothing but maintaining legacy systems.
 
I guess I am confused by your goals. Originally, I thought you had a task that needed to be solved (your son's Android device put on a schedule). So we all tried to solve your stated problem(s).


Then later I see that was not the true goal. Your actual goal was to experiment with no real objective but the experiment itself. This explains the nonsensical stubbornness you had earlier (about trying different network setups, disabling IPv6, or doing ANYthing but what you wanted to experiment with).

I wish you had explained this much earlier. I think it's unfair that you neglected to mention it. It kinda pisses me off. I thought you wanted to solve a problem, but no.
 
Originally, I did want to solve a problem. Go back and read the very first post in this thread. Actually, I _STILL_ want to solve that problem. So far, the closest I've come is ntopng, but that has shortcomings. So, it's still unsolved in regards to pfSense (and based on checking dozens of other router/firewall products, there is no good solution that checks all the boxes I want.)

In regards to my son, I think if you go back and read, you'll notice that my son and schedules was just one example of a reason why MAC filtering is useful. The MAC filtering aspect wasn't even introduced until post 57. That, by the way, might be handled via ipfw and cron.

At the same time, I'm experimenting, learning and so on. I've made that clear a few times in this thread. Most recently (yesterday?), I posted a long comment where I very clearly stated in the top of the post that I was heading into philosophical discussion and rambling.

I'm sorry if you latched onto ONE example issue and ignored the rest of the thread that has been going on for quite some time and has reached a lot of different topics. I do appreciate the help and comments that you and others have offered, however.

Edit: In fact, in regards to the "learning" - You should be very well aware of this, as you replied to one of those posts with a comment that "not everyone wants to be your teacher for free." So... if you're pissed about spending time in this thread since then, you should only be angry at yourself.
 
Regarding my confusion, I thought you had a legitimate need for IPv6 beyond simply wanting to use it.

As others have hinted, IPv6 seems to be causing more problems than it solves (in your case), yet you continue to use it simply for the experience. I am just saying, if the objectives were more clear from the beginning, I would have been trying to attack this problem in a different manner.


I'm not pissed, just frustrated that my (and others'?) help was less useful because we did not have the same goal as you.
 
@garyd9

(Earlier you asked about the matching traffic via source-OS feature.)

You can find it on the standard install of pfSense. Create a firewall rule and scroll to the bottom and click "Advanced Options". IIRC, you can see an example of its capabilities by looking up the "p0f" project, which is the stand-alone version. That site even has an interactive example of its traffic fingerprinting capabilities.
 
That is really cool! Thank you.

BTW, I just completely broke my LAN today while moving some interfaces around. It literally took me an hour to realize that when I re-created an interface in pfSense, that I forgot to change the netmask from the default /32 to /24. I was going absolutely nuts trying to figure out why NO traffic would move from or to a newly created interface's network.

I really, really, really, really, REALLY wish they'd change that default... or at least move it MUCH closer to the place where the static IPv4 is configured (instead of aligned at the right side of the page where it's easily overlooked.) Even better, change the default to an invalid value, and then when the user goes to save the page without fixing it, an error pops up saying something about it.
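
The /32 default described in the post above leaves an interface with no on-link neighbours, which is why no traffic moved. The following Python check flags that kind of host-length prefix on static interfaces; it is an added example, not part of the thread and not pfSense code, and the interface names, addresses and clients are constructed.

```python
import ipaddress

# Constructed sample data: interface names, addresses and LAN clients are
# made up for illustration and do not come from the thread.
SAMPLE_INTERFACES = {
    "LAN": "192.168.1.1/24",
    "OPT1": "192.168.20.1/32",   # static IPv4 left at the /32 default
    "OPT2": "fd00:20::1/128",    # the same mistake on an IPv6 interface
}
SAMPLE_CLIENTS = {
    "LAN": ["192.168.1.50"],
    "OPT1": ["192.168.20.50"],
    "OPT2": ["fd00:20::50"],
}


def audit_interface(name, cidr, clients=()):
    """Return a list of problems found in one static interface definition."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    problems = []
    # A prefix as long as the address itself (/32 or /128) describes a single
    # host, so the interface has no on-link neighbours at all.
    if net.prefixlen == net.max_prefixlen:
        problems.append(f"{name}: /{net.prefixlen} covers only {iface.ip}")
    for client in clients:
        addr = ipaddress.ip_address(client)
        # Clients outside the interface's network are not directly reachable.
        if addr.version != iface.version or addr not in net:
            problems.append(f"{name}: {addr} is not on-link for {net}")
    return problems


def audit_all(interfaces, clients):
    """Audit every interface; map interface name to its list of problems."""
    return {
        name: audit_interface(name, cidr, clients.get(name, ()))
        for name, cidr in interfaces.items()
    }


if __name__ == "__main__":
    for name, problems in audit_all(SAMPLE_INTERFACES, SAMPLE_CLIENTS).items():
        print(name, "OK" if not problems else problems)
```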
 