On 9/2/23 06:39, gene heskett wrote:
> On 2/8/23 16:29, jeremy ardley wrote:
>> On 9/2/23 04:54, gene heskett wrote:
>>> My several machine home net is behind a dd-wrt install, NAT'ed so
>>> that any machine here has access to the net via the ipv4 address my
>>> router obtains from them. That legally is a dynamic address but
>>> hasn't changed in the decade and a half since I last switched ISPs
>>> to one that just worked courtesy of cloning the MAC from one router
>>> to its backup.
>>>
>>> So now my question is, can I maintain the same level of security if
>>> I start using an ipv6 address in my router?
>>>
>>> And if so, how do I maintain the NAT, & how would I do it? Or am I
>>> better off to not kick this sleeping dog called ipv6?
>
> Thanks Jeremy, but in the back of my mind is the need for a firewall.
> I've not set up a new one since bullseye moved in a year plus ago.
> dd-wrt reflashing my now elderly buffalo router handles all that.
Let's look at the different cases.

First, you have IPv4 and NAT. Your firewall will allow (and NAT) any
outbound traffic, and will accept any incoming traffic related to
outgoing traffic and inverse NAT it and send to the internal host. You
are relatively safe in this scenario as external baddies can't scan your
LAN and can't make unsolicited connections to your LAN devices.

In the case of adding IPv6 without NAT, then without a firewall,
external baddies can connect unsolicited to your internal devices. Some
of your devices will have their own personal firewalls already, e.g. any
Windows machine. Some won't, e.g. a printer. In the printer case it
would be unfortunate if your printer suddenly started printing out
obscenities. You get the picture.

Net result is with IPv6 you need a firewall on your internet connection
to disallow any unsolicited connections to internal devices. It's really
easy in ip6tables. It is probably very easy in dd-wrt. It is certain to
be in any off-the-shelf dual-stack modem/router.

The other option of NAT for your IPv6 is frowned on.

Another problem is internal names. As with IPv4 you need a directory
service to say what devices are at what IPv4 or IPv6 addresses in your
LAN. In my case I run a DNS server linked to my DHCP server for the IPv4
and IPv6 addresses. It uses a combination of DHCP registration data, and
static records to give IPv4 and IPv6 addresses internally to the LAN.

Of note, in my LAN which runs IPv4 and IPv6, most traffic between
devices is IPv6 because modern Debian/Linux applications default to IPv6
and only fall back to IPv4 as necessary.

Jeremy
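As an added example (not part of the thread above, and not dd-wrt's own configuration), here is the kind of ip6tables ruleset Jeremy describes: outbound and related traffic pass, the ICMPv6 messages IPv6 cannot work without are let through, and everything else arriving from the WAN is dropped and logged. The interface names eth0 (WAN) and br0 (LAN) are assumptions; adjust them for your router.

```shell
#!/bin/sh
# Added example: stateful IPv6 firewall for a dual-stack home router,
# without NAT. Nothing below is applied until ip6_fw_apply is called.
# Assumed (hypothetical) interface names: WAN=eth0, LAN=br0.
WAN=${WAN:-eth0}
LAN=${LAN:-br0}

# Print the ruleset in ip6tables-restore format so it can be reviewed
# (or saved to a file) before it touches the running firewall.
ip6_fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections opened by the router or by LAN hosts
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback and anything originating on the LAN side
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# ICMPv6 is mandatory on IPv6 (neighbour discovery, router advertisements,
# path MTU discovery). Only echo requests are rate-limited.
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# DHCPv6 replies from the ISP to the router's client port
-A INPUT -i $WAN -p udp --dport 546 -j ACCEPT
# Everything else from the WAN is unsolicited: log a sample, then the
# chain policy drops it, so scans show up in the router log.
-A INPUT -i $WAN -m limit --limit 1/min -j LOG --log-prefix "ip6 drop in: "
-A FORWARD -i $WAN -m limit --limit 1/min -j LOG --log-prefix "ip6 drop fwd: "
COMMIT
EOF
}

# Load the ruleset atomically (needs root and ip6tables-restore).
ip6_fw_apply() {
  ip6_fw_rules | ip6tables-restore
}

# Sanity check before applying: both inbound chains must default to DROP.
ip6_fw_check() {
  ip6_fw_rules | grep -q '^:INPUT DROP' &&
  ip6_fw_rules | grep -q '^:FORWARD DROP'
}
```

Run `ip6_fw_rules` first to inspect the output, then `ip6_fw_apply` as root; on dd-wrt the same lines can go into the firewall script so they survive a reboot.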