Look for an ipfw example using NPTv6

Michael Sierchio kudzu at tenebras.com
Sat Jun 22 20:29:57 UTC 2019


I'm currently running 11.2.  What's the recommended dhcpd for ipv6 (or both
ipv4 and ipv6)?

On Thu, Jun 20, 2019 at 7:51 AM Rodney W. Grimes <
freebsd-rwg at gndrsh.dnsmgr.net> wrote:

> > Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> > guarantee that it's mine for the duration.
> >
> > I'm in the process of securing my own IPv6 block, but was hoping for an
> > interim solution.
> >
> > One that occurred to me is to use a public ::/56 that's allocated (but
> > unused) to me in an AWS VPC.  Route advertisements from them would make
> > them unusable directly, but then NPTv6 would work.
> >
> > Open to any suggestions.... ;-)
>
> Go to the he.net tunnel broker (https://tunnelbroker.net/),
> get a tunnel, get a /48, put that behind your NPTv6.  Be Happy.  :-)
>
> > - M
> >
> > On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <crest at rlwinm.de> wrote:
> >
> > > On 18.06.19 22:00, Michael Sierchio wrote:
> > > > I'm looking for a simple firewall example using nptv6 to translate
> > > > link-local addresses to match the prefix assigned by my ISP.  I'll be
> > > > using stateful rules and allowing only outbound traffic.
> > > >
> > > > If you have a snippet, I'll be grateful.  Thanks.
> > > >
> > > This sounds like you're trying to force IPv6 to behave like IPv4 with
> > > longer addresses and just replaced RFC1918 addresses with link local
> > > addresses. This isn't going to work because the differences are larger
> > > than just the address length. Link local addresses are just what the
> > > name says: they are local to the link. A link local address isn't even
> > > unique within a host e.g. you can have fe80::1234%em0 and fe80::1234%em1
> > > on the same host.
> > >
> > > In theory you can get very close to NAT between global unicast addresses
> > > and private addresses by configuring NPTv6 between global unicast
> > > addresses and unique local addresses, but that would be a terrible
> > > choice. One of the great advantages of IPv6 is that it removes the address
> > > scarcity that forced NAT upon us. Each IPv6 device can have as many global
> > > IPv6 unicast addresses as required.
> > >
> > > Would you feel comfortable describing the constraints shaping your
> > > design to us?
> > >
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> >
> > - The Mahābhārata
>
> --
> Rod Grimes
> rgrimes at freebsd.org
>


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
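
Added example, not part of the thread: a Python implementation of the RFC 6296 prefix mapping behind the NPTv6 setup discussed above (a private prefix translated to a routed one). It shows that the rewrite is a stateless, reversible, checksum-neutral 1:1 mapping, so the stateful outbound-only filtering still has to come from separate firewall rules. The function names and the prefixes (a ULA /48 and the 2001:db8 documentation range) are assumptions chosen for illustration; the code also handles prefixes longer than /48, such as a /64.

```python
import ipaddress

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def fold(total):
    """One's-complement fold of an integer sum down to 16 bits."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def translate(addr, from_prefix, to_prefix):
    """Stateless RFC 6296 mapping of addr from from_prefix into to_prefix."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must have the same length, at most /64")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # adjustment = sum(from prefix) - sum(to prefix), in one's-complement arithmetic
    to_sum = fold(sum(words(dst.network_address)))
    adj = fold(sum(words(src.network_address)) + (~to_sum & 0xFFFF))
    # swap the prefix bits, keep the subnet and interface-identifier bits
    kept = int(addr) & int(src.hostmask)
    w = words(ipaddress.IPv6Address(int(dst.network_address) | kept))
    # /48 or shorter: adjust the subnet word; longer: first IID word that is not 0xFFFF
    for i in ([3] if src.prefixlen <= 48 else [4, 5, 6, 7]):
        if w[i] != 0xFFFF:
            w[i] = fold(w[i] + adj)
            if w[i] == 0xFFFF:
                w[i] = 0
            break
    else:
        raise ValueError("no word available for the checksum adjustment")
    return ipaddress.IPv6Address(sum(x << (112 - 16 * i) for i, x in enumerate(w)))

# Constructed sample prefixes: a ULA /48 inside, a documentation /48 outside.
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"

if __name__ == "__main__":
    out = translate("fd01:203:405:1::1234", INSIDE, OUTSIDE)
    print(out, "->", translate(out, OUTSIDE, INSIDE))
```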

