[VicPiMakers General] falling into IPv6 rabbit hole, never to be seen again? Can Frodo make the journey with help of Shaw support techs?

Peter Sprague peter.geovision at shaw.ca
Tue Dec 13 15:46:45 EST 2022


Craig,

Alas Shaw continued with their foot dragging and business support staff 
who were completely out of their element with IPv6.

Here is my static IP WAN interface status that clearly shows IPv6:

IPv4 Address
    184.71.17.82
Subnet mask IPv4
    255.255.255.252
Gateway IPv4
    184.71.17.81
IPv6 Link Local
    fe80::208:a2ff:fe0d:47dc%igb0
IPv6 Address
    2604:3d08:0:1b:e942:b77e:de6e:1e8d
Subnet mask IPv6
    128
Gateway IPv6
    fe80::201:5cff:feab:4e45%igb0
DNS servers
    2001:4e8:0:400b::13
    2001:4e8:0:4008::6

Dragged out an old WRT54GSv2 with 8mb flash & 32mb ram.  Was using 
DD-WRT, but reflashed with OpenWRT V22.03.2.

Idea was to use an open port on my Shaw modem to only pass IPv6 to an 
isolated IPv6-only experimental/learning LAN.  Not happening.

This morning went with a Hurricane Electric tunnel across my Shaw IPv4, 
and now have a /48 IPv6 network with an old laptop using Fedora 36 with 
its firewall tightened down.

Now what?  Got all this modern network but not sure what to play with 
next?  IPv6 firewalling?  Secure webserving?  Maybe an IPv6 Matrix 
Synapse server on FreeBSD Pi3?  ???

---------------------------------------------------------------------------------------
Sounds like the block is at Shaw for any serious IPV6 networking and usage.


Been using PFSense going on 20 years, so I can fudge my way around. Not 
an expert by a long shot, but can usually get the job done with some 
effort on my relatively simple LAN.  Run 3 distinct LANs off my 2 
PFsense routers from the Shaw modem.  Static IPV4 for public webserver, 
API, etc.  Shaw dynamic IPV4 for internal household. Modem router did 
show some sort of IPV6 allocation on the dynamic side, but I have 
bypassed the Shaw router to go straight through into my low powered 
PFsense router for our personal house LAN after constantly wrestling 
with the Shaw router.  Shaw tech said that was his preferred way for 
small business networks.

Used OpenWRT in many years past, but it is only on one of my old Linksys 
54G AP points and is very out of date.

My starting goal was to just dabble on non-critical infrastructure to 
learn and be prepared when I need to more fully move to IPV6. Powers to 
be seem to be making that an almost impossible task with no support.

One option might be to set up another experimental LAN that is IPV6 
only off the Shaw modem router.  Not sure if that would even be feasible 
with my current configuration, but will review.  I also have a spare 
PFsense router that was intended to be a fall-over router, but is not 
being used.  Pretty sure I have another 54G w/ OpenWRT laying around 
that sounds like I might be better to start with as long as it's updated 
and can support IPV6.

Have a good Sunday,

Peter Sprague MSc.
GeoVision Environmental Informatics
peter.sprague at geovisionenvironmental.ca
250-412-3444 Victoria

On 2022-12-11 12:13, Craig Miller wrote:
> Hi Peter,
>
> I have a couple of comments. I am sorry to hear you didn't have much 
> success getting IPv6 to work with pfsense. pfsense is not for 
> beginners, and IPv6 really is a different protocol, and we shouldn't 
> assume it works just like IPv4, because it doesn't. I have heard that 
> pfsense has issues with doing prefix delegation downstream (to any 
> other routers you may have on your network).
>
> Shaw is basically worthless when it comes to IPv6. They only support 
> it on their top-tier service, and even then they only give the 
> customer a single /64, which is not in accordance with best practices 
> (BCOP 690). I look forward to the Rogers guys taking over, as they 
> have been doing IPv6 well for years now in Ontario.
>
> https://www.ripe.net/publications/docs/ripe-690
>
> Telus is "better" in that they will give you a /56, but they don't 
> give you a static prefix, which means you will get a different /56 
> every time you connect (also doesn't follow BCOP 690).
>
> I can't speak to pfsense, but if you would like to see OpenWrt in 
> action (the defaults work great for IPv6), please consider coming to 
> one of our VicPiMakers meetings where I have an OpenWrt router doing a 
> wireguard VPN tunneling IPv6 back to my DMZ at my house. I will be 
> happy to talk to you about IPv6 and OpenWrt.
>
> http://www.makikiweb.com/ipv6/wireguard_on_openwrt.html
>
> warm regards,
>
> Craig...
>
> On 12/9/22 16:26, Peter Sprague wrote:
>> Maybe we need a revisit of IPV6 in our regional context so that we 
>> can be more current, and possibly effective in our pursuit?
>>
>> I have tried dabbling across the great divide with my Pfsense 
>> firewalls and a couple of servers but stopped after trying to get 
>> information from the Shaw techs.  I apparently have some form of IPV6 
>> allocation available according to my modem, but the techs have no 
>> idea what I actually have available or how to use it. Pretty sure I can 
>> run dual IPV4/6 networks with my PFsense routers.  Just seemed like 
>> an ever enlarging bottomless rabbit hole with no positive 
>> outcomes/solutions beyond losing weeks of free-time from my life.  
>> That's where it got left.
>>
>> Trying to be a responsible citizen, but the trail just doesn't seem 
>> to exist unless one is quite conversant in IPV6.  Opted to spend time 
>> learning how to build Stratum 1 time servers for my LAN and ham radio 
>> use, way more fun.
>>
>> Peter Sprague MSc.
>> GeoVision Environmental Informatics
>> peter.sprague at geovisionenvironmental.ca
>> 250-412-3444 Victoria
>>
>> On 2022-12-09 15:59, Craig Miller wrote:
>>> Thanks Mark,
>>>
>>> I have had to give my response some thought. My first response is 
>>> kind of snarky, and goes like this:
>>>
>>> "Wow, a guy who 10 years after world IPv6 launch day, decides to 
>>> configure one machine for IPv6, and discovers that others also have 
>>> been slow to enable IPv6"
>>>
>>> But a kinder response, would be:
>>>
>>> Yes, there are many services which do not yet support native IPv6. 
>>> And therefore it is best practice to use a transition mechanism such 
>>> as DNS64/NAT64 so that IPv6 machines can communicate with IPv4-only 
>>> machines. There are even public DNS64 and NAT64 services, so that 
>>> you don't have to implement them yourself, if you don't mind sending 
>>> your traffic through them.
>>>
>>> More people should consider enabling IPv6 on their servers and home 
>>> networks so when "9dev" tries his experiment again in another 10 
>>> years, there will be more for him to see online </snark>
>>>
>>> My 2 cents,
>>>
>>> Craig....
>>>
>>>
>>> On 12/7/22 09:47, Mark G. wrote:
>>>> Hi Everybody,
>>>>
>>>> Since we are all familiar with IPv6, I thought this
>>>> discussion on Hacker News might interest some of
>>>> us.
>>>>
>>>> https://news.ycombinator.com/item?id=33894933
>>>>
>>>> Some highly charged opinions abound.
>>>>
>>>> Here's the preamble:
>>>>
>>>> "Our Hosting provider, Hetzner, has recently started charging for 
>>>> public IPv4 addresses - as they should! Those numbers started 
>>>> getting expensive. This prompted me to try and set up a new server 
>>>> cluster using IPv6 exclusively, and see how far I could get before 
>>>> having to give in and purchase an additional v4 address.
>>>>
>>>> The experiment ended much sooner than I had anticipated. Some of 
>>>> the road blocks I hit along the way:
>>>>
>>>>   - The GitHub API and its code load endpoints are not reachable 
>>>> via IPv6, making it impossible to download release artefacts from 
>>>> many projects, lots of which distribute their software via GitHub 
>>>> exclusively (Prometheus for instance).
>>>>   - The default Ubuntu key servers aren't reachable via IPv6, 
>>>> making it difficult to install packages from third-party 
>>>> registries, such as Docker or Grafana. While debugging, I noticed 
>>>> huge swaths of the GPG infrastructure are defunct: There aren't 
>>>> many key servers left at all, and the only one I found actually 
>>>> working via IPv6 was pgpkeys.eu.
>>>>   - BitBucket cannot deploy to IPv6 hosts, as pipelines don't 
>>>> support IPv6 at all. You can self-host a pipeline runner and 
>>>> connect to it via v6, BUT it needs to have a dual stack - otherwise 
>>>> the runner won't start.
>>>>   - Hetzner itself doesn't even provide their own API via IPv6 
>>>> (which we talk to for in-cluster service discovery). Oh, the irony.
>>>>
>>>> It seems IPv6 is still not viable, more than a decade after launch. 
>>>> Do you use it in production? If so, how? What issues did you hit?"
>>>>
>>>>
>>
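
Added example, not part of the original thread: the DNS64/NAT64 mechanism mentioned in Craig's reply relies on the RFC 6052 address mapping, shown here in both directions so that NAT64 destinations in a firewall log can be traced back to the IPv4 host actually contacted. The function names and the sample log destinations are constructed for illustration.

```python
import ipaddress

WELL_KNOWN = "64:ff9b::/96"          # RFC 6052 well-known NAT64 prefix
ALLOWED = (32, 40, 48, 56, 64, 96)   # prefix lengths RFC 6052 permits
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def synthesize(v4, prefix=WELL_KNOWN):
    """Build the AAAA address a DNS64 resolver returns for an A record."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED:
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for byte in ipaddress.IPv4Address(v4).packed:
        if pos == 8:                 # octet 8 is reserved (zero); skip over it
            pos += 1
        out[pos] = byte
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(v6, prefix=WELL_KNOWN):
    """Recover the embedded IPv4 address, or None if v6 is outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if net.prefixlen not in ALLOWED or addr not in net:
        return None
    raw, pos, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos != 8:                 # same reserved octet, skipped when reading
            v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))

def audit(destinations):
    """Map logged IPv6 destinations to the IPv4 host reached via the well-known prefix."""
    report = {}
    for dest in destinations:
        v4 = extract(dest)
        if v4 is not None:
            # RFC 6052 forbids RFC 1918 addresses behind the well-known prefix
            flag = "rfc1918" if any(v4 in n for n in RFC1918) else "ok"
            report[dest] = (str(v4), flag)
    return report

if __name__ == "__main__":
    # Constructed sample destinations, not taken from the thread
    log = ["64:ff9b::c000:221", "2001:db8::1", "64:ff9b::a00:1"]
    for dest, result in audit(log).items():
        print(dest, "->", result)
```
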