My ISP does not provide IPv6, heh.
Tue Jan 16 2024 17:17:39 EST from IGnatius T Foobar
I'm actively thinking about how I want to set up my VPN mesh as I shuffle things around.
And yet ... I might not need it at all. I'm slowly coming to the realization that just about every location has IPv6 now. My hosting front end has IPv6, my home network has IPv6, and my smartphone is native IPv6 (from which it is derived that my laptop has IPv6 when I tether).
What are the reasons to use a VPN? Reachability and privacy. IPv6 solves the reachability issue, and just about every protocol has its own TLS encryption now anyway. So I might just go without!
Wouldn't that be the case for anyone who is behind a neighborhood NAT too? Or at your local coffee shop NAT.
At least effectively, since you can't get in from the outside.. ( or for us old timers, 'in thru the out door'... with luck you all get the reference )
Tue Jan 16 2024 18:24:52 EST from msgrhys
My ISP does not provide IPv6, heh.
2024-01-16 19:00 from Nurb432
Wouldn't that be the case for anyone who is behind a neighborhood NAT
too? Or at your local coffee shop NAT.
At least effectively, since you can't get in from the outside.. ( or
for us old timers, 'in thru the out door'... with luck you all get
the reference )
Chances are, people behind CG-NAT are actually connecting to the Internet over DS-Lite or a similar hellspawned invention.
In DS-Lite your routing gear connects to the ISP using IPv6 ONLY, then some router upstream gives you a NAT IPv4 tunnel to the outside world.
It's been a few years, as the 2nd day I moved to fiber I got my dedicated IP ( a previous story )
But I think I had both a v4 and v6 address. I know I had v4 as that is what I had/have set up for DNS, and of course it failed at first. Of course only visible to my neighbors ( I assume, I didn't test.. ) This "neighborhood NAT" stuff was new to me so I just called to complain and didn't play with it any. I guess I should add the v6 address too someday soon?
Wed Jan 17 2024 03:12:37 EST from darknetuser
In DS-Lite your routing gear connects to the ISP using IPv6 ONLY, then some router upstream gives you a NAT IPv4 tunnel to the outside world.
Still no IPv6 where I'm at (CableVision) unless you count anycast 6to4, which probably causes more problems than it's worth if you turn it on.
In DS-Lite your routing gear connects to the ISP using IPv6 ONLY, then
some router upstream gives you a NAT IPv4 tunnel to the outside world.
That's how my phone is connected. T-Mobile moved to an all-IPv6 network, with NAT64 at their network edge. Android handsets as well as their "home internet" gateways handle the NAT46 side internally. Apple devices have some horrifying thing embedded in the system libraries.
It's just fine for an access device, but I wouldn't want it at home if I wanted to run servers.
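The T-Mobile arrangement described above (NAT64 at the network edge, with the handset doing the IPv4-side translation itself) works because an IPv4 address can be embedded in an IPv6 /96 prefix the way RFC 6052 defines. The Python below is an added illustration, not code from this thread or from any carrier: it synthesizes the IPv6 form of an IPv4 destination, as a DNS64 resolver or the handset's translator would, and recovers the IPv4 address again, as the NAT64 gateway does. It uses the RFC 6052 well-known prefix 64:ff9b::/96; an operator may use a network-specific /96 instead, and the other prefix lengths the RFC allows are deliberately not handled. The addresses in the usage section are documentation addresses, not real hosts.

```python
import ipaddress
from typing import Optional

# RFC 6052 well-known prefix; a carrier may run NAT64 on its own /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix.

    This is what DNS64 does when it fabricates an AAAA record for a
    v4-only name, and what a host-side translator does for v4 literals.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse mapping performed by the NAT64 gateway: return the embedded
    IPv4 address, or None if the destination is native IPv6 (no translation)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


def route_decision(dest: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Summarize what happens to a packet leaving an IPv6-only access network."""
    v4 = extract(dest, prefix)
    if v4 is None:
        return f"{dest}: native IPv6, forwarded untouched"
    return f"{dest}: translated at NAT64 to IPv4 {v4} (shares the gateway's pool address)"


if __name__ == "__main__":
    # Constructed documentation addresses (RFC 5737 / RFC 3849), not real hosts.
    synthesized = synthesize("192.0.2.1")
    print(synthesized)                      # 64:ff9b::c000:201
    print(route_decision(synthesized))
    print(route_decision("2001:db8::1"))
```

The last line of `route_decision` is the reason for the "fine for an access device, not for servers" remark: every translated flow leaves the gateway from its shared pool address, so nothing inside can be addressed from the IPv4 side.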
Subject: DynV6: dynamic DNS for IPv6 done right!
Ok, this is cool. Dynamic DNS for IPv6 done right.
[ https://dynv6.com/ ]
It isn't just regular IPv6 DDNS. For starters, you can use any of their domains, or you can delegate one of your own (I'm using v6.citadel.org for example). But that's not the really cool part:
In your subdomain, you can put MAC addresses instead of IPv6 addresses for all of your hosts. This assumes, of course, that you're using EUI64 SLAAC addressing. Now, if your dynamic IPv6 prefix changes, you only have to make ONE API CALL to their service, and it updates ALL of your AAAA records.
So now you don't need to have a dynamic DNS client on every machine! As long as they're using EUI64 SLAAC addressing, everything changes at once.
I enrolled a couple of my machines plus my printer, which can't run a DDNS client because it's a printer.
And as an added bonusfest, they open sourced the whole thing, so you can run it yourself if you don't want to use theirs.
Subject: Re: DynV6: dynamic DNS for IPv6 done right!
2024-02-08 23:25 from IGnatius T Foobar
Subject: DynV6: dynamic DNS for IPv6 done right!
This brings the question: how are the big boys dealing with assigning names and DNS entries to IPv6-connected hosts?
Because the obvious answer would be to grant a static IPv6 lease to each host and then create a static DNS entry for it, but that kind of defeats the purpose of IPv6 and it does not sound like it scales much.
Also, since your available IPv6 addresses depend on your ISP, if your ISP is one of those that rotates your prefix then you can't even do static.
Subject: Re: DynV6: dynamic DNS for IPv6 done right!
My prefix hasn't changed since I started using it, except at the very beginning when I deliberately released it to see if I'd get the same one back the next time (I didn't).
Other than that, residential access providers are doing the same thing for IPv6 that they did for IPv4: your addresses are dynamic, there is no DNS integration, and if you want static addresses you ought to be paying for commercial grade service anyway.
The problem, of course, is that it's troublesome to have your entire internal network get renumbered when the prefix changes. This means you could potentially end up using NAT66, which is monumentally stupid, but at least you still get a 1:1 Static NAT for each host instead of shoving everything through a single address. But it's still better than the dimbulbs who run the network at ${dayjob} who thought it was a good idea to SNAT all outbound IPv6 traffic through a single address. They haven't figured out that it's a bad idea to apply IPv4 practices to IPv6, that there's more to IPv6 than simply a bigger address space. These are the same dimbulbs who think that it's fine to assign a /120 to a hosting network because it's the same number of addresses as an IPv4 /24, and that's generous, right? They haven't figured out that SLAAC (1) *works* and (2) makes cloud scale deployment easier to manage. They're stuck in the data center of 2011.
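The DynV6 trick described earlier in this thread (MAC addresses in the zone, one API call after a prefix change) and the renumbering complaint in the post above rest on the same arithmetic: with EUI-64 SLAAC a host's address is the /64 prefix plus an interface identifier derived from its MAC, so only the prefix half ever changes. The Python below is an added illustration, not DynV6's code or anything posted in this thread. It derives the modified EUI-64 identifier as RFC 4291 Appendix A specifies, builds addresses for a constructed set of hosts, and checks that renumbering to a new prefix leaves every suffix intact; it also refuses prefixes longer than /64, which is exactly why a /120 cannot carry SLAAC. The host names, MACs and prefixes are made up (documentation prefix from RFC 3849).

```python
import ipaddress
from typing import Dict

# Constructed inventory: hostname -> MAC. A real deployment would load this
# from the DHCP/neighbor tables or an asset database.
HOSTS = {
    "laptop":  "00:11:22:33:44:55",
    "printer": "00:11:22:aa:bb:cc",
}


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): split the 48-bit MAC, insert 0xfffe,
    and flip the universal/local bit (the 0x02 bit of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # The first octet occupies bits 63..56, so its 0x02 bit is bit 57 of the 64-bit id.
    return int.from_bytes(eui, "big") ^ (1 << 57)


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix (/64) + EUI-64 interface id, i.e. the address the host configures itself."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        # SLAAC's interface identifier is 64 bits wide; a /120 leaves no room for it.
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def build_zone(prefix: str, hosts: Dict[str, str]) -> Dict[str, str]:
    """AAAA data for every host under one prefix: the DNS side of 'one call renumbers all'."""
    return {name: slaac_address(prefix, mac) for name, mac in hosts.items()}


def suffixes_unchanged(old_zone: Dict[str, str], new_zone: Dict[str, str]) -> bool:
    """True when renumbering changed only the top 64 bits of every address."""
    low64 = lambda a: int(ipaddress.IPv6Address(a)) & ((1 << 64) - 1)
    return all(low64(old_zone[n]) == low64(new_zone[n]) for n in old_zone)


if __name__ == "__main__":
    before = build_zone("2001:db8:1:2::/64", HOSTS)       # current delegated prefix
    after = build_zone("2001:db8:ffff:42::/64", HOSTS)    # the ISP rotated the prefix
    for name in HOSTS:
        print(f"{name:8} {before[name]:36} -> {after[name]}")
    print("suffixes unchanged:", suffixes_unchanged(before, after))
```

The flip side for a defender: an EUI-64 suffix is a stable, MAC-derived identifier that follows the device across every prefix it ever sits behind, which is the reason privacy extensions (RFC 4941 temporary addresses) exist and the reason the DynV6 scheme only works for hosts that do not use them.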
Not a lot of details yet, but just today found out that if you install most current docker.ce on Debian ( and I think Ubuntu ) it modifies your routing and in the process kills internet access for your host. But local network still functions fine ( might kill DNS too, I have mine off my router so it still worked )
Not just me, I see others asking what the hell is up too.
Not yet looked to see what is going on.. but removed it, and networking is back. I guess now I have a task for Sunday.
Grrrr
2024-03-02 13:41 from Nurb432
Not a lot of details yet, but just today found out that if you
install most current docker.ce on Debian ( and I think Ubuntu ) it
modifies your routing and in the process kills internet access for
your host. But local network still functions fine ( might kill DNS
too, I have mine off my router so it still worked )
That is something that always irked me the wrong way about tools that deal with namespaces. They don't isolate your application: they run the application in a virtual environment with its own rules.
Which means if you have a firewall set up, and then start some application inside of a firejail, you may later discover that your firejailed application has a different firewall configuration than the rest of the host because its virtual environment comes with a wildly different configuration.
I know it is not exactly the same case, but I can't stop noticing the similarities: install some sandboxing tool, have the sandboxing cause unintended consequences in your network configuration.
I personally prefer to set the default network to something unused and then create my containers in a bridge network so they share the address space of the underlying network. The only problem is that they can communicate with other containers and with the host network, but not with the host itself.
Supposedly this was done deliberately to prevent rogue containers from breaking out of their jails.
What is odd is, I blew away the box last night.. Set up PVE on it so I could play with this on VMs to make it easier to work with. ( snapshots and such between me dinking around with stuff )
The first test VM is working like it should be.. grrrr Well, after I loaded the correct version of Debian on. Seems I can't read.. I installed the previous version the first round and didn't notice until I tried to install it " bla bla library version isn't available.. DOH" . I keep an old ISO around just in case..
I also noticed if I install lxde on a PVE host it does the same thing, routing to the outside is hosed.. but not if I install xfce4. lxde has some extra network management stuff it installs.. a pattern at least.
I also noticed if I install lxde on a PVE host it does the same
thing, routing to the outside is hosed.. but not if I install xfce4.
lxde has some extra network management stuff it installs.. a
pattern at least.
Why would you install a desktop environment on a PVE Host? You are not supposed to run services directly on the metal.
Standalone development machine. Just enough to get a browser to work.
Yes, an exception, not a rule.
Wed Mar 06 2024 04:16:46 EST from darknetuser
I also noticed if I install lxde on a PVE host it does the same
thing, routing to the outside is hosed.. but not if I install xfce4.
lxde has some extra network management stuff it installs.. a
pattern at least.
Why would you install a desktop environment on a PVE Host? You are not supposed to run services directly on the metal.
It's tempting just out of curiosity.
I also noticed if I install lxde on a PVE host it does the same
thing, routing to the outside is hosed.. but not if I install xfce4.
lxde has some extra network management stuff it installs.. a
pattern at least.
On my machine, LXC containers are bridged to the host network on br0, br1, and br2. br0 is the untagged network. When I installed Docker it created a non-empty iptables configuration and LXC stopped working. My workaround for now is probably a bit too broad, but it works:
iptables -A FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -o br0 -j ACCEPT
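The workaround above appends blanket ACCEPT rules to the FORWARD chain. As an added illustration (not code from this thread or from Docker), the Python below parses `iptables -S` style output, reports whether traffic entering or leaving a given bridge would still be forwarded once Docker has set the FORWARD policy to DROP, and emits the same two allow rules placed in the DOCKER-USER chain, which Docker's documentation designates for administrator rules that are evaluated ahead of Docker's own. The rule listing is constructed to approximate a freshly installed Docker and was not captured from anyone's machine; the evaluation is a deliberate simplification that looks only at -i/-o interface matches, jump targets and unconditional terminators, not at every match extension iptables supports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed listing approximating `iptables -S` right after Docker starts:
# policy flipped to DROP, Docker's own chains present, DOCKER-USER still empty.
SAMPLE_AFTER_DOCKER = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
"""


@dataclass
class Chain:
    policy: Optional[str] = None
    rules: List[str] = field(default_factory=list)


def parse_chains(text: str) -> Dict[str, Chain]:
    """Turn -P/-N/-A lines into {chain: Chain}, preserving rule order."""
    chains: Dict[str, Chain] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"-P (\S+) (\S+)$", line):
            chains.setdefault(m.group(1), Chain()).policy = m.group(2)
        elif m := re.match(r"-N (\S+)$", line):
            chains.setdefault(m.group(1), Chain())
        elif m := re.match(r"-A (\S+) (.+)$", line):
            chains.setdefault(m.group(1), Chain()).rules.append(m.group(2))
    return chains


def _walk(chains: Dict[str, Chain], name: str, bridge: str) -> Optional[bool]:
    """Evaluate one chain in order for traffic on `bridge`.
    Returns True (ACCEPT), False (DROP/REJECT) or None (no verdict in this chain)."""
    on_bridge = re.compile(rf"(?<!! )-[io] {re.escape(bridge)}(?=\s|$)")  # '! -o br0' is a negation
    for rule in chains.get(name, Chain()).rules:
        if "-j " not in rule:
            continue
        target = rule.rsplit("-j ", 1)[1]
        unconditional = rule == f"-j {target}"
        if target in ("ACCEPT", "DROP", "REJECT") and (unconditional or on_bridge.search(rule)):
            return target == "ACCEPT"
        if target == "RETURN" and unconditional:
            return None                      # back to the caller, nothing below is reached
        if target in chains and unconditional:
            verdict = _walk(chains, target, bridge)   # e.g. the jump into DOCKER-USER
            if verdict is not None:
                return verdict
    return None


def bridge_is_forwarded(text: str, bridge: str) -> bool:
    """Would a frame entering or leaving `bridge` survive the FORWARD chain in this listing?"""
    chains = parse_chains(text)
    if "FORWARD" not in chains:
        return True
    verdict = _walk(chains, "FORWARD", bridge)
    return verdict if verdict is not None else chains["FORWARD"].policy == "ACCEPT"


def docker_user_rules(bridge: str) -> List[str]:
    """Same allow-both-ways rules as the workaround above, placed where Docker expects
    administrator rules. -I prepends, so they land ahead of the RETURN Docker leaves there."""
    return [f"iptables -I DOCKER-USER -i {bridge} -j ACCEPT",
            f"iptables -I DOCKER-USER -o {bridge} -j ACCEPT"]


def apply_rules_to_listing(text: str, bridge: str) -> str:
    """Simulate the effect of docker_user_rules() on the -S listing so the check can be rerun."""
    lines = text.splitlines()
    first = next((i for i, l in enumerate(lines) if l.startswith("-A DOCKER-USER ")), len(lines))
    # Two -I commands: the one inserted last ends up first.
    inserted = [f"-A DOCKER-USER -o {bridge} -j ACCEPT", f"-A DOCKER-USER -i {bridge} -j ACCEPT"]
    return "\n".join(lines[:first] + inserted + lines[first:]) + "\n"


if __name__ == "__main__":
    for bridge in ("br0", "docker0"):
        print(bridge, "forwarded after Docker install:", bridge_is_forwarded(SAMPLE_AFTER_DOCKER, bridge))
    print("\n".join(docker_user_rules("br0")))
    print("br0 forwarded after fix:", bridge_is_forwarded(apply_rules_to_listing(SAMPLE_AFTER_DOCKER, "br0"), "br0"))
```

Two caveats for anyone reproducing this. First, bridged frames on br0 were probably not passing through the FORWARD chain at all before Docker arrived; Docker's bridge driver enables bridge netfilter (bridge-nf-call-iptables), and from then on the host's FORWARD policy applies to LXC's bridged traffic too, which is why a DROP policy it never had before suddenly matters. Second, the DOCKER-USER rules are exactly as broad as the originals: anything arriving on or leaving via br0 is accepted, including traffic to and from Docker's own bridges, so tighten them with source/destination matches if the LXC segment is not meant to reach the containers.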
Why would you install a desktop environment on a PVE Host? You are not
supposed to run services directly on the metal.
I'd be more interested in running a desktop environment inside an LXC container.
Can you do that? Yes I know, you're not supposed to do that, but I wonder if it's possible.
I don't see why you couldn't. I was going to try it before I posted an answer, but of course the damned network was hosed on the container I just created. ( grr! ) and I don't have time to f- with it. Not sure 100% how the video would work on console, but you can always install xrdp, x2goserver ( my preference for remote desktop access ), or even VNC.
For what it's worth - Reason I had the 'minimal desktop' on the host was so it was 100% standalone/portable, but with the option to use PVE backup server across VPN. I can use the native browser to get spice/vnc sessions, remote Xterm, or just ssh, to access desktops in a VM. And the browser to manage the host. And no, I don't normally do that. This was an exception case as it needed to be portable and still have access to my backups, tho I have heard of people doing it on a regular basis. But I would think virt-manager + kvm would be better in most cases.
Tue Mar 12 2024 09:04:57 EDT from IGnatius T Foobar
I'd be more interested in running a desktop environment inside an LXC container.
Can you do that? Yes I know, you're not supposed to do that, but I wonder if it's possible.