I am amazed at the technical depth of the people in this forum. So, after doing some research and not finding what I expected, I’m going to see if some of you might know.
My ISP fully supports IPv6. Even to the extent that they provide me my own subnet to use as I please. This got me to thinking that I could save a lot of hassle by transitioning fully to IPv6 in my house. That turned out to be a bad idea since my Roku doesn’t support IPv6 at all (I don’t know about the Tablo).
The Roku discovery turned the rest of this into more of a theoretical exercise but I only learned about it after doing quite a bit of research into commercial home firewall/routers and discovering that when it comes to IPv6, they all suck.
I’ve got an old Lynksys (don’t have the model number handy) that claims IPv6 support. It does work in so much as it gets the IPv6 address from the ISP and also properly propagates the IPv6 prefix (IPv6 version of a subnet) to my internal systems. The Windows 10, FreeBSD, Linux, and MacOS systems all correctly auto-configure with the prefix (yay!). Nice easy setup.
This leads to a new challenge. With IPv4 we use PAT (called NAT in the router config) to pass ports inbound through the firewall and can configure filters to restrict outbound traffic on IPv4. However, IPv6 doesn’t need NAT, my internal IPv6 addressing is fully routeable. And, guess what. It all routes properly.
Sounds good, right? Except this also means that an outsider can connect via IPv6 to all of my internal systems as if there was no firewall to protect them. Why? Because there isn’t. The Lynksys has no IPv6 filtering capabilities (at least nothing in the config interface to let me). Admittedly it is now many years old.
So, I looked at newer options. The Lynksys firmware hasn’t improved any. Even newer models still don’t appear to have any way to write firewall rules for IPv6 (from what I could find on the websites). The Archer C7 and C8 also support IPv6 and likewise don’t seam to have any way to filter and do all the things that a firewall should do.
Does anyone know of a reasonable firewall with integrated switch and WiFi AP that actually firewalls IPv6?
They have IPv6 clients and servers. Some models have 802.11ac. And VPN server.
The one I used was the RV134 in Seattle, the router had both, IPv4 and IPv6 assigned to it and served as a IPv6 DHCP server on the LAN as well.
I am not affiliated in any way with Cisco, just my own preference.
@eek@lbarouf
I am a disabled vet learning all I can about this technical revolution we live in and will except any advice on this. ASUS RT AC68 U Router
For IPv6 my router has the choice for pass-through, disable or 6 to 4 tunnel which one should I choose or just use IPv4 only?
@Tom_C IPs are similar to phone numbers. The fact that we were running out of public IPs using IPv4, they created these very long IPv6 addresses. For your private LAN, I see no advantage of using IPv6. Nonewhatsoever. Your modem would get an IP from the provider. May it be IPv4 or IPv6, I see no real advantage. It’s like a line out in an office. If you don’t plan on receiving calls, what do you care what phone number you are using to call out? In short, unless you run web servers, mail servers, or some internet accessible service, IPv4 is just fine. I would disable IPv6 from the Modem, router and machines. Having an extra protocol does no good if unused.
If you want to know what the other options do, pass-through will have the modem send the PUBLIC ip assignment to one of the devices. So, say you have a modem, and router plugged into it. The IP would go to your router. As for the teredo tunnel, aka 4to6… it converts IPv6 traffic to IPv4, and the reverse. So in case you get on a IPv6 network only, your older not IPv6 agnostic machine can still talk to the network.
In short, disabled is the best, it won’t bring any performance nor features that I can think of.
My modem and router are both ipv6 compatible, and my ISP, COX, has a dual network that’s using both ipv4 and ipv6, but I’m still using ipv4… no compelling reason to switch as long as ipv4 is supported, and it probably will be for a good while yet.
I haven’t heard of them before. Looks more like enterprise level gear. If I were going to that level, I would probably go with Sonicwall or Cisco gear.
Although, there are some very interesting WiFi devices on the Ubiquiti website. I can’t make use of them at home, but definitely interesting.
@PiX64 Might be an overkill. I have tried their backhaul and mesh solutions back when they launched. I chose Orinoco in the end. The consumer products I never looked at. I see they now have wall outlet APs, I like that idea, POE, wireless and wired. Neat product.
ive been running the USG with 2 unifi APACPRO access points for some time (after my pfsense needed an upgraded and I decided that the USG was worth the price compared to building a new pfsense box) and all is well. Great speed, event better coverage, app for management, etc.
The wireless backhaul used on a mesh is sorta… why? I mean if you have the ability to wire multliple access points that work together to create a larger network, is really the same thing. I mean the MESH is primarily used for backhaul communication over the air. The orbi for example has a dedicated 5ghz radio specifically for satellite orbi to orbi router data transfer.