Chaining routers and GUA IPv6 addresses
Chaining routers and GUA IPv6 addresses
Hey fellow self-hosting lemmoids
Disclaimer: not at all a network specialist
I'm currently setting up a new home server in a network where I'm given GUA IPv6 addresses in a 64 bit subnet (which means, if I understand correctly, that I can set up many devices in my network that are accessible via a fixed IP to the oustide world). Everything works so far, my services are reachable.
Now my problem is, that I need to use the router provided by my ISP, and it's - big surprise here - crap. The biggest concern for me is that I don't have fine-grained control over firewall rules. I can only open ports in groups (e.g. "Web", "All other ports") and I can only do this network-wide and not for specific IPs.
I'm thinking about getting a second router with a better IPv6 firewall and only use the ISP router as a "modem". Now I'm not sure how things would play out regarding my GUA addresses. Could a potential second router also assign addresses to devices in that globally routable space directly? Or would I need some sort of NAT? I've seen some modern routers with the capability of "pass-through" IPv6 address allocation, but I'm unsure if the firewall of the router would still work in such a configuration.
In IPv4 I used to have a similar setup, where router 1 would just forward all packets for some ports to router 2, which then would decide which device should receive them.
Has any of you experience with a similar setup? And if so, could you even recommend a router?
Many thanks!
Not a professional networking guy either but here's my opinion.
What I would do is use the ISP router as is, open all ports on it (except to itself, hopefully it doesn't do that...), and put a firewall in between the router and everything else that controls the actual access to everything behind it (in bridge mode between the two network interfaces of the firewall, so you only have the one network).
Could a potential second router also assign addresses to devices in that globally routable space directly?
Devices in IPv6 assign addresses themselves via SLAAC, you just need one device advertising the prefix which the ISP router should already do. The firewall should be able to just purely be there for packet filtering. If you need fixed addresses for public facing servers I would just assign them manually to the respective boxes as you likely also need to add them to public DNS manually anyway.
Thank you! Do you have an example for such a firewall device? Could something like the TP-Link Archer AX55 in IPv6 "pass-through" mode do the job? Or would you go for a standalone firewall? My budget is around a hundret bucks.
I'd recommend something that you can put openwrt or opnsense/pfsense on. I think the tplink archers support openwrt at least.
The ISP router opening things at a port level instead of a host level is kinda insane. Do they only support port forwarding? Or when you open a port range can you actually send packets from the WAN to any LAN address at that port.
Can you just buy your own modem, and then also use your own router? (If the reason you need the ISP router is that it also acts as a modem).
Does the ISP router also provide your WiFi? If it does you should definitely go with a second router/access point and then disable the one on the ISP router.
Most computers with (at least) two network interfaces will do. If it's something too crappy your throughput will be limited by CPU speed but I can't tell you exact recommendations here. Here's OPNsense's hardware recommendations for example, they're not high at all. Off-the-shelf devices that allow you to do this should probably be fine too.
I'd put Linux on it and use nftables but BSD PF seems to be very popular for firewalls (OPNsense/pfSense are built on this) which I have never used so consider that too.