this post was submitted on 29 Oct 2024
14 points (100.0% liked)

Selfhosted

40113 readers
799 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey fellow self-hosting lemmoids

Disclaimer: not at all a network specialist

I'm currently setting up a new home server in a network where I'm given GUA IPv6 addresses in a 64 bit subnet (which means, if I understand correctly, that I can set up many devices in my network that are accessible via a fixed IP to the oustide world). Everything works so far, my services are reachable.

Now my problem is, that I need to use the router provided by my ISP, and it's - big surprise here - crap. The biggest concern for me is that I don't have fine-grained control over firewall rules. I can only open ports in groups (e.g. "Web", "All other ports") and I can only do this network-wide and not for specific IPs.

I'm thinking about getting a second router with a better IPv6 firewall and only use the ISP router as a "modem". Now I'm not sure how things would play out regarding my GUA addresses. Could a potential second router also assign addresses to devices in that globally routable space directly? Or would I need some sort of NAT? I've seen some modern routers with the capability of "pass-through" IPv6 address allocation, but I'm unsure if the firewall of the router would still work in such a configuration.

In IPv4 I used to have a similar setup, where router 1 would just forward all packets for some ports to router 2, which then would decide which device should receive them.

Has any of you experience with a similar setup? And if so, could you even recommend a router?

Many thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] robber@lemmy.ml 1 points 1 week ago (1 children)

And openwrt is capable enough?

Yeah it's insane right? Every address is reachable when I open a port range. And it's like there are ~ 10 predefined services (HTTP/S, SMTP, ...) and the category "All other ports" where also 22 is part of. So I really have the choice to either keep everything shut or leave everything wide open.

I think I can't use my own modem but I'll have to double check with my ISP. But yes the Wi-Fi is also provided by that router and it's also quite crappy.

[–] maxwellfire@lemmy.world 2 points 1 week ago* (last edited 1 week ago) (1 children)

Yeah openwrt should be great. It uses nftables as a firewall on a Linux distribution. You can configure it through a pretty nice ui, but you also have ssh access to configure everything directly if you want.

The challenge is going to be what the ISP router supports. If it supports bridge mode then things are easy. You just put your router downstream of it and pretend like it's a modem. Then you configure openwrt like it's the only router in the network. This is the opposite of what you've suggested, using the upstream ISP router in pass through and relying on the openwrt router to get the ipv6 GUA prefix. (You might even be able to get a larger prefix delegated if you set the settings to ask for it)

If you don't have bridge mode then things are harder. There's some helpful information here https://forum.openwrt.org/t/ipv6-only-slaac-dumb-aps/192059/19 even though the situation is slightly different since they also don't want a firewall. But you probably need to configure your upstream side on the openwrt router similarly.

Also looking more, the tplink ax55 isn't supported by openwrt. If you don't already have it, I'd get something that does. (Or if the default software on the ax55 supports what you want, that's fine too. I just like having the full control openwrt and similar gives)

[–] robber@lemmy.ml 1 points 1 week ago

That's really helpful, thank you. I've ordered an AX23 which will arrive tomorrow. I'll try to figure it out in the next few days and report back.