Post AitGfWvHmQJC4TaQOO by selea@social.linux.pizza
 (DIR) Post #AitGfVmO21b0WaPnsm by Szwendacz@social.linux.pizza
       2024-06-13T14:41:36Z
       
       0 likes, 0 repeats
       
       I have now fully set up IPv4/IPv6 dual stack for my devices, my VPS servers, and for my k8s cluster (using "public" IPv6 ranges). Only postfix (in k8s) is currently configured to use just IPv4, since mail servers rather reject mails from an IP without a PTR DNS record. #networking #homelab #selfhosted
       
 (DIR) Post #AitGfWvHmQJC4TaQOO by selea@social.linux.pizza
       2024-06-13T16:31:03Z
       
       0 likes, 0 repeats
       
       @Szwendacz A common mistake when doing IPv6, since IPv6 does not use NAT - firewalling is crucial.
       
 (DIR) Post #AitGmsvkM5cmLxJEQ4 by Szwendacz@social.linux.pizza
       2024-06-13T16:32:24Z
       
       0 likes, 0 repeats
       
       @selea what mistake?
       
 (DIR) Post #AitGstL7kKxZMO2kca by selea@social.linux.pizza
       2024-06-13T16:33:29Z
       
       0 likes, 0 repeats
       
       @Szwendacz Forgetting that there is no NAT with IPv6, compared to IPv4. So your router will, by default, let all the traffic through (in most cases).
       
 (DIR) Post #AitH8DvpT4nHZKWTj6 by Szwendacz@social.linux.pizza
       2024-06-13T16:36:17Z
       
       0 likes, 0 repeats
       
       @selea Yeah, I did not forget, and my setup is very custom. I basically tunnel IPv6 through a VPN, and on the way to the k8s there is more than one firewall in whitelist mode, not counting the NetworkPolicy objects in k8s itself.
       
 (DIR) Post #AitHe502DGfV8IgDyq by selea@social.linux.pizza
       2024-06-13T16:42:01Z
       
       0 likes, 0 repeats
       
       @Szwendacz I did not say that you did not think of it, I have seen so many people implement IPv6 and expose their entire internal network because of that. x) What do you use to tunnel to your kubernetes-cluster?
       
 (DIR) Post #AitHkeW14x5D1Lm0ps by Szwendacz@social.linux.pizza
       2024-06-13T16:43:14Z
       
       0 likes, 0 repeats
       
       @selea My "network infrastructure" stack is wireguard + nftables.
       
 (DIR) Post #AitIYOKzVAirKEKkoi by selea@social.linux.pizza
       2024-06-13T16:52:11Z
       
       0 likes, 0 repeats
       
       @Szwendacz Oh I meant if you used some "pre-packaged" solution?
       
 (DIR) Post #AitJ4iHOtQamRQ4BRg by Szwendacz@social.linux.pizza
       2024-06-13T16:58:02Z
       
       0 likes, 0 repeats
       
       @selea No, both wireguard and nftables configs are handmade. That is probably partially due to the fact that this setup was slowly evolving from a very simple setup to this current thing. Also, I am not sure what tools would let me do every trick and config I did there, while being easy to understand and verify. Only the k8s is simplified for me by using k3s.