Post AoLU4gGXVEKoZCm0Aq by kmj@mastodon.ctseuro.com
 (DIR) Post #AoLMHYMtNTH2CjN7Q0 by kmj@mastodon.ctseuro.com
       2024-11-23T19:06:24Z
       
       0 likes, 0 repeats
       
       While trying to add all mobiles into the home LAN #IPv6 it comes out that LineageOS/Android only supports #SLAAC and not #DHCPv6. :-( Looks like we will keep the mobiles on #IPv4 till there is a solution. I want full control over addressing clients so SLAAC is no option in the LAN. Otherwise I would need an extra VLAN for mobiles activating SLAAC within this VLAN. Not good.
       
 (DIR) Post #AoLO1WaqPPtLyTNmWe by goetz@chaos.social
       2024-11-23T19:25:54Z
       
       0 likes, 0 repeats
       
       @kmj SLAAC and #IPv6only is the way to go for mobile devices. For what do you need designated addresses? As the best practice is that they use temp addresses anyway.
       
 (DIR) Post #AoLPvU0vHn0c94pMyO by kmj@mastodon.ctseuro.com
       2024-11-23T19:47:15Z
       
       0 likes, 0 repeats
       
       @goetz @lucasmz I need some static addresses for the devices to be able to control them in the firewall, especially who is allowed to route out via different VPNs and more. Furthermore how do you send all the options, dns, ntp, sip stuff, ... with SLAAC. Building it up with dhcpv6 is more work, but you also get more security, finding not allowed clients in the net aso. SLAAC is ok in public nets where everybody is allowed to do the same, but nothing for my requirements.
       
 (DIR) Post #AoLQeiOydeKznfeAl6 by kmj@mastodon.ctseuro.com
       2024-11-23T19:55:25Z
       
       0 likes, 0 repeats
       
       @lucasmz @goetz I run HA pfsense with OSPF routing here. Have a /48 at another location, routing a /64 to here, using 2 /64 for the HA routing. This all works great and you know which addresses are inside your net. Unsure about the static possibility in SLAAC. Never was going too deep in it because I miss things I want here. And I want to manage my networks the way I decided to do it. So it's really bad Android is that buggy with IPv6 and missing dhcpv6 support.
       
 (DIR) Post #AoLRSG1SQUqwGKGlbE by goetz@chaos.social
       2024-11-23T20:04:22Z
       
       0 likes, 0 repeats
       
       @kmj @lucasmz You can only control the whole /64 subnet per routing. The devices get their configuration with the RA / RDNSS or with stateless #DHCPv6, but no static addresses for mobile devices, as it is best practice using temp addresses. Monitoring should happen with Neighbor Discovery and also implement RA Guard etc. https://academy.ripe.net/enrol/index.php?id=12
       
 (DIR) Post #AoLU4gGXVEKoZCm0Aq by kmj@mastodon.ctseuro.com
       2024-11-23T20:33:44Z
       
       0 likes, 0 repeats
       
       @goetz @lucasmz Still means you can not create firewall rules for different mobile devices and to solve the requirements one must stay on IPv4. Otherwise you would need a vlan per required rule or some other dirty unmanageable solution. Sad but one has to accept that and hope for linux on mobile. Already had a cool ubports setup on a fairphone but had to go back to lineageos because there was no device encryption available and an unencrypted device is a no go.
       
 (DIR) Post #AoLVIjWsGXyIhFg7k0 by litchralee_v6@ipv6.social
       2024-11-23T20:47:25Z
       
       0 likes, 0 repeats
       
       @kmj @goetz @lucasmz I can understand a need to pass DHCP options -- except DNS, since RDNSS exists now -- but the security aspect would suggest already having the ability to monitor unexpected L2 traffic, such as for uninvited devices. But in that case, that same capability would also be sufficient to discover SLAAC self-assigned addresses, even when privacy extensions are enabled. SDN does exactly this, coupled with per-user VLANs, but that's a bit much. Are you sure DHCPv6 is indicated here?
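
Added example, not part of the thread: a sketch of the neighbor-table monitoring the posts above refer to, grouping the SLAAC addresses a router has learned by MAC address and flagging MACs that are not in an inventory. The `ip -6 neigh show` output, the interface name `lan0`, the MAC addresses and the inventory are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -6 neigh show` output (documentation prefix, made-up MACs).
SAMPLE_NEIGH = """\
2001:db8:10:1:3d5c:91ff:2a10:77e4 dev lan0 lladdr 02:00:5e:10:00:01 REACHABLE
2001:db8:10:1:f4a1:8c2b:66d0:1b9e dev lan0 lladdr 02:00:5e:10:00:01 STALE
fe80::5eff:fe10:1 dev lan0 lladdr 02:00:5e:10:00:01 STALE
2001:db8:10:1:9c3e:11aa:42f0:1c55 dev lan0 lladdr 02:00:5e:10:00:99 REACHABLE
2001:db8:10:1::dead dev lan0 FAILED
fe80::1 dev lan0 lladdr 02:00:5e:10:00:fe router REACHABLE
"""

# Assumed inventory of permitted devices, keyed by MAC address (hypothetical names).
KNOWN_DEVICES = {"02:00:5e:10:00:01": "phone-a", "02:00:5e:10:00:fe": "router"}


def parse_neighbors(text):
    """Map each MAC address to the set of IPv6 addresses the router resolved for it."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # FAILED / INCOMPLETE entries carry no link-layer address: nothing to attribute.
        if "lladdr" not in fields:
            continue
        idx = fields.index("lladdr")
        if idx + 1 >= len(fields):
            continue
        try:
            addr = ipaddress.IPv6Address(fields[0])
        except ValueError:
            continue  # skip anything that is not an IPv6 neighbor line
        by_mac[fields[idx + 1].lower()].add(addr)
    return by_mac


def audit(text, known):
    """Split neighbors into known and unknown devices, listing their non-link-local addresses."""
    report = {"known": {}, "unknown": {}}
    for mac, addrs in parse_neighbors(text).items():
        routable = sorted(str(a) for a in addrs if not a.is_link_local)
        bucket = "known" if mac in known else "unknown"
        report[bucket][known.get(mac, mac)] = routable
    return report


if __name__ == "__main__":
    for bucket, devices in audit(SAMPLE_NEIGH, KNOWN_DEVICES).items():
        for name, addrs in devices.items():
            print(bucket, name, addrs)
```
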
       
 (DIR) Post #AoLgGhtuRrwYYwgndw by harald@mementomori.social
       2024-11-23T22:50:19Z
       
       0 likes, 0 repeats
       
       @kmj make firewall rules matching the mac address.
       
 (DIR) Post #AoOhItfbW466Mcx76e by kmj@mastodon.ctseuro.com
       2024-11-25T09:46:05Z
       
       0 likes, 0 repeats
       
       @lucasmz Fully degoogled but rooted here but will checkout for a foss dhcp6client. @goetz
       
 (DIR) Post #AoRb49st3GW22efB1U by kmj@mastodon.ctseuro.com
       2024-11-26T19:20:19Z
       
       0 likes, 0 repeats
       
       @lucasmz @goetz Too bad, this project is dead and LOS 21 needs another solution