this post was submitted on 29 Oct 2024
14 points (100.0% liked)

Selfhosted

40183 readers
497 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey fellow self-hosting lemmoids

Disclaimer: not at all a network specialist

I'm currently setting up a new home server in a network where I'm given GUA IPv6 addresses in a 64 bit subnet (which means, if I understand correctly, that I can set up many devices in my network that are accessible via a fixed IP to the oustide world). Everything works so far, my services are reachable.

Now my problem is, that I need to use the router provided by my ISP, and it's - big surprise here - crap. The biggest concern for me is that I don't have fine-grained control over firewall rules. I can only open ports in groups (e.g. "Web", "All other ports") and I can only do this network-wide and not for specific IPs.

I'm thinking about getting a second router with a better IPv6 firewall and only use the ISP router as a "modem". Now I'm not sure how things would play out regarding my GUA addresses. Could a potential second router also assign addresses to devices in that globally routable space directly? Or would I need some sort of NAT? I've seen some modern routers with the capability of "pass-through" IPv6 address allocation, but I'm unsure if the firewall of the router would still work in such a configuration.

In IPv4 I used to have a similar setup, where router 1 would just forward all packets for some ports to router 2, which then would decide which device should receive them.

Has any of you experience with a similar setup? And if so, could you even recommend a router?

Many thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 2 weeks ago (2 children)

Thank you! Do you have an example for such a firewall device? Could something like the TP-Link Archer AX55 in IPv6 "pass-through" mode do the job? Or would you go for a standalone firewall? My budget is around a hundret bucks.

[–] [email protected] 3 points 2 weeks ago (1 children)

I'd recommend something that you can put openwrt or opnsense/pfsense on. I think the tplink archers support openwrt at least.

The ISP router opening things at a port level instead of a host level is kinda insane. Do they only support port forwarding? Or when you open a port range can you actually send packets from the WAN to any LAN address at that port.

Can you just buy your own modem, and then also use your own router? (If the reason you need the ISP router is that it also acts as a modem).

Does the ISP router also provide your WiFi? If it does you should definitely go with a second router/access point and then disable the one on the ISP router.

[–] [email protected] 1 points 2 weeks ago (1 children)

And openwrt is capable enough?

Yeah it's insane right? Every address is reachable when I open a port range. And it's like there are ~ 10 predefined services (HTTP/S, SMTP, ...) and the category "All other ports" where also 22 is part of. So I really have the choice to either keep everything shut or leave everything wide open.

I think I can't use my own modem but I'll have to double check with my ISP. But yes the Wi-Fi is also provided by that router and it's also quite crappy.

[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Yeah openwrt should be great. It uses nftables as a firewall on a Linux distribution. You can configure it through a pretty nice ui, but you also have ssh access to configure everything directly if you want.

The challenge is going to be what the ISP router supports. If it supports bridge mode then things are easy. You just put your router downstream of it and pretend like it's a modem. Then you configure openwrt like it's the only router in the network. This is the opposite of what you've suggested, using the upstream ISP router in pass through and relying on the openwrt router to get the ipv6 GUA prefix. (You might even be able to get a larger prefix delegated if you set the settings to ask for it)

If you don't have bridge mode then things are harder. There's some helpful information here https://forum.openwrt.org/t/ipv6-only-slaac-dumb-aps/192059/19 even though the situation is slightly different since they also don't want a firewall. But you probably need to configure your upstream side on the openwrt router similarly.

Also looking more, the tplink ax55 isn't supported by openwrt. If you don't already have it, I'd get something that does. (Or if the default software on the ax55 supports what you want, that's fine too. I just like having the full control openwrt and similar gives)

[–] [email protected] 1 points 2 weeks ago

That's really helpful, thank you. I've ordered an AX23 which will arrive tomorrow. I'll try to figure it out in the next few days and report back.

[–] [email protected] 2 points 2 weeks ago (1 children)

Most computers with (at least) two network interfaces will do. If it's something too crappy your throughput will be limited by CPU speed but I can't tell you exact recommendations here. Here's OPNsense's hardware recommendations for example, they're not high at all. Off-the-shelf devices that allow you to do this should probably be fine too.

I'd put Linux on it and use nftables but BSD PF seems to be very popular for firewalls (OPNsense/pfSense are built on this) which I have never used so consider that too.

[–] [email protected] 1 points 2 weeks ago

Thank you! I'll evaluate and report back.