jmwills 284 Posted October 1, 2015

Good discussion. We are all being subnetted from our ISP and I can see new construction in very large neighborhoods being allocated IPv6 addresses but you're still only getting one address, be it 4 or 6 which resolve back to the same address. We will never run out of v6 addresses, something about there are more v6 addresses than stars in the sky, so as long as it works, it doesn't really matter to me on the exterior, but for simplification I would only ever use v4 on the inside.

GotNoTime 219 Posted October 1, 2015

> you're still only getting one address, be it 4 or 6 which resolve back to the same address.

No. You don't get a single IPv6 address. You usually get a /64 IPv6 prefix assigned for your LAN devices. It is specifically a /64 at a minimum because it allows you to generate a static IPv6 address based on the MAC address of your interfaces. If you wish to statically assign addresses using manual configuration then you've got 2^64 addresses available to use.

Andne 13 Posted October 1, 2015

My ISP provides 6RD (wish they had dual stack, was a pain to set up the tunnel) so I have both IPv6 and IPv4 running inside my network. I suspect that running IPv4-only on one side of a router and IPv6-only on the other side wouldn't work well at all, since then every client would need to know how to tunnel one protocol into the other. Long term I hope that IPv4 goes offline entirely and networks become IPv6-only, but given how long it's taking to get dual-stack setups from some ISPs, I don't know that I see that happening anytime remotely soon.

After some digging, it looks like the ISPs are expected by ARIN and RIPE to provide a /48 to most home and business subscribers when using IPv6 (found the RIPE guidelines here: http://meetings.ripe.net/ripe-49/presentations/ripe49-ipv6-guidelines.pdf). In that case, there should be no reason for the router to perform NAT; instead it can just assign IPs within the provided prefix. Just because these are publicly routable IPs doesn't mean that they are accessible; I only allow traffic through to the specific addresses that are supposed to be accessible and have the router blocking any other traffic that tries to enter the network. It does mean that there have to be specific rules for this, but those should be easy for even a consumer-level router to include. I use pfSense for my router, so I had to actually add the rules but it was easy to do.

At work we don't have IPv6 active on the internal network, so maybe it still is something that's more for people to play with for now. I would be hard pressed to believe that there aren't parts of the internal network that do run IPv6 (dual stack at least if not only) as a test environment so that when things do start to switch they know how to deploy it correctly. So far it's not active on the client computer network (I'm not in the IT department, work in product design).

ShadowPeo 81 Posted November 12, 2015

> Shadowpeo: One good thing to do with a guest network like that is to set a traffic rule on your firewall (if you have one advanced enough) to limit bandwidth on the guest wireless. That way, even if guests connect to your network (or find your SSID), they can't chew your bandwidth up attempting HD YouTube or Netflix streams.

I would love to, but compared to the rest of the gear in the network, the firewall is a little old and decrepit.

itGeeks 187 Posted March 7, 2017

An old thread but a topic of my own interest. I am building out my daughter's network and wanted to share my updated IP scheme.

My IP addressing scheme using a private /24 mask:

10-19 - Smart Switches
20-29 - Access Points
30-39 - Servers and VM host
40-49 - RACK/iLO/IPMI/KVM/UPS Management Card
50-59 - Printers
60-79 - Phones/Tablets
80-99 - Computer/Laptops
100-109 - Digital Picture Frames
110-119 - Smart TVs
120-129 - Fixed Media Streamers. Example: Roku, NVIDIA Shield, Fire Stick.
130-139 - Blu-ray/DVD Players
140-149 - Gaming Consoles
150-169 - IP Cameras (This will be put on a VLAN at some point)
170-189 - Reserved for the unknown
190-229 - Reserved for Home Automation Stuff.
230-254 - DHCP range for guests and newly added devices not yet added with static IP

The service provider's (CPE) cable boxes (STB) and router are on their own network; I like to keep it separate on its own subnet to keep from prying eyes. I hang my router off a DMZ on the service provider's router. (This may soon change as I want to make my router first inline and hang the service provider's router off a DMZ.) Further testing is needed to make sure the TV service does not break.

Schoon, tag, you're it. You asked the question, now would you mind telling us what you do?

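A plan like the one in the post above is only useful for firewall rules and troubleshooting if devices actually sit in their assigned ranges. The following is an added example, not part of the original post: it checks the posted ranges for overlaps and gaps and audits an inventory against them. The subnet, the shortened role names and the inventory are constructed assumptions.

```python
import ipaddress

SUBNET = ipaddress.ip_network("192.168.10.0/24")  # assumed; the post names no subnet
PLAN = [  # (first, last, role): last-octet ranges from the post, role names shortened
    (10, 19, "switches"), (20, 29, "access points"), (30, 39, "servers"),
    (40, 49, "management"), (50, 59, "printers"), (60, 79, "phones/tablets"),
    (80, 99, "computers"), (100, 109, "picture frames"), (110, 119, "smart TVs"),
    (120, 129, "streamers"), (130, 139, "disc players"), (140, 149, "consoles"),
    (150, 169, "IP cameras"), (170, 189, "reserved"),
    (190, 229, "home automation"), (230, 254, "DHCP pool"),
]

def plan_problems(plan):
    """Return overlapping ranges and unassigned gaps among host octets 1-254."""
    problems, next_free = [], 1
    for first, last, role in sorted(plan):
        if first < next_free:
            problems.append(f"overlap: {role} starts at {first}, before {next_free}")
        elif first > next_free:
            problems.append(f"gap: {next_free}-{first - 1} unassigned")
        next_free = max(next_free, last + 1)
    if next_free <= 254:
        problems.append(f"gap: {next_free}-254 unassigned")
    return problems

def role_for(ip):
    """Map an address to the role its last octet falls under, or None."""
    addr = ipaddress.ip_address(ip)
    if addr not in SUBNET:
        return None
    octet = int(addr) & 0xFF
    return next((r for first, last, r in PLAN if first <= octet <= last), None)

def audit(inventory):
    """Return (ip, declared role, actual range) for devices outside their range."""
    return [(ip, declared, role_for(ip))
            for ip, declared in inventory if role_for(ip) != declared]

# Constructed inventory: one camera and one printer sit in the wrong range.
INVENTORY = [("192.168.10.151", "IP cameras"), ("192.168.10.85", "IP cameras"),
             ("192.168.10.240", "printers"), ("192.168.10.31", "servers")]

if __name__ == "__main__":
    print(plan_problems(PLAN))
    for finding in audit(INVENTORY):
        print("misplaced:", finding)
```
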
Jason 84 Posted March 7, 2017

Thanks for sharing this. Incidentally I have no convention to my LAN. Not ideal. Just a range of 192.168.0.10-192.168.0.100. With random consecutive devices in between.

Is there any way to create a reservation in Windows DHCP for a specific LAN IP? Without having to right click on a lease and create a reservation (with that device's currently assigned IP address)?

schoondoggy 890 Posted March 7, 2017 (Author)

Still a work in progress.

Home address range 192.168.1.1-255
Lab address range 192.168.2.1-255

Home:
1-20 Networking/Firewall
30-43 PC/Laptop
49-68 Home Automation
100-149 DHCP range
180-185 Printers/Scanners
190-225 Audio/Video/Media/Gaming
235-254 Servers/VMs

Jason 84 Posted March 7, 2017

Wondering whether I should just be using the DHCP server built into my router instead of Windows DHCP server? What do others here do?

Instead I create a reservation on Windows DHCP, mirror that IP definition in Sophos UTM, then add to a Sophos UTM https exception list. More steps than I probably need?

jmwills 284 Posted March 7, 2017

Too many points of failure. I'd just use the DHCP function of the router.

Jason 84 Posted March 7, 2017

Good point. When I move away from Sophos UTM, I'll revert back to router DHCP only. Possibly DNS also.