Kitz ADSL Broadband Information
Author Topic: Firebrick time server  (Read 2454 times)

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Firebrick time server
« on: April 06, 2019, 11:06:19 PM »

A recent software update ‘Davies’ has given the Firebrick routers the capability to be an NTP server. Before they could themselves sync up to an NTP client but that was all.

Now I am going to have to root out some of my machines and give them the news. I read something somewhere about publicising the location of a preferred NTP server by handing it out in DHCPv4. I think the Brick does this now.

Does anyone know if any kit listens out for that DHCP option?

How does it work? Does a DHCP advertisement packet just get longer and longer with more random FYIs getting included in it? There will be a possible problem when you hit the MTU, unless DHCP uses fragments, which is not ideal but perhaps no problem since it’s only going across the LAN, no further.

What happens with IPv6, though?

Couldn’t people use the preferred well-known addresses for these servers ?

Some of my machines could be made to do the right thing and pick up the change because I had told them to access an NTP server by domain name ntp.weaver.example.com or whatever and I simply redefined the domain name to point at the Firebrick instead of at my ISP’s NTP servers.
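For the questions in the post above about how the option is carried and what the IPv6 story is, here is an added example (not code from the thread, from Firebrick, or from any poster) that builds and parses the two relevant options: DHCPv4 option 42 (NTP Servers, RFC 2132) and DHCPv6 option 56 (NTP_SERVER, RFC 5908), and checks the MTU worry against the 576-byte datagram every DHCP client must accept. The sample packets, the 192.0.2.x / 2001:db8:: addresses and the server name are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# DHCPv4 (RFC 2132): 1-byte code/length TLVs after the magic cookie. DHCPv6 (RFC 8415):
# 2-byte code/length; option 56 NTP_SERVER (RFC 5908) nests sub-options inside itself.
MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_NTP_SERVERS = 0, 255, 53, 42
OPT6_NTP_SERVER, SUB_SRV_ADDR, SUB_MC_ADDR, SUB_SRV_FQDN = 56, 1, 2, 3
BOOTP_FIXED_LEN, IP_UDP_HDR_LEN = 236, 28   # op..file header; IPv4 + UDP headers
DEFAULT_MAX_DATAGRAM = 576                  # RFC 2131 s.2: every client accepts this much

def build_dhcpv4_options(pairs):
    """Cookie, then code/length/value per option, then END."""
    out = bytearray(MAGIC)
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError("option %d needs RFC 3396 splitting" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def parse_dhcpv4_options(field):
    """PAD is a lone byte, END stops parsing; a repeated code is concatenated (RFC 3396)."""
    if field[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field) and field[i] != OPT_END:
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header at offset %d" % i)
        length, value = field[i + 1], field[i + 2:i + 2 + field[i + 1]]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def ntp_servers_v4(field):
    raw = parse_dhcpv4_options(field).get(OPT_NTP_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 42 is not a list of 4-byte addresses")
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def fits_default_datagram(field, max_msg_size=DEFAULT_MAX_DATAGRAM):
    """The MTU question: the whole IP datagram must fit what the client accepts (576 unless
    it sent option 57 asking for more). Servers trim the option list, or spill into the
    sname/file fields via option 52, rather than rely on IP fragmentation."""
    return IP_UDP_HDR_LEN + BOOTP_FIXED_LEN + len(field) <= max_msg_size

def parse_dhcpv6_options(blob):
    """2-byte code, 2-byte length, no PAD/END; the same code may appear more than once."""
    opts, i = {}, 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated DHCPv6 option header")
        code, length = struct.unpack("!HH", blob[i:i + 4])
        value = blob[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError("DHCPv6 option %d truncated" % code)
        opts.setdefault(code, []).append(value)
        i += 4 + length
    return opts

def decode_dns_name(wire):
    """Uncompressed RFC 1035 wire-format name, as sub-option 3 carries it."""
    labels, i = [], 0
    while i < len(wire) and wire[i]:
        n = wire[i]
        if n > 63 or i + 1 + n > len(wire):
            raise ValueError("bad DNS label")
        labels.append(wire[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)

def ntp_servers_v6(blob):
    """Every address or FQDN named inside any option 56 instance."""
    found = []
    for instance in parse_dhcpv6_options(blob).get(OPT6_NTP_SERVER, []):
        for sub, values in parse_dhcpv6_options(instance).items():
            for v in values:
                if sub in (SUB_SRV_ADDR, SUB_MC_ADDR):
                    found.append(str(IPv6Address(v)))
                elif sub == SUB_SRV_FQDN:
                    found.append(decode_dns_name(v))
    return found

# Constructed DHCPOFFER option field: the usual options plus two NTP servers (option 42).
SAMPLE_V4 = build_dhcpv4_options([
    (OPT_MSG_TYPE, b"\x02"), (54, IPv4Address("192.0.2.254").packed),   # offer, server id
    (51, struct.pack("!I", 86400)), (1, IPv4Address("255.255.255.0").packed),
    (3, IPv4Address("192.0.2.254").packed), (6, IPv4Address("192.0.2.254").packed),
    (OPT_NTP_SERVERS, IPv4Address("192.0.2.254").packed + IPv4Address("192.0.2.2").packed),
])
# Constructed DHCPv6 option 56 with one unicast-address and one FQDN sub-option.
_fqdn = b"\x03ntp\x06weaver\x07example\x03com\x00"
_subs = (struct.pack("!HH", SUB_SRV_ADDR, 16) + IPv6Address("2001:db8::123").packed
         + struct.pack("!HH", SUB_SRV_FQDN, len(_fqdn)) + _fqdn)
SAMPLE_V6 = struct.pack("!HH", OPT6_NTP_SERVER, len(_subs)) + _subs
```

Two points the code makes concrete. Extra options do make the message longer, but DHCP never leans on IP fragmentation: the client must accept a 576-byte datagram (and can raise that with option 57, Maximum DHCP Message Size), and a server that cannot fit everything drops options or overloads the sname/file fields (option 52). For IPv6 the standard carrier is DHCPv6 option 56; Router Advertisements have no NTP option, so a SLAAC-only LAN with no DHCPv6 server has to fall back on a DNS name, which is exactly what repointing a record like ntp.weaver.example.com achieves.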

Weaver

Re: Firebrick time server
« Reply #1 on: April 07, 2019, 01:39:00 AM »

I’ve just installed the second version of it v1.51.010, the first factory release was .001. A few bug fixes, it says.
« Last Edit: April 12, 2019, 11:37:40 PM by Weaver »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • Posts: 7405
  • VM Gig1 - AAISP CF
Re: Firebrick time server
« Reply #2 on: April 12, 2019, 12:35:10 PM »

No idea, I don't use that DHCP option; instead I just manually configure my devices to use the local NTP server.

But after reading your post I am going to do what I did with DNS queries, which is to force-forward any Internet-bound NTP queries to my firewall. That would mean even devices like my smartphones, where it isn't configured, would just be forced to use my local NTP server.

Alex Atkin UK

  • Addicted Kitizen
  • Posts: 5284
    • Thinkbroadband Quality Monitors
Re: Firebrick time server
« Reply #3 on: April 12, 2019, 06:54:42 PM »

On pfSense I just port forward any requests to 123 to the firewall itself, as I do with DNS.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

Re: Firebrick time server
« Reply #4 on: April 12, 2019, 10:25:18 PM »

I have done that, but I also set external IPv6 DNS that isn't from the firewall itself to reject, to prevent leaks via IPv6, since that can't be forwarded.
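The redirect-and-reject scheme described in the last three posts, written out as pf rules of the kind pfSense generates underneath its GUI (an added example, not a rule set from any poster nor pfSense's own generated config). The interface name and the two server addresses are assumptions; the IPv6 half rejects rather than redirects, following the point made above that there is no IPv6 port forward to lean on.

```pf
# Assumed names: the LAN interface and the firewall's own NTP listener addresses.
lan_if = "igb1"
ntp4   = "192.0.2.254"
ntp6   = "2001:db8::254"

# IPv4: steer every UDP/123 request leaving the LAN to the local server. pf rewrites the
# destination on the way out and the source on the reply, so a client configured with
# any public pool address still gets an answer and never notices.
rdr on $lan_if inet proto udp from $lan_if:network to ! $ntp4 port 123 -> $ntp4 port 123

# IPv6: nothing to redirect with, so allow NTP to the local server and reject the rest.
# "quick" matters: these must win before the usual "pass from LAN to any" rule below.
pass  quick on $lan_if inet6 proto udp from $lan_if:network to $ntp6 port 123
block return quick on $lan_if inet6 proto udp from $lan_if:network to any port 123
```

On plain FreeBSD this is loaded with `pfctl -f /etc/pf.conf`; on pfSense the equivalent is a NAT port forward (destination "not the firewall", UDP 123, target the LAN address) plus a reject rule for IPv6 UDP/123 placed above the default LAN pass rule. One caveat: the redirect only works for plain, unauthenticated NTP. A host using NTS or symmetric-key authentication will discard the local server's replies, since it cannot authenticate as the server the client asked for, and will fail rather than sync, so such hosts still need to be pointed at the local server explicitly. Using reject (`block return`) rather than a silent drop is what lets IPv6 clients with several configured servers fail over quickly instead of timing out.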

Weaver

Re: Firebrick time server
« Reply #5 on: April 12, 2019, 11:40:02 PM »

In fact, why didn’t I just do that?

Chrysalis

Re: Firebrick time server
« Reply #6 on: April 13, 2019, 12:08:49 AM »

Yeah, if you can do outbound NAT then that's a super lazy way to basically force your entire LAN on IPv4 to use the LAN NTP server.

Alex Atkin UK

Re: Firebrick time server
« Reply #7 on: April 13, 2019, 05:23:50 PM »

I still have IPv6 disabled on the LAN (it's enabled on the WAN just so the router gets to use IPv6 DNS servers) because IMO it's completely unfit for purpose when it comes to monitoring and firewall rules.

The Xbox One changes its UUID every boot so you can't set a static IP on DHCPv6 as it simply changes next time. So how am I supposed to configure the firewall to allow WAN traffic to my Xbox One if its IP changes every time?

Just simply allowing incoming connections from everywhere is not an option as its an administration nightmare, especially with IoT devices that you can't trust to be safely firewalled themselves.

Then there is the fact I had all sorts of random failures on Android devices with IPv6 enabled.
« Last Edit: April 13, 2019, 05:27:18 PM by Alex Atkin UK »

Weaver

Re: Firebrick time server
« Reply #8 on: April 13, 2019, 05:34:04 PM »

I have a static /48, of which a /64 is set to my main LAN. I don’t have a DHCPv6 server.

Chrysalis

Re: Firebrick time server
« Reply #9 on: April 15, 2019, 06:47:19 PM »

I agree Android is definitely flaky on IPv6.

On older Android, if you disabled radvd (whilst keeping DHCPv6 enabled) it would prevent them from using IPv6 with the rest of your LAN enabled; not so sure about the latest Android.

However, I noticed when I configured VLANs on my network that the IPv6 on the 2nd VLAN was making my Android loop the WiFi on and off. No such issues on Windows machines, so that VLAN at the moment is single-stacked.

The Xbox One situation is clearly stupid; did you report it?

PS4 doesn't even support IPv6 yet; Sony is in the stone ages.

I do agree though that there are some oversights with IPv6. There have been assumptions made about things like NAT (assumptions that its only purpose was to port forward for lack of IPv4), and as a result features are missing on IPv6 that would be useful. Although this isn't necessarily an IPv6 spec problem but rather how it gets implemented in software, e.g. the lack of NAT support for it on pfSense and the lack of a static DUID on the Xbox One.

Alex Atkin UK

Re: Firebrick time server
« Reply #10 on: May 07, 2019, 07:00:20 PM »

I just don't get the way you can't control incoming traffic with the firewall because not all clients will support a static IP address.

I mean sure, in an ideal world every client will have their own firewall (in practice that's a horrible assumption to make, especially with IoT), but where is the logic in allowing WAN traffic to make it that far to clients that DON'T need incoming connections from the Internet in the first place?

Weaver

Re: Firebrick time server
« Reply #11 on: May 07, 2019, 08:54:31 PM »

> So how am I supposed configure the firewall to allow WAN traffic to my Xbox One if its IP changes every time?

Nightmare. You are quite right.

With the Firebrick I can do certain things, and indeed sometimes have to do certain things, by specifying MAC addresses. Its rules are not completely confined to being IP-address based. Luckily it has had the functions I need, so far. So the Firebrick can behave a bit more like a WAP. As an example: unknown MAC addresses - those not in a whitelist - can either be banned by the Firebrick from talking to the Internet or those devices can be speed-restricted. The latter is the current state.

Chrysalis

Re: Firebrick time server
« Reply #12 on: May 07, 2019, 09:44:32 PM »

> I just don't get the way you can't control incoming traffic with the firewall because not all clients will support a static IP address.
>
> I mean sure, in an ideal world every client will have their own firewall (in practice that's a horrible assumption to make, especially with IoT), but where is the logic in allowing WAN traffic to make it that far to clients that DON'T need incoming connections from the Internet in the first place?

You can do it, but you will need a script to do it in the CLI; the underlying PF/FreeBSD can do it just fine. If you're interested I will cook something up for you that you can configure on pfSense and that would survive reboots, backups/restores etc.

I think trying to get the pfSense developers to implement support in the GUI will be very tough, as they will just say you have a poor IPv6 implementation to need such a feature.

Someone like Martin might be able to get support added to OPNsense (he is the one who got Sky's IPv6 working on pfSense), although that was by comparison easier; this would require adding all the NAT framework for IPv6, a bigger job.

Weaver

Re: Firebrick time server
« Reply #13 on: May 08, 2019, 12:34:40 AM »

Could we perhaps split off Alex’s interesting thread and give it a title?