Stupid ISP tricks - DHCP ranges

sfx2000

Fun stuff - I should see if this works, given my recent frustration with their IPv6 deployment...

$ ssh admin@192.168.1.1
Password for admin@router.<hidden>:
*** Welcome to pfSense 2.3.1-RELEASE-p5 (amd64 full-install) on router ***
WAN (wan) -> igb0 -> v4/DHCP4: xx.yy.zz.102/23 <-- see this!
LAN (lan) -> igb1 -> v4: 192.168.1.1/24

Pretty cool - are they really giving me 512 addresses? Take away the network and broadcast addresses, that's more than enough for my LAN... and those are public IPs, not CNAT'ed...

:D
 
How can we test this on a router running RMerlin? Please!!!
 
I'll have to give them a call - I guess this'll stump the heck out of the tier 1 folks...
 
Thought I would post this thread as an experiment - in all due actuality, it just says that I'm part of a really big block, but with some advanced/mad skills - I could seize a few IPs out of that block that aren't in use - and doing some recon - there's only about 40 or so in use - so this is something of interest...

But where it's scary - is that it's a big block of addresses - and there's quite a few consumer grade router/APs out there...

Not saying much more - surf safely, and TLS is your very best favorite friend...
 
According to IPv6, everyone in the world can have as many IP addresses as they want.
The numbers are crazy. I wish everything goes to IPv6; this way no more NAT crap and things will be safer.
/me waits for the day :)
A little mIRC in there LOL
 
IPv4 total 2^32 = 4,294,967,296

IPv6 total 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456

Improvements in IPv6:
- No more NAT (Network Address Translation)
- Auto-configuration
- No more private address collisions
- Better multicast routing
- Simpler header format
- Simplified, more efficient routing
- True quality of service (QoS), also called "flow labeling"
- Built-in authentication and privacy support
- Flexible options and extensions
- Easier administration (say good-bye to DHCP)

That's sick :p
 
All very interesting, but if we lose NAT with its firewall effect (talking home routers here), doesn't that leave the computers naked to the horrors of the open internet?
Hackers will think it's Xmas big time!
 
All I know is my ASUS 87U is ready for IPv6 all the way :)
Bring it on home baby!!!!
hehe
 
netfilter still comes into play - so for most vendors, SPI Firewalls are still in place - and most end-points, esp. Win/Mac/Linux have firewall solutions there as well - so belt and suspenders...
 
True, but before long all IPv4 addresses are going to be a thing of the past.
Never said it would happen overnight, but it's starting :)
 
IPv4 isn't going anywhere, anytime soon - and you'll see increasing levels of NAT going on at the last mile (Carrier Grade NAT).

But one should look to get savvy on IPv6 in any event...
 
In configurable routers like MikroTik, NAT is just a firewall feature for IPv4 which is implemented via sourcenat with action masquerade, but when you configure the security you don't do anything related to masquerade, which is what a NAT does in every home router. As long as you can do SNAT and DNAT filters, you can hide your devices similarly to NAT by dropping traffic that is headed for something that isn't related. One of the simple things you could do on the simple firewall filter is just drop forwarding traffic heading to your network below port 1024.

When it comes to ISPs and VPNs doing NAT, that isn't really the right way to do things. In the case of small ISPs (like BT Openzone and ISPs for educational and government institutes), that is different.

While IPv4 only has 4 billion with population at double at least, there are still fewer people with internet than there are IP addresses. A lot of people however share IPs, like in homes, schools and small places, so there's still IPs available.
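
The stateful (SPI) filtering from the netfilter reply and the "drop traffic that isn't related" approach from the post above can be sketched as a small model. This is an added example, not part of the thread; the class name, the 2001:db8:: documentation addresses and the port numbers are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("2001:db8:1::/64")   # constructed documentation prefix

class StatefulForwardFilter:
    """Toy model of a router's forward chain: default drop, allow flows
    opened from the LAN and their replies. No address translation."""

    def __init__(self, lan):
        self.lan = lan
        self.flows = set()            # connection-tracking table

    def forward(self, proto, src, sport, dst, dport):
        src, dst = ip_address(src), ip_address(dst)
        key = (proto, src, sport, dst, dport)
        reply_of = (proto, dst, dport, src, sport)
        if key in self.flows or reply_of in self.flows:
            return "accept (established)"
        if src in self.lan and dst not in self.lan:
            self.flows.add(key)       # new outbound flow: remember it
            return "accept (new outbound)"
        return "drop (unsolicited inbound)"

def demo():
    fw = StatefulForwardFilter(LAN)
    pc, web, outside = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    return [
        fw.forward("tcp", outside, 40000, pc, 445),  # inbound to a public LAN address
        fw.forward("tcp", pc, 51000, web, 443),      # LAN host opens a connection
        fw.forward("tcp", web, 443, pc, 51000),      # reply to that connection
        fw.forward("tcp", web, 443, pc, 51001),      # same server, no matching flow
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The LAN host keeps its globally routable address the whole time; the inbound drop comes from the connection-tracking lookup, not from address translation.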
 
One of the problems with IPv4 is regional - in that some countries have a pretty small allocation of IPv4 ranges, so we're seeing more Carrier-Grade NATs being deployed... esp. in Residential Access sectors, as it solves basically two problems...

1) IPv4 re-usage - C-NATs allow ASNs to do better IP management inside their network without having to worry about public IP ranges

2) Disabling Servers - most operators don't allow servers on their residential accounts, and the double-NAT there makes it even more secure for the carrier, not counting the customer experience for advanced folks, and it does cause some issues for gaming consoles (which are pretty brain-dead there in any event).

It's going to be interesting as IoT takes off - and then one needs to consider everything there - going from a handful of clients on a home network to having dozens - and some might be carrier/application provider managed, and some might be home managed...
 