| ▲ | When Every Network is 192.168.1.x(netrinos.com) |
| 44 points by pcarroll 6 hours ago | 37 comments |
| |
|
| ▲ | eqvinox an hour ago | parent | next [-] |
| They clearly haven't talked to a telco or network device vendor, they would've sold them a VRF/EVPN/L3VPN based solution… for a whole bunch of money :) You can DIY that these days though, plain Linux software stack, with optional hardware offload on some specific things and devices. Basically, you have a traffic distinguisher (VXLAN tunnel, MPLS label, SRv6, heck even GRE tunnel), keep a whole bunch of VRFs (man ip-vrf) around, and have your end services (server side) bind into appropriate VRFs as needed. Also, yeah, with IPv6 you wouldn't have this problem. Regardless of whether it's GUAs or ULAs. Also-also, you can do IPv6 on the server side until the NAT (which is in the same place as in the article), and have that NAT be a NAT64 with distinct IPv6 prefixes for each customer. |
|
| ▲ | rtkwe an hour ago | parent | prev | next [-] |
| I recently just changed my default subnet to 10.X.Y.... rolling two random numbers to make it highly unlikely my home subnet through wireguard would conflict with the subnet where I am connecting from. |
| |
| ▲ | trollbridge 31 minutes ago | parent [-] | | I just use /24s in the lower-middle range of 172.16. Very unlikely to have a conflict there. | | |
| ▲ | pclmulqdq 7 minutes ago | parent | next [-] | | I often use 172.31/16 for subnets and have never seen a conflict. I have seen 172.24 and 172.16 used before, though. | |
| ▲ | EvanAnderson 9 minutes ago | parent | prev [-] | | I find a lot of Docker containers using subnets inside 172.16.0.0/16. |
|
|
|
| ▲ | 1970-01-01 5 hours ago | parent | prev | next [-] |
| Why not IPv6? Pretending that it doesn't exist?? https://en.wikipedia.org/wiki/List_of_IPv6_transition_mechan... |
| |
| ▲ | duskwuff an hour ago | parent | next [-] | | I wouldn't be surprised if a lot of the hardware under management (e.g. IP cameras, NVRs, cable modems) lacks support for IPv6, and/or the customer networks that it's resident on don't have working IPv6 transit. | | |
| ▲ | zokier 38 minutes ago | parent | next [-] | | The solution is to run ipv6 on the overlay and have the customer site gateway thing they have to translate it to target ipv4. Conveniently you can do the translation it more or less statefully and very easily because you can just embed the ipv4 addr in ipv6. For example you could grab a /64 prefix, assign 32 bits to customer/gateway id and other 32 bits to target ipv4 addr. | |
| ▲ | reactordev 44 minutes ago | parent | prev [-] | | It’s definitely on the software side… The human side. |
| |
| ▲ | lxgr 5 hours ago | parent | prev [-] | | IPv6 solves the addressing problem, not the reachability problem. Good luck opening ports in the stateful IPv6 firewalls in the scenarios outlined in TFA: > And that assumes a single NAT. Many sites have a security firewall behind the ISP modem, or a cellular modem in front of it. Double or triple NAT means configuring port forwarding on two or three devices in series, any of which can be reset or replaced independently. | | |
| ▲ | zamadatix an hour ago | parent | next [-] | | The article's proposed solution for IPv4 is a combination of VPN+NAT. The solution in IPv6 can be just VPN, sans NAT. | |
| ▲ | bigstrat2003 4 hours ago | parent | prev | next [-] | | I'm not really seeing a reason why it would be impossible to open firewalls in that scenario. More work, sure, but by no means impossible. In any case TFA says right up front that it is trying to solve the problem of overlapping subnets, which IPv6 solves nicely. | | |
| ▲ | throwway120385 33 minutes ago | parent | next [-] | | Then you've probably never worked in any serious networked embedded systems space. Getting people to open ports on the firewall and making the firewall configuration palatable to the end customer is like a quarter of what I think about when my team makes new features. | |
| ▲ | lxgr 3 hours ago | parent | prev | next [-] | | It's completely impossible if you simply don't have the necessary access. Not everybody can administer all firewalls upstream from them. Nor can everyone control whether their connection supports v6, unfortunately. | | |
| ▲ | digiown an hour ago | parent [-] | | Hole punching is a thing. Ports are not normally completely blocked. They allow replies, which can be exploited to do make a connection. Obviously this requires an out of band signaling mechanism. Tailscale does this, so does WebRTC, iirc. See: https://tailscale.com/blog/how-nat-traversal-works | | |
| ▲ | lxgr 43 minutes ago | parent [-] | | Yes, but I don't believe all firewalls support that, especially for TCP, and as you've mentioned, now you also need to maintain a handshaking mechanism. The complexity makes sense if you need to transport a lot of data peer-to-peer or the lowest possible latency, but if you don't, you might as well use that coordination server (which outbound-only clients are connecting to) for payload communication as well. |
|
| |
| ▲ | mschuster91 an hour ago | parent | prev [-] | | > I'm not really seeing a reason why it would be impossible to open firewalls in that scenario. Cheap ass ISP-managed routers. Got to be lucky for these rubbish bins to even somewhat reliably provide IPv6 connectivity to clients at all, or you run into bullshit like new /64's being assigned every 24 hours, or they may provide IPv6 but not provide any firewall control... | | |
| ▲ | themafia an hour ago | parent [-] | | > or you run into bullshit like new /64's being assigned every 24 hours It'd be nice if DNS servers supported this. Save the 64 host bits in the zone and just use whatever 64 prefix bits happen to be issued right now. Otherwise it makes a strong case for the continued use of "private networks" and the IPv6 ULA mechanism. | | |
| ▲ | lxgr 41 minutes ago | parent [-] | | > Otherwise it makes a strong case for the continued use of "private networks" and the IPv6 ULA mechanism. Let's please not. Even without inbound reachability, hole punching is significantly easier given globally routeable addresses. | | |
| ▲ | themafia 27 minutes ago | parent [-] | | You can have /both/ a ULA and a Globally Routable address. In practice it works just fine. My internal DNS points to the ULA for internal connectivity and my hosts use their global addresses for external connectivity. | | |
| ▲ | lxgr 4 minutes ago | parent [-] | | Ah, you mean for cases where you want both stable addresses (even if only internal) and globally reachable ones (even if non-constant)? Yeah, that works, but everything gets much easier if your internal DNS can just support the varying prefix natively, e.g. via integration with the external-facing DHCP or PPPoE or whatever other address configuration protocol you use, since then you can reach everything both locally and globally by name. |
|
|
|
|
| |
| ▲ | 1970-01-01 5 hours ago | parent | prev [-] | | With IPv6 you don’t forward ports at all. The device already has a public address. | | |
| ▲ | lxgr 3 hours ago | parent | next [-] | | That's why I said "open ports", not "forward ports". Stateful firewalls are very much a thing on v6. Many mobile ISPs don't allow incoming connections by default, for example. Many CPEs (home routers) also come with a v6 firewall (I'd guess it's probably more common than not?), and not everybody has admin access to theirs. | |
| ▲ | jlokier 3 hours ago | parent | prev [-] | | That's the addressing problem, although I have some bad news on that: NAT is used with IPv6 in some places. The reachability problem is, even with public addresses, sometimes you have to do the same thing to "configure port forwarding" with stateful IPv6 firewalls as with double or triple NAT IPv4. |
|
|
|
|
| ▲ | rpcope1 44 minutes ago | parent | prev | next [-] |
| The suggested solution involves using the CGNAT /10 in conjunction with a VPN, but I've actually seen someone do this, and still have problems with certain end users where their next hop for routing also involves a router with an IPv4 address in the same space, so it's not really bulletproof either. We may as well consider doing other naughty things like co-opting DoD non-routable /8s or the test net in the RFCs you're not supposed to use, because basically anything you pick is going to have problems. |
|
| ▲ | dgrin91 5 hours ago | parent | prev | next [-] |
| This is basically what I use tailscale & their magicdns feature for. I manage a few locally hosted jellyfin servers for myself and some family members, and its the same problem. I just added tailscale to them all and now I can basically do ssh parents.jellyfin.ts.net or inlaws.jellyfin.ts.net |
| |
| ▲ | venusenvy47 an hour ago | parent | next [-] | | I need to implement this type of thing for supporting networks of family members, but without the media server aspect - just computer/networking support. I'm looking for a cheap and reliable device that I can put in each home, to give the Tailscale "foothold". Do you happen to know of any tiny devices? I was thinking there must be something even cheaper than a Raspberry Pi to perform this single function at each location. | | |
| ▲ | digiown an hour ago | parent | next [-] | | An old micro pc from dell/hp/lenovo. They are often cheaper and more capable than Raspberry Pis. You can just put up a random Linux distro and it will work. | |
| ▲ | LTL_FTC 41 minutes ago | parent | prev | next [-] | | If they have an Apple TV, you can just install the app and use it as an exit node. I would check out the devices that are on their network currently, chances are you can use one of those. | |
| ▲ | Atotalnoob an hour ago | parent | prev [-] | | Use a pi zero it’s like $5 |
| |
| ▲ | BrandoElFollito 2 hours ago | parent | prev | next [-] | | I was about to say that. This is what I do too. The only drawback are routes - they won't work on the same CIDR (I mean the fact that you can say in Tailscale "if you want to reach the 192.168.16.13 device that does not support Tailscale, go through this Tailscale gateway"). For this I had to shift my parents' network to be able to access stuff like the printer, in a network that clashed with another one of mine. | |
| ▲ | nxobject 3 hours ago | parent | prev [-] | | In your experience, how often does Tailscale have to resort to an external relay server to traverse? I’ve had that out the kibosh on bandwidth/latency sensitive applications before. |
|
|
| ▲ | solaris2007 an hour ago | parent | prev | next [-] |
| > But the moment two sites share the same address range, you have an ambiguity that IP routing cannot resolve. Writing PF or nft rules to NAT these hyper-legacy subnets on the local side of the layer3 tunnel is actually super trivial, like 20 seconds of effort to reason about and write in a config manifest. Like written the article, a device on the customer site is required. At that point you might as well deploy a router that has a supportable software stack and where possible sober IP instead of legacy IP. . I have been running IPv6-only networks since 2005 and have been deploying IPv6-only networks since 2009. When I encountered a small implementation gap in my favorite BSD, I wrote and submitted a patch. Anyone who complained about their favorite open source OS having an IPv6 implementation gap or was using proprietary software (and then also dumb enough to complain about it), should be ashamed of themselves for doing so on any forum with "hacker" in the name. But we all know they aren't ashamed of themselves because the competency crisis is very real and the coddle culture let's such disease fester. There is no excuse to not deploy at minimum a dual-stack network if not an IPv6-only network. If you deploy an IPv4-only network you are incompetent, you are shitting up the internet for everyone else, and it would be better for all of humanity if you kept any and all enthusiasm you have for computers entirely to yourself (not a single utterance). |
| |
|
| ▲ | pixl97 4 hours ago | parent | prev | next [-] |
| One step beyond this is the multi-subnetted network on each side. You get the DNAT working, but then suddenly the app gets more complex over time and suddenly you're calling 192.168.2.x, which leads to async routes. Some traffic works, some traffic works one way, and other traffic disappears. Then you as the client/app manager pull your hair out as the network team tells you everything is working fine. |
|
| ▲ | DontBreakAlex 13 minutes ago | parent | prev | next [-] |
| Can we please just use ipv6? PLEASE |
|
| ▲ | perakojotgenije 5 hours ago | parent | prev [-] |
| Shameless plug - this is exactly the same problem that our team had when we had to maintain a bunch of our customer's servers. All of the subnets were same, and we had to jump through hoops just to access those servers - vpns, port forwarding, dynamic dns with vnc - we've tried it all. That is why we developed https://sshreach.me/ - now it's a click of a button. |
