As Google has effectively deprecated the Coral.ai accelerators, I can't recommend anyone use them going forward. See the Frigate docs for alternative GPU based detection solutions.
Thanks! Being a retired network engineer, I found your video relevant and accurate. You also taught this old dog some new tricks. I’ve setup a proxmox server and a opnsense firewall. Used your videos as a guide and reference. Thanks again
@@apalrdsadventures A fun one is adding a suitable WiFi adapter. Why? If your primary internet connection goes down, you have it failover to your phone operating as a hotspot. You'll likely want to restrict the failover to certain VLANs only (critical stuff), but basically if your primary ISP goes down, home still has internet through your phone.
I am just beginning to learn about working and your videos are really helping me a lot. There is a ton of information and I get the impression that you really know what you are talking about. A lot of videos are made by people who got something to work yesterday and are making a tutorial about it today, which is great and all, but the way they got things to finally work might not be an ideal solution.
Hey love the content. I am curious what you think of the new Proxmox SDN feature? I am mostly wondering if it is possible to migrate my Ceph storage network over to SDN? If I recall, that is how I had set up VSAN in the past.
I’ve been using SDN for about a year now in test clusters while it was in beta and it’s pretty great. A few little quirks around vmbr0 during transition to sdn. Also still some bugs in ipv6 handling in vxlan that im aware of, but vxlan and evpn are still in beta anyway. You don’t need it for Ceph though, SDN is purely for VM traffic not Proxmox cluster or ceph traffic.
I would love to see a video on how you configure DNS for IPv6. DHCP mapping works great with IPv4 and Unbound, but unmanaged IPv6 means my clients arbitrarily pick an address. Does that mean clients are now responsible for their own DNS records?
In general, v6 has a lot of attention to avoiding tracking - DHCPv6 cilents no longer supply their hostname or MAC as a unique ID, SLAAC clients generate multiple addresses with most of them being randomized for privacy, etc. which makes it very difficult to centrally guess what the IP of a client will be. Some DNS+DHCP servers like dnsmasq will calculate what the EUI-64 would have been for DHCPv4 clients and add that as an AAAA record, but this only works for OSes configured for EUI64 (generally just Linux server distros). So what I do now is copy+paste the IP into my public DNS console. If you do automated VM provisioning, you can pull the MAC from the hypervisor and generate the EUI64 address and use that, or query the guest utils in your automations. I've thought about doing NS delegation to something like home.apalrd.net -> my home DNS server, and then doing client-side dynamic DNS from there, but the number of hosts I have it's not a big deal to copy/paste their IP into the public DNS console. There's also the danger of accidentally becoming a public DNS server, so you have to be extremely careful to separate authoritative DNS hosting from forwarding / recursive DNS.
> Does that mean clients are now responsible for their own DNS records? They can be, via mDNS, and you may have your DNS server act as an mDNS proxy for a specfied domain name if you want your hosts to be accessible via names that don't end in `.local`. Alternatively, you may use a DNS server that dynamically adds/removes DNS records based on NDP activity. Depending on implementation, this may or may not require you to define the hostname for each MAC address that you want to have a name in the DNS. If your devices spoof their MAC address as a privacy feature, that would be a problem. There are some draft standards to add functionality similar to DHCP(v6)'s ability for hosts to declare their hostname when discovering/leasing an address.
My home network is split into a public facing (wifi, stream dongles, etc) and my labs separate network. My lab does get its internet through the public, but is sectioned off on its own subnet, with a complete separate ip range.
I want to use global ipv6 addresses, but ISPs being the horrible entities that they are, may decide to change your address/prefix at a whim. How can you setup firewall, subnets, and routing rules that don't break in the event that the ISP changes things?
In general, this is a troublesome problem to solve. The easiest way to work around the issue is to use NPTv6, so that your devices and firewall configurations use ULAs, and your edge routers convert between the ULA and GUA prefixes.
OPNsense uses tracking for this. When configured properly, OPNsense will re-address all your subnets when the ISP changes your prefix. OPNsense will also automatically modify firewall rules accordingly.
It should be noted that in convoluted situations you can have one subnet on multiple VLANs or you can also have multiple subnets on one VLAN. I don't think OPNsense natively supports wither. One subnet across multiple VLANs is actually useful because it lets you isolate physical devices from each other without requiring all traffic to go through the firewall. I don't think there's any _good_ reason for multiple subnets on the same VLAN but I do at home as a hack to deal with some hardcoded IPs. Actually multiple subnets on the same VLAN makes sense when they are different types. You can have one IPv4 private, one IPv6 GUA, one IPv6 ULA, and also multicast traffic.
A diagram for the wiring of the switch after you introduced it would have been helpful, as would the position of all devices. An explanation of why you need to have the "trunk" (port 1) as tagged, in every vlanid, and why the pvid needs setting and it's purpose would be helpful too. A mention of Firewall rules and why the lan can communicate to the camera (most users are aware the firewall blocks all traffic unless specified in the rules). the diagram would have helped to understand that you plugged the laptop into a different port to the lan port?
How are you setting the public IPv6 address to 2001:db9::/32? Isnt the prefix on public IPv6 addresses given by the RIR and the rest of the prefix bits set by the provider?
2001:db8 is the documentation prefix, for documentation, which is why I used it. You will get a v6 prefix delegation from your ISP over DHCPv6-PD usually, unless you have a business connection and then it might be static.
Great video but why are you assigning IP4 addresses with the VLan tag in the number and therefore creating multiple subnets? Isnt the VLAN TAG enough to separate traffic on 1 single subnet?
VLANs are a link-layer construct, not IP layer, so while they separate traffic on the link layer, we also need separate subnets on the IP layer if we want inter-network routing to work properly
@@apalrdsadventures I think the purpose of the layers is that you don’t have to duplicate separation. If you setup subnets the packets travel separate based on different IP addresses. Why would you still need VLANs. ? They could all travel as one VLAN and still be distinguishable. No?
You don't have to duplicate your firewall/... but a separate VLAN is like a separate physical network. It's a separate layer 2 domain, so clients need to know to go to their layer 3 router to get routed to the correct layer 3 subnet associated with a different layer 2 domain.
I would love a discussion on how to break a /64 prefix given to me by my ISP in to two (or more) /80s within a virtual lab environment. The end goal would be to have my primary lab environment that runs my services w/in the home, and then a secondary "play thing" type lab environment that is entirely virtualized that I have a OPNsense firewall in front of. So if you're inside that virtual environment, the OPNsense firewall would treat everything upstream of it (including my physical lab hardware such as my Jellyfin server) as "internet". I would of course like to run it as dual stack like my main physical lab network is, which means that any subnets in the virtual lab would not be able to function via prefix delegation before the OPNsense firewall gets a /64. So the connection path would look like this (Internet) --> (Modem) --> (Router/Firewall) --> (HomeLab Environment VLAN for VirtualLab) --> (OPNsense) --> ("Toy Land")
If you want to use SLAAC, you *_mustn't_* use a prefix longer than /64. If you have any Android devices on your network, you must support SLAAC. Technically, the IPv6 base standard also stipulates that all network segments mustn't use a prefix longer than /64, and several other standards that build on top of the base IPv6 standard (such as SLAAC) assume this behaviour. Having said that, if all hosts on your network segment support DHCPv6 and you aren't using any IPv6 features that require a host/interface ID section of at least 64 bits, then you can use e.g. a /80 and have DHCPv6 assign the final 48 bits to make a 128-bit address. The root of your problem is that your ISP *_should not_* just be giving you a /64. If they are in fact doing this, complain to them and tell them to refer to RIPE-690, which defines the best current operating practices for ISPs on how to number their IPv6 networks. They should *_at least_* be giving you a /60, *_hopefully_* be giving you a /56, and *_preferably_* be giving you a /48, though many ISPs reserve /48s for paying business customers, albeit usually unjustifably from a technical perspective; they just do it as an excuse to charge more to people who particularly have a need for the extra 8 bits downstream.
I want to add: It's possible that your ISP is actually reserving a shorter prefix / larger allocation than a /64 for you (e.g. a /56), but has supplied you with a router than only uses the first available /64 within that larger allocation. The router they supply to you may not support the use of additional subnets, in which case you will need to use your own router, e.g. as shown in this video with an OpnSense instance.
Perhaps I didn't make myself clear. My UDMSE is configured to get a /60. I then have several VLANs that each have their own /64. What I want to do is build a virtual network that takes one of those /64s and break it down even further to other VLANs houses within that virtual lab network.
@@travisaugustine7264 You still should avoid creating subnets with prefixes longer than /64 wherever possible. Again, if any devices on your network exclusively use SLAAC, they simply won't work on e.g. a /65. Your ISP has given you a /60, so you are able to create 2⁴ = 16 subnets of size /64. If you want more than that, you need to talk to your ISP or find a new one. Again, cite RIPE-690 to them, which says /56 ought to be the bare minimum for residential customers. IPv6 address space is plentiful; ISPs should not be short-changing customers like this.
@@JivanPal my ISP is giving me at least a /60 because I have 4 different VLANS that are each getting their own /64 through prefix delegation. I just want to be able to break one of those delegations into something smaller to experiment with DHCPv6 on that specific VLAN
As Google has effectively deprecated the Coral.ai accelerators, I can't recommend anyone use them going forward. See the Frigate docs for alternative GPU based detection solutions.
No fluff, no clickbait, just great content that explains the concepts and demonstatres how to implement them!
You channel is excellent!
Thanks! Being a retired network engineer, I found your video relevant and accurate. You also taught this old dog some new tricks. I’ve setup a proxmox server and a opnsense firewall. Used your videos as a guide and reference. Thanks again
Glad it was helpful! And thanks a bunch!
This is a really good video!!
I am very glad that you talk about ipv6 because most yt creators don't and people really need to know it
Most "network engineers" out there never once in their life have used IPv6. They literally are IPv6 incompetent.
One of the best sponsor segments I've seen in a while
Finally!!!!
Thank you for theses videos, I'm sure there are even more relevant that people realize!!
Yo dawg, love the Opnsense content. Please keep it up!
Glad you like it! I've got a few more OPNsense ideas coming
@@apalrdsadventures A fun one is adding a suitable WiFi adapter. Why? If your primary internet connection goes down, you have it failover to your phone operating as a hotspot. You'll likely want to restrict the failover to certain VLANs only (critical stuff), but basically if your primary ISP goes down, home still has internet through your phone.
Great video. I've just jumped into ipv6 from my ISP and I am hyped.
I am just beginning to learn about working and your videos are really helping me a lot. There is a ton of information and I get the impression that you really know what you are talking about. A lot of videos are made by people who got something to work yesterday and are making a tutorial about it today, which is great and all, but the way they got things to finally work might not be an ideal solution.
Finally. I watched so many Videos, but with your help everything makes sense now. Thanks for teaching me, you're doing a great job :D
Glad to help!
Really great content about opnsense and ipv6. Love it. ❤
would you be willing to do a full tutorial on OPNSense firewall rules? The way you explain everything is fantastic and I thank you.
I haven't done firewall rules, but I can add it to the todo list
Your videos are so good! I just wish TH-cams notifications worked properly cause I am so late 😅😭
TH-cam does that lol glad you still found it!
Your content is really great, thanks for your work as always
Okay, your video just convinced me to start playing with vlans. I was always against the idea, as I just used subnetting...
Hey love the content. I am curious what you think of the new Proxmox SDN feature? I am mostly wondering if it is possible to migrate my Ceph storage network over to SDN? If I recall, that is how I had set up VSAN in the past.
I’ve been using SDN for about a year now in test clusters while it was in beta and it’s pretty great. A few little quirks around vmbr0 during transition to sdn. Also still some bugs in ipv6 handling in vxlan that im aware of, but vxlan and evpn are still in beta anyway.
You don’t need it for Ceph though, SDN is purely for VM traffic not Proxmox cluster or ceph traffic.
Thanks!
Wow thanks!
Dude, your videos are so good
Really nice tutorial. Thanks.
excellent content!!
super accurate and useful, thank you😊
I would love to see a video on how you configure DNS for IPv6. DHCP mapping works great with IPv4 and Unbound, but unmanaged IPv6 means my clients arbitrarily pick an address. Does that mean clients are now responsible for their own DNS records?
In general, v6 has a lot of attention to avoiding tracking - DHCPv6 cilents no longer supply their hostname or MAC as a unique ID, SLAAC clients generate multiple addresses with most of them being randomized for privacy, etc. which makes it very difficult to centrally guess what the IP of a client will be. Some DNS+DHCP servers like dnsmasq will calculate what the EUI-64 would have been for DHCPv4 clients and add that as an AAAA record, but this only works for OSes configured for EUI64 (generally just Linux server distros).
So what I do now is copy+paste the IP into my public DNS console. If you do automated VM provisioning, you can pull the MAC from the hypervisor and generate the EUI64 address and use that, or query the guest utils in your automations.
I've thought about doing NS delegation to something like home.apalrd.net -> my home DNS server, and then doing client-side dynamic DNS from there, but the number of hosts I have it's not a big deal to copy/paste their IP into the public DNS console. There's also the danger of accidentally becoming a public DNS server, so you have to be extremely careful to separate authoritative DNS hosting from forwarding / recursive DNS.
Something else which is an option: multicast DNS aka mDNS, Apple Bonjour and open-source Avahi and Windows 10 supposedly supports mDNS.
> Does that mean clients are now responsible for their own DNS records?
They can be, via mDNS, and you may have your DNS server act as an mDNS proxy for a specfied domain name if you want your hosts to be accessible via names that don't end in `.local`.
Alternatively, you may use a DNS server that dynamically adds/removes DNS records based on NDP activity. Depending on implementation, this may or may not require you to define the hostname for each MAC address that you want to have a name in the DNS. If your devices spoof their MAC address as a privacy feature, that would be a problem. There are some draft standards to add functionality similar to DHCP(v6)'s ability for hosts to declare their hostname when discovering/leasing an address.
My home network is split into a public facing (wifi, stream dongles, etc) and my labs separate network. My lab does get its internet through the public, but is sectioned off on its own subnet, with a complete separate ip range.
Great video!
I want to use global ipv6 addresses, but ISPs being the horrible entities that they are, may decide to change your address/prefix at a whim.
How can you setup firewall, subnets, and routing rules that don't break in the event that the ISP changes things?
In general, this is a troublesome problem to solve. The easiest way to work around the issue is to use NPTv6, so that your devices and firewall configurations use ULAs, and your edge routers convert between the ULA and GUA prefixes.
OPNsense uses tracking for this. When configured properly, OPNsense will re-address all your subnets when the ISP changes your prefix. OPNsense will also automatically modify firewall rules accordingly.
It should be noted that in convoluted situations you can have one subnet on multiple VLANs or you can also have multiple subnets on one VLAN. I don't think OPNsense natively supports wither. One subnet across multiple VLANs is actually useful because it lets you isolate physical devices from each other without requiring all traffic to go through the firewall. I don't think there's any _good_ reason for multiple subnets on the same VLAN but I do at home as a hack to deal with some hardcoded IPs.
Actually multiple subnets on the same VLAN makes sense when they are different types. You can have one IPv4 private, one IPv6 GUA, one IPv6 ULA, and also multicast traffic.
A diagram for the wiring of the switch after you introduced it would have been helpful, as would the position of all devices. An explanation of why you need to have the "trunk" (port 1) as tagged, in every vlanid, and why the pvid needs setting and it's purpose would be helpful too. A mention of Firewall rules and why the lan can communicate to the camera (most users are aware the firewall blocks all traffic unless specified in the rules). the diagram would have helped to understand that you plugged the laptop into a different port to the lan port?
How are you setting the public IPv6 address to 2001:db9::/32? Isnt the prefix on public IPv6 addresses given by the RIR and the rest of the prefix bits set by the provider?
2001:db8 is the documentation prefix, for documentation, which is why I used it.
You will get a v6 prefix delegation from your ISP over DHCPv6-PD usually, unless you have a business connection and then it might be static.
I don't have a managed switch but I want to put my servers on their own subnet. Worried about locking myself out so I haven't done it yet.
You can do subnets with direct cabling as well (or a separate switch), VLANs are not required to implement subnets.
Great video but why are you assigning IP4 addresses with the VLan tag in the number and therefore creating multiple subnets? Isnt the VLAN TAG enough to separate traffic on 1 single subnet?
VLANs are a link-layer construct, not IP layer, so while they separate traffic on the link layer, we also need separate subnets on the IP layer if we want inter-network routing to work properly
@@apalrdsadventures I think the purpose of the layers is that you don’t have to duplicate separation. If you setup subnets the packets travel separate based on different IP addresses. Why would you still need VLANs. ? They could all travel as one VLAN and still be distinguishable. No?
You don't have to duplicate your firewall/... but a separate VLAN is like a separate physical network. It's a separate layer 2 domain, so clients need to know to go to their layer 3 router to get routed to the correct layer 3 subnet associated with a different layer 2 domain.
Now that you got me hooked into ipv6, any hints on how to work with a /64 prefix from ISP? Its 5g network so thats all I’m going to get 😢
I have a setup in production somewhere using a single /64 as a LAN and using NDP Proxy (similar to ARP Proxy) for VPN clients to show up on LAN.
@@apalrdsadventures Thank you
I wanna watch all of this dude's videos. Then I remember that he uses IPv6 in all his examples and I quit.
I would love a discussion on how to break a /64 prefix given to me by my ISP in to two (or more) /80s within a virtual lab environment. The end goal would be to have my primary lab environment that runs my services w/in the home, and then a secondary "play thing" type lab environment that is entirely virtualized that I have a OPNsense firewall in front of. So if you're inside that virtual environment, the OPNsense firewall would treat everything upstream of it (including my physical lab hardware such as my Jellyfin server) as "internet". I would of course like to run it as dual stack like my main physical lab network is, which means that any subnets in the virtual lab would not be able to function via prefix delegation before the OPNsense firewall gets a /64. So the connection path would look like this (Internet) --> (Modem) --> (Router/Firewall) --> (HomeLab Environment VLAN for VirtualLab) --> (OPNsense) --> ("Toy Land")
If you want to use SLAAC, you *_mustn't_* use a prefix longer than /64. If you have any Android devices on your network, you must support SLAAC. Technically, the IPv6 base standard also stipulates that all network segments mustn't use a prefix longer than /64, and several other standards that build on top of the base IPv6 standard (such as SLAAC) assume this behaviour. Having said that, if all hosts on your network segment support DHCPv6 and you aren't using any IPv6 features that require a host/interface ID section of at least 64 bits, then you can use e.g. a /80 and have DHCPv6 assign the final 48 bits to make a 128-bit address.
The root of your problem is that your ISP *_should not_* just be giving you a /64. If they are in fact doing this, complain to them and tell them to refer to RIPE-690, which defines the best current operating practices for ISPs on how to number their IPv6 networks. They should *_at least_* be giving you a /60, *_hopefully_* be giving you a /56, and *_preferably_* be giving you a /48, though many ISPs reserve /48s for paying business customers, albeit usually unjustifably from a technical perspective; they just do it as an excuse to charge more to people who particularly have a need for the extra 8 bits downstream.
I want to add: It's possible that your ISP is actually reserving a shorter prefix / larger allocation than a /64 for you (e.g. a /56), but has supplied you with a router than only uses the first available /64 within that larger allocation. The router they supply to you may not support the use of additional subnets, in which case you will need to use your own router, e.g. as shown in this video with an OpnSense instance.
Perhaps I didn't make myself clear. My UDMSE is configured to get a /60. I then have several VLANs that each have their own /64. What I want to do is build a virtual network that takes one of those /64s and break it down even further to other VLANs houses within that virtual lab network.
@@travisaugustine7264 You still should avoid creating subnets with prefixes longer than /64 wherever possible. Again, if any devices on your network exclusively use SLAAC, they simply won't work on e.g. a /65.
Your ISP has given you a /60, so you are able to create 2⁴ = 16 subnets of size /64. If you want more than that, you need to talk to your ISP or find a new one. Again, cite RIPE-690 to them, which says /56 ought to be the bare minimum for residential customers. IPv6 address space is plentiful; ISPs should not be short-changing customers like this.
@@JivanPal my ISP is giving me at least a /60 because I have 4 different VLANS that are each getting their own /64 through prefix delegation. I just want to be able to break one of those delegations into something smaller to experiment with DHCPv6 on that specific VLAN
One key takeaway is that the smaller the /number the larger the size of the subnet and vice versa
Openvpn? Thanks Bro
I'm working on the script for the VPN video, OpenVPN included
It is 2024. Nothing should be this complicated. This is literal rocket science. Horrible. Makes me want to ditch computers all together.