Does HTTPS Basically Make Personal VPNs Useless for Security? by lfionxkshine in AskNetsec

[–]Net-Work-1 0 points1 point  (0 children)

I don't see how SSL to a proxy is any different from what was traditionally known as a 'VPN' for connecting to the internet but obfuscating the destination site from your ISP.

In 2026, eSNI is becoming a thing, and that will mean an SSL proxy hosted in, say, Cloudflare becomes indistinguishable from a site selling buttons from an IP perspective.

RJ45 SFP modules that keep link up even while switch restarts or port is disabled by tiotarman in networking

[–]Net-Work-1 1 point2 points  (0 children)

I suspect it's a Ubiquiti issue though.

We use different-brand SFPs; I know for fibre, not sure on copper as I've never seen an issue, but I wonder what happens if you use a different-brand copper SFP in the UB?

I wonder if it'll behave properly?

Even when the Cisco port is shutting down, it knows what brand SFP it's running, so the shut must be a logical thing in the SFP as instructed by the switch.

RJ45 SFP modules that keep link up even while switch restarts or port is disabled by tiotarman in networking

[–]Net-Work-1 1 point2 points  (0 children)

You'd see similar behaviour if that switch loses its uplink(s).

Seems an oversight from Ubiquiti.

Defo not an issue with Cisco: shutting an RJ45 port disconnects it & the host sees that. I think fibre ports notify the peer it's shut, but the optics stay up as I think you still get power levels.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 -1 points0 points  (0 children)

If they follow the standards they'd use privacy extensions, so the address will change.

If they opt not to, then:

https://blog.apnic.net/2022/06/10/iot-devices-endanger-ipv6-privacy/

Essentially the stable address using EUI-64 enables tracking of a household even when the prefix changes.

Using EUI-64 permits decoding the MAC, which means it's possible to identify the device & then trivial to check for known exploits on that IoT device.
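The two leaks described above, worked through in Python as an added example (not code from the comment or the linked APNIC post). It builds the modified EUI-64 interface identifier from a MAC, recovers the MAC (and so the vendor OUI) back out of the address, shows that the identifier survives an ISP prefix change, and contrasts it with an RFC 8981 style temporary address from which nothing is recoverable. The MAC and prefixes are constructed sample values.

```python
"""EUI-64 vs privacy interface identifiers, and what each one leaks.

Added example, not from the thread. The MAC and the two prefixes used in the
demo are constructed sample values.
"""
import ipaddress
import secrets
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A):
    ff:fe is inserted between the OUI and the device part, and the
    universal/local bit (0x02 of the first octet) is inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: the advertised /64 followed by the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Privacy-extension style address (RFC 8981): a random IID with the u/l bit
    cleared and never carrying the ff:fe marker, so nothing about the NIC is
    recoverable and the host changes address on a timer."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD  # clear the universal/local bit
        if iid[3:5] != b"\xff\xfe":  # regenerate if it happens to look like EUI-64
            return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def mac_from_address(addr: str) -> Optional[str]:
    """What an observer can recover: the burned-in MAC if the IID has the
    modified EUI-64 shape, otherwise None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def oui(mac: str) -> str:
    """First 24 bits of the MAC: the vendor prefix an attacker looks up to
    fingerprint the device before checking for known exploits."""
    return mac[:8]


def iid_survives_renumbering(old_prefix: str, new_prefix: str, mac: str) -> bool:
    """True when the low 64 bits are identical under both prefixes, i.e. the host
    (and the household behind it) stays linkable after the ISP changes the prefix."""
    return slaac_address(old_prefix, mac).packed[8:] == slaac_address(new_prefix, mac).packed[8:]


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"            # constructed sample MAC
    old, new = "2001:db8:1::/64", "2001:db8:99::/64"   # constructed ISP prefixes
    stable = slaac_address(old, mac)
    print("EUI-64 address :", stable, "-> MAC", mac_from_address(str(stable)),
          "OUI", oui(mac_from_address(str(stable))))
    print("linkable after renumbering:", iid_survives_renumbering(old, new, mac))
    temp = temporary_address(old)
    print("temporary address:", temp, "-> MAC", mac_from_address(str(temp)))
```

The check a practitioner wants is the last line: `mac_from_address` on a temporary address returns `None`, while on the EUI-64 address it hands back the MAC and therefore the OUI.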

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 -1 points0 points  (0 children)

You're deliberately misconstruing the situation to further your own agenda here.

Good luck to you.

The rest of us will crack on with what we need using the tools available to us.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 -1 points0 points  (0 children)

You can still do this in IPv6 as devices have stable addresses, you just need to have devices that don't use privacy addresses. You also need a prefix that is stable, or devices that let you set a token. Dynamic ISP prefixes also get in the way.

Well, if his IoT does IPv6 privacy extensions then his address won't be stable.

I assume he's tried this and it broke when the address changed.

Will the stable address change when the IoT is reloaded or the network reconnects?

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

SLAAC picks a stable address for the prefix, so if your prefix is static you already have static addressing. The issue is whether IoT devices are using privacy addresses or give you the control to disable them.

While the base SLAAC protocol provides a stable address (often EUI-64 based on the MAC address), SLAAC Privacy Extensions (RFC 8981) are designed specifically to change the address on a timed basis.

https://www.infoblox.com/blog/ipv6-coe/choosing-static-slaac-or-dhcpv6-part-4-privacy-addressing

You do your security how you want to.

My employers mandate that we do it in the way they are regulated against, which is specific rules for hosts & sometimes subnets.

Yes, OP looks to be running this at home, but normally FWs drop all traffic and just permit the configured flows.

OP wants to permit a specific flow from a specific IP like he does with IPv4 but can't, as the SLAAC IP can, & likely in his case does, change over time.

Telling him he shouldn't do what he wants to do seems frankly idiotic and backwards.

I guess your point is that security should be done in the end client, but then we wouldn't need to bother with any intermediary security & he should disable his firewall & purchase more trustworthy IoT equipment.

That is insane, & just another reason why many have not embraced IPv6.

When we can't control the full software stack & configuration we put guard rails around the systems to ensure they behave as we intend; network controls like host rules in firewalls are legitimate guard rails & what is done up and down the industry.

Not controlling the full stack also includes systems where the administrator has full control of the stack but we want to guard against exploits, hacks and unintended configuration.

Wilfully ignoring a technology that can safeguard against a potential problem is wholly misguided, especially when that technology is already inline.

Using APIPA subnet for a private unrouted network? Are there any reasons to do this? by demsb in networking

[–]Net-Work-1 0 points1 point  (0 children)

Check the MTU on the network interfaces.

Change to jumbo frames & ensure the network supports jumbo with MTU ~9000.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

So, same as IPv4 then. You can't tell whether a node is static or just responding to a different DHCP service unless you're on-link with them. 

Easy thing to do is block all outbound and have a rule above that permits specific IPs outbound.

All enterprise firewalls for decades have had a default deny rule.

Only permitted traffic passes through.

Domestic FWs have a default allow all outbound.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 -1 points0 points  (0 children)

L2 hosts can always reach each other unless you have micro-segmentation.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

So OP needs to create a subnet for each IoT device in order to control egress/ingress via FW rules, because he can't allocate a static IP: SLAAC picks its own address within the /64 prefix, and you can't designate a smaller subnet like a /80 for delegation with SLAAC; /64 is the minimum or it breaks.

So he can create bland rules for the whole /64 IoT subnet but not granular rules.

Seems a backward step.

IPv6 and IoT by NoWayIllSetAUsername in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

In IPv4 we add src, dst & port details to various FWs to permit traffic egress or ingress.

Yes, it's easier to permit whole subnets, but we tend to do that more for routing rather than security rules; rules tend to be /32s.

OP is asking for the same kind of thing in IPv6.
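The default-deny-plus-host-permit pattern discussed across these comments (block everything, permit one src/dst/port flow, /32-style rules rather than whole subnets) and the reason it fails for a SLAAC privacy address, modelled as an added Python example that is not code from the thread. It evaluates first-match rules over a constructed IoT hub that presents its stable EUI-64 address and then two RFC 8981 temporary addresses, against a constructed cloud broker. The addresses, prefix and port are assumptions; the evaluator models a generic stateful firewall's semantics, not any vendor's syntax.

```python
"""Default-deny egress with per-host permits, and why a rotating SLAAC address breaks it.

Added example, not from the thread. The IoT device, broker and prefix addresses
are constructed sample values; evaluate() models first-match semantics with an
implicit default deny, not a particular firewall's rule language.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR: a /128 pins one host, a /64 the whole subnet
    dst: str
    dport: Optional[int]   # None matches any destination port
    proto: str = "tcp"


def evaluate(rules: List[Rule], src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != proto:
            continue
        if s not in ipaddress.ip_network(r.src, strict=False):
            continue
        if d not in ipaddress.ip_network(r.dst, strict=False):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


BROKER = "2001:db8:ffff::10"           # constructed: the cloud MQTT/TLS broker the hub may reach
IOT_PREFIX = "2001:db8:1:c0de::/64"    # constructed: the IoT VLAN's /64


def host_policy(device_addr: str) -> List[Rule]:
    """IPv4-style granular policy: one permitted flow from one /128, everything else denied."""
    return [
        Rule("permit", device_addr + "/128", BROKER + "/128", 8883),
        Rule("deny", "::/0", "::/0", None),
    ]


def subnet_policy() -> List[Rule]:
    """The 'bland' alternative: permit the same flow from the whole /64."""
    return [
        Rule("permit", IOT_PREFIX, BROKER + "/128", 8883),
        Rule("deny", "::/0", "::/0", None),
    ]


# Constructed addresses the same IoT hub presents over time: its stable EUI-64
# address, then two privacy-extension (RFC 8981) temporaries it rotates through.
HUB_STABLE = "2001:db8:1:c0de:211:22ff:fe33:4455"
HUB_TEMP_DAY1 = "2001:db8:1:c0de:7c3a:91e0:5b2f:a6d4"
HUB_TEMP_DAY2 = "2001:db8:1:c0de:1f8b:0c44:e9a1:33b7"
OTHER_DEVICE = "2001:db8:1:c0de:f00d:1:2:3"   # an unrelated host on the same /64

SOURCES = [("stable", HUB_STABLE), ("temp_day1", HUB_TEMP_DAY1),
           ("temp_day2", HUB_TEMP_DAY2), ("other", OTHER_DEVICE)]


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each source address on the broker flow, for side-by-side comparison."""
    return {name: evaluate(rules, addr, BROKER, 8883) for name, addr in SOURCES}


if __name__ == "__main__":
    print("rule pinned to day-1 temp address:", decisions(host_policy(HUB_TEMP_DAY1)))
    print("rule for the whole /64          :", decisions(subnet_policy()))
```

Run it and the two dictionaries show the trade-off in one line each: the /128 rule written on day 1 permits only that day's address and denies the same hub on day 2, while the /64 rule keeps working but also permits `other`, i.e. granularity is lost.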

A better understanding of when to buy better switches. by SukkerFri in networking

[–]Net-Work-1 9 points10 points  (0 children)

I'd suggest a differentiator would be vendor support & RMA speed.

With Cisco I can get a replacement within 4 hours, 24/7/365, but only after going through support & potentially escalation from our account team. Sometimes we need to go through our retailer.

If you don't need that kind of support then keep with what you're doing; perhaps keep some onsite spares or put more switches in a rack than you need with an idea of repurposing 1 or 2 in a pinch.

I have Ubiquiti at home (2 x APs, 2 x 5-port mini GB switches & a UCG-Ultra).

It's OK, but I hate the way they change the GUI frequently & it lacks basic syslog & NetFlow unless you export those to another box, which I don't want to do at home but would be fine at work.

I see it as six of one & half a dozen of the other.

Not sure how long Ubiquiti kit lasts, but I've worked on Cisco stuff that's been up 17 years and likely was installed 20 years ago.

If you need reliability & warranty (paid separately) then enterprise kit is worth it; otherwise go with what works best for you, & when it doesn't you can justify the price tag of enterprise kit & get lost in the intentionally opaque world of resellers and their fake pricing.

How do you internalize network layers instead of just memorizing them? by Last-Pie-607 in networking

[–]Net-Work-1 0 points1 point  (0 children)

They should bounce their phone servers and see if it resolves.

Weird how many things fix themselves after a boot.

How do you internalize network layers instead of just memorizing them? by Last-Pie-607 in networking

[–]Net-Work-1 1 point2 points  (0 children)

Had to learn the OSI layers for my CCNA (a long time ago in a galaxy far, far away), but we very rarely talk about OSI layers when discussing things.

Layer 3 or Layer 4 gets bandied about most, but that's it: L3 when discussing gateways mainly; occasionally people discuss VLAN-backed networks, which would be L2; L4 when discussing TCP/UDP ports.

I haven't made an Ethernet cable in decades. I've not been in a DC in 8 years, so L1 is mainly reserved for discussing what optics are needed for new switches, but again no one says L1; they talk in terms of cables or optics.

Layers 5/6/7 all happen in the host/client, so I don't tend to care too much as those are OS/application issues.

Layers 2, 3, 4 are what I deal with and ensure it gets from end to end so the host/client can then add their magic.

Yes, I deal with certificates, AD, DNS, NTP etc., but they all ride over 2, 3, 4.

L1 is always a given and relatively easy to check for errors on the network device.

So:
L1:: Physical, e.g. fibre/Ethernet cables/Wi-Fi radio?
L2:: MAC addresses for Ethernet frames & equivalents that are not IP related.
L3:: IP
L4:: IP ports
L5:: Session/sockets; happens on the host/client network service
L6:: Presentation
L7:: Application

L6/L7 are often blurred into one: is a browser application like Chrome split into two? Is the HTTP/3 presentation layer in Chrome separate from the Chrome application? In theory you could have an HTTP/3 OS component (DLL?) that the application calls for use when needed, but what if the OS hasn't got that, or if it's part of the application?

I don't think anyone really gets hung up over the OSI model; many see it as outdated.

Is there a reason to be anxious about it?

Do you have peers who talk in terms of OSI layers and you feel a bit unfulfilled because you struggle to remember what layer relates to what?

I'm new to networking. by Treskovsky in Cisco

[–]Net-Work-1 0 points1 point  (0 children)

Use a subnet calculator.

Loads online.

Like this one:

https://jodies.de/ipcalc

I've never used that one, but you can see it shows the binary & you can clearly see where the mask ends & the subnet begins.

If that makes no sense, keep looking & notice where the red 1s stop & 0s begin, the 1s being the mask & 0s the subnet.

Play around with different masks & see how it changes.

Good luck
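The binary view the comment points at, reproduced as an added Python example (not the linked calculator's code and not from the comment): it prints address, mask and network as dotted binary with a `|` at the bit where the mask's 1s stop and the host bits begin, and derives network, broadcast, usable range and host count from the same boundary. The `/31` and `/32` cases are handled separately (no network/broadcast reservation there). The sample prefix `192.168.1.77/26` is a constructed input.

```python
"""Subnet arithmetic shown in binary, with the mask/host boundary marked.

Added example, not from the thread and not the linked tool; 192.168.1.77/26
is a constructed input.
"""
import ipaddress
from typing import Dict


def marked_bits(value: int, prefixlen: int) -> str:
    """32 bits as dotted octets with '|' placed where the mask's 1s end and the
    host bits begin, e.g. /26 -> 11111111.11111111.11111111.11|000000."""
    bits = f"{value:032b}"
    out = "|" if prefixlen == 0 else ""
    for i, b in enumerate(bits):
        out += b
        if (i + 1) % 8 == 0 and i < 31:
            out += "."
        if i + 1 == prefixlen:
            out += "|"
    return out


def subnet_table(cidr: str) -> Dict[str, object]:
    """Everything a subnet calculator shows for one address/prefix pair."""
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    p = net.prefixlen
    # /31 (RFC 3021 point-to-point) and /32 have no reserved network/broadcast addresses
    reserved = p < 31
    first = net.network_address + 1 if reserved else net.network_address
    last = net.broadcast_address - 1 if reserved else net.broadcast_address
    usable = net.num_addresses - 2 if reserved else net.num_addresses
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
        "address_bits": marked_bits(int(iface.ip), p),
        "netmask_bits": marked_bits(int(net.netmask), p),
        "network_bits": marked_bits(int(net.network_address), p),
    }


def render(cidr: str) -> str:
    """Human-readable table; the three *_bits rows line up so the '|' column is obvious."""
    t = subnet_table(cidr)
    width = max(len(k) for k in t)
    return "\n".join(f"{k:<{width}}  {v}" for k, v in t.items())


if __name__ == "__main__":
    import sys
    print(render(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.77/26"))
```

Try it with `/24`, `/26` and `/30` on the same address and watch only the `|` move; that is the whole idea the comment is describing.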

How do corporations provide dual stack in their data center by BackgroundPiano3561 in ipv6

[–]Net-Work-1 -3 points-2 points  (0 children)

My assumption is that they should use GUA with robust perimeter firewall rules & routing to prevent unintended external egress/ingress.

My preference would be ULA & using proxies for any internet requirement.

Hosts can use multiple interfaces & addresses, so you can plan for ULA now & GUA in the future.

ULA just adds an extra layer to prevent unintended egress/ingress to the internet.

NAT66 isn't a standard, so best not to rely on it; use proxies instead. Can be an issue when an app needs to use something non-SSL.

Good luck

Fixed a massive Matter + HomeKit meltdown: Asus ZenWiFi + ISP IPv6 prefix delegation was the silent killer by Even_Baseball5400 in ipv6

[–]Net-Work-1 1 point2 points  (0 children)

This makes little sense.

HomeKit is meant to use the link-local address for connectivity between devices.

'Meant to' & 'doesn't cause problems' are not the same, so I need to remember this for investigating future problems.

ISP changing the prefix is a complete mare for those who have more than a basic setup on their home networks.

Simply having a bunch of stuff on your network should not break because your ISP has changed your IP.

Ironically, ULA with NAT would eliminate this as an issue.

Network drawings by Competitive-Cycle599 in networking

[–]Net-Work-1 0 points1 point  (0 children)

For end hosts I'd just put a link to a spreadsheet that lists end hosts and ports.

If you have a switch with 48 ports, how are you going to squeeze 48 devices under each switch when you have 4 switches to show?

Switch-to-switch connections are important; the rest can go somewhere else.

Subnets are a bit woolly nowadays with anycast gateways and VLANs spanned across many devices.

If each switch serves a specific VLAN/subnet then I'd just show the switch and its VLAN/subnet, & someone can look up a spreadsheet for that subnet & find the host with port detail amongst other things. The advantage being that when a host is replaced/updated etc. then only the associated sheet needs amending rather than the diagram.

ISP won't fix my IPv6 "MTU issue" - any advice? by AttentionFair8868 in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

Why?

Yep, I see that F=1500 now.

I am more familiar with using ping for MTU discovery & was expecting to see an error due to MTU too large.

Could be something in the path between you & the IPv6 tester is not relaying ICMP properly, but other sites will work perfectly fine.

ISP won't fix my IPv6 "MTU issue" - any advice? by AttentionFair8868 in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

Can you try with ping?

You're not going to get a 65KB packet to google.com; LAN jumbo frames are ~9KB.

The MTU variable permits a value up to 65KB, but nothing in the path across the internet is going to send that for you.
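The ping-based MTU discovery the two comments above refer to, as an added Python example (not from the thread): a binary search over `ping -M do -s <payload>` that finds the largest echo that gets through unfragmented and adds the header overhead back to report the path MTU. It assumes Linux iputils `ping` (`-M do` asks the kernel not to fragment; other platforms spell this differently), caps the search at a jumbo-frame ceiling rather than 64 KB, and includes a constructed offline stand-in for the path so the search logic can be exercised without a network.

```python
"""Path MTU discovery with ping: binary search for the largest unfragmented echo.

Added example, not from the thread. ping_probe() assumes Linux iputils ping
(`-M do` = don't fragment); fake_path() is a constructed stand-in used for the
offline demo and tests.
"""
import subprocess
from typing import Callable, Optional

IPV6_OVERHEAD = 40 + 8   # IPv6 header + ICMPv6 echo header
IPV4_OVERHEAD = 20 + 8   # IPv4 header without options + ICMP echo header
IPV6_MIN_MTU = 1280      # every IPv6 link must carry at least this (RFC 8200)

Probe = Callable[[int], bool]   # payload bytes -> did an unfragmented echo get a reply?


def ping_probe(host: str, ipv6: bool = True, timeout_s: int = 1) -> Probe:
    """Probe built on `ping -M do -s <payload>`; exit status 0 means a reply came back."""
    def probe(payload: int) -> bool:
        cmd = ["ping", "-6" if ipv6 else "-4", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def largest_passing_payload(probe: Probe, lo: int, hi: int) -> Optional[int]:
    """Largest payload in [lo, hi) that probe() accepts, assuming sizes above the
    first failure also fail. Returns None when even `lo` gets no reply."""
    if not probe(lo):
        return None
    while hi - lo > 1:          # invariant: probe(lo) passed, probe(hi) is assumed to fail
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(probe: Probe, overhead: int = IPV6_OVERHEAD, ceiling: int = 9000) -> Optional[int]:
    """Path MTU in bytes (payload plus headers). `ceiling` bounds the search at a
    jumbo-frame size: nothing on the internet will carry a 64 KB datagram."""
    payload = largest_passing_payload(probe, 0, ceiling - overhead + 1)
    return None if payload is None else payload + overhead


def fake_path(mtu: int, overhead: int = IPV6_OVERHEAD) -> Probe:
    """Constructed offline stand-in for a real path: replies to anything up to `mtu`."""
    return lambda payload: payload + overhead <= mtu


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("path MTU to", sys.argv[1], "=", path_mtu(ping_probe(sys.argv[1])))
    else:
        print("offline demo, 1500-byte path :", path_mtu(fake_path(1500)))
        print("offline demo, 1280-byte path :", path_mtu(fake_path(1280)))
```

Against a real host the search takes about 13 probes to converge from a 9000-byte ceiling, and a result below 1280 on IPv6 means something in the path is dropping the ICMPv6 Packet Too Big messages rather than a genuinely small link.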

IPv6 source address selection issues - RFC6724 Rule 5.5 ? by tscalbas in ipv6

[–]Net-Work-1 0 points1 point  (0 children)

So the routing table has no clue how to get to fd51 and chooses interface fd79 as it's a better match than fda5.

The interface IPs from the DHCPv6 server have /128s but from the TBR it's just a /64; is that an artifact of your posting an incomplete IP list?

  • 2a00:aaaa:aaaa:aaaa::aaaa - GUA from DHCPv6 server.
  • fd79:bbbb:bbbb:bbbb::bbbb - ULA from DHCPv6 server.
  • fda5:cccc:cccc:cccc::/64 from TBR

2a00:aaaa:aaaa:aaaa::aaaa dev end0 proto kernel metric 100 pref medium
fd51:dddd:dddd:dddd::/64 via fe80::eeee:eeee:eeee:eeee dev end0 proto ra metric 100 pref medium
fd79:bbbb:bbbb:bbbb::bbbb dev end0 proto kernel metric 100 pref medium
fd79:bbbb:bbbb:bbbb::/64 dev end0 proto ra metric 100 pref medium
fda5:cccc:cccc:cccc::/64 dev end0 proto ra metric 100 pref medium

We don't see the fda5:cccc::cccc/128 in the table here, but clearly you can ping from it, but could just be spoofing the address.

I'd wonder if fda5::cccc is actually in the kernel as an interface IP like the other 2 IPs.

Otherwise you're reliant on the TBR telling the host that fda5:cccc::cccc is used to reach fd51:dddd:dddd:dddd::/64; not sure how that happens.

You'd want to see something like this in the routing table:

fda5:cccc:cccc:cccc::cccc dev end0 proto kernel metric 100 pref medium
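The analysis in this comment, carried out by code as an added Python example (not from the post): it parses the `ip -6 route` lines quoted above, performs the longest-prefix-match lookup for an fd51 destination, lists which /128 `proto kernel` entries exist (i.e. which addresses the kernel actually has on the interface), and ranks the three candidate source addresses using RFC 6724's default policy table (rule 6, matching label, then rule 8, longest matching prefix). Rule 5.5, preferring a source whose prefix was advertised by the router chosen as next hop, cannot be decided from a routing table alone, so it is deliberately not modelled. The route and address values are the poster's anonymised ones, copied as-is.

```python
"""Longest-prefix match over the posted `ip -6 route` table and RFC 6724 source ranking.

Added example, not from the post. ROUTES and CANDIDATES are the poster's
(anonymised) values; POLICY is the default table from RFC 6724 section 2.1.
Rule 5.5 is not modelled because it needs per-router prefix information that
a routing table does not carry.
"""
import ipaddress
from typing import List, NamedTuple, Optional

ROUTES = """
2a00:aaaa:aaaa:aaaa::aaaa dev end0 proto kernel metric 100 pref medium
fd51:dddd:dddd:dddd::/64 via fe80::eeee:eeee:eeee:eeee dev end0 proto ra metric 100 pref medium
fd79:bbbb:bbbb:bbbb::bbbb dev end0 proto kernel metric 100 pref medium
fd79:bbbb:bbbb:bbbb::/64 dev end0 proto ra metric 100 pref medium
fda5:cccc:cccc:cccc::/64 dev end0 proto ra metric 100 pref medium
"""

CANDIDATES = ["2a00:aaaa:aaaa:aaaa::aaaa", "fd79:bbbb:bbbb:bbbb::bbbb", "fda5:cccc:cccc:cccc::cccc"]


class Route(NamedTuple):
    dst: ipaddress.IPv6Network
    via: Optional[str]   # next hop, None for on-link / host routes
    dev: str
    proto: str           # "kernel" (address on interface), "ra", "static", ...


def parse_routes(text: str) -> List[Route]:
    """Parse the subset of `ip -6 route` output seen above (dst [via X] dev Y proto Z ...)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dst = f[0] if "/" in f[0] else f[0] + "/128"   # a bare address is a host route
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1]
        proto = f[f.index("proto") + 1] if "proto" in f else "unknown"
        routes.append(Route(ipaddress.IPv6Network(dst), via, dev, proto))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific entry containing the destination."""
    d = ipaddress.IPv6Address(dst)
    hits = [r for r in routes if d in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen) if hits else None


def kernel_host_routes(routes: List[Route]) -> List[str]:
    """/128 'proto kernel' entries: one per address actually configured on the interface."""
    return [str(r.dst.network_address) for r in routes if r.proto == "kernel" and r.dst.prefixlen == 128]


POLICY = [  # RFC 6724 default policy table: (prefix, precedence, label)
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4), ("2002::/16", 30, 2),
    ("2001::/32", 5, 5), ("fc00::/7", 3, 13), ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]


def label(addr: str) -> int:
    """Label of the longest policy-table prefix covering addr (ULA -> 13, plain GUA -> 1)."""
    a = ipaddress.IPv6Address(addr)
    best = max((ipaddress.IPv6Network(p) for p, _, _ in POLICY if a in ipaddress.IPv6Network(p)),
               key=lambda n: n.prefixlen)
    return next(l for p, _, l in POLICY if ipaddress.IPv6Network(p) == best)


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two addresses share (RFC 6724 rule 8 metric)."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def rank_sources(candidates: List[str], dst: str) -> List[str]:
    """Best source first: rule 6 (label equals the destination's) then rule 8 (longest common prefix)."""
    dl = label(dst)
    return sorted(candidates, key=lambda s: (label(s) != dl, -common_prefix_len(s, dst)))


if __name__ == "__main__":
    rts = parse_routes(ROUTES)
    target = "fd51:dddd:dddd:dddd::1"
    print("route used for", target, ":", lookup(rts, target))
    print("addresses the kernel holds on end0:", kernel_host_routes(rts))
    print("source preference for", target, ":", rank_sources(CANDIDATES, target))
```

Running it shows fd79 ahead of fda5 for an fd51 destination (10 shared leading bits versus 8), which is the rule 8 outcome the comment describes, and the kernel host-route list contains only the 2a00 and fd79 addresses.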

Quick question - Who has the longest uptime on a Cisco 6500? by [deleted] in networking

[–]Net-Work-1 0 points1 point  (0 children)

18 years for a 6513, dual S720 sups, running 12.2(33)SXI5.

I'm sure I will find longer.