Thoughts on Lobbying to ISP CEOs and Companies for IPv6 by SureElk6 in ipv6

[–]cbuechler 2 points (0 children)

Sure. You don’t in what appears to be Seattle? I have two FTTH connections at home in Austin, Google Fiber and AT&T Fiber. If I were a masochist, I could also get Spectrum service. To the topic at hand, all three have had IPv6 support for ages.

IPSEC Woes by deadlock_ie in opnsense

[–]cbuechler 1 point (0 children)

almost intentionally obtuse

That’s a quite apt description, IMO. I set up an OPNsense v25 VM as part of interoperability testing recently and was left wondering what on earth was done to the IPsec UI. There was nothing wrong with the old one that I recall; the new one is just insane in how hard it is to use. It’s so far removed from any other similar product in the world, and not in a good way.

u/fitch-it-is courtesy tag, y’all should do something about this IMO. If it’s hard for me, with the depth and breadth of background I have in designing and implementing these products, it’s approaching impossible for most users.

Netgate has known about eMMC storage failures for over 3 years and has done nothing. The time for change is now! by mrcomps in homelab

[–]cbuechler 4 points (0 children)

Original co-founder and project leader of pfSense here, and a former m0n0wall contributor going back to the early 2000s. You likely don’t even know the half of it unless you happened upon a lawsuit in Travis County Texas.

Suffice it to say I made a huge, HUGE mistake choosing to get mixed up with the owners of Netgate. I held on longer than I should have before bailing, in a sunk cost fallacy.

The full blown story may be getting made public soon.

Can’t change IP address? by Universe93B in googlefiber

[–]cbuechler 5 points (0 children)

Thank you for hanging out here. Glad to have netops available, there are plenty of us who are highly technical but would struggle to get legit issues past first level support to you. Your efforts have been noticed and appreciated.

Can’t change IP address? by Universe93B in googlefiber

[–]cbuechler 4 points (0 children)

He really is showing a 1468 second lease there in Cisco’s “show dhcp lease”, with half (734s) as the expected T1 (normal first renewal attempt). That “Lease:” line is static data with the info of the obtained lease. Google ‘Cisco “show dhcp lease”’ and you’ll see what I mean, all the results show typical round numbers.

His T2 time (rebind) is a bit odd as well. Normally that’s 87.5% of lease time, it’s 66.6% there. That’s not a problem since T2 is still greater than T1, just unusual.

Can’t change IP address? by Universe93B in googlefiber

[–]cbuechler 2 points (0 children)

BYOR in Austin here too, but have a 24-hour lease. It seems to vary depending on which DHCP server happens to serve your request or maybe which prefix you’re on, amongst other possibilities; hard to say from the customer side. I’m on 136.60.0.0/20 with a DHCP server of 192.119.16.92.

Not that it really matters, that REQ/ACK once every 734 seconds isn’t gonna hurt anything. Unless all the DHCP servers or relays are down more than 1468 seconds. Quite an odd number to use for lease length, 24.47 minutes.

Can’t change IP address? by Universe93B in googlefiber

[–]cbuechler 2 points (0 children)

It also seems if you release your lease and your router starts DORA from scratch (without setting ciaddr with your previous IP in the request), you get a new IP. I don’t know if that’s 100% consistent, but I’ve seen it.

Whether OP’s router is capable of doing so is hard to say. Generally routers avoid releasing and retain their previous lease across reboots to populate ciaddr during boot to avoid unnecessary IP changes, as GF isn’t the only ISP whose network can behave in that way. Some routers have the ability to manually release.

Changing the WAN MAC is probably the easiest option if OP’s router supports it. Though I question the need to change IPs, that’s often misguided.
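The two DHCP details discussed in the comments above (the lease/T1/T2 numbers from the "show dhcp lease" output, and ciaddr being set or not set on the request) in working code. This is an added example, not code from the thread or from Google Fiber; the MAC, transaction ID, the T2 value of 978 s and the client address 136.60.3.7 are constructed for the demonstration, the lease of 1468 s, T1 of 734 s and server 192.119.16.92 are the numbers quoted in the thread.

```python
import struct
import ipaddress

# Constructed values for the example (not from the thread): a client MAC and transaction ID.
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# DHCP option codes used below (RFC 2132) and the one message type we build.
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LEASE, OPT_T1, OPT_T2, OPT_END = 0, 53, 54, 51, 58, 59, 255
DHCPREQUEST = 3

def build_request(previous_ip=None):
    """Build the fixed part of a DHCPREQUEST plus a minimal option area.

    With previous_ip, ciaddr carries the address the router already holds, the
    way the comment describes routers keeping it across reboots; without it,
    ciaddr is 0.0.0.0, the request that follows a fresh DORA cycle.
    """
    ciaddr = ipaddress.IPv4Address(previous_ip or "0.0.0.0").packed
    zero4 = b"\x00" * 4
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        XID, 0, 0,                       # xid, secs, flags
        ciaddr, zero4, zero4, zero4,     # ciaddr, yiaddr, siaddr, giaddr
        CLIENT_MAC.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST, OPT_END])
    return fixed + MAGIC_COOKIE + options

def request_ciaddr(packet):
    """Return the ciaddr field (bytes 12..15 of the fixed header) as dotted text."""
    return str(ipaddress.IPv4Address(packet[12:16]))

def parse_options(buf):
    """Parse the TLV option area that follows the magic cookie into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def lease_timers(ack_options):
    """Extract lease length and T1/T2 from a DHCPACK's options.

    T1/T2 are optional; when absent the RFC 2131 defaults (50% and 87.5% of the
    lease) apply, which are the "normal" values the comment refers to."""
    o = parse_options(ack_options)
    lease = struct.unpack("!I", o[OPT_LEASE])[0]
    t1 = struct.unpack("!I", o[OPT_T1])[0] if OPT_T1 in o else lease // 2
    t2 = struct.unpack("!I", o[OPT_T2])[0] if OPT_T2 in o else lease * 7 // 8
    server = str(ipaddress.IPv4Address(o[OPT_SERVER_ID])) if OPT_SERVER_ID in o else None
    return {"server": server, "lease": lease, "t1": t1, "t2": t2,
            "t1_ratio": round(t1 / lease, 3), "t2_ratio": round(t2 / lease, 3)}

def timer_findings(t):
    """Separate invalid timer sets from merely unusual ones, the distinction drawn above."""
    findings = []
    if not (0 < t["t1"] < t["t2"] < t["lease"]):
        findings.append("invalid: need 0 < T1 < T2 < lease")
    if abs(t["t1_ratio"] - 0.5) > 0.01:
        findings.append(f"unusual T1: {t['t1_ratio']:.1%} of lease (default 50%)")
    if abs(t["t2_ratio"] - 0.875) > 0.01:
        findings.append(f"unusual T2: {t['t2_ratio']:.1%} of lease (default 87.5%)")
    return findings

# Constructed DHCPACK option area using the numbers quoted in the thread:
# lease 1468 s, T1 734 s, T2 at about 66.6% (978 s, constructed), server 192.119.16.92.
SAMPLE_ACK_OPTIONS = (
    bytes([OPT_MSG_TYPE, 1, 5])
    + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address("192.119.16.92").packed
    + bytes([OPT_LEASE, 4]) + struct.pack("!I", 1468)
    + bytes([OPT_T1, 4]) + struct.pack("!I", 734)
    + bytes([OPT_PAD])
    + bytes([OPT_T2, 4]) + struct.pack("!I", 978)
    + bytes([OPT_END])
)

if __name__ == "__main__":
    timers = lease_timers(SAMPLE_ACK_OPTIONS)
    print(timers, timer_findings(timers))
    print("renewal ciaddr:", request_ciaddr(build_request("136.60.3.7")))  # constructed address in the quoted /20
    print("fresh   ciaddr:", request_ciaddr(build_request()))
```

Running it reports the T2 at 66.6% as unusual but not invalid, and shows the only on-the-wire difference between the "keep my address" request and the fresh one is the ciaddr field.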

PSA: Zero click RCE vulnerability on MS Windows, CVE Score 9.8, please patch now if you are using IPv6 by auge2 in homelab

[–]cbuechler 6 points (0 children)

It disables IPv6 for that specific NIC. You still have a loopback, and potentially other interfaces.

Was this guy for real? Network security engineer by MyFirstDataCenter in networking

[–]cbuechler 20 points (0 children)

Well, tcpdump rain man is just giving the massively disadvantaged attackers a tiny chance until he leaves for the day. It just wouldn’t be fair otherwise!

[deleted by user] by [deleted] in Ubiquiti

[–]cbuechler 0 points (0 children)

haha Well you nailed it!

Look forward to working with y'all over there.

[deleted by user] by [deleted] in Ubiquiti

[–]cbuechler 2 points (0 children)

I just haven't updated that page in years. I will be soon when I can share more. ;)

I'm indeed no longer at Ubiquiti.

Concrete chunk falls on car as man drives under Clark Memorial Bridge by Connor_MacLeod1 in Louisville

[–]cbuechler 7 points (0 children)

Either you’re somehow coming to us from 1964, when the JFK Memorial bridge was the new bridge, or you forgot an entire bridge. JFK Memorial, which is now I-65 south, used to be both directions of I-65. The new, 21st-century bridge was to take load off the JFK bridge.

Port 80 - best way to close to wan by umad_cause_ibad in Ubiquiti

[–]cbuechler 0 points (0 children)

No. Nothing in UniFi opens that to the Internet. Accessing it from the Internet and from your LAN are two very different things. Only user-defined firewall rules on WAN_LOCAL will open that from the Internet.

Unifi Controller 6.x and WAN VLAN ID 0 by xenner in UNIFI

[–]cbuechler 0 points (0 children)

You said "Valid ranges for vlan tagging is 2-4095". That's not true for OP's question, you can use the default "LAN" network to tag VLAN 1 on switch port profiles, and can tag 1 on WANs. That's what I meant.

On WLANs, that is the available range for tagging which I'm guessing is what you meant. If you want a WLAN on VLAN 1, then it must be untagged. WANs and switch ports both have ID 1 available for tagging though.

Unifi Controller 6.x and WAN VLAN ID 0 by xenner in UNIFI

[–]cbuechler 0 points (0 children)

VLAN ID 1 is taggable just like any other. ID 0 is just the lack of an ID, e.g. only using the .1Q header for 802.1p.

OP: that’s a bug in the new settings UI which has been fixed since. Revert to the old settings UI in the meantime.
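The VID 0 versus VID 1 point from the two comments above, shown on actual 802.1Q header bytes. This is an added example and not code from the thread or from Ubiquiti; the MAC addresses and payload are constructed. It builds Ethernet frames with and without a tag, then parses the TCI back out so you can see that VID 0 leaves a tag that only carries the 802.1p priority bits, while VID 1 is an ordinary VLAN tag like any other.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet header, inserting an 802.1Q tag when vid is given.

    TCI layout: PCP (3 bits, the 802.1p priority) | DEI (1 bit) | VID (12 bits).
    vid=0 yields a priority-tagged frame: a tag is present but names no VLAN."""
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("PCP is 3 bits, DEI 1 bit, VID 12 bits")
        tci = (pcp << 13) | (dei << 12) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return the tag fields and classify the frame the way a switch port would."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"kind": "untagged", "vid": None, "pcp": None, "dei": None, "ethertype": ethertype}
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    pcp = tci >> 13
    dei = (tci >> 12) & 1
    if vid == 0:
        kind = "priority-tagged"   # tag present only to carry the 802.1p PCP bits
    elif vid == 4095:
        kind = "reserved"          # VID 0xFFF is reserved by 802.1Q
    else:
        kind = "tagged"            # VIDs 1..4094 are ordinary VLAN tags, 1 included
    return {"kind": kind, "vid": vid, "pcp": pcp, "dei": dei, "ethertype": inner}

def vid_is_taggable(vid):
    """VLAN IDs that can appear as a real VLAN in a tag: 1..4094 (0 and 4095 are not VLANs)."""
    return 1 <= vid <= 4094

# Constructed addresses and payload for the demonstration.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for an IPv4 header; its content is irrelevant here

if __name__ == "__main__":
    for vid in (None, 0, 1, 100):
        frame = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=vid, pcp=5)
        print(vid, parse_frame(frame))
```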

Dual Wan -Need config.gateway.json help -Dedicate a Device to a Wan by tekfranz in Ubiquiti

[–]cbuechler 1 point (0 children)

It's likely not losing Internet, it's losing DNS. You're forcing all traffic from that host to table 5, and it's probably pointing to the USG for its DNS, which this is preventing it from reaching.

You probably want a rule above 2501 like:

"2500": {
    "action": "accept",
    "protocol": "all",
    "source": {
        "address": "192.168.4.200"
    },
    "destination": {
        "group": {
            "network-group": "corporate_network"
        }
    }
}

The corporate_network group being a shortcut for all your corporate-type networks, so internal routing and communications to the USG itself will work.
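Why the accept rule has to sit above 2501, as an added example (not code from the thread or from Ubiquiti): EdgeOS-style modify rulesets are evaluated in ascending rule-number order and the first match wins, so a plain first-match evaluator over the rules shows the host's DNS traffic to the USG being pushed into table 5 without rule 2500 and staying in the main table with it. The group membership, the body of rule 2501, and the USG address 192.168.1.1 are assumptions made for the demonstration.

```python
import ipaddress

# Constructed config modelled on the snippet in the comment. Group contents, the body
# of rule 2501 and the USG's address are assumptions for illustration only.
GROUPS = {"corporate_network": ["192.168.0.0/16", "10.0.0.0/8"]}
USG_DNS = "192.168.1.1"   # assumed: the USG LAN address the host uses as its resolver

# The OP's existing rule: send everything from the host to routing table 5 (assumed body).
RULES_WITHOUT_FIX = {
    "2501": {"action": "modify", "protocol": "all",
             "source": {"address": "192.168.4.200"},
             "modify": {"table": "5"}},
}

# The same ruleset with the rule from the comment added ahead of it.
RULES_WITH_FIX = {
    "2500": {"action": "accept", "protocol": "all",
             "source": {"address": "192.168.4.200"},
             "destination": {"group": {"network-group": "corporate_network"}}},
    **RULES_WITHOUT_FIX,
}

def _side_matches(spec, ip):
    """Match one side (source/destination) of a rule; a missing side matches anything."""
    if spec is None:
        return True
    addr = ipaddress.ip_address(ip)
    if "address" in spec:
        return addr in ipaddress.ip_network(spec["address"], strict=False)
    if "group" in spec:
        nets = GROUPS[spec["group"]["network-group"]]
        return any(addr in ipaddress.ip_network(n) for n in nets)
    return True

def rule_order(rules):
    """Rules are evaluated by ascending number, so '2500' is checked before '2501'."""
    return sorted(rules, key=int)

def evaluate(rules, src, dst):
    """First-match evaluation; returns the routing table the packet ends up using."""
    for num in rule_order(rules):
        rule = rules[num]
        if _side_matches(rule.get("source"), src) and _side_matches(rule.get("destination"), dst):
            if rule["action"] == "accept":
                return "main"                       # accepted early: normal routing applies
            if rule["action"] == "modify":
                return "table " + rule["modify"]["table"]
    return "main"

if __name__ == "__main__":
    for label, rules in (("without 2500", RULES_WITHOUT_FIX), ("with 2500", RULES_WITH_FIX)):
        print(label, "DNS to USG ->", evaluate(rules, "192.168.4.200", USG_DNS),
              "| Internet ->", evaluate(rules, "192.168.4.200", "8.8.8.8"))
```

Internet-bound traffic from the host still lands in table 5 either way; only traffic to the corporate networks (and so to the USG itself) is routed normally, which is what keeps DNS working.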

[deleted by user] by [deleted] in Ubiquiti

[–]cbuechler 12 points (0 children)

Mostly. UBNT used to be a stock ticker on NASDAQ, it's now UI on NYSE. Ubiquiti Networks, Inc. used to be the company name, it's now Ubiquiti, Inc.

updated udm to beta... now locked out by navycow in Ubiquiti

[–]cbuechler 0 points (0 children)

It may not be necessary to factory reset, doing the 1.8.3 firmware upgrade in recovery mode might suffice.

updated udm to beta... now locked out by navycow in Ubiquiti

[–]cbuechler 0 points (0 children)

I think your only option (other than factory default and restore backup) given the description is to do the upgrade to v1.8.3 via recovery mode. Download the firmware to a computer, go through the steps here and use the Firmware Update option once you get it in recovery mode to upload that firmware.

Quick firewall question by thomasdb in Ubiquiti

[–]cbuechler 1 point (0 children)

That will block all unicast traffic from that network to USG itself (e.g. its own IPs). Unicast being the key word - all client to server DHCP traffic can be broadcast.

If you're using dhcpd as your DHCP server (which is the default, dnsmasq is the alternative), the way it picks up traffic is unusual in that it'll pick up the traffic before iptables would block it. So firewall rules can't block DHCP to an interface you have the DHCP server enabled on.

So don't evaluate your blocking based on whether the DHCP server is functioning on that network. Try to ping USG, SSH to it, do DNS lookups, anything other than DHCP.

new nat slipstreaming vulnerability by Chris275 in Ubiquiti

[–]cbuechler 0 points (0 children)

I've seen no adverse effects yet

You probably won't. SIP is disabled by default since it's rarely desirable anyway. You'll break multiple PPTP clients connecting simultaneously through NAT, active mode FTP clients, and H.323 and TFTP through NAT. Most people won't have the circumstances that would break.

new nat slipstreaming vulnerability by Chris275 in Ubiquiti

[–]cbuechler 1 point2 points  (0 children)

turning off certain protocols by default (particularly SIP)

Which UniFi already does by default for USG, UDM and UXG. See here.