Just pondering after seeing update on internet providers

Hi everyone,

I didn’t talk in the past about my feald of work or where I am living.

But to give the people that read my pondering a idea I will share it.

I’m project leader in the electrical alarm installation, if I translate it good.
And I live in the Netherlands.

Only this week we had several clients with communication problem on there alarm system, this because the internet providers are doing update on there systems.
The problems came out because the alarm system are getting outdated and can’t keep up with the time.

A month ago was the 3G gone, from pretty much all of them only two is keeping the 3G thill next year but then bye bye 3G.

Coming back to this week, there’s a lot of internet providers is (pushing) switching to IPv6,
This gives some outdated alarm system problem.

I had sadly this to as my internet provider is switching to, as I know that ipfire can’t work on IPv6 I was hard broken and also no internet.

I’m thankful that I am handy and had a solution for my internet problem not on the way I want but I have internet.

After my solution for the internet at home bring me to share my touch with you all.

At last I want to say that this project is really good and I loved it totally.

In mijn feald of work those alarm system are like a brick and work for a minimum of 10 years some time even get to the 20 years if they make update or upgrade for the system to keep up with the time.

I hope ipfire can keep up with the internet providers where it’s getting used.

I need to do a big decision: search for a provider that give ipv4 and wait around 2 a 3 week for internet and then give all my friends and family my new email address and all the rest, or let ipfire go.

Best regards all

Neopegasus

Since I know you in real life Neopegasus, I can attest to the fact that you had a hard time letting go of ipfire. You loved the project but just had to let it go. Myself had only recently switched over from OpenWRT, which I loved, to OPNsense. Together we figured out what the problem was. It basically came down to IPv6 support, or rather, lack thereof. And now we’re both running OPNsense.

As an installer of security systems, you know as no other how important it is to have these systems functioning even after a decade or two. But to do so, they need regular maintenance and rigorous upgrading, even when communication mediums disappear and are replaced. As you described above, 3G, in the past thought as ever present, has been replaced by 4G, and most commonly now, 5G. If these critical systems can no longer function, or the customer want functionality that is not possible, the old system needs to go. Another example is the rise of camera’s exclusively fed power by PoE. I think its not hard to imagine this type of thing being applicable (eventually) to IPv4 vs IPv6.

An open source project led by a very small team with little time, like that of ipfire, unfortunately does not seem to be able to keep up with the very fast developments of the internet, new technologies and threats that come with it. I wasn’t surprised having searched for various topics on IPv6 on these forums that on tweakers.net, the previous comments on updates, mention the lack of IPv6 support.

I confess I’ve never ran ipfire myself, but there is, I’m sure, much sweat, time and love poured into the project, as evidenced by passionate responses in the forums. However, speaking to the ipfire team, maybe it’s time to let it go, and redirect that time and love to that other project you always wanted to do but couldn’t.

There are an average of 68 CVEs published every day in 2022, and third on the list of “companies” is Linux. I can hardly imagine the time and effort goes into properly maintaining such critical software, part of the first defence against malicious actors of every network it is installed in. I read somewhere that ipfire has an install base among corporate customers. I shiver to think of the consequences for a company relying on this, having it fail because of the lack of time to implement fixes. OpenCVE reveals no recent fixes, so either it is so well maintained that it does not have any bugs (rather unlikely, sorry), or CVEs aren’t being published because bugs haven’t been described yet. Such a promise of keeping the network safe, such an enormous responsibility. I couldn’t fathom maintaining, much less developing more features for software like ipfire, due to that responsibility.

Its going to be hard, but give people plenty of warning, guidance on how to switch over to other more supported projects, but stop giving people, and yourself, false hope of ever being able to catch up and thrive in this crazy environment that we call the internet. Be proud of what you’ve accomplished and learned. I hope you will apply this talent where it can do the most good.

Live long and prosper,
SuHwak

PS: Of course, the team owes me nothing, and I expect nothing. Just trying to be hopefully helpful.

You are lucky to have such a problem as a ISP going to IPV6.
I would probably just Double NAT my IPFire, behind another router.
My biggest fear living in America is that The ISP’s here may just Corporate Grade NAT everyone.
Just to Charge everyone that needs a Public IP more.
No more VPN from phone to home. will need to pay.
Want to run a game server? will need to pay more.
They will proxy you through there Corporate Grade Nat.
And scan the F out of your Network traffic and sell it to everyone.
Filter away all for your safety and security.
Just because IPFire doesn’t brake https doesn’t mean they will not.
So it could be Worst. America and Germany government both scan traffic in an of the border.
the Internet in not a Bar/Pub its a Church.

Or they are fixed upstream. IPFire is just a distribution where the defaults are sane and there is a UI to help the least experienced users. The rest is just packages and sane configuration, including the Linux Kernel. As far as I can see, there is not security concern with IPFire that would not be present also in Debian or Archlinux or Ubuntu.

Exactly because the security is paramount, the development of these new features is lagging behind. And as far as I know, very little contribution comes from the corporate world to help the developers put food on the table while working 24/7 on IPFire.

By the way, be happy to use OPNsense, but also you should celebrate the presence of a marketplace of competitors and if IPFire were to give up like you suggest, it would leave a huge hole in the offer of Linux-based firewalls which would also damage the quality of other firewalls, because without competition things deteriorate and quickly corrupt.

by telling them to give up? Thanks, but no thanks. As a user I will keep supporting IPFire (especially with my honest money) and encouraging every one to keep it up. Now please go help the OPNsense community.

So eventually IPV6 will be the standard? Sure, we all know that. Have for years. I do not have 10% of the network training some others in this thread claim to have but I do not work with advanced network and firewalling or related systems or topics either.

Maybe I am silly and maybe I oversimplify things, but since some ISP’s are directing their services towards IPV6 I just assume that my chosen firewall software will have support for this. I have no idea of what it entails towards programming or development, and frankly I do not really care. It is, to me, as basic as the network card having a NIC connector that works with RJ45.

After checking some of the posted links above and reading both on Tweakers and about IPV6 coming in v3 of IPFire I am not overly concerned. Yet.

I came to IPFire from testing mostly OPNSense and Zyxel (had a Zyxel USG40W for a while). I am not going back if I can help it and are also funding IPFire on a monthly basis.

IPFire is by far the Firewall I have managed to actually DO something in and UNDERSTAND what I do, without having to read up on thousand of pages and dozens of trial and errors. Sure, I don’t require much and I have probably a very simple setup compared to others, but I never got even that working with other products.

I have faith in the IPFire Team dealing with this, but I do also see the need for IPV6 becoming a part of IPFire sooner rather than later. It would be sad and a very big problem for me, should I end up in the same situation as Neopegasus.

RFC 2460, which introduced IPv6, was published in 1998. Yet, 25 years later, only 450 of the top 1000 websites have implemented IPv6. When do you think we’ll see a 90% market penetration for IPv6? Personally, I don’t foresee it happening within the next 5 years. Perhaps in a decade, but it wouldn’t surprise me if it takes even longer. Given the current landscape, what’s the motivation for providers to invest in IPv6 support as opposed to other solutions, such as carrier-grade NAT? I honestly don’t anticipate IPv4 being retired within my lifetime.

Is there not a difference between ISP and the Web?

I do not really know which is most exposed to running out of IPV4, but I would assume that ISP’s can control that to a greater extent than web hosting companies.

As for my webhost to support IPV6 or not for my sites, if DNS is working… ?

Where I am in The Netherlands my ISP and all the others available that I had a look at all support IPv4 still together with some support for IPv6. I haven’t found an ISP that only supplies IPv6

My ISP can support IPv6 for all customers that they provide service to over their own network but not where they use another network provider. There they only offer a 6RD tunnel.

Yes, of course there is. My assumption is that the web adoption of the technology drives the incentive for ISP to invest in the transition. As long as it is low, the incentive is also low. There is chicken/egg dilemma in play, but my point still stands, I think.

Interesting to know, when I call Ziggo, Ziggo is my provider for all ready 16 years (UPC in the past)they told me if a normal pc can connect to the internet they don’t need to do any adjustments, and when I checked why the laptop could connect, it was because he got a ipv6 from them and the ipfire could not get Anny ip and having a important meeting the next day I diceded to change it took me thill 3am to have at least the pc that needs to be online.

Again I wouldn’t never change but I needed, and to change to a different provider is a bigger change.

I just ponder if it was my company being protect by ipfire and this happens.

I was talking to my boss to use ipfire and he was waiting for me to give a green light witch weekend I can convert his firewall to ipfire but I am paus that because he will kill me if this happens with his network…

I am surprised that you got that response from Ziggo.

On their website in a section about IPv6 they have the following statement (translated to English)

IPv6 does not yet work with all devices and websites. But of course we support both IPv4 and IPv6.

So I am surprised that their system refused to give you an IPv4 address.

Yes I was to, I was on the phone with the support for 3 hour and 1hour was extra hour for the person so it was not he didn’t want to help me.

But one thing I remember is also that he wants me to use there crappy modem as the firewall, sorry but that is something I will never do!

I found somewhere a forum from them that they are starting with testing and rolling out ipv6 it was in 2021.

The same way 3g got out you can only have 3g at kpn till next year summer and at TMobile I think till end of this year. I am guessing something like that is going to happen soon.
At least in the Nederland.

I could be totally wrong but they are pushing electric cars here like crazy without really be able to handle all car charging at the same time…

So I could also be right on spot.

Again pondering and search a way to help where I can I always did it and will always do on the ipfire form even I am not using it now!

Yes, they used to try that with me. Back then I just put the modem in bridge mode and it worked fine with IPFire.
Not with Ziggo for 2.5 years now so no recent actual experience.

I just found an answer from a couple of days ago, from a Ziggo tech, in their community forum that says that disabling IPv6 has not been possible since end of June 2022 which is when Full Dual Stack was made available throughout their service area. Equipment can revert to IPv4 without problems was noted.

How easily that Dual Stack approach does or does not work I don’t know.

If you use whatismyipaddress.com it searches for both an IPv4 and an IPv6 address from your location. If Full Dual Stack is working correctly, and Ziggo say it is used for all their customers, then you should see both IP Addresses. If you only see the IPv6 address then Full Dual Stack is not working on your connection.

I will check that tonight, the only problem still stay: why not getting a ipv4 before Stay op.

The thing that changes btw at Ziggo is that they need to do bridge mode there self you can’t do that anymore .

I used a deferent link before that also check dns resolver strength that give me my ipv6 and 4 but also the strength of the dns resolver.

I will try yours tonight

Surley the first company. Probabily one of the biggest. Certainely, more will follow.

IPv4 addresses are out of stock I mean… Tailscale stole the whole 100.0.0.0 subnet and more addresses from “A subnets” of public addressing space will be available in the future. They are assets, will be sold to unlock money.

If you’re not changing your firewall every year, i’d not install any distro/appliance today without IPv6 support.
Maybe I won’t need that for few years, but sooner than later will be needed.

this is a recent article on the price evolution of IPV4 addresses and how IPV4 space has become a commodity.

I just checked it, when i do it from my phone trough my firewall I only get ipv4, when I do it from one of my pc’s I get bought ipv4 and 6.

I think my provider was tricking me to use there system.
I remember that if you use bridgmode with the provider they only take carte that internet is getting to you and the rest they don’t care( a little to brutally saying).
now if i check they are saying something new for me:

Did you buy your own router? Then you don’t have to buy your own modem. If you put the Ziggo modem in bridge mode, you can simply use your own router. Are you technically inclined? Then it is good to know that IPv6 can also be used in bridge mode.

I keep finding it strange and interesting, its still stay in my mind like a night mare…, how I reboot ipfire like 10 time and the modem also the same then take it from bridg mode then bacdk to bridg mode then even factory reset the providers modem ( i never know you can do that) no ipv4 for the Ipfire.

Maybe i would wake up from the nightmare and notice its just a dream and my ipfire is there and working like always