josephtgarcia wrote: ↑Wed Nov 08, 2023 9:31 am
Ooh shoot, I'm glad I came back to look at this again. I just had that router on my shopping cart as a possible option. I may look into using a VM; I have ESXi running on a Dell T30 with a handful of VMs. I think I'm barely hitting 5 or 10% of that server's resources so I'll have to experiment with OpenWrt, OPNsense, or other alternative and see how it goes. Time to look for 10G NICs now.
TP-Link just added an IPv6 firewall in the latest firmware beta: https://community.tp-link.com/en/busine ... pic/636166
I switched back to my ER8411 and installed the beta firmware. IPv6 is working great now!
The one tricky thing is allowing incoming connections over IPv6. I want to be able to reach my home server via its public IPv6 address. The usual solution is that the IPv6 range is statically assigned, so you can just hard-code the IPs in firewall rules. Unfortunately, Sonic's IPv6 /56 range allocation is dynamic and changes whenever you reconnect, so this doesn't work.
The ER8411's firewall doesn't provide a way of specifying dynamic destination addresses for rules. However, I'm using an Omada software controller, and TP-Link have a local (non-cloud) API for it, so I'm going to try to update the firewall via the API (i.e. when my server detects that its IPv6 address is different, call the API to update the firewall rule's IP address in addition to updating my dynamic DNS for the server's hostname).
OpenWrt works great. On a Core i5-9500, it was using less than 15% CPU when I was running a speed test reaching ~8.3Gbps. I posted some screenshots over here: viewtopic.php?p=63199#p63199
OpenWrt also lets you create firewalls just based on an IPv6 suffix, which solves the issue of allowing inbound connections to a server even when the IPv6 prefix changes, as long as the end of the server's IPv6 address remains the same.
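
The two approaches described in the post above, sketched as an added example that is not part of the original post and is not TP-Link or OpenWrt code: suffix matching as a firewall with an address mask would evaluate it, and recomputing the full destination address for a rule after the delegated prefix changes. The function names are hypothetical, the prefixes are constructed from the 2001:db8::/32 documentation range, and no router API call is shown because the post does not give one.

```python
import ipaddress

# Mask selecting the low 64 bits (interface identifier) of an IPv6 address.
SUFFIX_MASK = (1 << 64) - 1

def matches_suffix(addr: str, suffix: str, mask: int = SUFFIX_MASK) -> bool:
    """True if the masked bits of addr equal those of suffix, whatever the prefix."""
    a = int(ipaddress.IPv6Address(addr))
    s = int(ipaddress.IPv6Address(suffix))
    return (a & mask) == (s & mask)

def rebuild_address(delegated_prefix: str, subnet_id: int,
                    suffix: str) -> ipaddress.IPv6Address:
    """Combine a newly delegated prefix, a /64 subnet index and a stable suffix."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet id does not fit in the delegated prefix")
    s = int(ipaddress.IPv6Address(suffix))
    if s >> 64:
        raise ValueError("suffix must use only the low 64 bits")
    return ipaddress.IPv6Address(
        int(net.network_address) | (subnet_id << 64) | s)

def rule_needs_update(rule_ip: str, delegated_prefix: str, subnet_id: int,
                      suffix: str) -> bool:
    """True if a hard-coded rule address no longer matches the current prefix."""
    expected = rebuild_address(delegated_prefix, subnet_id, suffix)
    return ipaddress.IPv6Address(rule_ip) != expected

if __name__ == "__main__":
    # Constructed sample values: a /56 before and after a reconnect.
    old_prefix, new_prefix = "2001:db8:aa00::/56", "2001:db8:bb00::/56"
    suffix = "::211:22ff:fe33:4455"
    rule_ip = str(rebuild_address(old_prefix, 1, suffix))
    print("rule currently allows:", rule_ip)
    print("stale after reconnect:", rule_needs_update(rule_ip, new_prefix, 1, suffix))
    new_ip = str(rebuild_address(new_prefix, 1, suffix))
    print("suffix rule still matches:", matches_suffix(new_ip, suffix))
```

A suffix-only rule matches that interface identifier under any prefix, so it is only as narrow as the stability of the server's suffix; a server using temporary (privacy) addresses for inbound services will not match.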