
How are IPv6 addresses allocated?

Trinopoty

I often see nodes getting assigned a block of IPv6 (mostly /64) rather than a single IP address. I see this most commonly on VPS servers but I also saw this on my mobile internet connection.

Additionally, when I connected my laptop to my mobile hotspot, my laptop got a public IPv6 address that I was able to ping over the internet.


So my question is, why are providers handing over /64 blocks to nodes and why is my mobile assigning a public IPv6 address to my laptop when it's doing NAT for the IPv4?

Also, as I mentioned, my VPS also gets a /64 block; does that mean I can assign any IP in the block to my server?

Can an OpenVPN server then hand any IP in the block to its clients and have it publicly visible over the internet?


Because there's a literal shitton of available IPv6 addresses, 340,282,366,920,938,000,000,000,000,000,000,000,000 of them to be exact. Compare that with just about 4 billion for IPv4, which are already exhausted, so with limited IPv4 address space availability ISPs use NAT to allocate one IP to multiple users, whereas they can just throw blocks of IPv6 address space around like it's nothing (for the time being at least).

Tag or quote me so i see your reply


To put it in another perspective, assigning a /48 to every human on Earth, and never recovering those, will still mean that IPv6 would have a lifetime over 480 years and we could repeat that several times. On that timescale, there will be other reasons, not just scarcity of IPv6 addresses, that will require the IETF to design a successor to IPv6.

It's considered bad practice to assign a home user/customer/etc anything smaller than a /56 and in most cases a /48 is ideal. You never want to subnet out a /64 for various reasons either unless you're breaking the subnet up to use for P2P links or loopbacks or something where you need to. Otherwise a /64 is the lowest you should go in most cases. I see some ISPs only handing out blocks in /64s which is kind of stupid but doesn't really break spec.

Current Network Layout:

Current Build Log/PC:

Prior Build Log/PC:


I get what you're telling me about there being a ton of addresses and it not running out any time soon.

But I still take issue with my phone handing out and routing public traffic to devices connected to its hotspot.

A NAT gateway acts as a firewall by default and as long as the router stands its ground, devices behind it are relatively protected from the public internet.

A router suddenly handing out public IP addresses takes the security and throws it out the window, more often than not, without any warning.

Suddenly, all my devices are wide open to attacks from the internet. I don't think I like that idea.


IPv6 has no NAT; all IPs are internet-routable. IPv4 added NAT when they realized they would run out of IPs. IPv6 was designed not to use NAT at all. Hence so many IPs. Also, the smallest network an ISP can hand out to a customer is a /64. A /64 has 65536 IPs. Firewalling is extremely important with IPv6.


17 minutes ago, Trinopoty said:

I get what you're telling me about there being a ton of addresses and it not running out any time soon.

But I still take issue with my phone handing out and routing public traffic to devices connected to its hotspot.

A NAT gateway acts as a firewall by default and as long as the router stands its ground, devices behind it are relatively protected from the public internet.

A router suddenly handing out public IP addresses takes the security and throws it out the window, more often than not, without any warning.

Suddenly, all my devices are wide open to attacks from the internet. I don't think I like that idea.

NAT is not security to begin with so that argument is incorrect. Lack of NAT doesn't reduce security at all.

NAT does not equal a firewall. A firewall can and should exist without NAT.


Keep in mind that a /64 has over 4 billion possible IPv6 addresses, which means that it would take longer to scan a whole /64 than to scan the whole IPv4 internet, so no one is going to do it.

The only way in which someone could find a service running on your computer is by getting your computer's IP (not your network's IP range) and scanning it. If you are concerned about security, install a firewall on your computer that only allows the incoming traffic that you want to access the services on your computer.

Honestly, you shouldn't be worried.


1 hour ago, schizznick said:

IPv6 has no NAT; all IPs are internet-routable. IPv4 added NAT when they realized they would run out of IPs. IPv6 was designed not to use NAT at all. Hence so many IPs. Also, the smallest network an ISP can hand out to a customer is a /64. A /64 has 65536 IPs. Firewalling is extremely important with IPv6.

Actually a /64 has 18,446,744,073,709,551,616 addresses in the range since it's 2^64 addresses. A /48 has 65536 /64 blocks that can be given out though.


2 hours ago, Lurick said:

NAT is not security to begin with so that argument is incorrect. Lack of NAT doesn't reduce security at all.

NAT does not equal a firewall. A firewall can and should exist without NAT.

Boy, that is a rabbit hole.

People need to know this and understand this because it's actually a large reason why IPv6 is not being deployed, basically by fear. People who do not understand IPv6 and the job of a firewall can't wrap their heads around their devices having public IPs.

NAT is not security, but NAT, more specifically PAT, has security-like side effects. It's not security nor a replacement for a firewall.

Also, to contribute to the amount of IP space: if we take into account our current ARIN addressing of 2000::/3, we could give every human on earth right now not one /64 but 2 billion /64s and still have some left over.


1 hour ago, mynameisjuan said:

Boy, that is a rabbit hole.

People need to know this and understand this because it's actually a large reason why IPv6 is not being deployed, basically by fear. People who do not understand IPv6 and the job of a firewall can't wrap their heads around their devices having public IPs.

NAT is not security, but NAT, more specifically PAT, has security-like side effects. It's not security nor a replacement for a firewall.

Also, to contribute to the amount of IP space: if we take into account our current ARIN addressing of 2000::/3, we could give every human on earth right now not one /64 but 2 billion /64s and still have some left over.

The fear is real though, as when you are dealing with closed systems like IoT and games consoles, we frankly don't know if they are firewalled correctly or not.

 

With IPv4, even if using public addresses, it's easy to use DHCP to ensure specific clients get static IP assignments so the router can firewall traffic before it even enters the network. With IPv6 it's not that simple, as there are multiple ways to issue IPv6 addresses and some devices will effectively change their UUID when rebooted, preventing a sticky IP.

Yes, ideally you want to firewall every machine individually, but that gets damn complicated on a large network where the users might not understand all this stuff. IPv6 is just a huge learning curve compared to how simple things were with NAT or even IPv4 routing. I can see it being a HUGE security issue for the majority of users who expect everything to "just work" plug and play. You can't block incoming connections by default, as it will break games and other services that need it, but leaving it open leaves a huge attack vector that probably wasn't there before.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


2 hours ago, Alex Atkin UK said:

The fear is real though, as when you are dealing with closed systems like IoT and games consoles, we frankly don't know if they are firewalled correctly or not.

OS firewalls have nothing to do with this.

 

2 hours ago, Alex Atkin UK said:

With IPv4, even if using public addresses, its easy to use DHCP to ensure specific clients get static IP assignments so the router can firewall traffic before it even enters the network. With IPv6 its not that simple, as there are multiple ways to issue IPv6 addresses and some devices will effectively change their UUID when rebooted, preventing a sticky IP.

You are going to have to be more clear because none of that makes any sense.

 

2 hours ago, Alex Atkin UK said:

Yes ideally you want to firewall every machine individually, but that gets damn complicated on a large network where the users might not understand all this stuff.

Again, not at all what I am talking about. A firewall, pfSense, ASA, Fortigate or just basic home router firewalls will do. It's a single device that just keeps track of sessions. You absolutely do not need to firewall every single device.

An IPv4 firewall vs. an IPv6 firewall is literally no different. The only major difference is that you NEED ICMP enabled and allowed to pass through. It's not at all even close to as difficult as you are making it out to be. Please don't spread misinformation; I'm tired of rehashing this out to our customers.

 

Alex Atkin UK said:

You can't block incoming connections by default, as it will break games and other services that need it, but leaving it open leaves a huge attack vector that probably wasn't there before.

THIS IS HOW A FIREWALL WORKS BY DEFAULT, IT BLOCKS ALL INCOMING NON-EXPLICIT TRAFFIC

It's clear you have little knowledge on firewalls as well as IPv6. Not meant as a jab, but all points you made are false and based around fear that others with a lack of IPv6 knowledge have spread. This is where my anger is coming from.


10 hours ago, mynameisjuan said:

OS firewalls have nothing to do with this.

 

You are going to have to be more clear because none of that makes any sense.

 

Again, not at all what I am talking about. A firewall, pfSense, ASA, Fortigate or just basic home router firewalls will do. It's a single device that just keeps track of sessions. You absolutely do not need to firewall every single device.

An IPv4 firewall vs. an IPv6 firewall is literally no different. The only major difference is that you NEED ICMP enabled and allowed to pass through. It's not at all even close to as difficult as you are making it out to be. Please don't spread misinformation; I'm tired of rehashing this out to our customers.

THIS IS HOW A FIREWALL WORKS BY DEFAULT, IT BLOCKS ALL INCOMING NON-EXPLICIT TRAFFIC

It's clear you have little knowledge on firewalls as well as IPv6. Not meant as a jab, but all points you made are false and based around fear that others with a lack of IPv6 knowledge have spread. This is where my anger is coming from.

My claims are based on my own attempt to get IPv6 working on my LAN.  I'm not saying it can't be done, I'm saying that as someone who has managed to muddle his way through doing this sort of thing on IPv4, I hit a complete dead-end on IPv6.

 

The barrier to using a technology is not necessarily IF it can do something, it's how complicated it is for the end-user to actually do it. You're not the first person to tell me it CAN be done, but if I can't figure it out, how is someone with ZERO networking knowledge going to cope?

With IPv4 I can simply whitelist the clients I want incoming traffic to be allowed on at the firewall; on IPv6 I cannot, because I can't figure out how to ensure clients get the same IP every time, specifically the Xbox One, which changes its UUID every reboot, and AFAIK you can't set it static on the Xbox One itself.

 

Then there is the issue that some clients on my LAN are sent over a VPN, others are not.  I wouldn't even begin to understand how I could achieve that on IPv6 while preventing any IP leaks.

 

So to suggest that IPv6 is no more complicated than IPv4 is simply not true. It requires a whole different way of thinking, largely due to no longer having the NAT safety net (which yes, was never intended to be so, but we're used to it now).


1 hour ago, Alex Atkin UK said:

My claims are based on my own attempt to get IPv6 working on my LAN.  I'm not saying it can't be done, I'm saying that as someone who has managed to muddle his way through doing this sort of thing on IPv4, I hit a complete dead-end on IPv6.

 

The barrier to using a technology is not necessarily IF it can do something, it's how complicated it is for the end-user to actually do it. You're not the first person to tell me it CAN be done, but if I can't figure it out, how is someone with ZERO networking knowledge going to cope?

With IPv4 I can simply whitelist the clients I want incoming traffic to be allowed on at the firewall; on IPv6 I cannot, because I can't figure out how to ensure clients get the same IP every time, specifically the Xbox One, which changes its UUID every reboot, and AFAIK you can't set it static on the Xbox One itself.

 

Then there is the issue that some clients on my LAN are sent over a VPN, others are not.  I wouldn't even begin to understand how I could achieve that on IPv6 while preventing any IP leaks.

 

So to suggest that IPv6 is no more complicated than IPv4 is simply not true. It requires a whole different way of thinking, largely due to no longer having the NAT safety net (which yes, was never intended to be so, but we're used to it now).

IPv6 can use DHCP just like IPv4; if you want absolute control you can do that. But what makes it easier is that you don't have to use DHCP: the router advertises and the clients work.

As for whitelisting, you can allow specific ports as necessary just like IPv4, just without the NAT (or PAT, to be precise). The issues Xbox and such have are usually with NAT, which again does not exist in IPv6.

For sending some traffic over a VPN, no real difference; that's a routing issue that can be achieved by destination instead of source, but if you need the control, use DHCPv6.

For most people IPv6 will be simpler and work without any need to mess with it. In fact, many of the issues customers have are related to NAT, which we again resolve by going to IPv6, not to mention that things like multicast over the internet and IPsec being built in will only improve what we can do on the internet.

People fear it because it looks scary; in reality it's not too bad. My biggest takeaway is that you really need a good DNS solution to manage it.

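As an added illustration of the point made in this reply and in the earlier one about firewalls (example code written for this page, not from any poster): a small Python simulation of two routers' forwarding decisions, a NAT-only IPv4 box with no packet filter and a stateful firewall that does no NAT, run over constructed packets. It also plays through the "static route to 192.168.1.0/24 behind a NAT-only router" scenario described later in the thread. Addresses use documentation prefixes (2001:db8::/32, 198.51.100.0/24, 203.0.113.0/24); the hosts, ports, the allow-listed console address and UDP port 3074 are assumed values.

```python
"""Forwarding decisions of two simulated home routers: a NAT-only IPv4 box with no
packet filter, and an address-family-agnostic stateful firewall that does no NAT.
Added example, not code from the thread; prefixes are documentation ranges and
the hosts, ports and packets are constructed. Real routers track far more state."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_V4 = ip_network("192.168.1.0/24")       # the "Router 2" LAN from the thread
WAN_V4 = "203.0.113.7"                      # NAT-only router's public address
ALLOWED_V6_HOST = "2001:db8:1:2::c0de"      # a console in the delegated /64 (assumed)

# ICMPv6 that must be allowed for IPv6 to work at all (PMTUD, neighbour discovery)
REQUIRED_ICMPV6 = {"packet-too-big", "time-exceeded", "neighbor-solicit",
                   "neighbor-advert", "router-advert", "echo-request"}


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on: "wan" or "lan"
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # only meaningful for icmpv6


class NatOnlyRouter:
    """Masquerades LAN flows behind WAN_V4 but applies no policy to WAN ingress:
    anything with a route is forwarded, including a packet that a neighbour on
    the same public subnet addresses straight to 192.168.1.x (static-route case)."""

    def __init__(self):
        self.nat = {}           # (proto, mapped_port) -> (lan_ip, lan_port)
        self.next_port = 40000  # first port the translator hands out (assumed)

    def decide(self, pkt):
        if pkt.iface == "lan":
            self.nat[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
            return "forward"
        if pkt.dst == WAN_V4:   # aimed at the public address: only NAT hits pass
            return "forward" if (pkt.proto, pkt.dport) in self.nat else "drop"
        # No firewall, so plain routing decides, and the LAN prefix is a known route.
        return "forward" if ip_address(pkt.dst) in LAN_V4 else "drop"


class StatefulFirewall:
    """Default-deny on WAN ingress and no NAT; identical logic for IPv4 and IPv6.
    Passes replies to flows the LAN opened, required ICMPv6 and explicit allows."""

    def __init__(self, allowed_inbound=()):
        self.allowed = set(allowed_inbound)   # {(lan_ip, proto, dport)}
        self.sessions = set()                 # reverse 5-tuples of LAN-opened flows

    def decide(self, pkt):
        if pkt.iface == "lan":
            self.sessions.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
            return "forward"
        if pkt.proto == "icmpv6" and pkt.icmp_type in REQUIRED_ICMPV6:
            return "forward"
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.sessions:
            return "forward"
        if (pkt.dst, pkt.proto, pkt.dport) in self.allowed:
            return "forward"
        return "drop"   # everything the LAN did not invite


def run_scenarios():
    """Runs constructed packets through both boxes; returns {scenario: verdict}."""
    nat = NatOnlyRouter()
    fw = StatefulFirewall(allowed_inbound={(ALLOWED_V6_HOST, "udp", 3074)})
    v = {}
    # A LAN host opens an HTTPS connection; both boxes forward it and remember it.
    out = Packet("lan", "192.168.1.10", "198.51.100.5", "tcp", 51000, 443)
    v["lan_out_nat"], v["lan_out_fw"] = nat.decide(out), fw.decide(out)
    # The reply as each box sees it: NAT rewrote the source, the firewall did not.
    v["reply_nat"] = nat.decide(Packet("wan", "198.51.100.5", WAN_V4, "tcp", 443, 40000))
    v["reply_fw"] = fw.decide(Packet("wan", "198.51.100.5", "192.168.1.10", "tcp", 443, 51000))
    # Unsolicited SMB to the public address: no NAT entry, so even NAT-only drops it.
    v["public_unsolicited_nat"] = nat.decide(Packet("wan", "203.0.113.9", WAN_V4, "tcp", 4444, 445))
    # A neighbour on the public subnet addresses the LAN host directly (thread scenario).
    direct = Packet("wan", "203.0.113.9", "192.168.1.10", "tcp", 4444, 445)
    v["direct_nat"], v["direct_fw"] = nat.decide(direct), fw.decide(direct)
    # Global IPv6 addresses: unsolicited SSH is dropped, the allow-listed console port passes.
    v["v6_unsolicited_fw"] = fw.decide(Packet("wan", "2001:db8:ffff::1", "2001:db8:1:2::10", "tcp", 5000, 22))
    v["v6_allowed_fw"] = fw.decide(Packet("wan", "2001:db8:ffff::1", ALLOWED_V6_HOST, "udp", 3074, 3074))
    # ICMPv6 Packet Too Big must pass or path MTU discovery breaks.
    v["icmpv6_ptb_fw"] = fw.decide(Packet("wan", "2001:db8:ffff::1", "2001:db8:1:2::10",
                                          "icmpv6", icmp_type="packet-too-big"))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The "direct_nat" row is the whole argument in one line: the NAT-only box forwards a WAN packet addressed to a LAN host because nothing told it not to, while the stateful firewall drops the same packet with no NAT involved at all.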

Manufacturers need to start mentioning if their router has a default firewall configuration to block incoming traffic.

For instance, my phone does not do it and that makes me wary of connecting to its hotspot.

I wouldn't be worried as much if I knew my router has a sane default configuration that protects things located behind it.


On 12/12/2019 at 9:44 AM, Trinopoty said:

I often see nodes getting assigned a block of IPv6 (mostly /64) rather than a single IP address. I see this most commonly on VPS servers but I also saw this on my mobile internet connection.

Additionally, when I connected my laptop to my mobile hotspot, my laptop got a public IPv6 address that I was able to ping over the internet.

 

So my question is, why are providers handing over /64 blocks to nodes and why is my mobile assigning a public IPv6 address to my laptop when it's doing NAT for the IPv4?

Also, as I mentioned, my VPS also gets a /64 block; does that mean I can assign any IP in the block to my server?

Can an OpenVPN server then hand any IP in the block to its clients and have it publicly visible over the internet?

I do want to address parts of your original question that were not really responded to properly before.

 

So the reason why VPS providers (ones who know what they are doing) give a /64 to each VPS customer instead of having them share is mainly because email spam blacklists on IPv6 are configured to block the entire /64, not just the /128 (so this is different from IPv4 where just a single address is blacklisted). There was a VPS provider that I worked with that did not do this (they would instead place many customers into one /64), and we would constantly be blacklisted for spam created by another customer of theirs in the same /64, which is really frustrating. So splitting it is really necessary from that perspective - you don't want to be blocked because of what some other customer of the same VPS provider is doing.

 

Your phone gets an entire /64 because of Google. The Android developers refused to support a stateful DHCPv6 client (which everybody else supports) and this led to the creation of a new /64-per-host standard. Google developers insisted on this because they felt everybody needs tethering all the time on IPv6, that it was such a critical feature for everybody that they would not add support for a DHCPv6 client. Many took exception to this of course, but since Android has such a large chunk of the market, we now have /64-per-host as the norm.

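An added example (written for this page, not the poster's code) of the /64-granularity point in this reply, together with the "/48 holds 65536 /64s" count from earlier in the thread: a toy reputation list that records whole /64s, and a provider pool carved two ways, one /64 per customer versus everyone packed into the pool's first /64. The pool 2001:db8:1::/48 is the documentation prefix; the customers, the offender and the allocation scheme are constructed.

```python
"""Why a VPS provider gives each customer its own /64 rather than packing many
customers into one: IPv6 reputation blocklists are keyed on the /64, so everyone
sharing a /64 shares one listing. Added example, not the thread's code; the pool
2001:db8:1::/48 is the documentation prefix and the customers, the listing and
the allocation scheme are constructed."""
from ipaddress import IPv6Address, IPv6Network


def covering_64(addr):
    """The /64 an address falls in: the unit a /64-granularity blocklist keys on."""
    return IPv6Network(f"{IPv6Address(addr)}/64", strict=False)


class Blocklist64:
    """Reputation list that records whole /64s, as the thread says v6 lists do."""

    def __init__(self):
        self.listed = set()

    def list_address(self, addr):
        self.listed.add(covering_64(addr))

    def is_blocked(self, addr):
        return covering_64(addr) in self.listed


def allocate(pool, customers, own_64_each):
    """Hand each customer an address from `pool` (a /48): either the ::1 of a
    dedicated /64 or consecutive hosts inside the pool's first /64."""
    pool = IPv6Network(pool)
    if pool.prefixlen != 48:
        raise ValueError("pool is expected to be a /48")
    subnets = pool.subnets(new_prefix=64)          # lazily yields all 65536 of them
    if own_64_each:
        return {c: next(subnets)[1] for c in customers}
    shared = next(subnets)
    return {c: shared[i + 1] for i, c in enumerate(customers)}


def collateral_blocked(pool, customers, offender, own_64_each):
    """Customers blocked once `offender` earns a listing, under either scheme."""
    addrs = allocate(pool, customers, own_64_each)
    bl = Blocklist64()
    bl.list_address(addrs[offender])
    return sorted(c for c, a in addrs.items() if bl.is_blocked(a))


def count_64s(prefix):
    """Number of /64s inside `prefix`: 65536 for a /48, 1 for a /64, 0 if longer."""
    net = IPv6Network(prefix)
    return 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0


def addresses_in(prefix):
    """Number of addresses in a prefix, e.g. 2**64 for any /64."""
    return IPv6Network(prefix).num_addresses


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("shared /64, bob listed  ->", collateral_blocked("2001:db8:1::/48", names, "bob", False))
    print("own /64 each, bob listed ->", collateral_blocked("2001:db8:1::/48", names, "bob", True))
    print("/64s in the /48:", count_64s("2001:db8:1::/48"),
          "addresses in one /64:", addresses_in("2001:db8:1:2::/64"))
```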

3 hours ago, Michael Ducharme said:

I do want to address parts of your original question that were not really responded to properly before.

 

So the reason why VPS providers (ones who know what they are doing) give a /64 to each VPS customer instead of having them share is mainly because email spam blacklists on IPv6 are configured to block the entire /64, not just the /128 (so this is different from IPv4 where just a single address is blacklisted). There was a VPS provider that I worked with that did not do this (they would instead place many customers into one /64), and we would constantly be blacklisted for spam created by another customer of theirs in the same /64, which is really frustrating. So splitting it is really necessary from that perspective - you don't want to be blocked because of what some other customer of the same VPS provider is doing.

 

Your phone gets an entire /64 because of Google. The Android developers refused to support a stateful DHCPv6 client (which everybody else supports) and this led to the creation of a new /64-per-host standard. Google developers insisted on this because they felt everybody needs tethering all the time on IPv6, that it was such a critical feature for everybody that they would not add support for a DHCPv6 client. Many took exception to this of course, but since Android has such a large chunk of the market, we now have /64-per-host as the norm.

I see. That actually answers some of my questions without discussing why NAT isn't a firewall.


2 hours ago, Trinopoty said:

I see. That actually answers some of my questions without discussing why NAT isn't a firewall.

So suppose you only have NAT with no firewall capability (with IPv4). What that means is that any other user on the same public subnet as you has the ability to reach your internal systems. So for instance, I am connected to a cable modem connection, and there are a few hundred other customers on the same network as me. If I had NAT but no firewall, those customers on the same network could reach my internal devices at their leisure.


9 hours ago, Michael Ducharme said:

So suppose you only have NAT with no firewall capability (with IPv4). What that means is that any other user on the same public subnet as you has the ability to reach your internal systems. So for instance, I am connected to a cable modem connection, and there are a few hundred other customers on the same network as me. If I had NAT but no firewall, those customers on the same network could reach my internal devices at their leisure.

I'm not sure that would work that way. NAT is meant to hide multiple devices behind one single IP.

Devices on the public side would only see your NAT gateway, even if someone were to connect to your gateway on the public side, your NAT gateway needs to be told where to forward traffic to.

If you have 10 devices behind a NAT gateway, it won't know by default where to forward incoming traffic and so, it doesn't do it. This is why we configure DMZ to receive all traffic or set up specific port forwarding.

If you have only one device then maybe it will forward all incoming traffic to that but then it's just a bridge and not a NAT.


9 hours ago, Michael Ducharme said:

So suppose you only have NAT with no firewall capability (with IPv4). What that means is that any other user on the same public subnet as you has the ability to reach your internal systems. So for instance, I am connected to a cable modem connection, and there are a few hundred other customers on the same network as me. If I had NAT but no firewall, those customers on the same network could reach my internal devices at their leisure.

Also, I meant my comment to be a positive thing but I suppose the meaning got lost in writing.


11 hours ago, Trinopoty said:

I'm not sure that would work that way. NAT is meant to hide multiple devices behind one single IP.

Devices on the public side would only see your NAT gateway, even if someone were to connect to your gateway on the public side, your NAT gateway needs to be told where to forward traffic to.

If you have 10 devices behind a NAT gateway, it won't know by default where to forward incoming traffic and so, it doesn't do it. This is why we configure DMZ to receive all traffic or set up specific port forwarding.

If you have only one device then maybe it will forward all incoming traffic to that but then it's just a bridge and not a NAT.

Yes, it will work this way, with a bit of configuration. Let me explain how:

 

Imagine Router 1 and Router 2 are on the same public subnet. Say Router 2 has a LAN IP address of 192.168.1.1/24. The user of Router 1 first adds a static route on their device for subnet 192.168.1.0/24 with the next hop set as the WAN IP of Router 2. If Router 2 has only NAT and no firewall, then packets that the user of Router 1 sends will successfully reach the devices on Router 2's subnet (Router 2 will deliver them, routing them from WAN->LAN, instead of dropping them).

 

The user of Router 1 would have to know or guess the subnet that Router 2 has and add the static route first, but this could be automated easily to rapidly try many IPs on the same subnet, especially since most home routers use 192.168.0.0/24 or 192.168.1.0/24. However, even scanning all 192.168.x.x ranges would be trivial, since most routers are on .1, so you would really only have to add a route for the entire 192.168.0.0/16 to point at Router 2 and then try pinging all combinations of 192.168.x.1 (where x is 0-255) until they get a reply.


22 hours ago, Michael Ducharme said:

Yes, it will work this way, with a bit of configuration. Let me explain how:

 

Imagine Router 1 and Router 2 are on the same public subnet. Say Router 2 has a LAN IP address of 192.168.1.1/24. The user of Router 1 first adds a static route on their device for subnet 192.168.1.0/24 with the next hop set as the WAN IP of Router 2. If Router 2 has only NAT and no firewall, then packets that the user of Router 1 sends will successfully reach the devices on Router 2's subnet (Router 2 will deliver them, routing them from WAN->LAN, instead of dropping them).

 

The user of Router 1 would have to know or guess the subnet that Router 2 has and add the static route first, but this could be automated easily to rapidly try many IPs on the same subnet, especially since most home routers use 192.168.0.0/24 or 192.168.1.0/24. However, even scanning all 192.168.x.x ranges would be trivial, since most routers are on .1, so you would really only have to add a route for the entire 192.168.0.0/16 to point at Router 2 and then try pinging all combinations of 192.168.x.1 (where x is 0-255) until they get a reply.

Any sane public internet router should drop any and all traffic in private IPv4 subnets floating around on the public internet. This shouldn't be possible in a real-world situation.


43 minutes ago, Trinopoty said:

Any sane public internet router should drop any and all traffic in private IPv4 subnets floating around on the public internet. This shouldn't be possible in a real-world situation.

It is possible in real world situations. First, this traffic between two customers would not even reach the ISP router - since their WAN interfaces for those two hypothetical routers are on the same subnet, the traffic would go directly from one router's WAN interface to the other router's WAN interface, so any blocking the ISP does of private sourced traffic would not work yet. And not all ISPs bother blocking RFC1918 from escaping onto the Internet. The ISP I work for blocks it, but only at the Internet gateway (BGP edge), so RFC1918 sourced traffic could potentially make it as far as the gateway before being dropped.

 

This means that if the router does not have a firewall and only does NAT, this attack vector works in all but two situations:

 

Possibility 1: You are the only customer on that subnet (dedicated subnet); this attack vector cannot work.

Possibility 2: There are other customers on that subnet but they are blocked from communicating with each other at all; then this attack vector cannot work.

 

In every other case it can.


21 hours ago, Michael Ducharme said:

It is possible in real world situations. First, this traffic between two customers would not even reach the ISP router - since their WAN interfaces for those two hypothetical routers are on the same subnet, the traffic would go directly from one router's WAN interface to the other router's WAN interface, so any blocking the ISP does of private sourced traffic would not work yet. And not all ISPs bother blocking RFC1918 from escaping onto the Internet. The ISP I work for blocks it, but only at the Internet gateway (BGP edge), so RFC1918 sourced traffic could potentially make it as far as the gateway before being dropped.

 

This means that if the router does not have a firewall and only does NAT, this attack vector works in all but two situations:

 

Possibility 1: You are the only customer on that subnet (dedicated subnet); this attack vector cannot work.

Possibility 2: There are other customers on that subnet but they are blocked from communicating with each other at all; then this attack vector cannot work.

 

In every other case it can.

This is not generally possible; most ISPs separate customer traffic till it hits the Network Gateway/BRAS or whatever they happen to be using. For example, we use QinQ or nested VLANs; this prevents any customer from talking to any other customer without first traversing our router. Now, it's possible some ISPs don't do this.

However, your example still works using public IPs with static routes to private networks. Without a firewall the router will route traffic, allowing everything through provided it has a route to get to it. A /16 route would access everything in most consumer router private networks.

I also want to add that the /64 in an IPv6 address is the subnet mask; it dictates how many IPs exist in that network. The device, however, still only uses one of those IPs. It works the same as IPv4 routing. The WAN/TIP IP on the phone in the example used before is part of the /64 used by the ISP/carrier, and a different /64 is handed out for LAN purposes in the case of tethering; the phone uses one IP from that as the LAN gateway.


2 hours ago, schizznick said:

This is not generally possible; most ISPs separate customer traffic till it hits the Network Gateway/BRAS or whatever they happen to be using. For example, we use QinQ or nested VLANs; this prevents any customer from talking to any other customer without first traversing our router. Now, it's possible some ISPs don't do this.

We isolate customer traffic until it hits the BRAS (we use PPPoE). The ISP that I have for my home connection in the city (large cable provider) appears to use a combination of isolation and local proxy ARP. But most of the other ISPs that cover areas that we serve (rural, remote) do not have the greatest technical knowledge and tried isolation without a solution like local proxy ARP or PPPoE, only to get complaints from customers that they could not communicate with each other at all. So many of them simply turn off the customer isolation for the customers who complain, or don't use it at all. One small ISP that we absorbed had their customers rebooting their routers like 6 times in a row to get online, due to rogue DHCP servers from no customer isolation, and they didn't know how to find or block the rogue DHCP, or even know that rogue DHCP was the cause.

 

Occasionally even our techs manage to mess up a config here or there and have isolation disabled by mistake - we are a WISP and I've seen a few APs or switches go out that had isolation disabled, and it was sometimes only caught when a rogue DHCP situation appeared.

