June 28, 2017
Testing done with 6.4 RC6, with unRAID and a test client in VMs. Even though an interface is configured for "Network Protocol = IPv4 only", an IPv6 link local address is being assigned to the interface or bridge. This happens if an IPv4 address is assigned, or the interface is configured for "IP Address Assignment=None". The enclosed screenshots show the server Network Settings, an ipconfig, and a Windows client connected to eth1 with no IP addresses assigned. The client can ping the server, access the management GUI, and access server shares, all through the IPv6 Link Local address. This can be a security concern if the interface is Internet facing, with the intent that the bridge will be used for the WAN port of a VM firewall.
unRAID 6.4 RC6 IPv6.zip
June 28, 2017
The Linux kernel has IPv6 enabled; as a result, all active interfaces in the system receive a link-local address. This is part of the IPv6 standard, which provides for automatic interface assignment. LL addresses are non-routable and do not bring a security issue. A bridge or router directly connected to the Internet can never forward a LL address to a remote destination.
June 28, 2017 (Author)
If the interface is connected to a cable modem (not router) or some such device, your upstream provider's first hop is on the same link-local subnet that you are. It seems that the most secure way to run a VM firewall is with a pass-through WAN NIC.
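An added example, not part of the thread or of unRAID's own code: a small audit that parses the Linux `/proc/net/if_inet6` table and reports IPv6 addresses on interfaces that were meant to be IPv4-only. The sample table, the interface names and the "br1 is the firewall WAN bridge" policy are constructed assumptions.

```python
import ipaddress

# Constructed sample in the format of Linux /proc/net/if_inet6:
# address(32 hex) ifindex prefixlen scope flags device (numeric fields are hex)
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
fe80000000000000021122fffe334466 03 40 20 80      br1
20010db8000000000000000000000010 02 40 00 00     eth0
"""

SCOPE_LINK = 0x20  # kernel scope value for link-local addresses


def parse_if_inet6(text):
    """Yield (device, IPv6Address, prefix_len, scope) for each entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        addr_hex, _ifindex, plen, scope, _flags, dev = fields
        addr = ipaddress.IPv6Address(bytes.fromhex(addr_hex))
        yield dev, addr, int(plen, 16), int(scope, 16)


def audit_ipv4_only(text, ipv4_only):
    """Return {device: [addresses]} for IPv6 addresses found on interfaces
    that were meant to carry IPv4 only (or no IP address at all)."""
    findings = {}
    for dev, addr, _plen, _scope in parse_if_inet6(text):
        if dev in ipv4_only:
            findings.setdefault(dev, []).append(addr)
    return findings


def link_local_devices(text):
    """Return sorted device names holding a link-scope (fe80::/10) address."""
    return sorted({dev for dev, addr, _p, scope in parse_if_inet6(text)
                   if scope == SCOPE_LINK and addr.is_link_local})


if __name__ == "__main__":
    # Hypothetical policy: br1 is the bridge intended for the firewall VM's WAN side.
    for dev, addrs in audit_ipv4_only(SAMPLE_IF_INET6, {"br1"}).items():
        for a in addrs:
            print(f"{dev}: unexpected IPv6 address {a}")
        # Per-interface kernel switch that turns IPv6 off on the device:
        print(f"  consider: sysctl -w net.ipv6.conf.{dev}.disable_ipv6=1")
```

On a live host, pass the contents of `/proc/net/if_inet6` instead of the sample string.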
This topic is now archived and is closed to further replies.