Posts

Fixing IPv6 Router Advertisements on the UXG Pro

Motivation

I recently bought a Ubiquiti UniFi Next Generation Gateway Pro and at first glance I was happy that the transition from the USG Pro 4 went smoothly. But then I had to realize that my clients did not receive IPv6 addresses. So I did some research and found this post, but it's about the Dream Machine Pro. https://blog.mikejmcguire.com/2020/12/13/fixing-ipv6-router-advertisements-on-the-udm-pro/

Environment

Currently I'm using Firmware 1.13.8 for the UXG Pro.

Prerequisites

Be sure to enable both IPv6 RA and DHCPv6 for your networks. Otherwise the configuration composed to /run/dnsmasq.conf.d/ will not show any IPv6 configuration.

Fixing things to get SLAAC (not managed)

Smart people found a way to put boot scripts on the UXG Pro. All steps were executed through SSH into the UXG Pro. https://github.com/unifi-utilities/uxg-boot After the installation, a directory is available under /mnt/data/on_boot.d/ whose shell scripts are executed after the boot process. I wrote a s

A working IPv6 guest network for the UniFi ecosystem

Motivation

The number of forum entries on the Internet suggests that IPv6 and UniFi are like fire and water. While corporate networks can be configured without any problems, the implementation for guest networks seems more or less broken. After several attempts and more than a year of research, I found a solution for my setup at home.

Caveat

The setup does not cover a functional "Guest Portal". Since it is not necessary for my home network, I have not bothered with it. If you require this feature for your network, please treat this guide with caution.

My environment

I operate a Controller (Build: atag_7.0.22_17284) on a Raspberry Pi 4, a USG Pro 4, a USW 24 PoE and some UAP AC Pro distributed in the house.

The wired part

A configured guest network for the wired network is required. Here's how I did it. My guest network covers the subnet 10.255.0.1/16 for IPv4 and XXXX:XXXX:XXXX:XXXX::1/64 for IPv6 (masked). The DNS entries (DHCP name server) point to my Pi-Hole. You can l

Pi-hole with DNSCrypt-Proxy and Quad9

Motivation

So far I've been very happy with my setup of Pi-Hole and DNS upstreams from Quad9. I have rarely thought about the security of the DNS service. However, DNS is very easy to hijack and very susceptible to man-in-the-middle attacks and sniffers that can compromise privacy.

Solutions on the market

There are now several ways to make DNS a little "more secure". From DNSSEC to DoT to DoH and DNSCrypt, the possibilities are in competition and are reminiscent of the first browser wars. Ultimately, what convinced me about DNSCrypt was this comparison, which also serves as an excellent source for understanding the technical mechanisms behind it. Unfortunately, Pi-hole doesn't directly support DoT, DoH or DNSCrypt, but there is a perfect solution that at the same time preserves the "separation of concerns" pattern.

DNSCrypt-Proxy

A proxy acts like a man-in-the-middle under your control. It enables you to use classic DNS internally in your network while t