<thefloweringash>
maybe off topic, but I switched my gateway from routeros to nixos, and it only took all weekend!
<andi->
what are the gains? (besides having it on NixOS) What are the gotchas?
<thefloweringash>
biggest gain that I have yet to fully test: endpoint independent nat (rfc4787, REQ-1)
<thefloweringash>
smaller gain: I have icmp echo request/reply working again (routeros validates its inputs too hard, so you can't --to-ports for icmp, even though it's well defined for echoes)
<thefloweringash>
biggest gotcha: my isp's dhcpv6 server is incredibly picky about the packet format. I spent a lot of time iterating on reducing all the features in the packet until it replied, like rebuilding with --no-auth, patching out some default requests, and modifying the duid generation logic. I need to do more science to see what actually fixed it
<thefloweringash>
most satisfying part: improving on my implementation of map-e (rfc7597)
<flokli>
the "reducing all the features in the packet until it replied" might be interesting for gchristensen. He couldn't get his ISP to provide some IA_PD
<andi->
It provided IA_PD at some point. I still think we were very close. thefloweringash: any idea what software stack the ISP is using? What's the ISP?
<andi->
and one last one: do you publish those config files?
<thefloweringash>
I have no idea about the upstream implementation, the isp is So-net via NTT flets hikari
<andi->
thefloweringash: I thought maybe some of your packet captures might have shown a vendor string
<thefloweringash>
closest thing I see to a vendor is a cisco mac address
<thefloweringash>
I haven't published the config, it's a real mess, and it has quasi-personal things in there (well, my ip addresses)
<andi->
would be nice to at least see some snippets for the dhcpv6 config
<thefloweringash>
technically it should all be configured from dhcp and have no secrets, practically it's constant data delivered over dhcp so I hardcoded it
<clever>
main thing i can see being somewhat a secret, is port forwarding entries
<clever>
but if you rely on the port being a secret, you're one port-scan away from being hacked :P
<clever>
thefloweringash: also, my dhcp config has 2 if statements in it, to deal with ipxe quirks
<clever>
the outer if detects if ipxe is the one doing the dhcp request
<clever>
so when the bios tries to dhcp, it's told "fetch ipxe"
<clever>
but then when ipxe re-dhcp's, it's told "fetch boot.php"
<clever>
the inner if doesn't work, but that detects if you're trying to efi netboot
<gchristensen>
for the twitch-configures-ipv6 project I'm planning on having my laptop on the wifi of a hotspot with the serial port connected to my laptop available over ssh
<gchristensen>
plus I suppose I should have a couple devices internally for test points?