| ▲ | ghusto 4 days ago |
| What are the advantages of IPv6 if I don't want direct routing (NAT is a feature for me, not a workaround)? |
| ▲ | hnlmorg 4 days ago | parent | next [-] |
| It depends what you want NAT for. If it’s for security then most of the actual security provided by NAT routing is actually just the router’s firewall itself. So a good IPv6 firewall provides the same level of security. If it’s just because you’re a bit of a control freak and like to manage the assignment of IP addresses (and I fall into that category too) then my understanding is that you can also do this with IPv6 as ISPs typically hand you a wider subnet range (unlike IPv4 where you get just 1 IP). However I’ve tried a couple of times to adopt IPv6 into my stupidly bespoke home networking stack and failed each time. I really do want to adopt IPv6, if only because I like fiddling with tech, but, like yourself, I keep getting stuck on the “how do I integrate IPv6 into the infrastructure I already have” problem. Edit: if anyone has any recommended guides to configuring IPv6 using ISC dhcpd and unknown addresses supplied by your ISP, then I’d be interested to read them. |
| ▲ | simoncion 4 days ago | parent | next [-] | | To be clear, what you have is a router that's asking your ISP for a DHCPv6-PD prefix, assigning slices of that to one or more interfaces on that router, and what you want is for your dhcpd on that router to assign prefix-oblivious addresses to specific hosts on your LAN? In other words, you want things to work like this?

    ISP-provided-PD-prefix 2001::/64   + Host address ::22 = Assigned address 2001::22
    ISP-provided-PD-prefix 2001:1::/64 + Host address ::22 = Assigned address 2001:1::22

If so, I'll poke around the docs to see if this is possible. I'm running both dhcpcd and ISC dhcpd on my LAN and have a hobbyist's experience with them. But -honestly- what I've done is just relied on SLAAC to handle the globally-routable addresses, and advertised a ULA prefix for stable addresses. These go into my local DNS, but you could just as easily use that for DHCPd. | | |
| ▲ | hnlmorg 4 days ago | parent [-] | | Not sure if this is what you were describing, but my dhcpd server is a separate machine from the router. I’m just using an off the shelf ASUS router because it’s actually surprisingly good at the basics. But I wanted PXE booting so set up ISC dhcpd on a home server. To be fair, it might actually be possible to do this on my ASUS router. I’ve not actually checked. I’ve had the same setup for years. Easily more than a decade. Only updating hardware when necessary. So I might be missing a trick with these latest ASUS routers. | | |
| ▲ | simoncion 4 days ago | parent [-] | | > Not sure if this is what you were describing, but my dhcpd server is a separate machine to the router. That was not what I was describing. I was figuring that your DHCPv6 client (that talks to your ISP) and your DHCPd would be on the same machine, but maybe that's okay. How does your dhcpd server get its address? A DHCPv6 request to the router? If so, the following report might (might!) be useful to you: So, while I DID find out about dhcp-eval(5), it doesn't look to me like ISC DHCPd will do what you want. I didn't see any parameters documented in the dhcpd.conf manual that looked like they were prefix-independent. Probably your best bet is to template your dhcpd.conf and known_hosts files, then use your network manager's [0] "on address change" hooks to fill in the currently-assigned prefix, write out new files, and bounce dhcpcd. [0] NB: NOT (necessarily) NetworkManager (that nasty, wretched thing), but maybe like dhcpcd's run hooks. | | |
| ▲ | hnlmorg 4 days ago | parent [-] | | > How does your dhcpd server get its address? It’s hardcoded. For IPv4 it doesn’t need to be dynamic because NAT allows you to hardcode private address ranges. But that whole concept of networking doesn’t translate (no pun intended) to IPv6. This is the problem I’m running into with deploying IPv6. I don’t know what address ranges to allocate because the dhcp server doesn’t perform any handshakes with the ISP. And I’m a bit reluctant to rearchitect the network topology for IPv6 because everything already works really well without IPv6. So ideally I’d want a way of sliding in IPv6 without having to break what’s already working. Every solution I’ve explored thus far hasn’t achieved that. But there’s lots of good information shared here today so I’ll have another read and maybe they’ll offer up an insight I’d previously missed. | | |
| ▲ | ninjin 4 days ago | parent | next [-] | | I have had success running a hybrid IPv4/6 network by reading this guide for inspiration: https://blog.infected.systems/posts/2024-12-07-building-an-i... This allows me to have a mixture of both protocols and even some boxes that have both IPv4 and IPv6 addresses. I still have some issues writing routing rules that do not fail for link-local addresses, but the network has now been fully operational for well over a month. | |
| ▲ | simoncion 4 days ago | parent | prev [-] | | Oof. Yeah, because you're gonna have to have a DHCPv6 client running on your router (and because your ISP is almost certainly using DHCPv6-PD the router is where you're pretty much going to have to first learn about your LAN-side DHCPv6 prefixes), it's probably going to be a bit tricky (but probably not impossible) to do what you want. Best of luck. If you figure out how to do it within the HN comment freeze period (I think it's 14 days?), please do leave a follow-up comment. I'd be very interested in hearing what you come up with. |
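The prefix-templating approach simoncion sketches above (render the DHCPv6 server config from whatever prefix the ISP currently delegates, keep the host part of each address fixed, and bounce dhcpd only when the file changes) looks like this as a dhcpcd run hook. This is an added example, not code posted by anyone in the thread. Assumptions, not facts from the thread: the delegated prefix is a /64 in RFC 5952 compressed form ending in `::` (so `2001:db8:1:2::` + host id `22` gives `2001:db8:1:2::22`); dhcpcd exposes it in `$new_dhcp6_ia_pd1_prefix1` under the `$reason` values listed in the script (verify both against dhcpcd-run-hooks(8) for your version); the config path, service name, host names and DUIDs are placeholders.

```shell
#!/bin/sh
# Added example (not from any commenter): dhcpcd run hook that re-renders an
# ISC dhcpd DHCPv6 config from the currently delegated /64 prefix, keeping
# the interface-identifier half of each host's address fixed.
# ASSUMPTIONS: prefix is a compressed /64 ending in "::"; dhcpcd puts it in
# $new_dhcp6_ia_pd1_prefix1 (check dhcpcd-run-hooks(8)); paths/names below
# are placeholders for your system.
DHCPD6_CONF=${DHCPD6_CONF:-/etc/dhcp/dhcpd6.conf}
DHCPD6_SERVICE=${DHCPD6_SERVICE:-dhcpd6}

# Fixed host IDs keyed by DHCPv6 client DUID. Constructed sample data:
# name  host-id  DUID (dhcp6.client-id)
HOSTS='
nas   22   00:01:00:01:2a:3b:4c:5d:00:11:22:33:44:55
pxe   23   00:01:00:01:2a:3b:4c:5e:00:11:22:33:44:66
'

# compose_addr PREFIX HOSTID -> full address, e.g. 2001:db8:1:2:: 22 -> 2001:db8:1:2::22
# Refuses anything that is not a compressed /64 ending in "::", because
# naive string concatenation would silently produce a wrong address.
compose_addr() {
  case "$1" in
    *::) printf '%s%s\n' "$1" "$2" ;;
    *)   echo "compose_addr: expected a compressed /64 prefix ending in ::, got $1" >&2
         return 1 ;;
  esac
}

# render_dhcpd6_conf PREFIX -> dhcpd6.conf on stdout: a dynamic range6 pool
# for everything else, plus one fixed-address6 host block per HOSTS entry.
render_dhcpd6_conf() {
  prefix=$1
  printf 'default-lease-time 2592000;\npreferred-lifetime 604800;\n'
  printf 'subnet6 %s/64 {\n  range6 %s1000 %s1fff;\n}\n' "$prefix" "$prefix" "$prefix"
  printf '%s\n' "$HOSTS" | while read -r name hostid duid; do
    [ -n "$name" ] || continue
    addr=$(compose_addr "$prefix" "$hostid") || return 1
    printf 'host %s {\n  host-identifier option dhcp6.client-id %s;\n  fixed-address6 %s;\n}\n' \
      "$name" "$duid" "$addr"
  done
}

# Hook entry point: dhcpcd calls this with $reason set. Only act on events
# that can carry a (new) delegated prefix; reason names are an assumption.
case "${reason:-}" in
  BOUND6|REBIND6|RENEW6|REBOOT6|DELEGATED6)
    prefix=${new_dhcp6_ia_pd1_prefix1:-}
    [ -n "$prefix" ] || exit 0
    tmp=$(mktemp) && render_dhcpd6_conf "$prefix" > "$tmp" || exit 1
    # Syntax-check the rendered file before it can take dhcpd down.
    if command -v dhcpd >/dev/null 2>&1; then
      dhcpd -6 -t -cf "$tmp" || { rm -f "$tmp"; exit 1; }
    fi
    # Only restart dhcpd when the prefix (and hence the file) actually changed.
    if cmp -s "$tmp" "$DHCPD6_CONF"; then
      rm -f "$tmp"
    else
      mv "$tmp" "$DHCPD6_CONF" && systemctl restart "$DHCPD6_SERVICE"
    fi
    ;;
esac
```

The hook has to run wherever the DHCPv6-PD client runs, which in hnlmorg's setup is the router rather than the dhcpd box; on a LAN host you would need to learn the prefix some other way (for instance from the Router Advertisement the router sends) and feed it to `render_dhcpd6_conf` yourself.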
| ▲ | everforward 4 days ago | parent | prev | next [-] | | > If it’s for security then most of the actual security provided by NAT routing is actually just the routers firewall itself. So a good ipv6 firewall provides the same level of security. Nitpicky, but I think this is not true. NAT's security is based on the router not knowing where to route the traffic and dropping it, where the firewall intentionally drops the traffic. Agreed that it's functionally equivalent, though. | | |
| ▲ | simoncion 4 days ago | parent | next [-] | | I think it is true... at least on Linux. I am pretty sure that if my firewall didn't have this line in the filter table

    -A INPUT -i wan-interface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

along with this line in the nat table (or the equivalent with the SNAT target if you have a static WAN IP)

    -A POSTROUTING -o wan-interface -j MASQUERADE

then IPv4 NAT simply wouldn't work... well, not the NAT that nearly all regular folks have on their home networks. It is true that without the firewall's involvement the router would drop all traffic destined to the LAN. [0] But it's the decisions made in the firewall that both make the NAT work, and ensure that WAN traffic that hasn't been requested stays out. [0] Unless the router were "excitingly" misconfigured! | | |
| ▲ | Dagger2 3 days ago | parent | next [-] | | The second line is the only one you need for NAT to work. The first is irrelevant to forwarded traffic. If you have no other rules then a) NAT will be applied to your outbound connections, and b) you'll have no firewall for the network behind the router. NAT and firewalling might both be done in netfilter via iptables/nftables rules, but they're completely orthogonal decisions. You can do either of them without the other. > It is true that without the firewall's involvement the router would drop all traffic destined to the LAN. [0] Which means this is completely wrong. It won't do this unless you do something to make it do this (i.e. put some rules into FORWARD that control what traffic is/isn't allowed). MASQUERADE just changes the source IP on outbound connections; it doesn't drop inbound connections. | |
| ▲ | everforward 4 days ago | parent | prev [-] | | > [0] Unless the router were "excitingly" misconfigured! This is probably the pivotal difference lol. Most of the ISP-provided routers I've used either have a default-allow policy or auto-create firewall rules when you add a NAT forwarding rule. I don't honestly recall which because it's been like a decade, but I do remember that I didn't have to explicitly add a firewall rule. | | |
| ▲ | simoncion 3 days ago | parent [-] | | The exciting misconfiguration I was thinking of was one where Internet hosts could send packets to the router with LAN IPs as the destination IP and the router would happily forward those along and output them on the LAN interface(s). On a Linux router, perhaps setting ip_forward to 1 and leaving rp_filter at 0 would do the trick? It has been ages since I've had to play with rp_filter, so I can't remember exactly what its behavior is. |
| ▲ | lmm 4 days ago | parent | prev [-] | | > NAT's security is based on the router not knowing where to route the traffic and dropping it Nope, the router does know where to route the traffic for obvious reasons. At least for Linux if it's able to do NAT then it's ipso facto able to forward packets from one interface to another, and will do so unless explicitly told not to. |
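The point Dagger2 and lmm make, that MASQUERADE only rewrites the source of outbound flows and does nothing to unsolicited inbound ones, is easiest to see with the rulesets side by side. The following is an added example, not code posted by anyone in the thread: a POSIX sh script that emits three nftables rulesets, the NAT-only one that forwards everything, the NAT-plus-stateful-filter one that actually keeps the WAN out, and the IPv6 ruleset that is the same filter with no NAT at all. Interface names `wan0`/`lan0` are placeholders; `apply` also enables forwarding, which is the ip_forward knob simoncion mentions.

```shell
#!/bin/sh
# Added example (not from any commenter). Shows that NAT and the firewall are
# separate decisions in netfilter: masquerade alone leaves the LAN reachable,
# the FORWARD chain with "policy drop" is what blocks unsolicited traffic, and
# the IPv6 version needs only that chain. Interface names are placeholders.
WAN=${WAN:-wan0}
LAN=${LAN:-lan0}

# Weak: IPv4 NAT with no filter chain at all. Outbound flows get the WAN
# address, but a packet arriving on $WAN addressed to a LAN host is still
# forwarded unchanged once ip_forward=1.
nat_only() {
cat <<EOF
table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN" masquerade
  }
}
EOF
}

# Corrected: the same NAT plus the stateful FORWARD chain that does the
# security work. Default drop, allow replies to LAN-initiated flows, allow
# LAN -> WAN. Nothing here depends on the masquerade rule.
nat_plus_filter() {
cat <<EOF
table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN" masquerade
  }
}
table ip filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state invalid drop
    ct state established,related accept
    iifname "$LAN" oifname "$WAN" accept
  }
}
EOF
}

# IPv6: identical filter, no NAT table. This is what "a good IPv6 firewall"
# means in the thread. The ICMPv6 types are the minimum for PMTUD and
# diagnostics to keep working through the router.
v6_filter() {
cat <<EOF
table ip6 filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state invalid drop
    ct state established,related accept
    iifname "$LAN" oifname "$WAN" accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
  }
}
EOF
}

# "check" syntax-checks a ruleset without loading it; "apply" enables
# forwarding and loads the corrected v4 and v6 rulesets atomically.
case "${1:-}" in
  check) { nat_plus_filter; v6_filter; } | nft -c -f - ;;
  apply)
    sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    { echo 'flush ruleset'; nat_plus_filter; v6_filter; } | nft -f - ;;
esac
```

Running `sh nat-vs-filter.sh check` on a box with nft installed validates the syntax without touching the live ruleset; the `nat_only` ruleset is deliberately never applied, it is there to be read against `nat_plus_filter`.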
| ▲ | ghusto 2 days ago | parent | prev [-] | | I get that I can do equivalent things with IPv6, but what are the _advantages_ of using IPv6 if I don't want/care about direct routing? |
| ▲ | yjftsjthsd-h 4 days ago | parent | prev | next [-] |
| > NAT is a feature for me, not a workaround NAT can be fine, but why would it be a feature? (I guess maybe some privacy by way of sharing a public IP?) |
| ▲ | progbits 4 days ago | parent | next [-] | | People grow up with (CG)NAT and mistake it for a firewall. | |
| ▲ | kortilla 4 days ago | parent | prev [-] | | It is an inadvertent firewall. It doesn’t allow unsolicited connections to whatever software is running on all of the crap in your house. IPv6 requires a stateful firewall on the router to provide the same protection. Then if you turn that on, it kinda defeats the point. | | |
| ▲ | hnlmorg 4 days ago | parent | next [-] | | NAT requires a stateful firewall too. In fact all router firewalls are stateful otherwise you’d have to have large ranges of ports permanently open to incoming connections. So you don’t actually need anything different nor special to have the same level of security with IPv6 vs IPv4 + NAT. | | |
| ▲ | kortilla 3 days ago | parent [-] | | > NAT requires a stateful firewall too. Yes, you’re repeating what I’m saying. NAT forced router vendors to implement stateful connection tracking and it increased the security of everything behind them. > So you don’t actually need anything different nor special to have the same level of security with IPv6 vs IPv4 + NAT. This isn’t how it played out in practice though. Huge swaths of home routers had no firewall at all when you enabled IPv6 support because it would have taken slightly extra work to enable the v6 conn tracking. |
| ▲ | homebrewer 4 days ago | parent | prev | next [-] | | I think enough consumer routers run UPnP servers out of the box that relying on NAT as a firewall is very unreliable. Have a look at the UPnP state table on your router, you might be surprised at things that have poked holes for the whole world to hammer at without you noticing. | | |
| ▲ | kortilla 3 days ago | parent [-] | | UPnP is not enabled by default on my router nor has it been on the last few. I think that was common like 15 years ago before all of the gaming consoles figured out how to do STUN on their own. |
| ▲ | Dagger2 3 days ago | parent | prev | next [-] | | It's an imaginary firewall. NAT won't stop unsolicited connections in to your network -- if anything, its entire purpose is to do the exact opposite of that. If you actually want to block inbound connections when you're doing NAT, you need the stateful firewall anyway. At that point, pretty much the only thing NAT is doing for your security is making it harder to understand what's going on. | |
| ▲ | unethical_ban 4 days ago | parent | prev [-] | | Having a default deny policy for traffic to your network doesn't defeat the point of IPv6 or direct routing. |
| ▲ | the8472 4 days ago | parent | prev | next [-] |
| When I was on an ISP with DS-Lite the IPv4 functionality regularly failed because the AFTR's port mapping saturated (equivalent to reaching ip_conntrack_max on linux). IPv6 wasn't affected since it doesn't involve a stateful middlebox that I don't control. |
| ▲ | silotis 4 days ago | parent | prev | next [-] |
| If your ISP issues you a routable IPv4 address then not much. Otherwise IPv6 lets you avoid CGNAT and all of the issues that come with that. |
| ▲ | wmf 4 days ago | parent | prev | next [-] |
| None. |
| ▲ | ghusto 2 days ago | parent | next [-] | | After reading all the replies, this appears to be the correct answer. | |
| ▲ | eddythompson80 4 days ago | parent | prev [-] | | Cheaper IPs? | | |
| ▲ | yjftsjthsd-h 4 days ago | parent | next [-] | | If someone doesn't want direct routing, why would that matter? | |
| ▲ | wmf 4 days ago | parent | prev [-] | | IPv6 is cheaper but also you can't access half the Internet. | | |
| ▲ | simoncion 4 days ago | parent [-] | | I've had "native" IPv6 service for something like twenty years. I've not had a problem with accessing any of the internet. If you're hinting that roughly half of the internet-connected servers don't have IPv6 addresses, then my reply is "so what?". Only idiots are suggesting that folks who aren't running an experimental lab (or ISPs that have the expertise required to set up the NATs needed to reach the IPv4 internet from v6-only service) go IPv6-only. | | |
| ▲ | yjftsjthsd-h 4 days ago | parent [-] | | I think they did in fact mean IPv6-only hosts. For instance, you can save some money getting a virtual box on Hetzner that doesn't have IPv4 connectivity. Of course, that box won't be able to talk to ex. github, so for some people it's really not worth it. | | |
| ▲ | herczegzsolt 3 days ago | parent [-] | | GitHub.com not being available over IPv6 is the most harmful thing for IPv6 penetration. | | |
| ▲ | Thiez 3 days ago | parent [-] | | That and poor support from cloud vendors. Looking at you, Azure. How is IPv6 not enabled for everything by default? It boggles the mind. |
| ▲ | Spooky23 4 days ago | parent | prev | next [-] |
| Very little. I started using it with Spectrum after upgrading a firewall and found lots of weird gotchas with DNS. |
| ▲ | rasguanabana 4 days ago | parent | prev | next [-] |
| The only thing that comes to mind for me is simpler header, but not sure if it makes much of a difference anyway. |
| ▲ | paulddraper 3 days ago | parent | prev [-] |
| “Unfortunately, NAT reduces the number of options for providing security.” - RFC 1631 |