mapping public to private IPv6 networks when firewalling

Seth Mos seth.mos at
Thu Nov 24 08:44:42 CET 2011

On 23-11-2011 22:23, Eugen Leitl wrote:
> What's the address space to use in IPv6 for such
> purposes? Is fc00::/7 (RFC 4193) unroutable on
> the public Internet in the same way as RFC 1918
> addresses?

Yes, you can, but you need NPtv6 to get out. That's the new term for 1:1
NAT and basically maps the 1st 64 (or larger) GUA bits from upstream
onto your 1st 64 bits of your inside prefix.

And as mentioned elsewhere in the thread this has nothing to do with the
firewalling. If you don't put a deny incoming traffic rule on your
outside then traffic will happily flow in and out of the network.

Do realize that even with NAT your host are still all accessible with
their corresponding GUA address from the internet. The internet will
only see the GUA addresses as well.

I normally only recommend using those if you intend to use:

- Need IPv6 Multi WAN for failover/traffic engineering
- Have no PI space (the money)
- Have no ISP subscriptions that do BGP (the money)

If you satisfy all these requirements, and there are quite a few
consumers out there in this situation. Then that is for you.

As a side benefit, you never have to renumber your LAN.

As a bigger issue, you keep all the NAT issues you had before with voip
and basically everything else. So that's a serious drawback. I know NAT
reflection is part of the draft RFC but don't expect it anytime soon.


More information about the ipv6-ops mailing list