mapping public to private IPv6 networks when firewalling

Eugen Leitl eugen at leitl.org
Thu Nov 24 10:20:05 CET 2011


On Thu, Nov 24, 2011 at 08:44:42AM +0100, Seth Mos wrote:
> On 23-11-2011 22:23, Eugen Leitl wrote:
> > 
> > What's the address space to use in IPv6 for such
> > purposes? Is fc00::/7 (RFC 4193) unroutable on
> > the public Internet in the same way as RFC 1918
> > addresses?

I'm Cc'ing this to pfSense as the thread will likely move
to pfSense/FreeBSD specifics.
 
> Yes, you can, but you need NPTv6 to get out. That's the new term for 1:1
> NAT and basically maps the 1st 64 (or larger) GUA bits from upstream
> onto your 1st 64 bits of your inside prefix.
> 
> And as mentioned elsewhere in the thread this has nothing to do with the
> firewalling. If you don't put a deny incoming traffic rule on your
> outside then traffic will happily flow in and out of the network.

But if the firewall fails to open state, the traffic will stop at the 
next router, and will not propagate across the wider Internet as the 
fc00::/7 addresses will not be routed beyond that, correct?
 
> Do realize that even with NAT your hosts are still all accessible with
> their corresponding GUA address from the internet. The internet will
> only see the GUA addresses as well.

Obviously.
 
> I normally only recommend using those if you intend to use:
> 
> - Need IPv6 Multi WAN for failover/traffic engineering

Not yet, but I'd like to go there next year.

> - Have no PI space (the money)

Yes, that seems a pretty exclusive club for us Europeans.

> - Have no ISP subscriptions that do BGP (the money)

I've tried to do that, but my hoster definitely does not
support it and has no plans of supporting it. IIRC OVH used
to support BGP in the past, but dropped it.

Any recommendations for an *really* affordable (European) ISP who
allows BGP for customers? What's the annual cost, roughly?
 
> If you satisfy all these requirements (and there are quite a few
> consumers out there in this situation), then that is for you.
> 
> As a side benefit, you never have to renumber your LAN.
> 
> As a bigger issue, you keep all the NAT issues you had before with VoIP
> and basically everything else. So that's a serious drawback. I know NAT
> reflection is part of the draft RFC but don't expect it anytime soon.

Which IPv6 setup do you recommend currently for pfSense/FreeBSD?
I want to run carp+pfsync failover. No redundant WAN yet.

Unrelated to that, is the procedure for IPv4 still the same
(mapping e.g. a public /24 to a private /24 1:1) or has this also
changed?

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
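The prefix mapping Seth describes above (swap the first 64 bits of the inside ULA prefix for the upstream GUA prefix) is NPTv6, RFC 6296. What the thread does not spell out is why it is called "1:1" rather than plain prefix rewriting: the translator also adds a one's-complement adjustment to one word of the interface identifier so that the TCP/UDP/ICMPv6 checksums computed over the pseudo-header stay valid without the translator touching the transport layer. The Python below is an added worked example, not code from this thread, from pfSense or from FreeBSD; the inside ULA /64, the outside 2001:db8::/64 documentation prefix and the host addresses are constructed for illustration, and the ULA check answers the routability question raised in the post only at the address-classification level (whether a given upstream actually filters fc00::/7 is the upstream's policy, which this code cannot verify).

```python
"""NPTv6 (RFC 6296) /64 prefix translation with the checksum-neutral
IID adjustment, plus an RFC 4193 ULA check.

Added example; prefixes and hosts below are constructed, not taken from
any real network.
"""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses

# Constructed example: a ULA /64 inside, a documentation-range GUA /64 outside.
INSIDE = ipaddress.IPv6Network("fd12:3456:789a:1::/64")
OUTSIDE = ipaddress.IPv6Network("2001:db8:1:2::/64")


def is_ula(addr):
    """True if addr is unique-local (fc00::/7). Such addresses are meant
    for local use only and should not be routed across the public Internet,
    but nothing in the address itself enforces that."""
    return ipaddress.IPv6Address(addr) in ULA


def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(w):
    """Rebuild an IPv6 address from eight 16-bit words."""
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def ones_sum(ws):
    """One's-complement sum, i.e. Internet checksum arithmetic (RFC 1071)."""
    s = sum(ws)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_add(a, b):
    """One's-complement a + b; 0xFFFF (negative zero) is written as 0x0000,
    which the checksum treats as the same value."""
    r = ones_sum([a, b])
    return 0 if r == 0xFFFF else r


def adjustment(src, dst):
    """RFC 6296 adjustment: one's-complement (sum of src prefix words) minus
    (sum of dst prefix words). Subtraction is addition of the complement."""
    s_src = ones_sum(words(src.network_address)[:4])
    s_dst = ones_sum(words(dst.network_address)[:4])
    return ones_add(s_src, (~s_dst) & 0xFFFF)


def translate(addr, src, dst):
    """Rewrite the /64 prefix of addr from src to dst, then add the
    adjustment to the first IID word that is not 0xFFFF (RFC 6296 rule for
    prefixes longer than /48). Calling it with src/dst swapped undoes it,
    because adjustment(dst, src) is the negation of adjustment(src, dst)."""
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    w = words(a)
    w[:4] = words(dst.network_address)[:4]
    adj = adjustment(src, dst)
    for i in range(4, 8):
        if w[i] != 0xFFFF:  # a 0xFFFF word cannot be mapped one-to-one
            w[i] = ones_add(w[i], adj)
            return from_words(w)
    raise ValueError(f"{a}: IID is all 0xFFFF words, RFC 6296 cannot map it")


def checksum_neutral(a, b):
    """True if a and b contribute the same value to a pseudo-header checksum
    (one's-complement sums compared modulo 0xFFFF, so 0 and 0xFFFF agree)."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF


if __name__ == "__main__":
    host = "fd12:3456:789a:1:1234:5678:9abc:def0"
    out = translate(host, INSIDE, OUTSIDE)
    back = translate(out, OUTSIDE, INSIDE)
    print(f"{host} (ULA: {is_ula(host)})")
    print(f"  -> {out} (checksum neutral: {checksum_neutral(host, out)})")
    print(f"  <- {back}")
```

Two things worth noticing when running it: the outside address differs from a naive prefix swap in one IID word (here the first), which is why a host's "real" GUA is not simply its ULA with the prefix replaced; and an inside IID whose first word is 0xFFFF gets the adjustment applied to the next word instead, so the translator's choice of word depends on the address being mapped, not on a fixed offset.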


More information about the ipv6-ops mailing list