IPFW Local network (IPv6) - IPv4 internet connection

Dear All,

I want to migrate my local network to an IPv6 network, but my ISP supports only IPv4.

I am using ipfw.

How can I NAT IPv6 clients to the internet?

Thanks.
 
You can't. NAT means "network address translation", but IPv6 is an entirely different protocol.

The typical solution is to go for dual-stack in your local network (enabling both IPv4 and IPv6). If you want IPv6 connectivity to the outside as well, use some free tunnel service, e.g. https://tunnelbroker.net/ – or look out for a better ISP ;-)
 
ipfw supports NAT64 in stateful (ipfw_nat64lsn) and stateless (ipfw_nat64stl) modes. These loadable modules provide IPv6 connectivity to IPv4 hosts out on the Internet. While this is doable, it generally requires the use of a companion service, DNS64, which has to be configured in a local DNS server, or for you to find a public DNS server that provides DNS64 support.

It is possible to configure ipfw to perform stateful NAT64 to provide IPv6 hosts access, though my experience has been limited by what I perceive as a bug in ipfw (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263974). (Could be pilot error - my ruleset may be the problem.) I'm waiting for a response about that.

You can see my example testbed and description in the entry.

You can read more about NAT64 and similar transition mechanisms in IETF RFCs.
https://datatracker.ietf.org/doc/html/rfc7269 is a good overview of current progress.

Jim B.

See also https://datatracker.ietf.org/doc/html/rfc6144 , 6145 , 6146 , and 6147 for more background.
 
Agree - 100% - with getopt


There's another document that was from a networking standards body or something non-security-centric, but some of the issues with running dual stack will cause a pause to consider whether or not it's really something you need (if you do, I think Zirias has the only solution, and his statement of it being an entirely different protocol is the nugget of gold I'd take away from everything said).
 
if you do, I think Zirias has the only solution, and his statement of it being an entirely different protocol is the nugget of gold I'd take away from everything said
What's the purpose of that remark? They are different protocols; you can't just rewrite addresses like NAT is doing. Sure, there are things like NAT64, but that's more than just NAT: it rewrites the whole protocol headers. And it's pretty limited: all it can offer is routing to IPv4 hosts from IPv6-only hosts. I wouldn't recommend starting with something like this.

IPv6 adds complexity that one only wants if needed in a LAN.
It's roughly 10 years too late for that to be a valid argument. IPv4 address space is exhausted. There are already lots of hosts on the internet not reachable with IPv4 any more. Most of them are just clients or at least not relevant for "the web", but that's subject to change as well. My practical example are the official FreeBSD builder machines -- only relevant if you're working on ports, but if you want to read a full build log of an official package build, you already need IPv6.

An ISP only offering IPv4 is an anachronism. In fact, I see much more the opposite problem: ISPs only offering IPv6 (plus some "crippled" IPv4, typically in the form of "DS-Lite", where for IPv4, a tunnel is established to some router operated by the ISP that does NAT, so many customers can share the same public IPv4 address). The simple reason for this is the price you pay for public IPv4 addresses nowadays.
 
With HE you can get a /64 and a /48. That's plenty of address space to experiment with. Tunnels work fine, easy to set up. It only adds a tiny bit of latency but overall the performance has been excellent.

One thing I have noticed with the IPv6 tunnel broker from HE: sometimes Netflix and all start complaining about using a VPN or proxy to circumvent region locks. Netflix, Disney, Amazon Prime, they all complain at the same time, which leads me to believe they all use the same service that checks this. The only way to get rid of those proxy warnings is by turning off IPv6 on those devices. Quite annoying. But not as annoying as my ISP not supporting IPv6 on bridged modems.
 
getopt that's not the point. If you want IPv6 connectivity to the outside, anything except having IPv6 in your LAN as well is actually more complexity.
 
One thing I have noticed with the IPv6 tunnel broker from HE: sometimes Netflix and all start complaining about using a VPN or proxy to circumvent region locks. Netflix, Disney, Amazon Prime, they all complain at the same time
That's interesting. I only use Amazon for streaming, but my (IPv6-enabled) TV set never complained so far. Is it possible that your tunnel endpoint is not inside your "region"?
 
getopt that's not the point. If you want IPv6 connectivity to the outside, anything except having IPv6 in your LAN as well is actually more complexity.
Zirias
The point is that the OP does not have an ISP offering IPv6 but he is wanting IPv6 in his LAN. Later he said for education purposes. So reading OP's posts carefully too does not hurt.
 
That's interesting. I only use Amazon for streaming, but my (IPv6-enabled) TV set never complained so far. Is it possible that your tunnel endpoint is not inside your "region"?
It is, I specifically picked one in Amsterdam so the endpoint is in my own "region". But the whois information of that range shows a US owner (Hurricane Electric), and I think they're fussy about that. As I only use Netflix and all on my NVidia Shields I simply turned off IPv6 on those (it's easy to turn IPv6 on/off in the settings).
 
What's the purpose of that remark? They are different protocols, you can't just rewrite addresses like NAT is doing. Sure, there are things like NAT64, but that's more than just NAT, it rewrites the whole protocol headers. And it's pretty limited, all it can offer is to route to IPv4-hosts from IPv6-only hosts. I wouldn't recommend starting with something like this.


It's roughly 10 years too late for that to be a valid argument. IPv4 address space is exhausted. There are already lots of hosts on the internet not reachable with IPv4 any more. Most of them are just clients or at least not relevant for "the web", but that's subject to change as well. My practical example are the official FreeBSD builder machines -- only relevant if you're working on ports, but if you want to read a full build log of an official package build, you already need IPv6.

An ISP only offering IPv4 is an anachronism. In fact, I see much more the opposite problem: ISPs only offering IPv6 (plus some "crippled" IPv4, typically in the form of "DS-Lite", where for IPv4, a tunnel is established to some router operated by the ISP that does NAT, so many customers can share the same public IPv4 address). The simple reason for this is the price you pay for public IPv4 addresses nowadays.
I was agreeing with you, Zirias - I was stating the comment you made was the nugget of gold to take from this if nothing else…
 