NAT with IPv6?

O

oliver@

Developer
Hi,

I have a FreeBSD System acting as a router behind a crippled Cable-Router/Modem-Combination. I can only acquire a single IPv6 address from this cable-router as it does not support prefix delegation.
I tend to switch my home network to Dual Stack as I'm experiencing severe problems with the AFTR Gateways acting-as-kind-of-NAT64 of my ISP so I'm thinking of using IPv6 based connections as much as possible to bypass the AFTR Gateways.
The problem is now, that I can create a local IPv6 network in my LAN, but it is of course not routed by this crippled router. The only thing which would help me out here would be some sort of NAT on my FreeBSD router like in the good old IPv4 days....

I'm using ipfw(8) + natd(8) right now (like I do since '99). It feels like pf(4) could support ipv6-nat? Can anyone confirm this?

Any ideas/suggestions?
 
If what you have in mind is to use the traditional old fashioned way of NAT, using the single IPv6 address, then the answer is no. You could try using the Router/Modem in bridge mode, if this is supported and use the prefix that your ISP has delegate you directly on the FreeBSD box.
 
The router does not support bridge mode. This would have been the first way to go. I really need something like "old fashioned way NAT" for ipv6.....
 
I wonder if someone tried net/tayga yet - I guess I set it up correctly, but I have no clue how to redirect all my traffic through it so far.

root@reis tayga> ifconfig tun1
Code: 
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
  options=80000<LINKSTATE>
  inet 172.16.0.1 --> 172.16.0.1 netmask 0x0
  inet6 2001:db8:1:ffff::1 prefixlen 64
  inet6 fe80::ec4:7aff:fe02:320%tun1 prefixlen 64 scopeid 0x7
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 77426
root@reis tayga> ping6 2001:db8:1:ffff::172.16.0.1
Code: 
PING6(56=40+8+8 bytes) 2001:db8:1:ffff::1 --> 2001:db8:1:ffff::ac10:1
16 bytes from 2001:db8:1:ffff::ac10:1, icmp_seq=0 hlim=64 time=0.185 ms
16 bytes from 2001:db8:1:ffff::ac10:1, icmp_seq=1 hlim=64 time=0.181 ms
^C
--- 2001:db8:1:ffff::172.16.0.1 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.181/0.183/0.185/0.002 ms
 
You can use NAT64 of course if this is what you really want. But the traditional NAT of IPv4 does not apply to IPv6.
 
So... "nat" in pf will not work with ipv6 like it does with ipv4? This is what I thought after reading the docs.
NAT64 does not help as I want to access ipv6 hosts from my systems behind my firewall and not access ipv4 hosts "translated" to ipv6 addresses....

There must be a solution... routers with bridge mode disabled and not delegating a prefix aren't that uncommon and I don't want to attach all my systems directly to the hardware my ISP gave me - I just don't trust this hardware (and it is bad hardware anyway...) so I would never connect all my devices directly to the internet through a system which is not "mine". And without bridging or prefix delegation, NAT seems to be the only way to go...
 
It is not an matter of PF. It is how the protocol works. One of the major features of IPv6 that it makes NAT unnecessary. The only way to work around your problem is to get new equipment that supports bridging mode.
 
NAT is not recommened to be used with IPv6 but it should work, at least I've been able to use NAT with IPv6 when I only had a tunnel from SixXS but I didn't yet have the routed subnets approved. This PF rule should do the trick:
Code: 
nat on $extif inet6 from ! $extif to any -> $extif
Do note that while IPv6 NAT might work on 10.1-RELEASE there are some big problems with rdr rules when used with IPv6 that are being worked on at the moment in 10-STABLE.
 
gkontos said:
The only way to work around your problem is to get new equipment that supports bridging mode.
Click to expand...

Which is not an available option in my case.....
I'll try to play around with pf's NATing on the weekend to see what it can do or can't
 
You must log in or register to reply here.
Back
Top