OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: ember1205 on April 17, 2023, 07:08:41 PM

Title: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: ember1205 on April 17, 2023, 07:08:41 PM
I recently ran into an issue with trying to access a local company's web site. On my LAN/WiFi, I could not access the site at all with mobile devices (part of my testing) but it worked fine from the same devices on the cellular data network. It turned out that the issue was because they never bound an IPv4 address to the site, only IPv6.

My ISP assigns both an IPv4 and an IPv6 address to my firewall via DHCP. Opening up a site like whatismyip.com shows that only the IPv4 address is being used.

Is it possible to set up NAT rules that will translate my internal IPv4 network to IPv6 when the destination is an IPv6 address? What are my options here to be able to support both address types for translation?
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: bartjsmit on April 18, 2023, 08:07:05 AM
Quote from: ember1205 on April 17, 2023, 07:08:41 PM
What are my options here to be able to support both address types for translation?
NAT the IPv4 and allow the IPv6. There is no need for IPv6 NAT. Concentrate on routing the IPv6 internally. You'll likely need RADVD.

You could run a reverse proxy if your ISP doesn't give you static IPv6 delegation but that's just dumb and you should complain. Apply the KISS principle.

Bart...
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: ember1205 on April 18, 2023, 03:05:58 PM
Quote from: bartjsmit on April 18, 2023, 08:07:05 AM
NAT the IPv4 and allow the IPv6. There is no need for IPv6 NAT. Concentrate on routing the IPv6 internally. You'll likely need RADVD.

You could run a reverse proxy if your ISP doesn't give you static IPv6 delegation but that's just dumb and you should complain. Apply the KISS principle.

Bart...

I already have NAT in place for IPv4 from my internal LAN to the WAN (using the WAN IPv4 address) and I'm using private IP Address space on my LAN so NAT is required.

It sounds like you're saying that I need to contact the ISP to find out what they are providing to me for IPv6 use on my LAN, and I fully expect they aren't providing anything at all but are only allocating an IPv6 address to the modem because that's something that all of the cable ISPs seem to be doing.
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: meyergru on April 18, 2023, 03:55:28 PM
I severely doubt that. Usually, ISPs hand out two IPv6 address(es):

1. An IPv6 for the router itself (IA_NA)
2. An IPv6 range for the devices behind the router (IA_PD)

Normally, you would request both and on your LAN, you would use "track interface" in the IPv6 configuration. Also, you would use RADVD with a prefix ID for each local subnet / interface.

That way, your LAN devices would pick up IPv6 addresses with the ISP-assigned prefix (plus prefix ID) and could then use native IPv6.

If you do not get a prefix or if you do not want to have IPv6 in your local networks, you could install a squid proxy on your OPNsense and configure your browsers through it, if only the OPNsense itself was IPv6-capable.
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: ember1205 on April 18, 2023, 03:59:21 PM
Quote from: meyergru on April 18, 2023, 03:55:28 PM
I severely doubt that. Usually, ISPs hand out two IPv6 address(es):

1. An IPv6 for the router itself (IA_NA)
2. An IPv6 range for the devices behind the router (IA_PD)

Normally, you would request both and on your LAN, you would use "track interface" in the IPv6 configuration. Also, you would use RADVD with a prefix ID for each local subnet / interface.

That way, your LAN devices would pick up IPv6 addresses with the ISP-assigned prefix (plus prefix ID) and could then use native IPv6.

If you do not get a prefix or if you do not want to have IPv6 in your local networks, you could install a squid proxy on your OPNsense and configure your browsers through it, if only the OPNsense itself was IPv6-capable.


How does an ISP "hand out" the IP range?

It also sounds like I would need to be running DHCP services on the OPNsense box. If that's the case, then I'm going to wait until we move to invest -any- effort into that at all since the ISP is likely to change anyhow.
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: meyergru on April 18, 2023, 04:51:56 PM
They hand out both types of addresses via DHCPv6 like they hand out an IPv4 via DHCP.
You can see which you get on the dashboard.

And no, you do not need a DHCPv6 server for your LAN, just use RADVD and let clients do SLAAC.

How does your need to have IPv6 connectivity change if your ISP changes? They are quite alike in how they provide you with IPv6.
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: ember1205 on April 18, 2023, 05:09:52 PM
Thanks... None of this appears to be in the default Dashboard, but I am able to see more info in the Interfaces->Overview screen. It appears that they offer a /64 by default and I am able to request and obtain a /56. It does appear that, for the subnet that the OPNsense is on, IPv6 tracks through to the clients for auto-config without an issue but does not go beyond the border of my router to other client subnets. In the end, this might not actually be an issue like this.

With regard to my comment about changing ISPs... I wasn't saying my potential need for IPv6 would change, only that the specifics of the address and prefix would change. I didn't want to have to invest any effort at this point into any sort of specific configuration to get my various devices working as I would have to "re-do it" when I moved. My focus would have been on specific configuration efforts post-move.

I'll have to look more into RADVD to see what it will take to get that working to allow clients on other subnets be able to pick up IPv6 addresses.
Title: Re: IPv4 on LAN - Can I NAT to both IPv4 and IPv6 on WAN?
Post by: bartjsmit on April 19, 2023, 07:46:14 AM
Quote from: ember1205 on April 17, 2023, 07:08:41 PM
My ISP assigns both an IPv4 and an IPv6 address to my firewall via DHCP.

Unlike IPv4, your ISP doesn't assign one IPv6 address to your WAN interface. It delegates a range - /64 as an utter bare minimum but usually /56 or /48 which allow you to run loads of subnets on your LAN side. Remember that IPv6 subnets are /64.

Try meyergru's advice and set up RADVD with SLAAC. You may need a static IPv6 on the LAN interface. Private (RFC1918) IP ranges are a consequence of NAT, not a requirement for security. There is no need to NAT IPv6 since the address space is humongous.

TLDR: IPv6 is different. Don't use NAT or DHCP.

Bart...
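
The prefix arithmetic discussed in this thread (a delegated range split into /64 LAN subnets by prefix ID), as an added example that is not part of any forum post and not OPNsense code. The function names, interface names and the 2001:db8 documentation prefixes are assumptions constructed for illustration.

```python
import ipaddress


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a LAN interface would use for a given prefix ID.

    delegated: the range received via DHCPv6 prefix delegation (IA_PD).
    prefix_id: the per-interface ID that fills the bits between the
               delegated prefix length and /64.
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is longer than /64; SLAAC needs a /64")
    id_bits = 64 - net.prefixlen          # /56 -> 8 bits, /48 -> 16, /64 -> 0
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit in {id_bits} bit(s) "
            f"of a /{net.prefixlen} delegation"
        )
    # The prefix ID sits directly above the 64-bit interface identifier.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def plan(delegated: str, wanted: dict) -> dict:
    """Map interface name -> /64 string, or None if the ID cannot be served."""
    result = {}
    for name, pid in wanted.items():
        try:
            result[name] = str(lan_prefix(delegated, pid))
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample data: hypothetical interfaces and prefix IDs.
    interfaces = {"LAN": 0x00, "GUEST": 0x01, "IOT": 0x10}
    for pd in ("2001:db8:abcd:1200::/64", "2001:db8:abcd:1200::/56"):
        print(pd, plan(pd, interfaces))
```

With only a /64 delegated, prefix ID 0 is the sole valid value, so a second subnet gets no prefix; with a /56 there are 256 possible /64s.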