Currently I have a nice setup using private IPv4 address space and uplinks from two ISPs to the Internet. Thanks to NAT I can just take down one of the interfaces and the Internet access is still there.
I've been thinking about how to duplicate this configuration in IPv6. From what I read, "NAT is dead". I'm really glad for that; I don't like it (and sometimes outright hate it), but it has its uses.
To put some perspective on this: this is a small company, 3 dozen computers in the network, and we don't have the budget for fancy links with SLA and BGP support. So I think that our own IPv6 subnet from RIPE-NCC won't work.
On the other hand, having two independent links is more than useful. Is there a way to do a 1-to-1 NAT in IPv6 (I'm using a Linux machine as a router)? How do I do it? Will it allow me to continue using two ISPs (provided that they both support IPv6)?
When I get a subnet from my ISP I need to have an IP address facing the Internet (to be able to route packets to my ISP) and a second one facing my LAN. In IPv6 both should be routable. Doesn't this mean I have to get at least 2 subnets from my ISP? Or are ISPs required to provide a /48 subnet, not only two /64 subnets? (And dedicate the first /64 subnet to intra-router communication.) What do I do if I get only a single /64 subnet from the ISP?
To summarize:
Questions
- Can I do 1-to-1 NAT in IPv6 in Linux? How do I do it?
- Do I need to receive at least two /64 subnets to comfortably set up routing in LAN behind firewall?
- Is there a way to have public addresses in my LAN if I get a single /64 subnet from my ISP?
Without BGP and 'business class' ISPs multihoming isn't going to work for you. It is possible to do 1-to-1 NAT with IPv6. I don't know how to configure it on Linux though. There is another way though:
You will get a prefix from both ISPs. Probably a /56 or a /48. It doesn't really matter in this case if the link to the ISP gets its own addresses or not. IPv6 can work perfectly with unnumbered uplinks. What you then do is to connect a router from each ISP to your LAN, and both should advertise a /64 from their own ISP on your LAN. So all your systems get (at least) two public IPv6 addresses: one from each ISP. You can give the advertisements of your primary ISP a higher priority. When the link to the ISP goes down the corresponding router should withdraw its advertisement and your systems will start using the other link.
The only downside is when one ISP doesn't accept packets with a source address from the other ISP. If that is the case then the routers should check the source address and forward traffic with the wrong source address to the other router.
If you only get a single /64 from your ISP then you can use that on your LAN. They should give you more than that though. A /48 used to be the standard for many years, a /56 is becoming more normal these days, but you should definitely get more than a /64.
The solution is the same as for IPv4 - you have to hide a private network behind a NAT with two WAN links.
Unique Local Addresses (ULA) are "private networks for IPv6". Network Prefix Translation (NPt) is "NAT for IPv6". Assign an internal IPv6 Unique Local Address prefix to your network. While it is not required to do so (the chances of colliding ULAs are much smaller than those of colliding IPv4 subnets, should the network need to merge with another private network), there is at least a theoretical benefit to registering your ULA. Enable NPt on each WAN interface, providing your internal ULA and each provider's IPv6 prefix to NPt. Your own IPv6 subnet from RIPE-NCC won't work for all the same reasons your own IPv4 subnet will not work (your lack of budget for BGP support).
NPt has worked quite well for me. My intention was only to provide independence between my internal IPv6 addressing scheme and that of my ISP so that if I switch ISPs only the ISP prefixes need to change, not my entire network configuration. In theory it will suffer the same problems as IPv4 NAT if a protocol sends the non-routable address to a remote machine that then tries to connect back.
This is known as "network prefix translation" and yes, Linux does support it. You use the "SNPT" and "DNPT" targets in the "mangle" table (the "nat" table is only used for stateful NAT).
You use the SNPT target to change the source prefix on outgoing packets and the DNPT target to change the destination prefix on incoming packets. Since it's stateless you must explicitly translate in both directions.
You can either use one ISP's addresses on your LAN and translate for the other ISP, or you can use ULA addresses on your LAN and translate for both ISPs.
Yes.
Obviously as with V4 NAT you will want to make sure that routing is fairly stable since an ISP switch will break established connections.
The IPv6 purists don't like it, but Linux recently added a stateful NAT implementation for IPv6. So you can hide a whole network behind a single v6 IP if you want.
If you are putting public IPs on the machines or using NPT you will want subnets to do that with.
As far as I can tell, the typical scenario for IPv6 on consumer/small business ISPs is that they allocate a single address to the Internet side of the CPE router. Then they use DHCPv6 prefix delegation to allocate a prefix for the customer to use on their networks. Typical is to allocate a /56 to each customer.
Unfortunately at least one ISP I'm aware of insists on you using an ISP-provided CPE router which doesn't support onward prefix delegation at this time. So if you want to put your own firewall behind their router you are kinda stuck :(
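An added example (not from any of the answers above) that turns the SNPT/DNPT description into a concrete ip6tables rule set for the "ULA on the LAN, translate for both ISPs" case. It assumes a constructed ULA prefix, two uplink interfaces `eth1` and `eth2`, and constructed documentation prefixes for the two ISPs; by default it only prints the rules (`RUN=""` applies them).

```shell
#!/bin/sh
# Stateless IPv6 prefix translation (NPTv6) with the SNPT/DNPT targets in the mangle table.
# Constructed example: prefixes and interface names are placeholders, not from the page.
LAN_PFX="fd12:3456:789a:1::/64"   # ULA prefix used inside the LAN (constructed)
RUN="${RUN:-echo}"                # default: print the rules; RUN="" executes ip6tables

# prefix_len 2001:db8::/48 -> 48
prefix_len() { printf '%s\n' "${1##*/}"; }

# npt_pair <wan-if> <isp-prefix>
# Emits the two rules that map LAN_PFX <-> the ISP prefix on one uplink.
# Translation is stateless, so each direction needs its own rule.
npt_pair() {
    wan_if="$1"; isp_pfx="$2"
    # SNPT/DNPT rewrite the prefix bits only: both prefixes must be the same length.
    if [ "$(prefix_len "$LAN_PFX")" != "$(prefix_len "$isp_pfx")" ]; then
        echo "prefix length mismatch: $LAN_PFX vs $isp_pfx" >&2
        return 1
    fi
    # Outbound on this uplink: rewrite the ULA source prefix to this ISP's prefix.
    $RUN ip6tables -t mangle -A POSTROUTING -o "$wan_if" -s "$LAN_PFX" \
        -j SNPT --src-pfx "$LAN_PFX" --dst-pfx "$isp_pfx"
    # Inbound on this uplink: rewrite this ISP's destination prefix back to the ULA.
    $RUN ip6tables -t mangle -A PREROUTING -i "$wan_if" -d "$isp_pfx" \
        -j DNPT --src-pfx "$isp_pfx" --dst-pfx "$LAN_PFX"
}

# all_rules: one SNPT/DNPT pair per uplink. Matching on -o/-i keeps each ISP's
# prefix on its own link, so a reply to ISP A's prefix never leaves via ISP B.
all_rules() {
    npt_pair eth1 "2001:db8:1:1::/64" &&   # ISP A (constructed prefix)
    npt_pair eth2 "2001:db8:2:1::/64"      # ISP B (constructed prefix)
}
```

Established connections still break when the route to the Internet flips from one uplink to the other, exactly as the answer notes for IPv4 NAT; the rules only keep the addressing inside the LAN stable.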