I want to connect several devices (in the LAN) to the Internet via a single public IPv6 address.
Unfortunately I did not find a good way to do this. The only idea I had was to tunnel everything from the PF/OPNsense via OpenVPN to a Raspberry Pi or similar before the Sense and then go to the Internet with the IPv6 from the Pi.
The planned setup would be Internet (WAN) - Fritzbox (LAN1) - PFSense / OPNsense (with WAN interface) - LAN2
Are there any other possibilities? The VPN solution is not really nice.
Why? Assigning each (private) device its own public IP (also with privacy extension) simplifies tracking. In addition, some devices do not have a privacy extension or it is not active.
IPv6 is designed to not do that. Trying IPv4 style NAT with IPv6 will break things. That said, I'm pretty sure you can do NAT IPv6 with Linux iptables, so it's not impossible. But I would strongly recommend not to do it.
IPv6 doesn't have a NAT standard the way IPv4 does. There is an EXPERIMENTAL RFC for one-to-one NAT (one outside address for each inside address) on IPv6, but it explicitly forbids what you want to do (I highlighted it below):
Also, you will find that NAT breaks some IPv6 features.
IPv6 has plenty of addresses so that you do not need to use NAPT the way you do with IPv4. NAPT on IPv4 breaks the IP paradigm where each host is assigned a unique address so that connections are from end-to-end, with no middle devices needing to maintain state on the connections. IPv6 restores the IP paradigm, allowing protocols other than TCP, UDP and ICMP*, and it fixes applications and application-layer protocols that are broken by NAPT.
You may misunderstand the tracking and function of Privacy Extensions. The fact is that the tracking that Privacy Extensions prevents is tracking a device as it is connected to different networks, getting a new address on each connected network, not tracking the services that the device uses on the Internet. By using only the original SLAAC, a device will always have the same IID (Interface Identifier) on the same interface, and it could be correlated, no matter the network to which the device was attached, tracking it as you move it from network to network. This does not matter if the device only exists on a single network, you have no movement to track. If you do move the device to other networks, and the device does not support Privacy Extensions, then you will be able to be tracked, but I would also argue that the device software is so old as to be riddled with security problems.
If the device only connects to a single network, then there is no tracking risk, and you could also use DHCPv6 to assign addressing, or you could manually assign an address, rather than use SLAAC that uses an identifier, such as a MAC address.
*RFC 3022, Traditional IP Network Address Translator (Traditional NAT) explains IPv4 NAT, including NAPT in Section 2.2:
IPv6 addresses are not the most powerful way to track. DNS traffic shows where on the Internet you are going. On desktop and mobile, ad and social tracking identifiers follow users across devices and IPs.
IPv6 addresses can be changed frequently, leaving only the common prefix identifying your site, not the host. On devices without privacy extensions, consider implementing something similar yourself. Generate random host identifiers, and assign that as an IP address within your prefix statically.
Encrypt traffic. Use TLS for all applications.
Use secure overlays where necessary to transit networks you do not trust.
Avoid NAT. Every device can choose from billions of IPs, why would you break end to end connectivity by funneling through one?
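The "generate random host identifiers and assign them statically" suggestion in this answer, as an added example (not the answerer's own script): it builds a static address from a site prefix and a freshly generated 64-bit interface identifier, which is the manual equivalent of an RFC 4941 temporary address for a device that lacks privacy extensions. It assumes a POSIX shell with od, sed and cut, /dev/urandom, and iproute2 for the optional assignment step; the prefix 2001:db8:1:2::/64 is a constructed value from the documentation range.

```shell
#!/bin/sh
# Added example (not from the original answer). Builds a random 64-bit IID and
# prepends a /64 prefix to it, so a host without privacy extensions can be given
# a static address that does not embed its MAC address.

random_iid() {
    # 8 random bytes as 16 hex characters
    hex=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    # Clear the u/l bit (0x02 in the first byte) so the IID is marked as locally
    # generated rather than derived from a globally unique MAC, as RFC 4941 does.
    b1=$(printf '%s' "$hex" | cut -c1-2)
    first=$(( 0x$b1 & 0xfd ))
    rest=$(printf '%s' "$hex" | cut -c3-16)
    # Insert a colon after every 4 hex digits and drop the trailing one.
    printf '%02x%s' "$first" "$rest" | sed 's/\(....\)/\1:/g; s/:$//'
}

make_address() {
    # $1 is a /64 prefix written as 2001:db8:1:2::/64 (constructed example value)
    prefix=${1%/*}        # strip the prefix length
    prefix=${prefix%::}   # strip the trailing "::"
    printf '%s:%s\n' "$prefix" "$(random_iid)"
}

assign_address() {
    # $1 = interface, $2 = /64 prefix; needs root. Assumes the prefix is a /64.
    addr=$(make_address "$2")
    ip -6 addr add "$addr/64" dev "$1"
    printf '%s\n' "$addr"
}

# Running the script directly prints one candidate address for the given prefix.
make_address "${1:-2001:db8:1:2::/64}"
```

Because the identifier is drawn from /dev/urandom each time the script runs, re-running it on a schedule and swapping the address gives the rotation that privacy extensions would otherwise provide; the common /64 prefix still identifies the site, exactly as the answer notes.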
As others have noted, there are many ways your devices will be tracked. Even if you had thousands (instead of just dozens) of them and mapped them all on the same IP it wouldn't make much difference.
See for example https://panopticlick.eff.org/ if you want to try it yourself, and click on "Show full results". Try with different devices, even change your IP via VPN or router reboot. It is appalling. So even with a privacy-hardened browser (which would hardly be available on all your devices) and rebooting the router after each connect so your IP changes (hopefully), your devices are still quite well identified.
Now imagine if you are dealing with unscrupulous trackers (which most of the problematic ones are) which are going to have access to way more information, and the fact that most of your accesses are going to be coming from one IP (or one IPv6 range, it does not make a difference).
Using NAT-ing for enhancing privacy amounts to "I want to put a wet towel around the exhaust of my diesel car so it would reduce its pollution". It just won't help in any measurable way.
If you don't care about end-to-end connectivity, you shouldn't bother with IPv6 at all. It is highly likely your devices will function just fine under plain IPv4 NAT for the rest of their lifetimes.
That being said, if you still insist on the idea that all your outgoing connections should come from one IPv6 address, you would do that by disabling routing and installing proxy software instead. There is the generic SOCKS proxy protocol, but for HTTP you would be better served with privacy-enhancing proxies like Privoxy. You can in addition link Privoxy's upstream to the Tor network to get the benefit of changing IP source addresses. If you can't use proxies, VPN is your best and least ugly way.
That might actually help a little with privacy, although for better results nowadays you would need to completely disable Javascript (or at the very least install uBlock Origin and NoScript in more secure modes and painfully configure them on site-by-site basis) on all your devices (and of course disable horrors like Flash and other browser plugins!)
If you want to do unusual/frowned upon stuff then using a pre-canned "router distro" as your edge router probably isn't the best way to go. Further, pfSense is based on FreeBSD pf which does not support "one to many" IPv6 NAT.
If you want to do one to many IPv6 NAT I would suggest using a recent version of a generic Linux distro as your edge router. Linux added support for IPv6 NAT in 3.9.0 and using it is basically as simple as its IPv4 counterpart, e.g. "ip6tables -A POSTROUTING -t nat -o <outgoing-interface> -j MASQUERADE".
You can do IPv6 NAT just fine with any sufficiently modern iptables-supporting router between the network you are hiding and the network you have the single IP on. It is in practice used to put several machines behind a gateway on the cjdns IPv6 overlay network, as documented here.
Assuming you have IPv6 forwarding set up in your kernel, and your router is already set up to be on the path between the two networks, the iptables rules look like this:
Here, eth0 is the interface on the network you are hiding, and tun0 is the interface that has the IP that you want everything to appear to be behind.
Note that with this sort of NAT you are going to screw up any inbound connections or traffic that is not part of an established session. Packets addressed to the "real" IPv6 addresses of the internal machines will come in fine, but replies will be NAT-ed and appear to come from a different address. Only sessions initiated from behind the NAT will work properly. You might want to add firewall rules to block incoming traffic that isn't related to a session that the NAT knows about.
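The rule set that this answer and the earlier Linux-edge-router answer describe, written out as an added example (these are not the answerers' own rules, which did not survive on the page): a many-to-one IPv6 MASQUERADE on the outside interface, plus the forward-chain policy the answer recommends, so that only sessions initiated from the hidden network are allowed back in. It assumes a Linux router with kernel 3.9 or later (the version named above as the first with IPv6 NAT), ip6tables with the conntrack match, and the interface names used in the answer: eth0 inside, tun0 outside. The function only generates the rules in ip6tables-restore format; applying them is a separate function that needs root.

```shell
#!/bin/sh
# Added example (not from the original answers). Generates an ip6tables-restore
# rule set for many-to-one IPv6 NAT with a default-deny forward policy.
# Usage: nat66_rules <inside-iface> <outside-iface>   (prints the rules)
#        nat66_apply <inside-iface> <outside-iface>   (applies them; needs root)

nat66_rules() {
    inside="$1"    # interface on the network being hidden (eth0 in the answer)
    outside="$2"   # interface holding the single public address (tun0 in the answer)
    cat <<EOF
# nat table: rewrite the source of everything leaving via the outside interface
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $outside -j MASQUERADE
COMMIT
# filter table: forward outbound sessions, and inbound only when conntrack
# already knows the flow (this is the "block unrelated incoming traffic" rule)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $inside -o $outside -j ACCEPT
-A FORWARD -i $outside -o $inside -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

nat66_apply() {
    # Forwarding must be on or the FORWARD chain is never consulted.
    sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null
    # ip6tables-restore replaces the whole nat and filter tables atomically.
    nat66_rules "$1" "$2" | ip6tables-restore
}

# Running the script directly just prints the rule set for review.
nat66_rules "${1:-eth0}" "${2:-tun0}"
```

ICMPv6 errors that belong to a tracked flow (for example Packet Too Big, which path MTU discovery depends on) are classified RELATED by conntrack and so pass the second FORWARD rule; anything that arrives unsolicited from tun0 hits the DROP policy, which is the behaviour the answer warns you to expect anyway.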
Addressing your concern of being tracked via IPv6 address: the possibility to use temporary addresses exists. I know of this only from theory, but feel like that must be the standard setup.
https://www.rfc-editor.org/rfc/rfc4941
also: https://www.rfc-editor.org/rfc/rfc7721