New Member
Posts: 13
Registered: ‎01-21-2015
Kudos: 11
Solutions: 1

Re: IPv6 and NAT / NPTv6

I'm thinking of the case where your ISP gives out DHCPv6 assigned address ranges instead of static IPv6 ranges.  Using NPTv6 avoids having to reconfigure the internal network when the external address changes but seems to avoid the pitfalls of NAT since there is a clear 1:1 address mapping.

 

I'd also like to avoid reconfiguring as much of the firewall as possible when the external address changes. For the firewall this means addresses assigned to internal interfaces, rules allowing access to servers inside the network, etc.  If ip6tables took as the --to argument in the command you suggested a destination interface and from it automatically detected the destination network, then it wouldn't have to be reconfigured if the external IPv6 address changes, either.   Of course it would have to detect changes to the configured network on that interface.  Don't most IPv6 NAT implementations do this?

 
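An added example, not code from any post in this thread and not EdgeOS's own CLI, of what the NETMAP setup discussed above looks like on a Linux router and how to re-derive it when the ISP-assigned prefix changes. ip6tables NETMAP takes a literal prefix in --to rather than an interface, so the script reads the current global address on the WAN interface, computes its /64 and re-installs the two rules. The interface name eth0, the inside prefix fd00:dead:beef:1::/64, and the assumption that the outside prefix is the /64 of the WAN interface's own global address (a DHCPv6/RA-assigned /64, not a delegated prefix from DHCPv6-PD) are all made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from EdgeOS. Derive the /64 the
# WAN interface currently holds and emit/install the two ip6tables NETMAP rules
# that make up an NPTv6 translation. Assumptions (invented for the example):
# WAN interface eth0, inside (LAN) prefix fd00:dead:beef:1::/64, and the
# outside prefix is the /64 of the WAN interface's own global address.

# expand_v6 ADDR: print ADDR as 8 colon-separated hextets, lower-case,
# without leading zeros (so "2001:DB8::1" becomes "2001:db8:0:0:0:0:0:1").
expand_v6() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | awk -F'::' '{
        n = split($1, left, ":"); m = 0
        if (NF > 1) m = split($2, right, ":")
        k = 0
        for (i = 1; i <= n; i++) h[++k] = left[i]
        for (i = 1; i <= 8 - n - m; i++) h[++k] = "0"    # zeros hidden by "::"
        for (i = 1; i <= m; i++) h[++k] = right[i]
        for (i = 1; i <= 8; i++) { sub(/^0+/, "", h[i]); if (h[i] == "") h[i] = "0" }
        out = h[1]; for (i = 2; i <= 8; i++) out = out ":" h[i]
        print out
    }'
}

# prefix64 ADDR[/LEN]: print the /64 containing ADDR (a /LEN suffix is ignored).
prefix64() {
    expand_v6 "${1%%/*}" | awk -F: '{ print $1 ":" $2 ":" $3 ":" $4 "::/64" }'
}

# wan_prefix64 IFACE: the /64 of the first global address on IFACE (uses iproute2).
wan_prefix64() {
    addr=$(ip -6 addr show dev "$1" scope global | awk '$1 == "inet6" { print $2; exit }')
    [ -n "$addr" ] && prefix64 "$addr"
}

# nptv6_rules WAN_IF INSIDE OUTSIDE: print the two NETMAP rules. Inbound traffic
# to OUTSIDE has its destination rewritten to INSIDE; outbound traffic from
# INSIDE has its source rewritten to OUTSIDE. Host bits are kept (1:1 mapping),
# which is why both prefixes must have the same length.
nptv6_rules() {
    printf 'ip6tables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$1" "$3" "$2"
    printf 'ip6tables -t nat -A POSTROUTING -o %s -s %s -j NETMAP --to %s\n' "$1" "$2" "$3"
}

# nptv6_refresh WAN_IF INSIDE: reinstall the rules for whatever /64 the WAN
# interface carries right now. Flushes the whole nat table first, so this
# assumes the nat table is used for nothing else. Call it from a DHCPv6/RA
# hook (or cron) so the rules follow prefix changes; needs root.
nptv6_refresh() {
    outside=$(wan_prefix64 "$1") && [ -n "$outside" ] || { echo "no global address on $1" >&2; return 1; }
    { echo 'ip6tables -t nat -F'; nptv6_rules "$1" "$2" "$outside"; } | sh
}

# Usage (as root): sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    nptv6_refresh eth0 fd00:dead:beef:1::/64
fi
```

The PREROUTING rule matches on the translated (outside) prefix and the POSTROUTING rule on the inside prefix; NETMAP preserves the host part, so the address a LAN host sees in its own logs and the address the Internet sees differ only in the first 64 bits, which is what keeps the firewall rules on the LAN side prefix-independent. The refresh function is deliberately blunt (flush and re-add); on a router whose nat table carries other rules, replace the flush with a dedicated chain.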

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5457
Solutions: 1656
Contributions: 2

Re: IPv6 and NAT / NPTv6


csch wrote:

Can you somehow "predict", how the whole offloading engine will react to usage of NAT66/NPT?


For the offload question, we'll need to look into implementation details when/if we get to it, but at a high level it should work like the IPv4 mechanism and NAT should be supported.

 


csch wrote:

And (let's phrase it differently this time): Would you consider any efforts of mine to create a Vyatta CLI for this "in vain"?


Not sure what you mean but I don't think it will be "in vain"? I'm sure some people will find it useful. Thanks for looking into this!

Member
Posts: 118
Registered: ‎06-08-2013
Kudos: 148
Solutions: 3

Re: IPv6 and NAT / NPTv6

Update:

 

NAT66 does seem to "offload" - at least turning on/off offloading for "ipv6 forwarding" does make a quite noticeable difference in throughput.

 

Nice ...

New Member
Posts: 15
Registered: ‎08-18-2015

Re: IPv6 and NAT / NPTv6

Question for ubnt engineers: when do you think the Vyatta NAT NPTv6 patches, which were merged in Feb 2015, will be available?

 

This will make multi-WAN sites with load balancing/failover much simpler.

New Member
Posts: 15
Registered: ‎05-25-2013
Kudos: 6

Re: IPv6 and NAT / NPTv6

[ Edited ]

Hi,

 

I have two requests/questions, related to this thread (on NPTv6, but more specifically on getting IPv6 working without DHCPv6-PD support from the ISP):

 

1) I was wondering if ip6tables netmap (-j NETMAP) support will be added to the ipv6 nat configuration? It works when added manually via ip6tables, but it would be nice to have it as part of the real configuration tools.

 

2) This request is a bit longer:

I have currently succeeded in using NPTv6, combined with an NDP proxy, to enable routed/firewalled IPv6 traffic on my LAN. This seems easy, but the problem is that my ISP (Telenet Belgium) does NOT provide DHCPv6 with Prefix Delegation. The ISP modem is the router (with built-in IPv4 NAT and wifi), and it takes up a full /64 prefix for IPv6 (my ISP delivers a /56 to customers, but only one /64 is available). The ISP states that it cannot currently deliver PD, because hierarchical PD is not yet standardized (not sure what that means). However, I don't like my LAN exposed to a device that is managed externally. I'd love to retain some firewalling capabilities in my own hands.

 

So, my current setup is:

Internet --- ISPMODEM --- EdgeMax --- MyLAN

 

The ISPMODEM runs DHCPv4 (and NAT) to provide RFC1918 (192.168.x.y) IPv4 addresses, and it also runs DHCPv6 to provide internet routable IPv6 addresses from a /64 prefix (not NAT'ed).

 

My EdgeMax router is currently configured IPv6-only and performs NPTv6 to translate the ISP /64 into a ULA address space (thanks to @rps and @csch for their input in this thread).

 

Now, the technical challenge is that the ISPMODEM needs to know what IPv6 addresses are actually in use on my LAN. Normal devices (those directly connected to the ISPMODEM) can use Neighbor Discovery to signal their presence. However, for all devices behind the EdgeMax, some form of NDP proxying is needed. For this to work, it is possible to manually add proxy entries in the Linux kernel to forward ND packets, but this requires a lot of manual work (one entry for every device on the LAN). It is also difficult to maintain, as I would need to add an entry for each device on my LAN.

 

So I went looking for a better solution and found an NDP Proxy Daemon (https://github.com/DanielAdolfsson/ndppd). Basically, I just cross-compiled this project for the EdgeMax Lite and it works without any (noticeable) issues (yet).

 

Thus, my second request: Is it possible to add support for the NDP Proxy Daemon (this implementation or another one, don't really care) to EdgeOS? I believe this would be an extremely valuable feature. Normal IPv6 users would never need this, but adding it allows IPv6 support for ISPs that do not support IPv6 PD. If this requires work, I'm willing to throw in my support...

 

I hope the explanation is somewhat correct.

 

Kind regards,

Tim
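An added example, not code from the thread, from ndppd or from EdgeOS, of the two ways of answering Neighbor Solicitations on the ISP-facing link that the post above describes: the per-address kernel proxy entries, and an ndppd configuration that answers for a whole prefix. Interface and address names are made up (eth0 is the link to the ISP modem, 2001:db8:0:0::/64 stands for the modem's /64); the ndppd.conf keywords follow the proxy/rule syntax in ndppd's README and should be checked against the version you actually built.

```shell
#!/bin/sh
# Added example, not code from the thread, ndppd or EdgeOS. Both functions only
# print commands/config so the script can be read (or piped to sh) safely;
# applying the output needs root. eth0 = link to the ISP modem (invented).

# kernel_ndp_proxy_cmds IFACE ADDR...: emit the commands that make the Linux
# kernel answer Neighbor Solicitations for each ADDR on IFACE. This is the
# manual approach from the post: one "neigh add proxy" entry per LAN host,
# plus the sysctls that turn on proxying and forwarding.
kernel_ndp_proxy_cmds() {
    iface=$1; shift
    printf 'sysctl -w net.ipv6.conf.%s.proxy_ndp=1\n' "$iface"
    printf 'sysctl -w net.ipv6.conf.all.forwarding=1\n'
    for a in "$@"; do
        printf 'ip -6 neigh add proxy %s dev %s\n' "$a" "$iface"
    done
}

# ndppd_conf IFACE PREFIX: emit an ndppd.conf that answers NS for every address
# in PREFIX seen on IFACE. "static" replies without probing a downstream
# interface, which is what a NETMAPped prefix needs: the translated GUA
# addresses exist on no interface at all. With a routed (untranslated) prefix,
# use "iface <lan-if>" instead so ndppd only answers for hosts that really
# respond on the LAN. Keyword syntax follows ndppd's README (assumed here).
ndppd_conf() {
    cat <<EOF
proxy $1 {
    router yes
    timeout 500
    ttl 30000
    rule $2 {
        static
    }
}
EOF
}

# Usage, as root, on the router (invented addresses):
#   kernel_ndp_proxy_cmds eth0 2001:db8:0:0::10 2001:db8:0:0::11 | sh
#   ndppd_conf eth0 2001:db8:0:0::/64 > /etc/ndppd.conf
#   ndppd -c /etc/ndppd.conf -d       # per ndppd's README
```

Caveat for the setup in the post: the modem's /64 is shared with whatever else is plugged into the modem (wifi clients, for instance). A `static` rule for the entire /64 makes the EdgeMax claim every address in it, including those devices' addresses, so narrow the rule to the range the NETMAP actually maps, and keep the kernel per-host entries for the few addresses you care about if ndppd is not available on the box.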

Member
Posts: 285
Registered: ‎01-15-2011
Kudos: 74
Solutions: 2

Re: IPv6 and NAT / NPTv6

I wanted to bump this thread, it's been some time and getting the upstream -j NOTRACK pruned would be ideal for day-to-day operation of the devices in the default setup, even if this is done with a hidden config tree directive.  Ideally I would like to use 66+PT or NPTv6 to assist a wireless ISP that could use the help rolling IPv6 but lacks the low-level linux capabilities to understand ip[6]tables that would be necessary.  Did this show up somewhere in 1.7-1.9 that didn't make it on my radar, or is this still an ongoing issue?

 

(This reminds me of the UniFi devices breaking IPv6 when guest portal is enabled as well; there's a lot of ipv6=off activity that needs to be fixed.  I'm OK with it not being offloaded, btw.)

Emerging Member
Posts: 95
Registered: ‎07-09-2016
Kudos: 29
Solutions: 3

Re: IPv6 and NAT / NPTv6

Hi,

 

re-bump from me.

I too am very interested in some progress on this, especially in the area of Loadbalancing on two IPv6 WAN uplinks.

 

Also @madler's note on not hard-coding the WAN prefix in the configuration is something I would be very interested in. Was there any update on this in another thread, because I don't see anything about it here...

 

BR

 Alex

Member
Posts: 251
Registered: ‎03-06-2016
Kudos: 118
Solutions: 8

Re: IPv6 and NAT / NPTv6

[ Edited ]

Apologies for the continued necroposting, but it's very relevant to the topic at hand.

 

I decided to experimentally go all-in with NPTv6, as sooner or later I'm going to have to give up my perfect static Hurricane Electric world and enter the big bad world of ISP-driven rotating /64s.

 

At a purely network level, all went well - inside, I was pure ULA, and outside, I was pure GUA, using NETMAP to translate bidirectionally between the two.  Routing and NAT worked exactly as expected (including ICMP), and it was fantastic and remarkably simple to implement...but.  (Isn't there always a but?)

 

I've known for a long time that Windows client DNS has the following order preference:

 

IPv6 GUA

IPv4

IPv6 ULA

 

Shockingly, I found that the entire Windows network stack follows that sequence - so all Windows client browsers on the pure-ULA-with-NPTv6 configuration suddenly started to prefer IPv4 - for _everything_.  Needless to say, this *sucks*.

 

(Actually, I just learned all RFC-compliant operating systems and applications do this, see RFC 6724 for details.)

 

It seems the only Windows-friendly strategy is to SLAAC (or otherwise propagate) the ISP GUA network and have a ULA on top of that, referencing internal resources by ULA address (but again comes the problem of ULA vs. IPv4 precedence when hosts have an IPv4 and a ULA entry)...but even if _that_ worked, firewalling now becomes a major issue, because without NPTv6, I have no effective means of writing static firewall rules independent of my ISP's whims.

 

How are people handling this in the real world?  Clients get a GUA _and_ a ULA *and* use NPTv6?

[Edit: No, they can't be.  NETMAPping incoming packets destined to traverse the firewall to a server will work, but the response will prefer the "real" GUA, causing asymmetric routing, won't it?  I need to think about this - it makes my head hurt.]

 

Gah!  My kingdom for a sane dual-stack implementation!

 

Rodney
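An added example, not code from the thread, of the rule behind the preference order described in the post above: Rule 6 ("prefer higher precedence") of RFC 6724 destination address selection, using the RFC's default policy table, applied to the resolver answers a pure-ULA host with NPTv6 sees. The hostnames and addresses are made up; the precedence values are the ones in RFC 6724 section 2.1.

```shell
#!/bin/sh
# Added example, not code from the thread. Rule 6 of RFC 6724 destination
# address selection with the RFC's default policy table, and its effect on a
# host that has a ULA and an IPv4 address but no GUA.

# rfc6724_precedence ADDR: precedence of the longest-matching default policy
# table entry. IPv4 destinations are compared as IPv4-mapped addresses
# (::ffff:a.b.c.d), as RFC 6724 does. Patterns are listed from most to least
# specific so the first match is the longest prefix match.
rfc6724_precedence() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ::1)                                   echo 50 ;;  # ::1/128       loopback
        ::ffff:*)                              echo 35 ;;  # ::ffff:0:0/96 IPv4-mapped
        2002:*)                                echo 30 ;;  # 2002::/16     6to4
        2001::*|2001:0:*|2001:00:*|2001:000:*|2001:0000:*)
                                               echo 5  ;;  # 2001::/32     Teredo
        f[cd]??:*)                             echo 3  ;;  # fc00::/7      ULA
        fe[c-f]?:*)                            echo 1  ;;  # fec0::/10     site-local (deprecated)
        ::*)                                   echo 1  ;;  # ::/96         IPv4-compatible (deprecated)
        *)                                     echo 40 ;;  # ::/0          everything else, GUA included
    esac
}

# preferred_dest ADDR...: the candidate Rule 6 prefers. Rules 1-5 are assumed
# to tie, which they do for a host holding a ULA and an RFC 1918 IPv4 address:
# both destinations are global scope under RFC 6724, and each matches the label
# of its own source address. Ties keep the earlier candidate (resolver order).
preferred_dest() {
    best=''; bestp=-1
    for cand in "$@"; do
        p=$(rfc6724_precedence "$cand")
        if [ "$p" -gt "$bestp" ]; then best=$cand; bestp=$p; fi
    done
    printf '%s\n' "$best"
}

# What the post observed: with only a ULA and IPv4 on the host, IPv4 wins for
# every dual-homed name; give the host a GUA and IPv6 is back in front.
preferred_dest fd00:1234:5678:1::10 ::ffff:192.168.1.10   # -> ::ffff:192.168.1.10
preferred_dest 2001:db8:1::10 ::ffff:192.168.1.10          # -> 2001:db8:1::10
```

The table is per host and editable (`netsh interface ipv6 show prefixpolicies` on Windows, `/etc/gai.conf` for glibc), so a site could raise ULA above 35 on machines it manages, but that only fixes the clients you control and does nothing for laptops that visit, which is why the thread's next reply ends up putting a GUA-looking prefix inside and NETMAPping it to the ISP's prefix instead.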

New Member
Posts: 15
Registered: ‎05-25-2013
Kudos: 6

Re: IPv6 and NAT / NPTv6

[ Edited ]

Hi @rhester72,

 

I think the "intended" way of IPv6 is to assign both GUA and ULA (and potentially many of both) to arrange your network. And, to not bother about the GUAs as they are often dynamic and can change at any time. Your internal traffic can use the ULA addresses, while internet traffic will select a GUA address. The firewall rules should be made in such a way that these do not depend on the prefix, and normally you also want to avoid NETMAP at all costs. So much for theory.

 

That being said...

 

I started out using a ULA subnet as well, and noticed the exact same thing regarding the preference order. My "solution" currently is to use GUA internally with NETMAP, in a special ISP-dependent manner (ugly IPv6 hacking).

 

My ISP installed a NAT'ing modem that hands out GUA IPv6 addresses in a /64 subnet. Now, it is known that the ISP actually hands a /56 to the NAT modem and the modem then takes subnet 0 to assign addresses to internal clients. As such, I "reserved" myself subnet 1 internally and NETMAP this subnet back onto subnet 0 for external traffic (1-to-1 mapping). Now, all this was more of a practice to me than a pure necessity and I think it would be best for me to clean up this stuff and install a transparent IPv6 firewall instead.

 

My firewalling policy is rather simple, in that I trust all internal devices and allow them to open connections to the outside world. I agree that doing good firewalling is much harder when the prefix is unknown or can randomly change. Mine hasn't for over two years now.

 

So to answer your questions:

- I do not use ULAs (started with them, but found out it didn't do what I wanted, just like you did)

- I use a self-proclaimed GUA /64 range that I know 100% will not exist anywhere else than at my network (and NETMAP to the ISP-assigned GUA).

 

One remark: all of this would be not of an issue if my ISP would use IPv6 PD and let my router handle it from there.

 

One more thought: try to get rid of the dual-stack, and your problem is solved.

 

Curious how other people handle this ULA stuff?

 

Member
Posts: 251
Registered: ‎03-06-2016
Kudos: 118
Solutions: 8

Re: IPv6 and NAT / NPTv6

Agree that the 'right' answer (for clients) is GUA + ULA...except for the caveat that ULA will literally never get used in a dual-stack environment, so there's little point.  (Not being dual-stack...too funny =)

 

Your solution is clever, but the whole point of the exercise (in many cases) is to eliminate dependency/churn based on ISP prefixes...which is exactly the problem I'm seeking to solve.

 

NETMAP doesn't really do it, because it's effectively dependent on ULA (so the prefix doesn't change), except ULA's useless...see above.

 

I could get by with pure GUA + ULA if I never had to open outside ports, but the moment I try to open an IPv6 port for, say, a web server or VPN, I'm boned without ULA...but if I use ULA, that won't work either, because I'm going to be receiving on ULA but answering on GUA.

 

This is ridiculous!  *sigh*  I swear, it's hard _not_ to imagine that standards are put in place by those who will never have to use them.

 

If the precedence issue weren't an issue, the entire problem would literally go away in an instant, and a clean NETMAP solution would be all that's required (in all but very extreme edge cases).

 

*grrrrrrrr*

 

Rodney

Emerging Member
Posts: 95
Registered: ‎07-09-2016
Kudos: 29
Solutions: 3

Re: IPv6 and NAT / NPTv6

Hi Rodney,

I'm following this discussion with great interest (in my case I'm still trying to get my head around how to do load balancing on two IPv6 WAN uplinks) and stumbled over your following statement

> I'm going to be receiving on ULA
> but answering on GUA.

I thought your router would receive on GUA, netmap and forward to server's ULA, server responds on same address as the request was received (i.e. ULA) and router will map back to GUA on the way out. Where am I wrong?

BR
Alex

Member
Posts: 251
Registered: ‎03-06-2016
Kudos: 118
Solutions: 8

Re: IPv6 and NAT / NPTv6


Alestrix wrote:
Hi Rodney,

I'm following this discussion with great interest (in my case I'm still trying to get my head around how to do load balancing on two IPv6 WAN uplinks) and stumbled over your following statement

> I'm going to be receiving on ULA
> but answering on GUA.

I thought your router would receive on GUA, netmap and forward to server's ULA, server responds on same address as the request was received (i.e. ULA) and router will map back to GUA on the way out. Where am I wrong?

BR
Alex

I left out the early gory details, but you're right about the early part of the chain.  The full sequence:

 

- Packet arrives at router from foreign GUA and is netmapped to server ULA

- Packet delivered to app listening on ULA

- Packet responds to source address on inbound packet

- Routing decision on internal server selects GUA route for reply as destination cannot be reached via ULA

- Response packet now has dest address from foreign GUA with source address of server GUA

- Packet departs router to original caller

 

There are two issues here:

 

- Unless the ULA and GUA are identical save prefix, the routing is going to be a problem, because the header on the response packet is going to be coming from a different GUA than the original packet was sent to

- Even if it is, there's a very good chance that conntrack will break, as it has no means of determining that the outbound GUA response is associated with the inbound ULA packet

 

Rodney

Member
Posts: 185
Registered: ‎05-24-2014
Kudos: 68
Solutions: 4

Re: IPv6 and NAT / NPTv6

Seems to be a bug with hwnat offload, or a case that I don't understand.

 

Removed the ER-X-SFP hwnat and ipsec offload:

offload {
    hwnat enable
    ipsec enable
}

Rebooted, and I have IPv6 prefix delegation working!

 

Confirmed that it is hwnat offload, as I re-enabled hwnat offload, issued:

release dhcpv6-pd interface eth0
delete dhcpv6-pd duid
renew dhcpv6-pd interface eth0

And lost IPv6. Disabled hwnat offload again, rebooted, and IPv6 is back.

 

I will do further testing to see if this only affects Spectrum, as I have ER-X-SFPs with Google Fiber with hwnat offload enabled and no problems with IPv6. Or maybe it's just a problem with this particular EdgeRouter?

 

 
