Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: guideclothing on March 03, 2015, 12:15:50 AM

Title: I want IPv6 internet access but my computers not to be publically addressable
Post by: guideclothing on March 03, 2015, 12:15:50 AM
Hi,

I have a Draytek 2925 router on which (yesterday) I successfully created a "6in4 Static Tunnel".

Prior to this, about 4 years ago, I set up an IPv6 DHCP server on my Windows server to issue internal IPv6 addresses in the range fc00:1234:5678:9abc::

From what I have now read these are only accessible internally on the network and will not be routed over the internet.

The problem is that I do not have IPv6 internet access when the computers on my network have an IPv6 address in the range fc00:1234:5678:9abc::

If I allocate an address that is part of my allocation from 2001:470:1f09:ad4::/64 to the machines on my network I believe they will all be publically addressable which I do not want.

I want to allocate IPv6 addresses from my internal IPv6 DHCP server. What range should I use so that the computers will have IPv6 addresses but not be accessible from outside my network?

thanks

jack

Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: cholzhauer on March 03, 2015, 05:02:57 AM
Quote
If I allocate an address that is part of my allocation from 2001:470:1f09:ad4::/64 to the machines on my network I believe they will all be publically addressable which I do not want.
Correct, they will be publicly addressable

Quote
I want to allocate IPv6 addresses from my internal IPv6 DHCP server. What range should I use so that the computers will have IPv6 addresses but not be accessible from outside my network?
There is no "magic address" that will do this for you.  However, if this is what you want, you need to use a firewall to control access to your network, just like you would for IPv4.
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: guideclothing on March 03, 2015, 05:49:14 AM
cholzhauer

Thanks for your reply.

With IP4 I use NAT then port forward from my public pool of IP's to the internal IP address where I want (on the Draytek router).

So if I did as you suggest and assigned public IPs to all computers and used the firewall to control access - if I move to an ISP that provides an IPv6 range I would need to re-assign new addresses to the machines on my internal network - which seems like a bad solution to me.

Do I have any other options with IPv6 other than to allocate publicly accessible IP addresses to my whole network?

thanks

jack


Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: cholzhauer on March 03, 2015, 05:52:59 AM
Quote
So if I did as you suggest and assigned public IPs to all computers and used the firewall to control access - if I move to an ISP that provides an IPv6 range I would need to re-assign new addresses to the machines on my internal network - which seems like a bad solution to me.
Use RA and DHCPv6.  Change the setting in one place and the changes roll out to everything else.

I'm not going to recommend any sort of NAT...what I mentioned above is the best way to do this.
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: guideclothing on March 03, 2015, 06:17:51 AM
sorry - what is RA? probably a very stupid question!
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: cholzhauer on March 03, 2015, 06:32:41 AM
RA = router advertisements

https://tools.ietf.org/html/rfc4861
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: guideclothing on March 03, 2015, 01:44:39 PM
sorry - of course - but on my servers I have put static IPv6 IP's and these would need to be re-allocated.

if there is no way around it then fine - but it just surprises me

thank-you for your prompt responses
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: cholzhauer on March 03, 2015, 05:13:09 PM
http://security.stackexchange.com/questions/44065/with-ipv6-do-we-need-to-use-nat-any-more
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: evantkh on March 04, 2015, 06:47:56 AM
Allow only one-direction forwarding on your firewall. Of course, do this with connection tracking, or else servers cannot reply to your addresses.

This will make your computers have public IPv6 addresses but they cannot be accessed from outside your network.
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: ravenstar on March 05, 2015, 01:27:32 AM
The myth of NAT being good for security strikes again :(

NAT was never about security; it was all about making the IPv4 pool last longer.

As has been said, using proper firewall rules helps.  Windows, for example, by default only allows incoming connections from the local subnet, so even if a machine has a public address it doesn't mean the public can get to it unless you change the rules to allow it.

Ravenstar68
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: tombii on June 02, 2015, 02:34:24 PM
Quote
sorry - of course - but on my servers I have put static IPv6 IP's and these would need to be re-allocated.

if there is no way around it then fine - but it just surprises me

thank-you for your prompt responses

Why allocate static IPv6? Use RA together with SLAAC and they will be autoconfigured and static due to how SLAAC works.
If you change ISP, change the setting on the router and RA will take care of the rest.
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: kcochran on June 02, 2015, 03:15:03 PM
'Static'.  As SLAAC assigns usually based on the machine's MAC address and you wind up changing out a NIC, your address will change.  If you really want static, RA and DHCPv6 if you're looking for more centralized management.  SLAAC for systems that don't provide services, DHCP for those that do.
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: snarked on June 03, 2015, 01:06:49 PM
A technical answer to the original question is:  It's impossible.  You can't have "access" with unaddressable computers because you will never get replies to your queries.  There is no such thing as NAT for IPv6.

As mentioned before, a properly set firewall is your solution.  You allow response packets to queries but nothing else at your network boundary.
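The boundary firewall evantkh and snarked describe (forwarding allowed in one direction, replies admitted by connection tracking), as an added example that is not from the thread or from Draytek: an ip6tables ruleset for a Linux router. It assumes the 6in4 tunnel interface is named he-ipv6 and the LAN is eth1 (placeholders), and uses the thread's 2001:470:1f09:ad4::/64 as the LAN prefix.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ip6tables rules for a Linux
# router so LAN hosts with global addresses get outbound IPv6 while unsolicited
# inbound connections are dropped at the tunnel. Interface names are assumed.
WAN_IF="${WAN_IF:-he-ipv6}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-2001:470:1f09:ad4::/64}"

# Emit the ruleset in ip6tables-restore format so it can be reviewed before loading.
ip6_fw_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies to its own connections, and ICMPv6 (NDP needs it).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Only the LAN side may open new connections, and only from our own prefix.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# From the tunnel: replies to LAN-initiated connections only.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 errors keep PMTU discovery working; conntrack usually marks them RELATED,
# but explicit rules keep them flowing even for flows the tracker has lost.
-A FORWARD -i $WAN_IF -o $LAN_IF -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# Anything else arriving from the tunnel is logged (rate limited) and hits the DROP policy.
-A FORWARD -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

# Review check: count rules that would ACCEPT a NEW connection arriving on the tunnel.
# For the policy above this must be 0.
ip6_fw_inbound_new_accepts() {
  ip6_fw_ruleset | grep -c -- "-i $WAN_IF .*NEW.*-j ACCEPT" || true
}

# Load only after reviewing the output:  ip6_fw_ruleset | ip6tables-restore
```

Hosts keep their global addresses (static or SLAAC), so changing prefix later only means editing LAN_NET here and on the router advertisement.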
Title: Re: I want IPv6 internet access but my computers not to be publically addressable
Post by: evantkh on June 05, 2015, 02:45:46 AM
Quote
A technical answer to the original question is:  It's impossible.  You can't have "access" with unaddressable computers because you will never get replies to your queries.  There is no such thing as NAT for IPv6.

As mentioned before, a properly set firewall is your solution.  You allow response packets to queries but nothing else at your network boundary.

There is NAT in IPv6 but usually it is not included in commercial routers for home uses. There is an extension for doing IPv6 NAT in ip6tables.