
I want IPv6 internet access but my computers not to be publicly addressable

Started by guideclothing, March 03, 2015, 12:15:50 AM


guideclothing

Hi,

I have a Draytek 2925 router on which (yesterday) I successfully created a "6in4 Static Tunnel".

Prior to this, about 4 years ago, I set up an IPv6 DHCP server on my Windows server to issue internal IPv6 addresses in the range fc00:1234:5678:9abc::

From what I have now read these are only accessible internally on the network and will not be routed over the internet.

The problem is that I do not have IPv6 internet access when the computers on my network have an IPv6 address in the range fc00:1234:5678:9abc::

If I allocate an address that is part of my allocation from 2001:470:1f09:ad4::/64 to the machines on my network I believe they will all be publicly addressable, which I do not want.

I want to allocate IPv6 addresses from my internal IPv6 DHCP server. What range should I use so that the computers will have IPv6 addresses but not be accessible from outside my network?

thanks

jack


cholzhauer

Quote
If I allocate an address that is part of my allocation from 2001:470:1f09:ad4::/64 to the machines on my network I believe they will all be publicly addressable, which I do not want.
Correct, they will be publicly addressable

Quote
I want to allocate IPv6 addresses from my internal IPv6 DHCP server. What range should I use so that the computers will have IPv6 addresses but not be accessible from outside my network?
There is no "magic address" that will do this for you.  However, if this is what you want, you need to use a firewall to control access to your network, just like you would for IPv4.

guideclothing

cholzhauer

Thanks for your reply.

With IPv4 I use NAT, then port forward from my public pool of IPs to the internal IP address where I want (on the Draytek router).

So if I did as you suggest and assigned public IPs to all computers and used the firewall to control access: if I move to an ISP that provides an IPv6 range I would need to re-assign new addresses to the machines on my internal network, which seems like a bad solution to me.

Do I have any other options with IPv6 other than to allocate publicly accessible IP addresses to my whole network?

thanks

jack



cholzhauer

Quote
So if I did as you suggest and assigned public IPs to all computers and used the firewall to control access: if I move to an ISP that provides an IPv6 range I would need to re-assign new addresses to the machines on my internal network, which seems like a bad solution to me.
Use RA and DHCPv6.  Change the setting in one place and the changes roll out to everything else.

I'm not going to recommend any sort of NAT...what I mentioned above is the best way to do this.

guideclothing

Sorry - of course - but on my servers I have put static IPv6 IPs and these would need to be re-allocated.

If there is no way around it then fine - but it just surprises me.

Thank you for your prompt responses.


evantkh

Allow only one direction forwarding on your firewall. Of course with connection tracking or else servers cannot reply to your addresses.

This will make your computers have public IPv6 addresses, but they cannot be accessed from outside your network.

ravenstar

The myth of NAT being good for security strikes again :(

NAT was never about security; it was all about making the IPv4 pool last longer.

As has been said using proper firewall rules helps.  Windows for example by default only allows incoming connections from the local subnet so even if a machine has a public address it doesn't mean the public can get to it unless you change the rules to allow it.

Ravenstar68

tombii

Quote from: guideclothing on March 03, 2015, 01:44:39 PM
Sorry - of course - but on my servers I have put static IPv6 IPs and these would need to be re-allocated.

If there is no way around it then fine - but it just surprises me.

Thank you for your prompt responses.

Why allocate static IPv6? Use RA together with SLAAC and they will be autoconfigured and static due to how SLAAC works.
If you change ISP, change the setting on the router and RA will take care of the rest.

kcochran

'Static'.  As SLAAC assigns usually based on the machine's MAC address and you wind up changing out a NIC, your address will change.  If you really want static, RA and DHCPv6 if you're looking for more centralized management.  SLAAC for systems that don't provide services, DHCP for those that do.
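The following is an added example, not code from any poster in this thread, showing what tombii and kcochran are describing: a SLAAC address is the router-advertised /64 prefix glued to a modified EUI-64 interface identifier derived from the NIC's MAC address (RFC 4291, Appendix A), so the address survives a change of ISP prefix but not a change of NIC. The tunnel prefix is the one quoted in the thread; the "new ISP" prefix (documentation range) and both MAC addresses are constructed.

```python
# Added example (not from the thread): SLAAC address composition from a /64
# prefix and a modified EUI-64 interface identifier (RFC 4291, Appendix A).
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    first = octets[0] ^ 0x02  # invert the universal/local bit of the first octet
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) + eui64_interface_id(mac))


def interface_id_of(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of an address: the part SLAAC keeps constant across prefixes."""
    return int(addr) & ((1 << 64) - 1)


# Constructed scenario: the thread's tunnel prefix, a hypothetical new ISP
# prefix (documentation range), and two made-up MAC addresses.
HE_PREFIX = "2001:470:1f09:ad4::/64"
NEW_ISP_PREFIX = "2001:db8:1:2::/64"
OLD_NIC = "00:11:22:33:44:55"
NEW_NIC = "00:11:22:66:77:88"


def scenario() -> dict:
    """Addresses before and after an ISP change and after a NIC swap."""
    before = slaac_address(HE_PREFIX, OLD_NIC)
    after_isp_change = slaac_address(NEW_ISP_PREFIX, OLD_NIC)
    after_nic_change = slaac_address(HE_PREFIX, NEW_NIC)
    return {
        "before": str(before),
        "after_isp_change": str(after_isp_change),
        "after_nic_change": str(after_nic_change),
        # the interface identifier is preserved across the prefix change...
        "iid_survives_isp_change": interface_id_of(before) == interface_id_of(after_isp_change),
        # ...but not across a NIC swap, which is kcochran's caveat
        "iid_survives_nic_change": interface_id_of(before) == interface_id_of(after_nic_change),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running it shows the host part `211:22ff:fe33:4455` unchanged when only the prefix moves from the tunnel allocation to the new ISP's /64, which is why the router's RA setting is the single place to change; the swapped NIC yields a different host part under the same prefix. Many current operating systems default to RFC 7217 stable or RFC 4941 privacy identifiers rather than EUI-64, in which case the MAC is not visible in the address, but the prefix-versus-identifier split shown here is the same.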

snarked

A technical answer to the original question is:  It's impossible.  You can't have "access" with unaddressable computers because you will never get replies to your queries.  There is no such thing as NAT for IPv6.

As mentioned before, a properly set firewall is your solution.  You allow response packets to queries but nothing else at your network boundary.
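As an added example (not code from evantkh, snarked, or anyone else in the thread), here is a small simulation of the policy both of them describe: LAN hosts keep their globally routable addresses, connections they initiate are remembered, replies to those connections are let back in, and everything else arriving from outside is dropped unless a service is deliberately published. The /64 is the one quoted in the thread; every other address, port and interface name is constructed.

```python
# Added example (not from the thread): stateful "allow outbound, drop
# unsolicited inbound" IPv6 policy, simulated over constructed packets.
# The equivalent ip6tables FORWARD-chain rules, with assumed interface names
# lan0 (inside) and he-ipv6 (tunnel), would be:
#   ip6tables -P FORWARD DROP
#   ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT   # in practice filter by type (RFC 4890)
#   ip6tables -A FORWARD -i lan0 -o he-ipv6 -j ACCEPT
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmpv6"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Default-deny inbound; allow LAN-initiated flows and their replies."""

    def __init__(self, lan: str, published_services=()):
        self.lan = ipaddress.IPv6Network(lan)
        # (proto, port) pairs deliberately reachable from the internet
        self.published = set(published_services)
        # connection table: 5-tuples of flows first seen leaving the LAN
        self.conntrack: set = set()

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        src_inside = ipaddress.IPv6Address(p.src) in self.lan
        dst_inside = ipaddress.IPv6Address(p.dst) in self.lan
        if src_inside and not dst_inside:
            # outbound: accept and remember it so the reply can come back
            self.conntrack.add(self._flow(p))
            return "ACCEPT"
        if dst_inside and not src_inside:
            if self._reverse(p) in self.conntrack:
                return "ACCEPT"  # reply to a flow the LAN host started
            if p.proto == "icmpv6":
                return "ACCEPT"  # ND, PMTUD etc.; real rules filter by type (RFC 4890)
            if (p.proto, p.dport) in self.published:
                return "ACCEPT"  # an explicitly exposed service
            return "DROP"  # unsolicited inbound: host is addressable but not reachable
        return "ACCEPT"  # traffic not crossing the boundary is out of scope here


LAN_PREFIX = "2001:470:1f09:ad4::/64"  # the allocation quoted in the thread
HOST = "2001:470:1f09:ad4::10"          # constructed LAN host
WEB = "2001:db8::443"                   # constructed internet server
SCANNER = "2001:db8::bad"               # constructed unsolicited sender


def scenario(published_services=()) -> list:
    """Run a fixed packet sequence through the policy and return the verdicts."""
    fw = StatefulFirewall(LAN_PREFIX, published_services)
    packets = [
        Packet("tcp", HOST, 51000, WEB, 443),       # LAN host opens HTTPS
        Packet("tcp", WEB, 443, HOST, 51000),       # the server's reply
        Packet("tcp", SCANNER, 40000, HOST, 3389),  # unsolicited RDP probe
        Packet("tcp", SCANNER, 40001, HOST, 443),   # unsolicited HTTPS probe
        Packet("tcp", WEB, 443, HOST, 51001),       # wrong source port: not in conntrack
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    print(scenario())                # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']
    print(scenario({("tcp", 443)}))  # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT', 'DROP']
```

The point the thread makes is visible in the verdicts: the host at `2001:470:1f09:ad4::10` is fully addressable, yet the only inbound packets that reach it are the reply to its own connection and, in the second run, the one service the administrator chose to publish. That is the same reachability IPv4 NAT gave by accident, obtained here by an explicit rule rather than by address rewriting, and it is what a stateful firewall on the Draytek or on ip6tables enforces.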

evantkh

Quote from: snarked on June 03, 2015, 01:06:49 PM
A technical answer to the original question is:  It's impossible.  You can't have "access" with unaddressable computers because you will never get replies to your queries.  There is no such thing as NAT for IPv6.

As mentioned before, a properly set firewall is your solution.  You allow response packets to queries but nothing else at your network boundary.

There is NAT in IPv6 but usually it is not included in commercial routers for home uses. There is an extension for doing IPv6 NAT in ip6tables.