Hurricane Electric's IPv6 Tunnel Broker Forums

Topic: I want IPv6 internet access but my computers not to be publicly addressable

guideclothing

  • Newbie
  • *
  • Posts: 4

Hi,

I have a Draytek 2925 router on which (yesterday) I successfully created a "6in4 Static Tunnel" tunnel.

Prior to this, about 4 years ago, I set up an IPv6 DHCP server on my Windows server to issue internal IPv6 addresses in the range fc00:1234:5678:9abc::

From what I have now read, these are only accessible internally on the network and will not be routed over the internet.

The problem is that I do not have IPv6 internet access when the computers on my network have an IPv6 address in the range fc00:1234:5678:9abc::

If I allocate an address that is part of my allocation from 2001:470:1f09:ad4::/64 to the machines on my network, I believe they will all be publicly addressable, which I do not want.

I want to allocate IPv6 addresses from my internal IPv6 DHCP server. What range should I use so that the computers will have IPv6 addresses but not be accessible from outside my network?

thanks

jack

Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2715

Quote
If I allocate an address that is part of my allocation from 2001:470:1f09:ad4::/64 to the machines on my network, I believe they will all be publicly addressable, which I do not want.
Correct, they will be publicly addressable.

Quote
I want to allocate IPv6 addresses from my internal IPv6 DHCP server. What range should I use so that the computers will have IPv6 addresses but not be accessible from outside my network?
There is no "magic address" that will do this for you.  However, if this is what you want, you need to use a firewall to control access to your network, just like you would for IPv4.
Logged

guideclothing

  • Newbie
  • *
  • Posts: 4

cholzhauer

Thanks for your reply.

With IPv4 I use NAT, then port forward from my public pool of IPs to the internal IP address where I want (on the Draytek router).

So if I did as you suggest and assigned public IPs to all computers and used the firewall to control access - if I move to an ISP that provides an IPv6 range I would need to re-assign new addresses to the machines on my internal network - which seems like a bad solution to me.

Do I have any other options with IPv6 other than to allocate the publicly accessible IP address to my whole network?

thanks

jack


Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2715

Quote
So if I did as you suggest and assigned public IPs to all computers and used the firewall to control access - if I move to an ISP that provides an IPv6 range I would need to re-assign new addresses to the machines on my internal network - which seems like a bad solution to me.
Use RA and DHCPv6.  Change the setting in one place and the changes roll out to everything else.

I'm not going to recommend any sort of NAT...what I mentioned above is the best way to do this.
Logged

guideclothing

  • Newbie
  • *
  • Posts: 4

Sorry - what is RA? Probably a very stupid question!
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2715
Logged

guideclothing

  • Newbie
  • *
  • Posts: 4

Sorry - of course - but on my servers I have put static IPv6 IPs and these would need to be re-allocated.

If there is no way around it then fine - but it just surprises me.

Thank you for your prompt responses.
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122

Allow only one-direction forwarding on your firewall. Of course, use connection tracking, or else servers cannot reply to your addresses.

This will make your computers have public IPv6 but not be accessible from outside your network.
Logged

ravenstar

  • Jr. Member
  • **
  • Posts: 63

The myth of NAT being good for security strikes again :(

NAT was never about security; it was all about making the IPv4 pool last longer.

As has been said, using proper firewall rules helps.  Windows, for example, by default only allows incoming connections from the local subnet, so even if a machine has a public address it doesn't mean the public can get to it unless you change the rules to allow it.

Ravenstar68
Logged

tombii

  • Newbie
  • *
  • Posts: 2

Quote
Sorry - of course - but on my servers I have put static IPv6 IPs and these would need to be re-allocated. If there is no way around it then fine - but it just surprises me. Thank you for your prompt responses.
Why allocate static IPv6? Use RA together with SLAAC and they will be autoconfigured and static due to how SLAAC works.
If you change ISP, change the setting on the router and RA will take care of the rest.
Logged

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator
  • Sr. Member
  • *****
  • Posts: 415

'Static'.  As SLAAC usually assigns based on the machine's MAC address, if you wind up changing out a NIC, your address will change.  If you really want static, RA and DHCPv6 if you're looking for more centralized management.  SLAAC for systems that don't provide services, DHCP for those that do.
Logged

snarked

  • Hero Member
  • *****
  • Posts: 766

A technical answer to the original question is:  It's impossible.  You can't have "access" with unaddressable computers because you will never get replies to your queries.  There is no such thing as NAT for IPv6.

As mentioned before, a properly set firewall is your solution.  You allow response packets to queries but nothing else at your network boundary.
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122

Quote
A technical answer to the original question is:  It's impossible.  You can't have "access" with unaddressable computers because you will never get replies to your queries.  There is no such thing as NAT for IPv6. As mentioned before, a properly set firewall is your solution.  You allow response packets to queries but nothing else at your network boundary.
There is NAT in IPv6 but usually it is not included in commercial routers for home use. There is an extension for doing IPv6 NAT in ip6tables.
Logged
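
The firewall approach recommended in the replies above (one-direction forwarding with connection tracking), written for a Linux router using ip6tables, the tool named in the last post. This is an added example and not part of any post; the interface names `he-ipv6` (tunnel) and `eth0` (LAN) are assumptions, and the prefix is the routed /64 from the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: WAN tunnel interface
# "he-ipv6", LAN interface "eth0". The prefix is the routed /64 quoted above.

# Print an ip6tables-restore ruleset: hosts keep public addresses, but only
# the LAN side may open connections.
emit_rules() {
    wan="$1"; lan="$2"; prefix="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic addressed to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Neighbor Discovery and path-MTU discovery both ride on ICMPv6.
-A INPUT -p ipv6-icmp -j ACCEPT
# LAN hosts may reach the router (management, DNS); tighten as needed.
-A INPUT -i $lan -j ACCEPT
# --- traffic routed between the LAN and the tunnel ---
# Replies to flows a LAN host opened; RELATED also covers ICMPv6 errors
# such as Packet Too Big that refer to a tracked flow.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# New flows in one direction only, and only from the routed prefix.
-A FORWARD -i $lan -o $wan -s $prefix -m conntrack --ctstate NEW -j ACCEPT
# Everything else, including unsolicited inbound, hits the DROP policy.
COMMIT
EOF
}

# Defaults are the assumed interface names and the thread's /64.
emit_rules "${1:-he-ipv6}" "${2:-eth0}" "${3:-2001:470:1f09:ad4::/64}"
```

Check the output with `ip6tables-restore --test` as root before loading it. The 6in4 encapsulation itself is IPv4 protocol 41, so it is filtered by the IPv4 rules, not by this ruleset.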