http://www.juniper.net/documentation/en ... rview.htmlIPv6 NAT
IPv6-to-IPv6 NAT (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, IPv6-to-IPv6 Network Address Translation (NAT66), is fully supported by the Junos OS.
No offense, but that's just a lame argument and you know it. By that logic if you are using NAT on IPv4 (which I am sure you do) then you are doing something wrong. There isn't right and wrong. NAT is just a tool among many others. Just because you don't need it or you don't like it doesn't make it 'wrong'.If you need to use NAT with IPv6 you're doing something wrong..
+1It would be really nice to add NAT66 support for IPv6 ...
You mean NPT, and both NAT66 and NPT (or netmap) are types of NAT.NETMAP needed.
not nat.
ip6tables -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -d ${GUA_BLOCK} -j DNPT --src-pfx ${GUA_BLOCK} --dst-pfx ${ULA_BLOCK}
ip6tables -t mangle -A POSTROUTING -o ${EXTERNAL_INTERFACE} -s ${ULA_BLOCK} -j SNPT --src-pfx ${ULA_BLOCK} --dst-pfx ${GUA_BLOCK}
ip6tables -t nat -A PREROUTING -i ${EXTERNAL_INTERFACE} -j NETMAP -d ${GUA_BLOCK} --to ${ULA_BLOCK}
ip6tables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j NETMAP --to ${GUA_BLOCK} -s ${ULA_BLOCK}
Is NAT66 the same as NPTv6 though? I believe they are a different concept, different RFCs even.Once again, I had to change all IPv6 addresses for services on my local network because Comcast changed my /60 for what seems like the sixth time. I am quite tired of this, so this time, I defined a ULA for my local network instead of changing all of my servers' addresses and reverse DNS zones to the new Comcast block. Since Mikrotik RouterOS still cannot do IPv6 Network Prefix Translation, I had to rely on a little Raspberry Pi 4 to do it through a tiny intermediate VLAN segment. I do not like this solution because it is a hacky workaround. I wish I could do this right on my Mikrotik CCR2004 border router and remove the extra bottleneck and single point of failure.
The new Linux kernel in RouterOS 7 should already be able to do prefix translation. It's not like Mikrotik needs to reinvent the wheel. All Mikrotik needs to do is allow us to define the prefix translation in using their RouterOS abstraction. We need a way to do the equivalent of either of these iptables commands:
Using the Linux Network Prefix Translation tables from the mangle table: (man: DNPT, SNPT)
Code: Select allip6tables -t mangle -A PREROUTING -i ${EXTERNAL_INTERFACE} -d ${GUA_BLOCK} -j DNPT --src-pfx ${GUA_BLOCK} --dst-pfx ${ULA_BLOCK} ip6tables -t mangle -A POSTROUTING -o ${EXTERNAL_INTERFACE} -s ${ULA_BLOCK} -j SNPT --src-pfx ${ULA_BLOCK} --dst-pfx ${GUA_BLOCK}
Using the Linux NETMAP table from the nat table: (man: NETMAP)
Code: Select allip6tables -t nat -A PREROUTING -i ${EXTERNAL_INTERFACE} -j NETMAP -d ${GUA_BLOCK} --to ${ULA_BLOCK} ip6tables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j NETMAP --to ${GUA_BLOCK} -s ${ULA_BLOCK}
This one little feature would immensely help all Mikrotik users deal with ISPs who dynamically assign and often change IPv6 prefix delegations on their customers.
As long as end-users' router/client devices still get the end-to-end principle (the whole point of IPv6), it should be fine. But keep in mind IPv6 was designed to make our lives easier by being stateless/ND/RADVD based.On IPv6 I generally avoid NAT but see the need for NPT.
However, I do actually agree that in a few corner cases NAT66 can be helpful. I would never use it to NAT users, but in one case I am using NAT66 port forward for a RADIUS IP to avoid having to manually add dozens of clients as RADIUS clients. The NAT66 rule ensures that the RADIUS server sees all clients as actually coming from the same source IPv6 address. I don't see any harm in allowing it for such uses.
Is NAT66 the same as NPTv6, though? I believe they are a different concept, different RFCs even.
My useless ISP gives only a single /64, you can imagine trying to subnet that. I'm moving to VyOS as soon as I can as they support NPTv6 natively.
Yes, I second this suggestion about the prefix hint. A lot of ISPs around here default to /64, but will give larger with a prefix hint. It is unfortunately commonplace that ISPs have to default to giving out /64's. The underlying issue is that a *lot* of home router vendors (D-Link, Linksys, Belkin, TP-Link, etc.) will expect the ISP to provide a /64 and only a /64. If you give those devices something bigger like a /56, they will take the entire /56 and place it on the LAN interface, which breaks SLAAC and then nothing gets an IPv6 address. We give our customers /56's and out of about 1500 customers, we have at least 200 customers who have routers that are affected by this. If I reduced the prefix size to /64, I would have 200 more customers using IPv6 immediately. The home router vendors for the most part don't care to fix this - contacting them gives such responses as "you don't need IPv6 anyway", which makes me suspect that they don't really care about IPv6 support and just add a half-baked version so that they can check the "IPv6" box in product comparisons with competitors.Have you tried setting your DHCPv6 client to ask for a /60 or /56 in the prefix hint? I did that when I was first messing around with IPv6 a few years ago, and Comcast miraculously granted a /60. If they don't, you should whine and rock the boat.My useless ISP gives only a single /64, you can imagine trying to subnet that. I'm moving to VyOS as soon as I can as they support NPTv6 natively.
I wouldn't bother with /64 for now, until networking vendors catch up with a more reliable solution for subnetting a /64.Is NAT66 the same as NPTv6, though? I believe they are a different concept, different RFCs even.
You're right: NAT66 is not the same thing as NPTv6. The Opening Post originally asked for NAT66 six years ago, but many people in this thread have asked for NPT instead. NAT66 is the stateful port translation from a single overloaded address hack that we have to do for IPv4. On the other hand, Network Prefix Translation can be stateless and grants end-to-end connectivity. I can access any internal host using any protocol from the outside through the prefix swap (that is, if I allow them through my firewall). In IPv4 terms, Network Prefix Translation is as if your ISP would grant your connection an entire IPv4 /24 (class C) block which you then map directly to a private /24, with a 1:1 address relationship at layer 3, with no necessary knowledge of ports, connections, or whatever else is going on in layers 4 and above.
My useless ISP gives only a single /64, you can imagine trying to subnet that. I'm moving to VyOS as soon as I can as they support NPTv6 natively.
Have you tried setting your DHCPv6 client to ask for a /60 or /56 in the prefix hint? I did that when I was first messing around with IPv6 a few years ago, and Comcast miraculously granted a /60. If they don't, you should whine and rock the boat.
You can do prefix translation for a single /64, but if the router (i.e., Mikrotik) is not doing the translation, it would require proxying neighbor discovery, which has other issues because of the sheer size of a /64.
You can subnet the 18 quintillion addresses in a /64 if you turn on the managed flag in your router advertisements and use DHCPv6 instead of SLAAC, but the tradeoffs of doing this is a different topic.
Sometimes the ISP does not consider it a mistake. E.g. there are places where it is considered to be "best practice" to give residential users a new address every day.That said, of course RouterOS should support NPTv6 and NAT66 too, because those are tools that in some cases can be useful. Downside is that if it can also cover someone else's mistakes, there will be less pressure to fix them.
I agree, which is why we do not do this. However, users can at least request larger prefixes from ISPs that do implement such workarounds by using a prefix hint of /60 or /56. The thing I do not like about that is that it removes pressure from the home router vendors to fix their broken products. The good news is that I'm starting to see more and more new routers behave correctly, so the vendors seem to be slowly (and finally) starting to fix it.The way forward is to slowly fix current mess. But really fix what's broken, not create workarounds that allow broken stuff to work. If home routers can't deal with larger prefix, then they are broken and users should get their money back. If ISPs give out single /64s to accomodate broken routers, they should not.
I haven't looked into the RPi world for "router" images to use - which one are you considering?Now sorry to say that but I'm thinking about to ditch my Mikrotik hAP router in favor of RPi.
I decided to try out ROS 7 beta on a CHR in GNS3 just to kick the tires a little, and was sad to see that there's still not 'nat' tab in the IPv6 firewalls menu.
ICMPv6:: forward: in:eth2 out:eth1, src-mac 00:15:5d:e7:1f:0a, proto ICMP (type 128, code 0), fd20::30->2a00:1450:401b:806::200e, len 40
/ipv6/firewall/nat/add chain=dstnat src-address=fd20::/64 action=netmap to-address=2001:560:6264:201::/64
ICMPv6:: forward: in:eth2 out:eth1, src-mac 00:15:5d:e7:1f:0a, proto ICMP (type 128, code 0), fd20::30->2001:560:6264:201::, len 40
/ipv6/firewall/nat/add chain=srcnat src-address=fd01::/64 action=netmap to-address=2001:db8::/64
failure: dstnat/redirect/netmap action must be in dstnat/output chains
ip6tables -t nat -A POSTROUTING -s fd01::/64 -j NETMAP --to 2001:db8::/64
ip6tables -t nat -A PREROUTING -d 2001:db8::/64 -j NETMAP --to fd01::/64
Yes, I noticed this before and came to the same conclusion. Also, the action src-nat is not available in the srcnat chain for some reason, only masquerade. I haven't checked on a Linux box but I assume this option is available in ip6tables.Which is the same way as I'd do it with IPv4, then for now I'm going to stick with my theory that MikroTik simply added only half of netmap by mistake.
/ipv6 firewall mangle
add chain=postrouting action=snpt src-address=fd00:1234:5678:9a00::/56 src-prefix=fd00:1234:5678:9a00::/56 dst-prefix=publ:icpr:efix:b700::/56
add chain=prerouting action=dnpt dst-address=publ:icpr:efix:b700::/56 src-prefix=publ:icpr:efix:b700::/56 dst-prefix=fd00:1234:5678:9a00::/56