NPt?



  • I need help. I am playing with ipv6 and I still don't get some things:

    I set up my LAN with ULA addresses. My LAN interface has a static IPv6 subnet of fdf5:4d23:aaaa:bbbb:0:0:0:1/64.
    Awesome. My LAN is now on IPv6.
    Now I got my /64 from Hurricane Electric, and I set up the tunnel, the gateway and everything as described in [1], except the LAN part: since I have ULA addresses on my LAN, I would like to try to keep them as they are, and NPt the addresses to my public /64.
    So I configured npt like this:

    I can access the ipv6 internet now from my lan, and http://test-ipv6.com/ says I'm on a cool 10/10:

    BUT if I try to access a published service on my LAN from the IPv6 internet on my public IPv6 address, I just get a connection timeout.
    Did I miss something? If I NPt my internal ULA addresses to my public 2001:470…. addresses, shouldn't that be enough? Do I need to do something else?
    I looked at the firewall rules, and there does not seem to be any blocking going on. Can there be something else?

    [1] https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker





  • Ok it works now. Sorry for the spam.
    In the firewall rules, on the tunnel interface, I needed to allow traffic to the internal ULA address of the host I have the service published on.
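    Added example, not part of the thread or of pfSense's own code: a small Python model of the NPt prefix swap from the first post and of pf's translate-then-filter order on inbound traffic, which is why the tunnel-interface rule has to name the internal ULA address rather than the public one. The 2001:470:aaaa::/64 public prefix is a constructed stand-in for the elided one; the interface name HENETV6 is taken from a later post.

    ```python
    import ipaddress
    from dataclasses import dataclass

    # Prefixes from the thread; 2001:470:aaaa::/64 is a constructed placeholder
    # for the poster's real routed /64, not an actual allocation.
    INTERNAL = ipaddress.IPv6Network("fdf5:4d23:aaaa:bbbb::/64")
    EXTERNAL = ipaddress.IPv6Network("2001:470:aaaa::/64")


    def npt_translate(addr, src, dst):
        """Plain prefix swap: keep the host bits of addr, replace src's prefix with dst's.

        Both networks must have the same prefix length for the swap to be well defined.
        """
        a = ipaddress.IPv6Address(addr)
        if src.prefixlen != dst.prefixlen:
            raise ValueError("NPt needs equal-length prefixes")
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        host_bits = int(a) & ((1 << (128 - src.prefixlen)) - 1)
        return ipaddress.IPv6Address(int(dst.network_address) | host_bits)


    @dataclass
    class Rule:
        iface: str                  # interface the rule is bound to, e.g. the HE tunnel
        dst: ipaddress.IPv6Network  # destination the rule matches
        port: int
        action: str = "pass"


    def inbound_decision(iface, dst_addr, port, rules):
        """Mimic pf's order on the tunnel interface: translation first, filtering second.

        Rules therefore see the internal (ULA) destination, never the public one.
        Returns (action, translated_destination).
        """
        translated = npt_translate(dst_addr, EXTERNAL, INTERNAL)
        for r in rules:
            if r.iface == iface and translated in r.dst and r.port == port:
                return r.action, translated
        return "block", translated  # no matching pass rule: default deny


    # Rule written against the public address: looks right, but never matches.
    WRONG_RULES = [Rule("HENETV6", ipaddress.IPv6Network("2001:470:aaaa::5/128"), 443)]
    # Rule written against the ULA address the host really has: matches.
    RIGHT_RULES = [Rule("HENETV6", ipaddress.IPv6Network("fdf5:4d23:aaaa:bbbb::5/128"), 443)]
    ```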



  • Strange.
    I never used that NPt tab before.
    I'm using HE.NET and some devices on my LAN are accessible from WAN using IPv6.

    It's a matter of adding some firewall rules on the interface that passes the IPv6 traffic: NOT your WAN (IPv4 only) but the interface called "HENETV6".

    Now, my "disk station" on my LAN is accessible from the Internet (from my 2 servers on the net, actually) using IPv6.



  • LAYER 8 Netgate

    Now I got my /64 from Hurricane Electric, and I set up the tunnel

    Get a /48 and do it right. Still free.



  • @Derelict:

    Now I got my /64 from Hurricane Electric, and I set up the tunnel

    Get a /48 and do it right. Still free.

    By doing it right you mean setting my internal IPs to my reserved /48?
    I would like to keep my ULA addresses for the moment and NPt them to the external addresses.
    I think I will add another IPv6 WAN interface in the near future, so I'd like to play with NPt.


  • LAYER 8 Netgate

    No reason to NAT/NPt with IPv6 unless it is absolutely a last resort (or some other extenuating circumstances.)

    Release your IPv4 mind. Imagine a world without NAT where billions and billions of addresses are yours for the asking.



  • @Derelict:

    Get a /48 and do it right. Still free.

    Doing it right? I'm all OK with that. It would be a nice thing if this page https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker reflected a pure /48 setup.
    Right now, I'm using the /64 for my LAN.

    edit: sorry, this is off topic.


  • LAYER 8 Netgate

    Building a Tunnel
    Sign Up

    This article assumes that an account has already been registered with Hurricane Electric or some other broker. After registering an account and getting the first /64 or /48 IPv6 block assigned, the gif tunnel may be configured on pfSense.

    It's pretty much the same thing. You would just be using a /64 out of the /48 for your LAN.



  • @Derelict:

    No reason to NAT/NPt with IPv6 unless it is absolutely a last resort (or some other extenuating circumstances.)

    Release your IPv4 mind. Imagine a world without NAT where billions and billions of addresses are yours for the asking.

    Ok I am trying to: so say I set my internal servers' service IPs to a /48 I own. Say
    2001:470:1f0a:f30::1
    2001:470:1f0a:f30::2
    2001:470:1f0a:f30::3
    and so on.

    Do I use these addresses to get to the services internally in my LAN? Or do I use other addresses? Maybe the ULA address?

    What happens when I change ISP?
    Do I still use the "old" IPs from HE? Do I still have to use the tunnel even if I get IPv6 directly from my ISP? Do I have to change all of them?

    Or if I add another WAN interface from another ISP? So I maybe have 2001:470:1f0a::/48 and 2001:41d0:8::/48. Can I load balance between them? Why should I prefer one over the other for my "internal" addressing? What happens when one ISP goes down?

    Having internal ULA addresses and translating them over to the public side with NPt seems so much nicer to me. Where am I wrong?



  • @pox:

    What happens when I change ISP?
    Do I still use the "old" IPs from HE? Do I still have to use the tunnel even if I get IPv6 directly from my ISP? Do I have to change all of them?

    ISPs could give you a static IP (WAN). Some do it always, some ask money for it. Others change your IPv4 all the time (PPPoE connections).
    When you move, your IPv4 will change - I'm pretty sure.
    But …. have a look at the "tunnel server" that you are using with he.net (the town it's located in): if that one is OK for you - still the closest - then you do not have to create another tunnel with them.
    Same tunnel means: same /64 and same /48.
    This is an advantage when one uses he.net.

    From what I understand of why you would use this "NPt": maybe you're right ;) (I never had a real look at this NPt - didn't need it).



  • @pox:

    Having internal ULA addresses and translating them over to the public side with NPt seems so much nicer to me. Where am I wrong?

    Now I had to change the routed subnet from HE because I wanted to make a new tunnel in another location.
    Having used ULA addresses inside my LAN, I just had to go to Firewall->NAT->NPt on pfSense, and change "Global Unicast routable IPv6 prefix" from 2001:470:aaaa:: to 2001:470:bbbb:: and everything works like before.

    If I had assigned all IPs statically on the servers, I would have had to change them all somehow. With NPt it was one textbox.

    I really don't understand why this is considered bad. I am sure I am missing something, but I would like to understand. What problems could I run into that I did not foresee?


  • LAYER 8 Netgate

    Because NAT sucks. It breaks protocols that contain connection addresses in them, such as SIP and (who cares) FTP.



  • @Derelict:

    Because NAT sucks. It breaks protocols that contain connection addresses in them, such as SIP and (who cares) FTP.

    Ok, I don't use SIP.
    So I would tend to keep the convenience of changing my public facing addresses with one textbox… or is there more?


  • LAYER 8 Netgate

    NAT sucks. If what you are doing works for you, that's cool.



  • @pox:

    @Derelict:

    No reason to NAT/NPt with IPv6 unless it is absolutely a last resort (or some other extenuating circumstances.)

    Release your IPv4 mind. Imagine a world without NAT where billions and billions of addresses are yours for the asking.

    Ok I am trying to: so say I set my internal servers' service IPs to a /48 I own. Say
    2001:470:1f0a:f30::1
    2001:470:1f0a:f30::2
    2001:470:1f0a:f30::3
    and so on.

    Do I use these addresses to get to the services internally in my LAN? Or do I use other addresses? Maybe the ULA address?

    What happens when I change ISP?
    Do I still use the "old" IPs from HE? Do I still have to use the tunnel even if I get IPv6 directly from my ISP? Do I have to change all of them?

    Or if I add another WAN interface from another ISP? So I maybe have 2001:470:1f0a::/48 and 2001:41d0:8::/48. Can I load balance between them? Why should I prefer one over the other for my "internal" addressing? What happens when one ISP goes down?

    Having internal ULA addresses and translating them over to the public side with NPt seems so much nicer to me. Where am I wrong?

    First off, you can have both ULA and global addresses on the same interface.  IPv6 is designed to have multiple addresses.  I have my network configured with ULA as well as global addresses.  I use the ULA between local devices and global for the Internet.  Second forget about NAT.  It's a hack designed to get around the IPv4 address shortage but causes other problems.  With the IPv6 address space, there's absolutely no need to use NAT.  For example, a single /64 provides 2^64 or 1.84467440737 x 10^19 addresses.  With a /48 prefix, you get 65536 /64s.  That's a LOT of addresses!

    Another nice thing about IPv6 is it's easy to change ISPs.  You get a new address block and everything updates automagically.  You can even have more than one and use either or both as appropriate.  Should you move to another ISP, all you have to do is update any DNS that points to your network.  Of course, there'd be no change for ULA addresses.

    In general, people have to stop being limited by the IPv4 way of doing things.  IPv6 is so much better.



  • @JKnott:

    First off, you can have both ULA and global addresses on the same interface.  IPv6 is designed to have multiple addresses.  I have my network configured with ULA as well as global addresses.  I use the ULA between local devices and global for the Internet.  Second forget about NAT.  It's a hack designed to get around the IPv4 address shortage but causes other problems.  With the IPv6 address space, there's absolutely no need to use NAT.  For example, a single /64 provides 2^64 or 1.84467440737 x 10^19 addresses.  With a /48 prefix, you get 65536 /64s.  That's a LOT of addresses!

    Another nice thing about IPv6 is it's easy to change ISPs.  You get a new address block and everything updates automagically.  You can even have more than one and use either or both as appropriate.  Should you move to another ISP, all you have to do is update any DNS that points to your network.  Of course, there'd be no change for ULA addresses.

    In general, people have to stop being limited by the IPv4 way of doing things.  IPv6 is so much better.

    Thank you for your answer.
    So you use ULA addresses assigned from DHCP for internal traffic, and public addresses assigned with SLAAC for traffic that goes out to the internet.
    BUT I seem to get the idea that with SLAAC you can't give a specific subnet to a device/host, so how can you make a firewall rule to say that my Chinese webcam is not allowed to go out on the internet, but my PS4 is?
    Do you use different VLANs for every device? Is that even manageable? Or is there another way to do that?

    Thank you



  • I do not use DHCP, SLAAC only.  Why do you want to assign a subnet to a host?  SLAAC, like DHCP, gives a device an address.  It doesn't make any difference to the firewall.  If your webcam has only a ULA address, it will never be passed to the Internet.  You could create a VLAN for the cameras that has ULA only and also allow the computer on that VLAN, so that it can access the camera.  The PS4 would be on the main LAN and get a global address.  And no, you don't have a VLAN for every device.  Just create one, with ULA only, for the cameras.



  • @JKnott:

    I do not use DHCP, SLAAC only.  Why do you want to assign a subnet to a host?  SLAAC, like DHCP, gives a device an address.  It doesn't make any difference to the firewall.  If your webcam has only a ULA address, it will never be passed to the Internet.  You could create a VLAN for the cameras that has ULA only and also allow the computer on that VLAN, so that it can access the camera.  The PS4 would be on the main LAN and get a global address.  And no, you don't have a VLAN for every device.  Just create one, with ULA only, for the cameras.

    All right, it starts to make sense. Please help me out with just one more thing: at the moment I have VLAN 20 for devices I trust, and VLAN 30 for devices I do not trust. Say on VLAN 20 I have

    • the server

    • the laptop

    • the phone and

    • the mediacenter

    and on VLAN 30 I have

    • the PS4

    • two Chinese webcams

    • the fridge

    • the tv

    all the things on VLAN 20 can go to the internet, but on VLAN 30 just the TV and the PS4 can. As I did things until now, I just give all those devices a fixed IP and make firewall rules to let them out on the internet or not.
    How do you do this the IPv6 way?
    As I understand it, you would create 3 VLANs:

    • one main VLAN for the things I trust - that get ULA addresses and global addresses

    • one for things I do not trust, but that can get to the internet - that get ULA addresses and global addresses (PS4 and TV)

    • one for things I do not trust, that can not go to the internet - that get just ULA addresses (the webcams, the fridge)

    This way, if the global addresses assigned to me change, SLAAC takes care of that. I just have to change the IPs I assigned statically (if any).
    Did I get it?



    On the networks you want to access the internet, you assign global addresses and can also assign ULA.  On the network you don't want to reach the Internet, ULA only.  Assuming you have more than a /64 IPv6 prefix, you select a different prefix ID for each interface.  For example, I have a /56.  That means I can pick anything between 0 & FF for a network.  Routing between interfaces means your computer should be able to reach the cameras etc.

