The question above for the most part, been reading up on it. Also want to it for learning purposes.

  • 30021190@lemmy.cloud.aboutcher.co.uk
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    IPv6 doesn’t support NAT… Or am I woefully out of date.

    But your home router will just firewall like it does already but you don’t have NAT as a simple fall back for “security”. It does make running internal services much easier as you no long need to port forward. So you can run two webservers on port 80 and they be bother allowed inbound without doing horrible load balance or NAT translation.

    • NocturnalEngineer@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      IPv6 has NPTv6, which allows you to translate from one prefix into another.

      Useful if you’ve got dual WAN, and can’t advertise your own addressing via the ISP. You can use NPTv6 to translate between your local prefix and the public prefixes. But NPTv6 is completely stateless. It’s literally a 1:1 mapping between the prefixes.

      • orangeboats@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        IPv6 has both NAT66 and NPTv6. (Note that NPTv6 was once called NAT66 too, but I am referring to the “stateful, one-to-many” NAT66 here. Yeah, it’s confusing.) NAT66 is more like the traditional stateful NAT that all of us know and understand.

    • fedev@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      The router does have a firewall but it blocks everything inbound by default. Some routers (at least mine) do not offer the granularity to filter traffic for certain devices (no NAT either). It’s either allow all in or nothing.

      When you enable IPv6 and switch off the firewall (since you can’t host anything otherwise), every device becomes exposed to the internet.

      Then unless the devices have a firewall themselves, all is exposed. Not just the web services, ssh and the rest as well.

      • fedev@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        There was a way around it however but not something everyone will be able to do with their home router. I had to ssh to the router using ISP admin credentials leaked on the internet, then create a file in init.d that loads a custom iptables file with the firewall rules I needed for IPv6. NAT for IPv6 however was not supported by the kennel used for my router.