One of the things NAT has permitted us to do in the past decade is split physical services onto different servers whilst hiding behind a single interface.

For example, I have example.com behind a NAT on 192.0.2.10. I port-forward :80 and :443 to my web server. I also port forward :25 to my mail server, :3389 to a terminal server and :8080 to the web interface of my computer that downloads torrents, and the story goes on.

So I have 5 port forwardings going to 4 different computers on example.com.

Then, I go and get me some neat IPv6. I assign example.com an IPv6 address of 2001:db8:88:200::10. That's great for my websites, but I want to go to example.com:8080 to get to my torrents, or example.com:3389 to log on to my terminal server.

How can I do this with IPv6, as there is no NAT? Sure, I could create a bunch of new DNS entries for each new service, but then I have to update all my clients who are used to just typing example.com to get to either the website or the terminal server. My users are dumber than two bricks so they won't remember to connect to rdp.example.com.

What options do I have for keeping NAT-style functionality with IPv6?

In case you haven't figured it out, the above scenario is not a real scenario for me, or perhaps anyone yet, but it's bound to happen eventually. You know, with devops and all.

Michael Hampton
Mark Henderson

1 Answer

We finally have the chance to leave one of the Internet's biggest mistakes behind in the dustbin of history. Don't blow it.

  1. Strongly encourage your customers to stop worrying and learn to love IPv6 without NAT and get accustomed to typing in things like rdp.example.com (which they already should have been doing; the scenario you've described strikes me as horribly bad design). We have hostnames in part because various services are located at different addresses on the network; this NAT misfeature you're long accustomed to, which let you address individual services on the same hostname which were actually at different addresses on the network, will and must go away.

    Begin helping your customers transition to the new normal by providing those hostnames now and encouraging their use, even if you still only have IPv4. This will make the transition easier for almost everyone.

  2. In cases where you must forward ports for the rare legacy applications that can't be updated, and the guy who can't remember his own name unless it's written on a sticky note on his monitor, this can still be done at layer 7 with tools such as xinetd and socat. Socat can forward both TCP and UDP connections, so it will probably be more useful.

A similar question, with much the same answer, was recently asked on Super User: How to port-forward IPv6 in m0n0wall?

Michael Hampton
    In addition to everything above, remember that ***load balancing still works just as well if everything has a public IPv6 address*** -- This is the other common use of NAT (one public IPv4 on a load balancer mapping to multiple servers with private IPv4 addresses), and the only change is you'll have one public IPv6 address mapping to multiple *public, but firewalled,* IPv6 addresses... – voretaq7 Dec 19 '12 at 04:08
  • Maybe the key to this lies in utilizing services that rely on SRV records – SpacemanSpiff Dec 19 '12 at 05:02
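The layer-7 forwarding described in the answer's second point, as an added example that is not part of the original answer or of socat: a minimal TCP relay that listens on the host's (IPv6) address, opens a new connection to an internal backend and copies bytes both ways. The socat command in the docstring is the real equivalent; the backend address 192.0.2.20 in it is a constructed placeholder, and `demo()` runs everything on loopback with ephemeral ports so it works offline. The forwarder, the stand-in backend and the `clients_seen` list are my own helpers, not anything from the thread.

```python
"""
Minimal layer-7 TCP forwarder, the same job as (constructed backend address):

    socat TCP6-LISTEN:3389,fork,reuseaddr TCP4:192.0.2.20:3389

The host accepts on its public IPv6 address and opens a *new* connection
to the internal box; nothing is rewritten in packet headers.
"""
import asyncio
import socket

CHUNK = 65536


async def _relay(reader, writer):
    """Copy one direction until EOF, then half-close (shutdown write side).
    Closing outright here would also drop the backend's reply."""
    while True:
        data = await reader.read(CHUNK)
        if not data:
            break
        writer.write(data)
        await writer.drain()
    if writer.can_write_eof():
        writer.write_eof()


async def _handle(client_reader, client_writer, backend_host, backend_port, seen):
    # Record who connected: this is the only place the real client address is
    # visible, the backend sees the forwarder's own address on every connection.
    seen.append(client_writer.get_extra_info("peername")[0])
    try:
        backend_reader, backend_writer = await asyncio.open_connection(backend_host, backend_port)
    except OSError:
        client_writer.close()  # backend down: fail closed instead of hanging
        return
    try:
        await asyncio.gather(
            _relay(client_reader, backend_writer),
            _relay(backend_reader, client_writer),
            return_exceptions=True,  # a reset on one side must not leak a task error
        )
    finally:
        client_writer.close()
        backend_writer.close()


async def start_forwarder(listen_host, listen_port, backend_host, backend_port, seen=None):
    """Listen on listen_host (e.g. 2001:db8:88:200::10) and relay to the backend."""
    seen = [] if seen is None else seen
    return await asyncio.start_server(
        lambda r, w: _handle(r, w, backend_host, backend_port, seen),
        listen_host, listen_port)


def pick_loopback():
    """::1 when the host has IPv6 loopback, otherwise fall back to 127.0.0.1."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s.bind(("::1", 0))
        s.close()
        return "::1"
    except OSError:
        return "127.0.0.1"


async def _echo_backend(host):
    """Stand-in for the internal RDP/torrent/mail box (constructed): prefix and reply."""
    async def echo(reader, writer):
        data = await reader.read(CHUNK)
        writer.write(b"backend:" + data)
        await writer.drain()
        writer.close()
    return await asyncio.start_server(echo, host, 0)


def demo(payload=b"hello", listen_host=None, backend_host="127.0.0.1"):
    """Front on IPv6 loopback, backend on IPv4 loopback; push payload through
    and return the reply plus the client addresses the forwarder logged."""
    listen_host = listen_host or pick_loopback()

    async def run():
        backend = await _echo_backend(backend_host)
        b_port = backend.sockets[0].getsockname()[1]
        seen = []
        fwd = await start_forwarder(listen_host, 0, backend_host, b_port, seen)
        f_port = fwd.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection(listen_host, f_port)
        writer.write(payload)
        await writer.drain()
        writer.write_eof()
        reply = await reader.read()
        writer.close()
        fwd.close()
        backend.close()
        await fwd.wait_closed()
        await backend.wait_closed()
        return {"reply": reply, "clients_seen": seen}

    return asyncio.run(asyncio.wait_for(run(), 10))


if __name__ == "__main__":
    print(demo())
```

Two things to keep in mind when doing this for real: the backend only ever sees the forwarder's address, so its own logs and access lists no longer identify the real client (keep the forwarder's `seen`-style log, or forward the service properly instead), and, as voretaq7's comment notes, what keeps the backend unreachable from outside is the host firewall, not the absence of NAT, so the forwarder's listening port is a deliberate hole in that firewall and should be limited to the rare legacy case the answer describes.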