Without NAT on IPv6, and only one DNS name, how do i talk to my servers?


Right now we own one domain name (e.g. superfault.com).

From the internet I can connect to a variety of networked devices using that single DNS name:

                         superfault.com
                         ╔════════════╗              ╔══════════════╗
                         ║device with ║  ┌─────────80╢Web Server 1  ║
                         ║ public IP  ║  │┌────────81╢192.168.1.10  ║
        superfault.com:80╫────────────╫──┘│┌─────3389╢              ║
        superfault.com:81╫────────────╫───┘│         ╚══════════════╝
      superfault.com:3389╫────────────╫────┘         ╔══════════════╗
        superfault.com:25╫────────────╫────────────25╢E-mail server ║ 
       superfault.com:110╫────────────╫───────────110╢192.168.1.11  ║ 
      superfault.com:3390╫────────────╫──────────3389╢              ║ 
       superfault.com:443╫────────────╫────┐         ╚══════════════╝
      superfault.com:3391╫────────────╫───┐│         ╔══════════════╗      
      superfault.com:3392╫────────────╫──┐│└──────443╢Web Server 2  ║ 
      superfault.com:3393╫────────────╫─┐│└──────3389╢192.168.1.12  ║ 
                         ╚════════════╝ ││           ╚══════════════╝
                                        ││           ╔══════════════╗   
                                        │└───────3389╢Desktop PC 1  ║ 
                                        │            ║192.168.2.100 ║
                                        │            ╚══════════════╝
                                        │            ╔══════════════╗   
                                        └────────3389╢Desktop PC 2  ║ 
                                                     ║192.168.2.101 ║
                                                     ╚══════════════╝

Now, with IPv6, I can give all these devices a publicly routable IPv6 address:

      superfault.com
      ╔════════════╗              ╔══════════════╗
      ║Gateway     ║              ╢Web Server 1  ║
      ║Firewall    ║              ╢2001::10      ║
      ║2001::1     ║              ╢              ║
      ║            ║              ╚══════════════╝
      ║            ║              ╔══════════════╗
      ║            ║              ╢E-mail server ║ 
      ║            ║              ╢2001::11      ║ 
      ╚════════════╝              ╢              ║ 
                                  ╚══════════════╝
                                  ╔══════════════╗      
                                  ╢Web Server 2  ║ 
                                  ╢2001::12      ║ 
                                  ╚══════════════╝
                                  ╔══════════════╗   
                                  ╢Desktop PC 1  ║ 
                                  ║2001::2:100   ║
                                  ╚══════════════╝
                                  ╔══════════════╗   
                                  ╢Desktop PC 2  ║ 
                                  ║2001::2:101   ║
                                  ╚══════════════╝

But I only own one domain name, which can only resolve to one IPv6 address:

  • superfault.com: 2001::1

So how do I find the IP address of all my other devices? The simple method is to use my firewall device as a proxy - which is the functionality that NAT provides. The undesirable, and expensive, way is to find a free domain name for every IPv6 address I own.

What's the IPv6 equivalent of NAT?


Update:

The other problem is that IPv6 does not allow

http://superuser.com

you have to use:

http://www.superuser.com

So if a user forgets the www, then your site will appear broken.

Same way that IPv6 does not allow:

ftp://superuser.com

as you have to use:

ftp://ftp.superuser.com

and it doesn't allow

> ventrillo superuser.com

you have to be sure to tell users:

> ventrillo ventrillo.superuser.com

Ian Boyd

Posted 2011-08-04T17:44:04.450


Re edit: Nonsense. IPv6 does allow this; many websites simply have an AAAA record on the bare domain, such as he.net. What IPv6 makes a little harder is having multiple computers behind a single name, but that's purely a limitation of Linux ip6tables, which lacks -j REDIRECT. However, it already has -j TPROXY which can be used in a very similar way. – user1686 – 2012-03-28T05:50:49.577

@grawity I've asked the question of how to do it here: http://superuser.com/questions/405709/how-to-port-forward-ipv6-in-m0n0wall

– Ian Boyd – 2012-03-28T11:45:01.557

Answers


That's what subdomains are for.

If you own, for example, superfault.com, you can freely create desktop.superfault.com, mail.superfault.com, ian.superfault.com... (If you don't – buy one, they are fairly cheap. Or visit za.net or eu.org for a free domain.)

Also, you do not need NAT in order to forward ports. Try ip6tables with -j TPROXY.

user1686


They may be cheap; but getting one I want would be pretty darn impossible. But I can't believe I forgot about subdomains. On the downside, right now people can use superfault.com for http, smtp, pop3; that all breaks with subdomains. – Ian Boyd – 2011-08-04T18:57:48.927

@Ian: There's so much more than .com and .org, if all you need is a cheap domain. (I do wish more software supported SRV for service discovery, reconfiguration is indeed a pain.) – user1686 – 2011-08-04T19:20:23.633


What makes you think that you only own that domain name, and no subdomains thereof? Conventionally in the domain name system, the owner of example.net. thereby gets to be the owner of

  • workstations.example.net.
  • mike.workstations.example.net.
  • betty.workstations.example.net.
  • second.servers.example.net.
  • third.servers.example.net., and even
  • ian.boyd.personal-laptops.example.net.

If you don't have control of the subdomains, then you don't really own the domain in the first place. If you do own the domain, then the answer here is the simple and straightforward one that the rest of the world widely uses. ☺

JdeBP


Free accounts on dyndns may not allow you to configure a wildcard for subdomains, and give you limited control on DNS records such as address aliases. Buy your own domain name; dyndns domains are only brought to you as a temporary lease (that you must renew often). – verdy_p – 2019-10-25T22:25:55.697

Also you're probably limited by your router if that's a box given and preconfigured by your ISP with limited configuration. The solution is to use an Ethernet-to-Ethernet router (working in "transparent" mode) that you can configure freely (and then, if you can, configure the ISP router in bridge mode, but some ISPs may limit the bandwidth and other services, like VoIP or TV/VOD packs). – verdy_p – 2019-10-25T22:32:16.923

What makes me think that I don't own subdomains? Cause I forgot! And also cause I don't really own the domain in the first place (dyndns.org) - and they don't let me have subdomains (for free). But I'm going to give the accept to grawity; he beat you to it. – Ian Boyd – 2011-08-04T18:55:40.443

If SuperUser — as, alas, it didn't — had told me that grawity had answered whilst I was writing my answer, I'd have just upvoted instead, on the that-would-have-been-my-answer-too principle. ☺ – JdeBP – 2011-08-05T13:14:32.650
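The per-host naming that both answers describe, written out as an added example (it is not part of either answer): a BIND-style zone for superfault.com using the addresses from the question's second diagram. The host names (ns1, www, www2, mail, pc1, pc2) and the choice to point the bare domain at Web Server 1 instead of the gateway are assumptions made for this example.

```zone
$ORIGIN superfault.com.
$TTL    3600

; SOA and NS are required for a valid zone. "ns1" is an assumed name,
; placed here on the gateway address from the question (2001::1).
@       IN  SOA   ns1 hostmaster (
                  2011080401  ; serial
                  3600        ; refresh
                  900         ; retry
                  1209600     ; expire
                  300 )       ; negative-cache TTL
@       IN  NS    ns1
ns1     IN  AAAA  2001::1

; The bare domain can carry an AAAA record, so http://superfault.com
; keeps working for users who forget the "www". Pointing it at Web
; Server 1 rather than the gateway is this example's choice.
@       IN  AAAA  2001::10
www     IN  AAAA  2001::10
www2    IN  AAAA  2001::12        ; Web Server 2

; E-mail server gets its own name, plus an MX so mail addressed to
; user@superfault.com still lands there without a subdomain.
mail    IN  AAAA  2001::11
@       IN  MX 10 mail

; Each desktop is reachable under its own name instead of a
; forwarded port on the gateway (3390, 3391, ... in the NAT diagram).
pc1     IN  AAAA  2001::2:100
pc2     IN  AAAA  2001::2:101

; Optional SRV record for clients that support service discovery
; (fields: priority weight port target).
_pop3._tcp  IN  SRV 0 0 110 mail
```

After loading the zone, `dig AAAA www2.superfault.com` and `dig AAAA superfault.com` should return 2001::12 and 2001::10 respectively, which is the whole point: every device has a name, and no NAT or port forwarding is involved.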