IPv6 and NAT, routing to multiple ISPs

Solution 1:

Without BGP and 'business class' ISPs, multihoming isn't going to work for you. It is possible to do 1-to-1 NAT with IPv6, though I don't know how to configure it on Linux. There is another way:

You will get a prefix from both ISPs. Probably a /56 or a /48. It doesn't really matter in this case if the link to the ISP gets its own addresses or not. IPv6 can work perfectly with unnumbered uplinks. What you then do is to connect a router from each ISP to your LAN, and both should advertise a /64 from their own ISP on your LAN. So all your systems get (at least) two public IPv6 addresses: one from each ISP. You can give the advertisements of your primary ISP a higher priority. When the link to the ISP goes down, the corresponding router should withdraw its advertisement and your systems will start using the other link.

The only downside is when one ISP doesn't accept packets with a source address from the other ISP. If that is the case then the routers should check the source address and forward traffic with the wrong source address to the other router.

If you only get a single /64 from your ISP then you can use that on your LAN. They should give you more than that though. A /48 used to be the standard for many years, a /56 is becoming more normal these days, but you should definitely get more than a /64.

Solution 2:

The solution is the same as for IPv4 - you have to hide a private network behind a NAT with two WAN links.

Unique Local Addresses (ULA) are "private networks for IPv6". Network Prefix Translation (NPt) is "NAT for IPv6". Assign an internal IPv6 Unique Local Address for your network. While it is not required to do so (the chance of colliding ULAs is much smaller than that of colliding IPv4 subnets, should the network need to merge with another private network), there is at least a theoretical benefit to registering your ULA. Enable NPt on each WAN interface, providing your internal ULA and each provider's IPv6 prefix to NPt. Your own IPv6 subnet from RIPE-NCC won't work for all the same reasons your own IPv4 subnet will not work (your lack of budget for BGP support).

NPt has worked quite well for me. My intention was only to provide independence between my internal IPv6 addressing scheme and that of my ISP so that if I switch ISPs only the ISP prefixes need to change, not my entire network configuration. In theory it will suffer the same problems as IPv4 NAT if a protocol sends the non-routable address to a remote machine that then tries to connect back.

Solution 3:

Is there a way to do a 1-to-1 NAT in IPv6 (I'm using Linux machine as a router)?

This is known as "network prefix translation" and yes, Linux does support it. You use the "SNPT" and "DNPT" targets in the "mangle" table (the "nat" table is only used for stateful NAT).

How do I do it?

You use the SNPT target to change the source prefix on outgoing packets and the DNPT target to change the destination prefix on incoming packets. Since it's stateless you must explicitly translate in both directions.

You can either use one ISP's addresses on your LAN and translate for the other ISP, or you can use ULA addresses on your LAN and translate for both ISPs.

Will it allow me to continue using two ISPs (provided that they both support IPv6)?

Yes.

Obviously, as with IPv4 NAT, you will want to make sure that routing is fairly stable, since an ISP switch will break established connections.

I've been thinking how to duplicate this configuration in IPv6. From what I have read, "NAT is dead".

The IPv6 purists don't like it, but Linux recently added a stateful NAT implementation for IPv6. So you can hide a whole network behind a single IPv6 address if you want.

Do I need to receive at least two /64 subnets to comfortably set up routing in LAN behind firewall?

If you are putting public IPs on the machines or using NPT you will want subnets to do that with.

AFAICT the typical scenario for IPv6 on consumer/small business ISPs is that they allocate a single address to the internet side of the CPE router. Then they use DHCPv6 prefix delegation to allocate a prefix for the customer to use on their networks. Typical is to allocate a /56 to each customer.

Unfortunately, at least one ISP I'm aware of insists on you using an ISP-provided CPE router which doesn't support onward prefix delegation at this time. So if you want to put your own firewall behind their router you are kinda stuck :(
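Solutions 2 and 3 both rely on stateless prefix translation (NPTv6, RFC 6296) without showing what the translator actually does to an address, and the part that trips people up is that the mapping must be "checksum-neutral": TCP and UDP checksums cover the IPv6 addresses via the pseudo-header, so a translator that only swapped prefixes would corrupt every checksum. The example below is an added illustration, not code from any of the answers or from the kernel: it implements the translation the Linux SNPT/DNPT targets perform (prefix swap, then a one's complement adjustment folded into one 16-bit word of the address so the address sums to the same checksum value as before), shows both directions for the two-ISP ULA setup, and emits the matching ip6tables rule pair. The ULA fd12:3456:789a::/48, the documentation prefix 2001:db8:1::/48, the interface name eth1 and all function names are my own constructed inputs; the handling of the 0xFFFF word (treated as zero) and of a /64 whose host words are all 0xFFFF (untranslatable, dropped) mirrors the kernel's ip6t_NPT target. It assumes equal-length prefixes of at most /64, which is the common configuration.

```python
import ipaddress

# --- 16-bit one's complement arithmetic, the arithmetic the Internet checksum uses ---

def ones_add(a, b):
    """Add two 16-bit words with end-around carry (one's complement addition)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_neg(a):
    """One's complement negation of a 16-bit word."""
    return (~a) & 0xFFFF

def ones_sum(words):
    """One's complement sum of a sequence of 16-bit words."""
    s = 0
    for w in words:
        s = ones_add(s, w)
    return s

def addr_words(addr):
    """The eight 16-bit words of an IPv6 address (the unit the checksum works on)."""
    p = addr.packed
    return [int.from_bytes(p[i:i + 2], "big") for i in range(0, 16, 2)]

# --- NPTv6 (RFC 6296) stateless, checksum-neutral prefix translation ---

def npt_adjustment(src_net, dst_net):
    """Per-translator constant: sum(source prefix) - sum(destination prefix).

    Swapping the prefix changes the address's checksum contribution by
    sum(dst) - sum(src); adding this adjustment to one word cancels that change.
    """
    return ones_add(ones_sum(addr_words(src_net.network_address)),
                    ones_neg(ones_sum(addr_words(dst_net.network_address))))

def npt_translate(addr, src_pfx, dst_pfx):
    """Rewrite addr from src_pfx to dst_pfx; returns None when untranslatable.

    Constructed example assumption: both prefixes have the same length, <= 64.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("this example handles equal-length prefixes of at most /64")
    if addr not in src:  # the kernel leaves this to the rule's -s/-d match
        raise ValueError(f"{addr} is not inside {src}")

    # 1. Swap the prefix bits, keep the host bits.
    mask = int(src.netmask)
    new_int = (int(dst.network_address) & mask) | (int(addr) & ~mask)
    w = addr_words(ipaddress.IPv6Address(new_int))

    # 2. Pick the word that absorbs the adjustment: word 3 (bits 48-63) for
    #    prefixes up to /48; otherwise the first host word that is not 0xFFFF.
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
        if idx is None:
            return None  # all host words 0xFFFF: no word can absorb it, drop

    # 3. Fold the adjustment in; 0xFFFF is "negative zero", store it as 0.
    w[idx] = ones_add(w[idx], npt_adjustment(src, dst))
    if w[idx] == 0xFFFF:
        w[idx] = 0
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

def checksum_neutral(a, b):
    """True when both addresses contribute the same value to a one's complement
    checksum (0x0000 and 0xFFFF are the same value in that arithmetic)."""
    sa = ones_sum(addr_words(ipaddress.IPv6Address(a)))
    sb = ones_sum(addr_words(ipaddress.IPv6Address(b)))
    return sa % 0xFFFF == sb % 0xFFFF

def npt_rules(lan_pfx, isp_pfx, wan_if):
    """The ip6tables rule pair for one uplink. The translation is stateless,
    so the outbound (SNPT) and inbound (DNPT) directions are configured explicitly."""
    return [
        f"ip6tables -t mangle -A POSTROUTING -s {lan_pfx} -o {wan_if} "
        f"-j SNPT --src-pfx {lan_pfx} --dst-pfx {isp_pfx}",
        f"ip6tables -t mangle -A PREROUTING -i {wan_if} -d {isp_pfx} "
        f"-j DNPT --src-pfx {isp_pfx} --dst-pfx {lan_pfx}",
    ]

if __name__ == "__main__":
    lan = "fd12:3456:789a::/48"          # constructed ULA for the LAN
    host = "fd12:3456:789a:1::10"        # a constructed LAN host
    for isp, wan in (("2001:db8:1::/48", "eth1"), ("2001:db8:2::/48", "eth2")):
        out = npt_translate(host, lan, isp)
        back = npt_translate(out, isp, lan)
        print(f"{host} -> {out} -> {back}  neutral={checksum_neutral(host, str(out))}")
        print("\n".join(npt_rules(lan, isp, wan)))
```

Note that the translated address is not simply "same host part, other prefix": fd12:3456:789a:1::10 becomes 2001:db8:1:7c4a::10, because the subnet word absorbed the adjustment. This is why the answer says an ISP switch breaks established connections: the same internal host appears under an unrelated external address on each uplink, and a flow cannot move between them. The rules themselves also do not make the WAN side accept traffic for the ISP prefix; the ISP has to route the delegated prefix to your router (or you answer neighbour discovery for it), which is separate from the translation.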