Mark Henderson asked:
One of the things NAT has permitted us to do in the past decade is split physical services onto different servers whilst hiding behind a single interface.
For example, I have example.com behind a NAT on 192.0.2.10. I port-forward :443 to my web server. I'm also port forwarding :25 to my mail server, :3389 to a terminal server and :8080 to the web interface of my computer that downloads torrents, and the story goes on.
So I have 5 port forwardings going to 4 different computers on
Then, I go and get me some neat IPv6. I assign example.com an IPv6 address of 2001:db8:88:200::10. That's great for my websites, but I want to go to example.com:8080 to get to my torrents, or example.com:3389 to log on to my terminal server.
How can I do this with IPv6, as there is no NAT? Sure, I could create a bunch of new DNS entries for each new service, but then I have to update all my clients who are used to just typing example.com to get to either the website or the terminal server. My users are dumber than two bricks so they won't remember to connect to
What options do I have for keeping NAT-style functionality with IPv6?
In case you haven’t figured it out, the above scenario is not a real scenario for me, or perhaps anyone yet, but it’s bound to happen eventually. You know, with devops and all.
We finally have the chance to leave one of the Internet’s biggest mistakes behind in the dustbin of history. Don’t blow it.
Strongly encourage your customers to stop worrying and learn to love IPv6 without NAT and get accustomed to typing in things like rdp.example.com (which they already should have been doing; the scenario you've described strikes me as horribly bad design). We have hostnames in part because various services are located at different addresses on the network; this NAT misfeature you're long accustomed to, which let you address individual services on the same hostname which were actually at different addresses on the network, will and must go away.
Begin helping your customers transition to the new normal by providing those hostnames now and encouraging their use, even if you still only have IPv4. This will make the transition easier for almost everyone.
In cases where you must forward ports for the rare legacy applications that can't be updated, and the guy who can't remember his own name unless it's written on a sticky note on his monitor, this can still be done at layer 7 with tools such as socat. Socat can forward both TCP and UDP connections, so it will probably be more useful.
A similar question, with much the same answer, was recently asked on Super User: How to port-forward IPv6 in m0n0wall?
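The socat relay the answer points to, written out as an added example (this is not code from the question, the answer or the linked Super User thread). It takes the question's scenario literally: the public IPv6 host at 2001:db8:88:200::10 listens on each published port and relays the connection to the internal machine that really runs the service. The internal hostnames (www/mail/rdp/torrent.internal.example.com) are assumptions, as is the DRY_RUN switch that only prints the socat command lines so the script can be run without socat installed.

```shell
#!/bin/sh
# Added example: relay ports on an IPv6 host to internal servers with socat.
# Hostnames and the DRY_RUN/LISTEN_ADDR knobs are this example's assumptions.

# Build the socat command line for one relay.
#   $1 = tcp|udp   $2 = port to listen on   $3 = internal host   $4 = internal port
# If LISTEN_ADDR is set, the listener is bound to that one local IPv6 address
# instead of every address on the host (socat wants IPv6 literals in brackets).
socat_relay_cmd() {
    proto=$1; lport=$2; target=$3; tport=$4
    case "$proto" in
        tcp) listen="TCP6-LISTEN:$lport"; connect="TCP:$target:$tport" ;;
        udp) listen="UDP6-LISTEN:$lport"; connect="UDP:$target:$tport" ;;
        *)   echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    # fork: one child per client; reuseaddr: restart cleanly after a crash
    listen="$listen,fork,reuseaddr"
    [ -n "${LISTEN_ADDR:-}" ] && listen="$listen,bind=[$LISTEN_ADDR]"
    echo "socat $listen $connect"
}

# Start a relay in the background, or only print it when DRY_RUN=1.
start_relay() {
    cmd=$(socat_relay_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd &
    fi
}

# The question's port list, each service relayed to the machine that runs it.
# Set DRY_RUN=0 to really start the relays (requires socat on the IPv6 host).
DRY_RUN=${DRY_RUN:-1}
LISTEN_ADDR=${LISTEN_ADDR:-2001:db8:88:200::10}   # example.com's IPv6 address
start_relay tcp 443  www.internal.example.com     443
start_relay tcp 25   mail.internal.example.com    25
start_relay tcp 3389 rdp.internal.example.com     3389
start_relay tcp 8080 torrent.internal.example.com 8080
```

Run as-is it prints the four socat command lines; with DRY_RUN=0 it starts them in the background. The bind= option keeps each listener on the published address only, and the same helper produces UDP relays (UDP6-LISTEN/UDP) for the cases where the answer notes socat's UDP support matters.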
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.