Basics of moving from NAT ipv4 to no-NAT ipv6

JMain asked:

Imagine a ipv4 setup like this, only on a much larger scale:

10.0.0.1 = Nat Router
10.0.0.2 = Business Server A
10.0.0.3 = Business Server B
10.0.0.4 = Workstation A
10.0.0.5 = Workstation B
10.0.0.6 = Workstation C

The workstations access the Servers with their IP address, easy.
The workstations and servers access the router through the nat router, easy.

Now, move to ipv6. No more nat. You have something like this:

xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0001 = firewall
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0002 = Business Server A
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0003 = Business Server B
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0004 = Workstation A
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0005 = Workstation B
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0006 = Workstation C

I understand that for the prefix, this is provided by your ISP. If you are using these to access your servers inside your location, and the prefix changes, you lose access (until you fix it). Or, assume that your modem or ISP is down for some reason and you lose the prefix because it can’t hand it out. Or, maybe you watch to quickly switch to a backup ISP with a CradlePoint or similar.

With ipv4, the ISP doesn’t really matter, your internal devices never see your ISP provided addresses. You can fairly easily switch ISP in a moment by just swapping a cable around.

With ipv6, at least the way I understand it, without NAT now the ISP controls your internal IP addresses. Outside addresses changing might not be a big deal, but internal addresses changing would cause a large mess.

Many companies today use the solution to simply stay with IPv4.

What is the IPv6 solution to this scenario? I know that NAT=bad in lots of cases, but in this scenario, it literally keeps the internal network running.

My answer:


You can use Unique Local Addresses in addition to your global IPv6 addresses to provide connectivity within your internal network.

You simply pick a random ULA prefix (it must be random; don’t try to use fd00:: or something you pulled out of your head; visit a ULA generator web page) and begin assigning subnets, starting from the edge and going inward, the same as you would for global subnets.

Note that ULA addresses cannot reach the global Internet or vice versa. The global addresses are still required for global connectivity. But purely internal communications can use the ULA addresses forever.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.