09-30-2014 01:25 PM - edited 03-01-2019 05:45 PM
Hello!
I've gotten 2 /56 blocks of IPv6 addresses from our ISP. We're in the process of rolling out a new website and along with that I'm pushing that we create our IPv6 presence at the same time.
My question is in regard to routing vs NAT-ing. In my "Internet" environment, the space between my ISP routers and my firewalls, I have configured one of my 256 /64 networks, 2001:XXXX:YY:100::1/64. That would mean my firewall could be 2001:XXXX:YY:100::B/64. My web servers sit in a DMZ off my firewall.
Should I:
A. Provision a random IPv6 subnet in the DMZ and use the firewall to NAT to an IP in the 2001:XXXX:YY:100::/64 range. I thought one of the points of IPv6 was to do away with NAT.
B. Provision the 2001:XXXX:YY:101::/64 network in the DMZ and ROUTE to the DMZ server. I am thinking this is the solution, but what protocol to use? I'm guessing I advertise my /56 via BGP to the ISP, and use what? OSPFv3 between internet routers and firewalls? Use static routes? Is there anything that's considered 'best practice' for this type of situation?
To Route or to NAT?
10-01-2014 11:06 AM
Hi,
If I understand correctly, you have a /64 on the external interface of your firewall facing your ISP.
You should not use stateless autoconfig (SLAAC) on your DMZ. Set up your servers statically.
Also, there is no NAT in IPv6; just ensure your stateful firewall handles IPv6 OK, taking special care with ICMPv6.
That means you should use a /64 from your /56 for your DMZ. No NAT.
Whether you set up a static route towards your firewall to reach your DMZ from outside the firewall depends on your network design.
Whether you use BGP with your ISP depends on what you agreed with your ISP. Has your ISP set up a static route for your /56 on their router to you, or are they expecting you to use BGP?
Hope this helps
mark
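Added example, not part of the original replies: a Python check of the routed (no-NAT) plan discussed above, plus an audit of a firewall's ICMPv6 allowlist against the error messages RFC 4890 says must pass for transit traffic. All prefixes, the server address and the policy set are constructed placeholders; the function names are hypothetical.

```python
import ipaddress

# Constructed values: the documentation prefix 2001:db8::/32 stands in for the
# masked 2001:XXXX:YY:100::/56 allocation in the thread.
ALLOCATION = ipaddress.ip_network("2001:db8:aa:100::/56")
TRANSIT = ipaddress.ip_network("2001:db8:aa:100::/64")  # ISP routers <-> firewall
DMZ = ipaddress.ip_network("2001:db8:aa:101::/64")      # routed DMZ, no NAT
SERVER = "2001:db8:aa:101::80"                          # static, not SLAAC

# ICMPv6 errors that RFC 4890 says a firewall must not drop for transit
# traffic, keyed by (type, code); code None means every code of that type.
REQUIRED_ICMPV6 = {
    (1, None): "Destination Unreachable",
    (2, None): "Packet Too Big",
    (3, 0): "Time Exceeded (hop limit exceeded in transit)",
    (4, 1): "Parameter Problem (unrecognized Next Header)",
    (4, 2): "Parameter Problem (unrecognized IPv6 option)",
}

# Constructed firewall policy: (type, code) pairs permitted towards the DMZ.
CONSTRUCTED_POLICY = {(1, None), (128, None), (129, None)}


def check_plan(allocation, transit, dmz, server):
    """Return a list of problems with the routed address plan."""
    problems = []
    for name, net in (("transit", transit), ("dmz", dmz)):
        if net.prefixlen != 64:
            problems.append(f"{name} {net} is not a /64")
        if not net.subnet_of(allocation):
            problems.append(f"{name} {net} is outside {allocation}")
    if transit.overlaps(dmz):
        problems.append("transit and dmz overlap")
    if ipaddress.ip_address(server) not in dmz:
        problems.append(f"static server address {server} is not in {dmz}")
    return problems


def missing_icmpv6(allowed):
    """Return names of required ICMPv6 messages the allowlist would drop."""
    return [name for (typ, code), name in REQUIRED_ICMPV6.items()
            if (typ, None) not in allowed and (typ, code) not in allowed]


if __name__ == "__main__":
    print("plan problems:", check_plan(ALLOCATION, TRANSIT, DMZ, SERVER))
    print("ICMPv6 that would be dropped:", missing_icmpv6(CONSTRUCTED_POLICY))
```

With the constructed policy, Packet Too Big is among the dropped messages, which breaks path MTU discovery for clients reaching the DMZ servers.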
10-03-2014 08:54 AM
Thanks for the insight Mark.
Right now my ISP is static routing to my internet router. I think for now I'll just use static routes in this environment and go from there.