IPv6 and intranet/NAT

I would like to use IPv6 as much as possible.

My ISP “supports” IPv6. My computers run Win10 or Linux, which support IPv6. My router is a Windows 10 PC running Internet Connection Sharing (works very well and supports IPv6, I think). My “ISP router” is not a router but is set up as a bridge.

So I can see my public IP addresses (IPv4 and IPv6) on the Windows 10 router PC. That machine creates the intranet on the 192.168.137/24 block. The intranet machines also get link-local IPv6 addresses.

So it’s all working as it should.

Except of course, I can’t use IPv6 from my intranet, only directly from the router machine.

E.g. I can go to https://ipv6.google.com or http://ipv6.cybernode.com only from the router PC. https://test-ipv6.com/ gets a 10 out of 10. From my intranet, the former two links don’t work and the latter gets a ZERO out of 10. (Rather pessimistic!?)

What is the official answer to really get IPv6 working on my intranet?

Googling, I only find heated discussions about how NAT is not needed / should not be used for IPv6. No simple answer as to how this should actually, officially, work.

I think I need public IPv6 addresses for the intranet machines. I suppose the DHCP server in the router should get these from the ISP. So is it just a minor flaw in Microsoft’s built-in ICS DHCP service?

Are there separate DHCP servers I can install (on Windows or Linux) that implement something like this?

I can find instructions for DHCP servers, but I have to configure the public block manually. I would first have to request that block manually from my ISP. Cumbersome, but is that the official answer for how this should work? (I remember when that was how my IPv4 worked…)

Microsoft’s ICS isn’t designed for IPv6.

The intent of IPv6 is to get rid of the need to do NAT. Instead of your Windows 10 computer acting as a NAT server, the intent of IPv6 is that each computer on your local network can get a unique IP from your internet provider’s DHCPv6 server.

So what you would do is get rid of ICS on the Windows 10 computer and just bridge the networks so that the computers on the local network can reach your internet provider’s DHCPv6 server.

ICS / NAT was never intended to be a security layer, but it does sort of function as one, since anything coming in from the outside can’t directly see the computers behind the ICS machine. You lose that with IPv6, but the IPv6 folks say that since it was never intended as a security thing, you aren’t really losing much. Personally I disagree with that a bit. The IPv6 approach is to handle the security issues at the firewall level.

Okay, thanks. I had thought of that too.

That would certainly work for IPv6 on the intranet.

But on its own, it would lose the NAT I still need for IPv4 (to save on those precious IPv4 addresses).

I know and understand about security. Intranet NAT is not about security (for me). It’s a separate issue. All machines have their own firewalls. I use a separate NAT router with firewall on my intranet for IoT gadgets (i.e., an intra-intranet; I sure don’t trust their security otherwise).

What I’m asking about is the co-existence of IPv4-with-NAT and IPv6-without-NAT on an intranet.

I can’t find whether anyone has even thought about this scenario, even though it should be extremely common.

An intranet machine sends out a DHCP request. It is served by a DHCP server. On an intranet, that DHCP server should respond with a private IPv4 out of its own pool but relay the DHCP upstream for the public IPv6. Does anything like this exist?

I am by no means an IPv6 expert, but I have it working on my network as you want it to work. Everything inside my network gets a local IPv4 address, and then accesses the IPv4 internet with NAT. Everything also gets a globally routed IPv6 address (among other IPv6 addresses). So, each device that does IPv6 can be reached directly from an external IPv6 capable host (excepting I do have an IPv6 firewall). All of the stuff in my network use IPv6 by default to reach Google, Facebook, Netflix, and lots of other things.

My router gets what’s called a “prefix delegation” from my ISP. This is a block of IPv6 addresses (enough for all the stars in the sky, or whatever) that I can use on my local network. So my ISP tells my router to use 1111:222:3333:4444::/56. My router runs DHCPv6 (and v4). Devices on my network then acquire IPv6 addresses using either DHCPv6 or SLAAC (their choice) and are assigned something like 1111:222:3333:4444::aaa/128 or 1111:222:3333:4444::aab/128. Through the magic of open source software and some ICMP packets this all works in ways I don’t completely understand.

I have no clue how to make Windows Internet Sharing do this. I’m using a router running OpenWRT, and it all just works. Except that I spent a long time messing with it a few years ago to make it all work. This was mostly due to silly things, such as the default IPv6 firewall denying necessary ICMP traffic. If your ISP is set up correctly, and your router has sane defaults, then I think it should just work. What are the chances of both being true?
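The “magic” echoreply describes above has three concrete parts: the router receives a delegated prefix (shorter than /64) over DHCPv6, it carves that prefix into /64 subnets and advertises one on the LAN in Router Advertisements, and each host builds its own address from the advertised /64 plus an interface identifier (SLAAC). The firewall gotcha is that Router Solicitation/Advertisement and Neighbor Solicitation/Advertisement are themselves ICMPv6, so dropping “all ICMP” silently breaks the whole chain. The following is an added worked example, not code from the thread or from OpenWRT; the delegated prefix and MAC addresses are constructed (the 2001:db8::/32 documentation range), and the only dependency is Python’s standard `ipaddress` module.

```python
"""Prefix delegation, /64 carving and SLAAC address formation, worked
offline with constructed inputs (added example, not the thread's code)."""
import ipaddress

# Constructed: stands in for the IA_PD prefix the ISP's DHCPv6 server hands
# the router.  A /56 gives the router 256 possible /64 LAN subnets.
DELEGATED_PREFIX = "2001:db8:1234:ab00::/56"

# ICMPv6 message types a LAN firewall must let through for IPv6 to function:
# 1-4 are the error messages RFC 4890 says should not be dropped (2 = Packet
# Too Big is what makes path-MTU discovery work), 133-136 are the Neighbor
# Discovery messages (RS/RA/NS/NA) that carry the SLAAC prefix and resolve
# neighbours.  Blocking these is the "silly thing" that breaks IPv6 routers.
REQUIRED_ICMPV6 = {
    1: "destination unreachable", 2: "packet too big",
    3: "time exceeded", 4: "parameter problem",
    133: "router solicitation", 134: "router advertisement",
    135: "neighbor solicitation", 136: "neighbor advertisement",
}


def lan_subnets(delegated, count):
    """Carve the first `count` /64 subnets out of a delegated prefix.
    SLAAC only works with a 64-bit prefix, so anything longer is rejected."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64; SLAAC cannot use it")
    subs = net.subnets(new_prefix=64)
    return [next(subs) for _ in range(count)]


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291,
    Appendix A): insert ff:fe between the OUI and device halves and flip
    the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(subnet, mac):
    """Address a host forms on its own when the router advertises `subnet`
    with the autonomous flag set.  No DHCPv6 lease is involved, which is
    why a router only needs to relay the prefix, not hand out addresses."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("advertised prefixes must be exactly /64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def is_globally_routed(addr, delegated):
    """True if `addr` lies inside the delegated prefix and is neither
    link-local (fe80::/10) nor ULA (fc00::/7): i.e. a host with this
    address is reachable from outside unless a firewall says otherwise."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local or a in ipaddress.IPv6Network("fc00::/7"):
        return False
    return a in ipaddress.IPv6Network(delegated)


def missing_icmpv6(allowed_types):
    """Given the ICMPv6 types a firewall permits, list the required ones it
    drops.  Used to audit a 'deny all ICMP' style default."""
    allowed = set(allowed_types)
    return sorted(t for t in REQUIRED_ICMPV6 if t not in allowed)


if __name__ == "__main__":
    lan, iot = lan_subnets(DELEGATED_PREFIX, 2)      # one /64 per segment
    host = slaac_address(lan, "00:11:22:33:44:55")   # constructed MAC
    print("LAN prefix:", lan, " IoT prefix:", iot)
    print("SLAAC address:", host,
          "globally routed:", is_globally_routed(host, DELEGATED_PREFIX))
    # A firewall that only passes echo and error messages still breaks ND:
    for t in missing_icmpv6({1, 2, 3, 4, 128, 129}):
        print("firewall drops required ICMPv6 type", t, REQUIRED_ICMPV6[t])
```

Two things the example makes visible that the post only hints at: the router never needs to ask the ISP for per-host addresses (hosts derive them from the advertised /64, which is why the IPv4 DHCP pool and the IPv6 prefix can live side by side on one router), and a host address formed from the delegated prefix is reachable from the internet, so the router’s IPv6 firewall, not NAT, is what decides whether inbound connections reach it.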

Wow, thanks, echoreply! Sounds like that was the answer I was looking for: the official way to do what I wanted, the way this is supposed to work.

And yeah, I guess the Windows ICS does not implement that.

But now at least I have the search term to go study this technology!

And thanks for the tips on how to make this work in practice! Yes those sound like the typical issues you get when trying to get things like this to work.

Look, an interesting search result: DHCPv6 Prefix Delegation in Windows Vista

Seems like Windows ICS had it in Windows Vista in 2007?

Anyway, thanks again for the pointer, I can now study further.