IPv6-only network--is NAT64+DNS64 really this easy now?

Wolfgang Zenker wolfgang at lyxys.ka.sub.org
Tue Jun 25 10:21:23 UTC 2019

* Mel Pilgrim <list_freebsd at bluerosetech.com> [190625 04:47]:
> On 2019-06-24 19:33, Ultima wrote:
>>   While it may be possible to have an IPv6 only environment, I don't
>> think it is really viable. There are simply too many things that don't run
>> on or have very limited support for IPv6 that it makes it very hard
>> to drop IPv4 altogether and until something comes along forcing the
>> move it likely won't happen for at least another decade at the minimum.

> Yes, that is why I wrote "Waving a hand at bug-hunting and lamentations 
> over the inertia of embedded systems designers".

> This is a lab experiment specifically to iron out the very wrinkles you
> just stated.

Depending on what you want to do it is viable now.
At work we use IPv6-only jails for web hosting, where all jails on
one physical machine share one NAT64 gateway for outgoing connects to
IPv4-only services like Github. That gateway is the only dual-stack jail
on a machine, the host and all other jails are IPv6 only. The NAT64 jail
also provides a reverse proxy for incoming web access on IPv4. Customers
on an IPv4-only connection use an ssh jumphost to access the server.
We use ipfw for NAT64 and bind for DNS64.

At RIPE meetings twice a year I use the provided IPv6-only network for
net access with phone and notebook; in these 10 days per year for the
last couple of years I have not seen any problems myself. Some people
reported problems accessing VPN gateways though, and accessing IPv4-only
services that use DNSSEC is a problem if your local resolver on the
client does DNSSEC validation.

>> On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim <list_freebsd at bluerosetech.com>
>> wrote:
>>> I'm looking to set up a pure-IPv6 environment to test the viability of
>>> it.  I tried this a few years ago and fell flat on my face due to the
>>> lack of NAT64 and DNS64 support.

>>> Reading through docs now, it looks like unbound has a DNS64 module, and
>>> NAT64 is baked into ipfw.  Waving a hand at bug-hunting and lamentations
>>> over the inertia of embedded systems designers, has it really become
>>> this easy to turn up an IPv6-only site?
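
Added example, not part of the thread or of any poster's configuration: a Python model of the address synthesis that a DNS64 resolver and NAT64 gateway share (RFC 6052), together with the RFC 6147 rule that nothing is synthesized for a client that validates DNSSEC itself, which is the failure case mentioned in the reply above. The function names and the 192.0.2.33 sample record are constructed for illustration.

```python
import ipaddress

# RFC 6052 well-known prefix; a site may instead use its own network-specific prefix.
WKP = ipaddress.IPv6Network("64:ff9b::/96")
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed(v4, prefix=WKP):
    """Build the IPv4-embedded IPv6 address DNS64 hands out (RFC 6052, section 2.2)."""
    if prefix.prefixlen not in VALID_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %r" % (VALID_LENGTHS,))
    out = bytearray(prefix.network_address.packed)  # bits after the prefix are zero
    pos = prefix.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:          # bits 64..71 (the "u" octet) must stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(v6, prefix=WKP):
    """Recover the IPv4 destination, as the NAT64 gateway does; None if outside prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    raw = addr.packed
    idx = [i for i in range(prefix.prefixlen // 8, 16) if i != 8][:4]
    return ipaddress.IPv4Address(bytes(raw[i] for i in idx))


def dns64_answer(a_records, aaaa_records, do=False, cd=False, prefix=WKP):
    """AAAA answer from a DNS64 resolver following RFC 6147 for one name.

    Returns (addresses, synthesized). With DO and CD both set, the client has
    said it validates itself, so nothing is synthesized: a synthetic AAAA has no
    RRSIG and would contradict the zone's signed proof that no AAAA exists.
    """
    if aaaa_records:                      # native IPv6 exists: pass through
        return [ipaddress.IPv6Address(a) for a in aaaa_records], False
    if do and cd:                         # validating client: no synthesis
        return [], False
    return [embed(a, prefix) for a in a_records], bool(a_records)


# Constructed sample: an IPv4-only name using documentation address 192.0.2.33.
if __name__ == "__main__":
    print(dns64_answer(["192.0.2.33"], []))
    print(dns64_answer(["192.0.2.33"], [], do=True, cd=True))
```

A validating client that receives the empty answer has no IPv6 address to connect to unless it queries the A record, validates it, and performs the `embed` step locally with the site's NAT64 prefix.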
