Date: Tue, 25 Jun 2019 12:11:40 +0200
From: Wolfgang Zenker <wolfgang@lyxys.ka.sub.org>
To: freebsd-net@freebsd.org
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: IPv6-only network--is NAT64+DNS64 really this easy now?
Message-ID: <20190625101140.GG26071@lyxys.ka.sub.org>
In-Reply-To: <19784363-6543-ccc1-b13f-5f1a67dc10d1@bluerosetech.com>
References: <5e24739b-bbd0-d94a-5b0e-53fdeba81245@bluerosetech.com> <CANJ8om6WmNQWibnSCMR2hf09he-wWBUnBmY5Mnn7%2BNtvUHhcBQ@mail.gmail.com> <19784363-6543-ccc1-b13f-5f1a67dc10d1@bluerosetech.com>
* Mel Pilgrim <list_freebsd@bluerosetech.com> [190625 04:47]:
> On 2019-06-24 19:33, Ultima wrote:
>> While it may be possible to have an IPv6 only environment, I don't
>> think it is really viable. There are simply too many things that don't run
>> on or have very limited support for IPv6 that it makes it very hard
>> to drop IPv4 altogether and until something comes along forcing the
>> move it likely won't happen for at least another decade at the minimum.

> Yes, that is why I wrote "Waving a hand at bug-hunting and lamentations
> over the inertia of embedded systems designers".

> This is a lab experiment specifically to iron out the very wrinkles you
> just stated.

Depending on what you want to do it is viable now. At work we use
IPv6-only jails for web hosting, where all jails on one physical
machine share one NAT64 gateway for outgoing connects to IPv4-only
services like Github. That gateway is the only dual-stack jail on a
machine, the host and all other jails are IPv6 only. The NAT64 jail
also provides a reverse proxy for incoming web access on IPv4.
Customers on an IPv4-only connection use a ssh jumphost to access
the server. We use ipfw for NAT64 and bind for DNS64.

At RIPE meetings twice a year I use the provided IPv6-only network for
net access with phone and notebook; in these 10 days per year for the
last couple of years I have not seen any problems myself. Some people
reported problems accessing VPN gateways though, and accessing
IPv4-only services that use DNSSEC is a problem if your local resolver
on the client does DNSSEC validation.

>> On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim <list_freebsd@bluerosetech.com>
>> wrote:
>>> I'm looking to set up a pure-IPv6 environment to test the viability of
>>> it. I tried this a few years ago and fell flat on my face due to the
>>> lack of NAT64 and DNS64 support.
>>> Reading through docs now, it looks like unbound has a DNS64 module, and
>>> NAT64 is baked into ipfw. Waving a hand at bug-hunting and lamentations
>>> over the inertia of embedded systems designers, has it really become
>>> this easy to turn up an IPv6-only site?
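
The NAT64 gateway and DNS64 resolver described in the message both depend on the RFC 6052 mapping of IPv4 addresses into an IPv6 prefix. The following Python code is an added example, not part of the original message or of the setup it describes: it synthesizes the address a DNS64 resolver would return and maps NAT64 destinations found in logs back to their IPv4 targets, covering all RFC 6052 prefix lengths. The well-known prefix 64:ff9b::/96, the function names and the sample addresses are assumptions; the message does not say which prefix is in use.

```python
import ipaddress

# RFC 6052 allows only these NAT64/DNS64 prefix lengths. For prefixes shorter
# than /96 the IPv4 bits are split around octet 8 (bits 64..71), which stays zero.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN = "64:ff9b::/96"  # RFC 6052 well-known prefix (assumed default here)


def _v4_positions(prefix):
    """Byte offsets inside the IPv6 address that carry the four IPv4 octets."""
    if prefix.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{prefix.prefixlen} is not an RFC 6052 prefix length")
    start = prefix.prefixlen // 8
    return [p for p in range(start, start + 5) if p != 8][:4]


def embed(v4, prefix=WELL_KNOWN):
    """Address a DNS64 resolver would synthesize for an IPv4-only name."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_positions(net), ipaddress.IPv4Address(v4).packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract(v6, prefix=WELL_KNOWN):
    """IPv4 destination behind a NAT64 address, or None if outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    positions = _v4_positions(net)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[p] for p in positions))


def translate_log(destinations, prefix=WELL_KNOWN):
    """Map logged IPv6 destinations to (ipv6, ipv4-or-None) for egress review."""
    return [(d, extract(d, prefix)) for d in destinations]


# Constructed sample: destinations as they might appear in an IPv6-only jail's logs.
SAMPLE = ["64:ff9b::c000:221", "2001:db8::53", "64:ff9b::c633:6407"]

if __name__ == "__main__":
    for v6, v4 in translate_log(SAMPLE):
        print(f"{v6:<22} -> {v4 or 'native IPv6'}")
```

The synthesized AAAA record is generated by the resolver and is not signed by the zone, which is why a client that validates DNSSEC itself rejects it, as the message notes.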