All IPv6 addresses are considered public; the correct term is global unicast addresses. This means that all our devices can be seen from the Internet.
In IPv6, the concept of NAT (Network Address Translation) as known in IPv4 is, in effect, unnecessary due to the vast address space available, allowing virtually every device to have a globally unique address.
However, in certain scenarios, you may want to implement a form of isolation or access control similar to NAT to manage traffic between a “private” network and the “public” internet over IPv6.
Below we describe how to configure a common scenario in MikroTik to handle this situation:
Step 1: IPv6 Address Assignment
First, make sure your Internet Service Provider (ISP) has assigned you a block of IPv6 addresses. You will use a portion of this block for your internal network.
- Assign addresses to the WAN interface: Configure your WAN interface in MikroTik to receive an IPv6 address from your ISP, either statically or via DHCPv6, depending on how your ISP provides IPv6 connectivity.
- Assign addresses to the internal network: Define a segment of your IPv6 block for your local network. This can be done in MikroTik under the IPv6 menu, assigning static addresses or using DHCPv6 Server to distribute addresses to your internal devices.
Step 2: Firewall Configuration
Although NAT is not necessary, the firewall plays a crucial role in the security of your IPv6 network, filtering incoming and outgoing traffic according to your policies.
- Inbound firewall rules: Configure rules in the MikroTik firewall to limit unauthorized access from the internet to your internal network. This may include blocking certain ports or protocols and only allowing specific incoming traffic to defined services.
- Outbound firewall rules: Similarly, you can configure rules to manage outbound traffic, although by default, most firewalls allow all outbound traffic.
Step 3: Configure Prefix Delegation (if applicable)
If you have devices behind your MikroTik router that also need global IPv6 addresses, you can use Prefix Delegation to distribute segments of your assigned IPv6 block to these devices or subnets.
Step 4: Configuring IPv6 Privacy Extensions (if desired)
Privacy Extensions for SLAAC (Stateless Address Autoconfiguration) allow devices on your network to use IPv6 addresses that change periodically, increasing user privacy.
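A RouterOS configuration covering Steps 1 to 3, added here as an example and not part of the original post. It assumes ether1 is the WAN port, bridge is the LAN, and the ISP delegates a prefix over DHCPv6; the names isp-pool, WAN and LAN and the 2001:db8:: server address are constructed placeholders.

```routeros
# Assumptions (not from the post): ether1 = WAN, bridge = LAN,
# pool name "isp-pool", interface lists "WAN" and "LAN".

# Steps 1 and 3: take an address and a delegated prefix from the ISP,
# then number the LAN with a /64 carved from that prefix.
/ipv6 dhcp-client
add interface=ether1 request=address,prefix pool-name=isp-pool \
    pool-prefix-length=64 add-default-route=yes
/ipv6 address
add interface=bridge from-pool=isp-pool address=::1/64 advertise=yes

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Step 2: stateful filtering. Rules are evaluated top to bottom.
/ipv6 firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
# ICMPv6 carries neighbor discovery and path MTU discovery; keep it open
add chain=input action=accept protocol=icmpv6
# DHCPv6 replies arrive from the ISP's link-local address
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10
add chain=input action=accept in-interface-list=LAN comment="management from LAN only"
add chain=input action=drop comment="drop everything else to the router"

# forward chain: traffic between the LAN hosts and the Internet
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=icmpv6
add chain=forward action=accept in-interface-list=LAN comment="outbound allowed"
# One published service; 2001:db8:0:1::10 is a constructed documentation address
add chain=forward action=accept in-interface-list=WAN protocol=tcp dst-port=443 \
    dst-address=2001:db8:0:1::10/128
# Default deny: unsolicited inbound never reaches LAN hosts
add chain=forward action=drop in-interface-list=WAN comment="default-deny inbound"
```

The final forward rule gives globally addressed hosts the same "not reachable unless I say so" behaviour people associate with NAT, without any address translation.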
Additional considerations
- Security: Although IPv6 eliminates the need for NAT for address management, security should not be overlooked. Make sure you implement a solid security strategy that includes a well-configured firewall.
- Device Support: Verify that all your devices support IPv6. Although most modern devices do, some older devices may not be compatible.
Configuring IPv6 in MikroTik for a “public” to “private” network scenario mainly involves managing address assignments and firewall configurations, keeping your network secure without the need for NAT.
This demonstrates the advancement and improved capabilities that IPv6 offers over IPv4 in terms of address management and network security.