Port Forwarding and IPv6

archiel

Very Senior Member
I currently have both IPv4 and IPv6 running and am using port forwarding for a couple of services. I am looking at changing ISP (to Community Fibre, cheaper and much faster), but they only offer CGNAT on IPv4. I am using Asus DDNS which is working fine on both IPv4 and IPv6, but would like to understand what will happen to my port forwarding rules if I switch to CGNAT.

I.e. if the traffic is finding the router via IPv6 and the Port Forwarding rules redirect to a LAN device specified by a local IPv4 address, will the traffic still get routed?

Thanks,

Archiel
 
IPv4 is IPv4 and IPv6 is IPv6. There's no translation done by the router between the different protocols. So your IPv4 port forwarding will no longer work because of the CGNAT. IPv6 will be routed as normal to IPv6 devices.
 
I am still finding this confusing, but if I understand it any port forwarding will fail because it forwards to an IPv4 address; by way of example

I have a server on the LAN listening on 45600 and on the WAN at 47800 on Port Forwarding I set
Code:
Service: External Port: Internal Port: Internal IP Address: Protocol
Emby   :     47800    :  45600       :    192.168.10.5    :     TCP

Once I am on CGNAT this will stop working as the traffic on 47800 routed to the WAN interface by DDNS will be IPv6 only, so it will not have any means of recognising 192.168.10.5. Is that it?
 
I think you are conflating IPv4 traffic with IPv6 traffic. They are two completely separate things.

IPv4 traffic (on a home interconnection) is NATed. One IPv4 WAN address is shared by all IPv4 LAN clients. That's why you need port forwarding to direct an incoming IPv4 connection to a specific IPv4 LAN device. This is also why CGNAT stops this working: because the ISP doesn't give you your own public WAN IPv4 address, unsolicited incoming connections never reach your router.

IPv6 is completely different. IPv6 connections are not NATed. Each IPv6 device has its own public IPv6 address which is accessible from the internet, if the router's IPv6 firewall allows it.

So while someone on the internet will no longer be able to connect to your LAN server over IPv4 they could connect if they had an IPv6 internet connection and your server was configured with an IPv6 address (in addition to its IPv4 address), e.g. 2001:460:1d09:104::10.

At the moment (AFAIK) there's no way in the GUI to do port translation for an incoming IPv6 connection, e.g. port 47800 to 45600. This usually isn't a problem though.
 
I am still finding this confusing, but if I understand it any port forwarding will fail because it forwards to an IPv4 address; by way of example

I have a server on the LAN listening on 45600 and on the WAN at 47800 on Port Forwarding I set
Code:
Service: External Port: Internal Port: Internal IP Address: Protocol
Emby   :     47800    :  45600       :    192.168.10.5    :     TCP

Once I am on CGNAT this will stop working as the traffic on 47800 routed to the WAN interface by DDNS will be IPv6 only, so it will not have any means of recognising 192.168.10.5. Is that it?


Unfortunately there's no perfect way to "translate" how CGNAT is implemented by a provider.
Most times they are allocating ONLY IPv6 to customers and they do NAT624 for IPv4 only hosts on the internet. And if that is the way they are implementing it, there's no way for you to keep accessing the "Emby" service highlighted above.
Sometimes carriers that are doing CGNAT by default leave a gate open and they can allow a customer to be IPv4 only. So you'll get a single public IPv4 address to NAT all your traffic to. My carrier does that and I could keep myself out of CGNAT.
Worth checking with them prior to switching the service. Or do not disconnect the existing service and make sure you can cancel the new service if it doesn't suit your needs.
Use a common excuse: your work VPN doesn't work behind CGNAT and see what they tell you.
 
@ColinTaylor @drabisan Thank you both - I will assume that the port forwarding options will become redundant, so that problem then translates into 'how to point to the Emby server (or any other services) on a specific device.' Both my current and proposed ISPs allocate the IPv6 prefixes by DHCP and the LAN device identifiers are also dynamic (sorry if I have the terminology wrong) - the net effect is that the IPv6 for any given device is not static.

I can see that I could connect via VPN (e.g. WireGuard to the server, devices identified by Ipsets linked to their MAC); alternatively I have seen suggestions of using services like ZeroTier or TailScale. Do either of you have any thoughts or suggestions on this?

Finally, while I use DDNS on the router, is it also possible to have IPv6 DDNS running on/pointing to a device?
 
It will help if you can share the IPv6 configuration you have on your router.
I take it you don't get any IPv4 address on your LAN. But you do get IPv6 address on WAN.
Then one way or another your hosts are getting an IPv6 address. And that "one way or another" is the key. Ideally provider does prefix delegation so your router allocates the same IPv6 address to your clients (based on MAC address of the client).
And you do have IPv6 firewall enabled. Cause if you don't...well...you have a bigger problem than a port forwarding.

It's messy, I know! And there are no clear ways out! Too much influence of what IPv6 implementation your carrier does.
 
It will help if you can share the IPv6 configuration you have on your router.
This is all speculative at the moment because he said he's thinking about changing ISPs. But yes, without knowing exactly which implementation of IPv6 he would be getting from the ISP it's a bit pointless speculating further.

I take it you don't get any IPv4 address on your LAN. But you do get IPv6 address on WAN.
He will always have an IPv4 network locally, even when his WAN is CGNAT. It's only the addition of IPv6 to his LAN which is optional.

Ideally provider does prefix delegation so your router allocates the same IPv6 address to your clients (based on MAC address of the client).
My guess is also that this will be the case. But until he actually gets this service it's difficult to know for sure.
 
This is all speculative at the moment because he said he's thinking about changing ISPs. But yes, without knowing exactly which implementation of IPv6 he would be getting from the ISP it's a bit pointless speculating further.


He will always have an IPv4 network locally, even when his WAN is CGNAT. It's only the addition of IPv6 to his LAN which is optional.


My guess is also that this will be the case. But until he actually gets this service it's difficult to know for sure.
As you say this is currently speculative, however I do not quite follow
Ideally provider does prefix delegation so your router allocates the same IPv6 address to your clients (based on MAC address of the client).

I agree that my current ISP does prefix allocation and my understanding is that the new ISP is the same, but as far as the suffixes/device IDs are concerned these are also dynamic, for example if my prefix is
2a02:cb6c:ee57:af00:: then using this PC as an example and looking at ipconfig
Code:
   IPv6 Address. . . . . . . . . . . : 2a02:cb6c:ee57:af00:f178:2c4:af18:d558
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:3142:7e6b:8631:53dd
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:3420:8712:1060:5209
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:643f:8f37:4ed5:f276
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:ac31:5406:7b40:8a69
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:c4af:62cd:fb15:e44
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:c9de:327b:b95:2645
so both the prefix (as set by the ISP) and the suffix (as determined by the router / Windows?) are subject to regular change, hence the questions as to how to point to a server on the LAN where the IPv6 address is not static (even if the local IPv4 address is).
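
An added example, not part of any post in this thread: it parses ipconfig output like the listing above, separates the non-temporary address from the rotating temporary ones, and splits it into the ISP-assigned /64 prefix and the host's interface ID, so a DDNS record or firewall opening can be tied to one host and one port. Assumptions: the host keeps the same interface ID when the prefix changes, the router firewall is ip6tables-based with a FORWARD chain, the link-local line is constructed, and 2001:db8:1:2::/64 is a documentation prefix standing in for a new delegation.

```python
import ipaddress
import re

# Constructed sample: three ipconfig lines from the post above plus a
# link-local line added here for illustration.
IPCONFIG = """\
   IPv6 Address. . . . . . . . . . . : 2a02:cb6c:ee57:af00:f178:2c4:af18:d558
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:3142:7e6b:8631:53dd
   Temporary IPv6 Address. . . . . . : 2a02:cb6c:ee57:af00:3420:8712:1060:5209
   Link-local IPv6 Address . . . . . : fe80::f178:2c4:af18:d558%12
"""

LINE = re.compile(r"^\s*(Temporary |Link-local )?IPv6 Address[ .]*:\s*([0-9a-fA-F:]+)", re.M)
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier

def classify(text):
    """Return (stable, temporary) lists of global addresses found in ipconfig output."""
    stable, temporary = [], []
    for kind, addr in LINE.findall(text):
        ip = ipaddress.IPv6Address(addr)
        if ip not in GLOBAL_UNICAST:  # drop link-local: not reachable from the internet
            continue
        (temporary if kind.startswith("Temporary") else stable).append(ip)
    return stable, temporary

def split_addr(ip):
    """Split an address into its /64 network (ISP-assigned) and interface ID (host-chosen)."""
    net = ipaddress.IPv6Network(f"{ip}/64", strict=False)
    return net, ipaddress.IPv6Address(int(ip) & IID_MASK)

def rebase(iid, new_net):
    """Address the host would hold under a new prefix if it keeps the same interface ID."""
    return ipaddress.IPv6Address(int(new_net.network_address) | int(iid))

def firewall_rule(iid, port):
    """ip6tables rule matching only the interface ID, so it survives a prefix change."""
    return f"ip6tables -A FORWARD -p tcp -d {iid}/::ffff:ffff:ffff:ffff --dport {port} -j ACCEPT"

if __name__ == "__main__":
    stable, temporary = classify(IPCONFIG)
    net, iid = split_addr(stable[0])
    print("publish in DDNS (AAAA):", stable[0], "| ignoring", len(temporary), "temporary")
    print("prefix:", net, "| interface ID:", iid)
    print("after renumbering:", rebase(iid, ipaddress.IPv6Network("2001:db8:1:2::/64")))
    print(firewall_rule(iid, 45600))
```

The rule opens only TCP 45600 (the server's listening port from the thread) to one interface ID; the temporary addresses are deliberately left out because they rotate and are meant for outbound connections.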
 
The problem (IMHO) with IPv6 is that there's multiple ways to skin a cat. Which you choose is largely dependent on your specific use case and the operating system you have. The following page and those surrounding it explain it quite well:

 
