IPv6, but only at the "edge" of my network?

My ISP has decided to phase out public IPv4 addresses. When this happens, it would put me behind CGNAT, which from a previous experience was not transparent and did cause some issues. They do offer public IPv6 addresses, which I presume bypass the CGNAT. I currently require the public IPv4 address to access a service over a known port (or perhaps two). This service runs on the router, so it has access to the WAN.

My internal network is IPv4. I do not see a need to change this. I also don’t think it fits my mental model (which presumes NAT), and so I want to avoid switching to the whole “public IPv6 prefix” model.

Is it possible to replace just the WAN side of the existing NAT with IPv6, while leaving the rest of the network alone? I want to make the least disruptive change possible, one that would allow me to use the assigned public IPv6 prefix (updated via whatever DDNS service I’m using) to remotely access the service, while everything else functions as it did before.

Yes, your service can listen on IPv6, and you can register an FQDN for it with a DDNS provider that supports IPv6 records (AAAA). The people using the service must of course have access to the v6 Internet.

If your service is WireGuard or OpenVPN or most other VPN protocols, it is possible to have IPv4 traffic inside a tunnel even though the outer (encrypted) connection is IPv6. So your internal network can continue to be v4 only.

Yes, the IPv6 traffic will bypass the CGNAT. That's also why you should strongly consider using IPv6 for your clients too so that as much traffic as possible will bypass it. CGNAT can cause all sorts of issues, both weird/broken behavior and performance issues.

As long as you have IPv6 on the devices that need to reach that service from the internet, yes. Otherwise you need to use either:

  1. A tunnel from another server (like a VPS) with both a public IPv4 and functioning IPv6 to your service.
  2. A service like Tailscale, ZeroTier, etc. that have servers that help with NAT bypassing.

If you want to access internet services over IPv6 and also avoid the CGNAT as much as possible, you will need to have IPv6 on your internal network. Period. I would strongly suggest that you try updating your mental model. It's not that difficult (in many ways it's actually a lot simpler), and OpenWrt will block incoming traffic for you by default, so you can still see your router as the border firewall.

If you stop OpenWrt from assigning ULA addresses by removing the ULA prefix, it removes some potential confusion.

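The two replies above (a service listening on IPv6 behind an AAAA record, a VPN whose outer connection is IPv6 while the inside stays IPv4, and OpenWrt's default-deny border firewall with the ULA prefix removed) map onto a small set of OpenWrt UCI fragments. The following is an added example written for this thread, not configuration from any poster or from the OpenWrt project; the WireGuard port, the 10.10.0.0/24 tunnel addresses, the hostname wg.example.net and every PLACEHOLDER value are assumptions, and the ddns-scripts option names are given as I know them, so check them against the installed package before use.

```uci
# /etc/config/network (fragment) -- added example, not from the thread

config globals 'globals'
	# The ULA prefix is deliberately left out, as the reply above suggests;
	# a default install carries "option ula_prefix 'fdxx:xxxx:xxxx::/48'" here.

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

# WireGuard: the outer (encrypted) transport rides on the wan6 address,
# the addresses inside the tunnel are plain IPv4, so the LAN stays v4-only.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_ROUTER_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.10.0.1/24'

config wireguard_wg0
	option description 'laptop'
	option public_key 'PLACEHOLDER_PEER_PUBLIC_KEY'
	option preshared_key 'PLACEHOLDER_PSK'
	list allowed_ips '10.10.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall (fragment)

# The wan zone keeps the default posture: input REJECT, so nothing running on
# the router is reachable from the Internet unless a rule below opens it.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Tunnel clients are treated like LAN clients once they are authenticated.
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

# Only this UDP port, only over IPv6, only to the router itself
# (no 'dest' option, so the rule lands in the INPUT chain, not FORWARD).
config rule
	option name 'Allow-WireGuard-v6'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option family 'ipv6'
	option target 'ACCEPT'

# /etc/config/ddns (fragment): publish the router's wan6 address as an AAAA record
config service 'wg_v6'
	option enabled '1'
	option use_ipv6 '1'
	option service_name 'PLACEHOLDER_PROVIDER'
	option lookup_host 'wg.example.net'
	option domain 'wg.example.net'
	option username 'PLACEHOLDER_USER'
	option password 'PLACEHOLDER_SECRET'
	option ip_source 'network'
	option ip_network 'wan6'
	option interface 'wan6'
```

Two points worth checking after applying something like this: `uci show firewall | grep -i wireguard` should show exactly one ACCEPT rule with `family='ipv6'` and no `dest`, and the AAAA record should resolve to the router's own global address on `wan` (not to an address from the delegated prefix, which the LAN never uses in this design). The port is open to every IPv6 source, which is the intended posture for WireGuard: a packet that does not carry a valid handshake for a configured peer key is silently discarded, so exposure is limited to the key material, and the rest of the router stays behind the default REJECT.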

Thank you both! I’m a little confused now though!

  1. Asking another way, is it possible for the WAN side of whatever is currently doing the private LAN-IPv4 <> public WAN-IPv4 NAT to use IPv6 instead?
  2. Even if I move private devices to IPv6, isn’t it possible for remaining IPv4 devices to send their traffic via the public IPv6 interface?

My hope was to decommission the IPv4-WAN altogether once it moves to CGNAT, and then route everything over IPv6 regardless of the protocol being used internally. I’m surprised if that’s not possible! I know the correct solution is to rebase to IPv6, but that’s a bit low on my to-do list.

Why not just run dual-stack? That usually makes roughly half your traffic go over IPv6. Sure, you’d still be behind CGNAT for half of it so you won’t avoid CGNAT entirely. A VPN could also be used to provide you IPv4 over an IPv6 tunnel.

No, you can’t easily translate from IPv4 to IPv6 since the address space of IPv4 is so much smaller so you obviously can’t address every IPv6 host using only IPv4. For reference, a standard /64 subnet in IPv6 is 4 294 967 296 times larger than the entire IPv4 address space, and it’s common for consumers to get either 256 (a /56 prefix) or 64 000 (a /48 prefix) of those /64 subnets. NAT46 is still a thing, but I think the point of that is to allow for translation to a small subset of IPv6 hosts.

Translation that allows IPv6-only hosts to access IPv4 hosts is possible though, as mapping the entire IPv4 address space into IPv6 is very easy. 464XLAT is what smartphones use to reach the IPv4 internet on IPv6-only cellular networks, but it requires client support (CLAT). Besides Android and iOS, it’s supported on MacOS, some Linux distros and is currently in preview status on Windows 11.


The answer to both of those is that reaching a v4-only Internet server over a v6-only link requires that there exist some sort of v6-to-v4 converter on the Internet side of the v6-only connection. There used to be public machines that did that, but due to heavy traffic and abuse they have all been shut down. It may now be provided by the ISP (reachable only by customers), or you can build your own out on the Internet on a VPS that supports dual stack.

In any case, your v4 access is always NATed due to the lack of a public IP for each LAN endpoint. IPv6, implemented fully, does place a unique public IP on each LAN endpoint.

blunden is right, by trying to avoid IPv6 on the inside at all costs, you're only making your life considerably more complicated than it would be by just using (cgNATed) IPv4 and IPv6 side by side, in the typical dual-stack configuration. Yes, IPv6 does work a little differently in some aspects, but it will just side-step all your cgNAT issues (as long as you can get an end-to-end IPv6 connection for the services you need).

I've been in this situation for the last 6 years: cgNAT and a (semi-static) /56 IPv6 prefix. The IPv4 side is 'useless' for anything incoming, but IPv6 usually works "well enough" (problems only arise for me if I'm connected to some WLAN (hotspots or business/enterprise-ish networks) that doesn't provide IPv6 connectivity; all major ISPs (residential and mobile, 4G/5G) do, however, so things generally do work for me). However, you really want full IPv6 connectivity to profit from this, end-to-end. These days around 60-65% of my monthly traffic is IPv6 based, with the numbers continuing to increase.

By default, IPv6 is enabled on OpenWrt and the default firewall configs are sane and safe; you only need to consider deviations from the defaults for what you want to expose to the outside. Likewise, all modern operating systems (Windows, Linux, macOS, Android, iOS, etc.) support IPv6 just fine; IoT or smart-home devices often don't, but they generally don't need to either and will ignore the presence of IPv6 just fine.


You can disable IPv6 at the device level, so to make sure nothing propagates into your LAN or gets routed out, you can just disable IPv6 on the LAN device (br-lan is the default) and any ports in the bridge.

That way your router grabs an IPv6 address for the WAN and you can use it for server tasks etc., but it’s blocked for the LAN. On any layer-2 basis you can have a network be able to use IPv6 or not just by controlling whether it's enabled or disabled at the device level.

(Technically, RFCs specify 1 IPv6 address per service, but a single IP can be made to work.)
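For completeness, here is what the "IPv6 on the WAN, none on the LAN" layout in the post above looks like in OpenWrt UCI. This is an added example written for this thread, not configuration from the poster or from the OpenWrt project; the bridge port names lan1/lan2 and the 192.168.1.0/24 range are assumptions, and the device-level `ipv6` switch is given as I understand netifd to support it, so confirm it on your release with `ip -6 addr show br-lan` after a restart (the bridge should report no IPv6 address at all, not even a link-local one).

```uci
# /etc/config/network (fragment) -- added example, not from the thread

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	# No IPv6 on the bridge itself: no link-local address, no RA-derived
	# addresses, so nothing on the LAN side can be reached or route out over v6.
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# "option ip6assign '60'" deliberately omitted: no /64 from the delegated
	# prefix is handed to the LAN.

# wan6 still comes up, so services bound on the router keep a global address.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

# /etc/config/dhcp (fragment): stop odhcpd from advertising anything on the LAN
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'disabled'
	option dhcpv6 'disabled'
	option ndp 'disabled'
```

The trade-off the other replies point at applies here: with `ipv6 '0'` on br-lan every LAN client is forced onto the cgNATed IPv4 path, so this buys a smaller mental model at the cost of keeping all client traffic behind the CGNAT. It is also worth knowing that the `ra`/`dhcpv6` settings alone are not enough; clients would still form link-local addresses and could talk v6 to each other on the segment, which is why the post disables IPv6 at the device level rather than only turning off the advertisements.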

Thank you all for the guidance. My approach wasn’t ideological but pragmatic, as in my ignorance I thought v4-v6 bridges were a thing. I’m still a little apprehensive but will go dual stack until I learn enough to make actual choices.

Do any of you run with a network or individual devices that are purely IPv6?

Sure, but only as a temporary curious novelty.* Generally, I configure clients not to request an IPv4 address, or disable the IPv4 stack (depending on OS). Additionally, some cloud providers for example offer virtual machines without a public IPv4 address. That requires setting up an IPv6 tunnel to convey IPv4 traffic to the virtual host.

*- If your desire is to have an IPv6-only network that can reach IPv4-only destinations, that requires more advanced setup.