IPv6 NAT downside clarification

So, I've seen everywhere that IPv6 NAT is a bad idea, and that I shouldn't use it. I don't see all that much reason as to why.
I specifically want to AVOID having to advertise devices on my network directly, if possible. I have a homelab, AND I have equipment for my business on the network, and I want strict access control through the router's firewall.

My primary goal is to avoid any services or public-facing systems from being advertised directly, without NAT. I don't care if other systems are IPv6 NAT-ed, but I would prefer having IPv6 enabled inside my network, for obvious reasons. I do eventually hope to move to IPv6 only, but I recognize that that's a long way off. I'm already communicating between my devices inside my network almost exclusively with IPv6, with IPv4 being used solely for testing server connectivity.

What are the downsides to trying to set up NAT for IPv6? It feels like it would suit my use case perfectly, but it's possible that I'm missing something. It's also possible that the reasons it isn't great for the average user don't apply to me, so I'm just trying to figure out how to move forward.

If it's a bad idea, as well, can you suggest an alternative to accomplish what I want to accomplish?

What makes destination NAT (DNAT/port forwarding) desirable?

Edit: I guess one of the advantages is that you would be able to treat public IPv4 and IPv6 services the same way.

NAT6 has its uses. It is more of a subjective viewpoint than anything, but there are specific use cases where it makes sense.

Although with a properly configured IPv6 firewall, your hosts will not be "publicly" available. Yes, they'll have a global IPv6 address which traffic will go out from, but that doesn't mean you have to allow any inbound access. However, if the goal is to have all IPv6 traffic going through a single address, then yes, you'll need NAT6.

OpenWrt does support it:

https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6

I have personally done it, but for different reasons, related to multiple WANs with IPv6.

Are there? I suspect in most, if not all, cases whatever is being attempted can be achieved without NAT.

1 Like

Two examples:

  1. Creating a subnet, when the network doesn't support subnetting or prefix delegation.
  2. Multiple IPv6 WANs e.g. mwan3

I agree it shouldn't be needed for most use cases.

It appears that email responses don't work to reply to a topic, sorry.

Well, again, I host several services behind my router.

I have a web server, a media server, multiple ssh servers, a VM host, a render node, a couple Linux build hosts, and a NAS. I only expose, like, 16 ports total to the outside world, and I try to keep as tight a lock on those exposed services as possible.

I want to be able to provide JUST my router IP to users, and provide them with access to just the specific port on the server they need access to, rather than the entire range. Some systems have SSH servers, and some users have the ability to log in via ssh, for instance, but I don't want them doing so outside of the network. Plus, I want to be able to shut off a service to the outside world at any moment, without having to shut the service itself down (for instance, I was troubleshooting a web server, and I needed to bring it up to test it. If users have its IP address directly, that exposes potentially insecure configurations to the open internet). I route via hostname for the ports, so it's as simple as a checkbox and a confirmation to cut off port forwarding for IPv4. I want that quick and complete disconnection for IPv6 as well.

No, no, I know it can be done.

But I've seen in a bunch of places that there are specific reasons not to do it. I'm wondering what they are. I've put a lot of thought into it, and in fact almost implemented it, but I'm looking to see if there are any potential repercussions I've overlooked.


It looks like the discussion actually happened exactly as it would have had I not responded at all, which is amusing. But you guys answered my question. It seems it isn't about me NEEDING it, but about it being a more comfortable solution to problems I'm actively having, and it still looks like it is. I'll get to work on implementing it. Thank you!

Everything you want, short of only handing out one IP, can be done with the firewall. It sounds like you're conflating NAT with having a secure system which isn't what it does. You need the firewall for that and should just be opening the ports you want accessible from outside.

Interfering with end-to-end connectivity, which is what NAT does, is a bad thing. Especially in the IPv6 world, which expects that to be the case.

2 Likes

This. NAT is not a firewall. It's not intended as a firewall. But to be fair to OP's concerns, NAT does have a natural firewall effect due to how NAT is designed to work. NAT was a patch for the shortage of IPv4 addresses, and things went wrong when people started to use NAT as a form of firewall. But then I say again, NAT is not a firewall and should never be considered as a vital security layer in network configurations. That should be handled by a real firewall. If you depend on NAT in order for your network to be secure, your upstream firewall and client firewalls are not configured properly.

Unfortunately, people did start using NAT as a firewall. That's why ISPs were reluctant to roll out IPv6 in the beginning. Almost every provider deploys IPv6 with a good firewall integrated in the supplied modem-router combination devices. I was reading about this subject years ago, and I remember a topic where this was discussed. It took me a while but I found the website here.

The answer to your concerns with IPv6 is having a good firewall. That was always the correct answer imho, even when we fooled around with NAT and IPv4 in the past. Now let's take a more technical approach when talking about firewalls and OpenWRT. Please correct me if I'm wrong here.

When we look at the kernel configuration of OpenWRT, we see that net.ipv4.ip_forward and net.ipv6.conf.all.forwarding are both enabled by default. That means all inbound traffic can be routed if it has a destination. And the destination is often the router itself when talking about NAT with IPv4, or the end host when talking about IPv6. The lack of a downstream destination address is the reason why NAT with IPv4 gives an extra security layer.

So what prevents all inbound traffic from reaching its destination when talking about IPv6 and OpenWRT? That's the firewall of course, which should block all inbound traffic by default. Only inbound traffic with explicitly defined allow rules should be able to pass. The firewall in OpenWRT is fw3, which is built on netfilter/iptables. Netfilter operates at kernel level and is considered a very robust, stable framework, which makes it an excellent firewall framework. I have never seen Netfilter fail in my life. I trust it.

But let's take a hypothetical approach here. What if the firewall does fail? A good firewall should fail in a closed state, not allowing any packets to be forwarded anymore. Unfortunately I can't confirm whether this is the case for Netfilter. But what I do know is that when Netlink fails, it should cause a kernel panic because it operates at kernel level. We see that kernel.panic is set to 3 in OpenWRT, which means the router reboots after 3 seconds when a kernel panic occurs. If Netlink doesn't fail in a closed state (and again, I don't know if that is the case), it means that IPv6 hosts with a global address (UGA) are reachable for 3 seconds from the outside. After these 3 seconds, the router reboots itself while dropping all connections, and the firewall should be in a working state again when it's up. Within this hypothetical 3-second window, unauthorized access should be prevented by firewall software running on the host itself.

At host level the firewall should also block all inbound traffic by default, with the exception of explicitly defined allow rules. Public facing services should allow all inbound traffic on a specified port, while LAN restricted services should only allow inbound traffic from restricted subnets or IP addresses on a specified port.

Windows does a good job by enabling the built-in firewall by default. However, when talking about Ubuntu.. Ubuntu doesn't enable the firewall by default. They don't ship the OS with open ports. Therefore they believe that enabling the firewall isn't necessary. This is so weird imho, as this doesn't account for user actions after deployment. Looks like a dick measuring contest to show off how secure they are (and they do take security very seriously).

In the end, a well-configured environment should still be secure despite the lack of NAT. NAT was never designed to be a security measure, just as IPv6 wasn't designed to be used with NAT - in theory at least.

As a bonus, if you don't want to expose your IPv6 addresses to the world for privacy reasons, you can use privacy extensions. Windows enables this by default. Ubuntu is again a weird duck here. It also doesn't enable privacy extensions by default. Alternatively, you can also use DHCPv6 (which is slightly less controversial compared to NAT6 when talking to IPv6 evangelists).

Well, again, I host several services behind my router.
I have a web server, a media server, multiple ssh servers, a VM host, a render node, a couple Linux build hosts, and a NAS. I only expose, like, 16 ports total to the outside world, and I try to keep as tight a lock on those exposed services as possible.
I want to be able to provide JUST my router IP to users, and provide them with access to just the specific port on the server they need access to, rather than the entire range. Some systems have SSH servers, and some users have the ability to log in via ssh, for instance, but I don't want them doing so outside of the network. Plus, I want to be able to shut off a service to the outside world at any moment, without having to shut the service itself down (for instance, I was troubleshooting a web server, and I needed to bring it up to test it. If users have its IP address directly, that exposes potentially insecure configurations to the open internet). I route via hostname for the ports, so it's as simple as a checkbox and a confirmation to cut off port forwarding for IPv4. I want that quick and complete disconnection for IPv6 as well.

NAT is not a firewall, while it does offer some firewall effects. You should configure your firewall instead of relying on NAT for security.

Why do you even provide IP addresses to users? Shouldn't this be just hostnames? What's the problem with knowing the IP addresses of servers that need to be accessible?

Firewall.. On client and upstream. You don't allow all traffic to a server. Just a specific port. In the same spirit as you do with NAT.

Hostname for the ports? Hostnames are related to IP addresses. Anyway, again, firewall.. It's just as simple as a button for disabling or enabling a firewall rule.

Anyway, you do you. NAT66 is there, so use it if you want it. But don't be blinded, and try to educate yourself on IPv6 and how it's meant to work, and what the security implications really are.

1 Like
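As an added example (written for this page, not taken from the thread or from the OpenWrt project), this is the shape of an OpenWrt /etc/config/firewall that implements what the last two replies describe for the original poster's case: the wan zone rejects inbound and forwarded traffic by default, one rule exposes exactly one TCP port on exactly one LAN host over IPv6, SSH stays LAN-only simply because no wan rule names it, and the rule's `enabled` option is the per-service kill switch that replaces the IPv4 port-forward checkbox. The zone names follow the stock OpenWrt layout; the host address under the 2001:db8::/32 documentation prefix is an assumption and must be replaced with the server's real global address from your delegated prefix. The ICMPv6 forward rule mirrors the one shipped in the default configuration and is kept because IPv6 does not work without it.

```uci
# Added example, not from the thread. 2001:db8:: addresses are documentation
# placeholders (assumed); substitute your own delegated prefix.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'    # nothing from the internet reaches a LAN host unless a rule allows it
	option masq '1'            # IPv4 NAT only; IPv6 hosts keep their global addresses
	option mtu_fix '1'

# LAN may initiate anything outbound; return traffic is matched by conntrack.
config forwarding
	option src 'lan'
	option dest 'wan'

# ICMPv6 is not optional: PMTU discovery and error signalling break without it.
# This is the same rule the stock configuration ships with.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The only inbound exposure for the web server: TCP 443 to this one address.
# SSH on the same host is not mentioned in any wan rule, so it is unreachable
# from the internet even though the host has a global address.
# Set enabled '0' (or untick the rule in LuCI) to cut the service off from the
# outside world without stopping the service itself.
config rule
	option name 'Allow-HTTPS-webserver-v6'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp'
	option dest_ip '2001:db8:1234:5678::80'   # assumed web server address
	option dest_port '443'
	option target 'ACCEPT'
	option enabled '1'
```

Apply with `/etc/init.d/firewall restart` and keep the stock rules for ICMPv6 input and DHCPv6 that are not repeated here. The check worth doing is from outside the network, not from the router: a port scan of the web server's address from an external IPv6 host should report 443 open and 22 (and everything else) filtered, and toggling `enabled` to `0` followed by a firewall restart should close 443 as well. If your ISP changes the delegated prefix, this rule's hard-coded `dest_ip` stops matching and the service silently disappears; the OpenWrt firewall documentation covers prefix-independent matching on the host part of the address, which is the fix for that case. None of this changes the point made in the thread: the host itself should still run a default-deny firewall of its own, so that a misconfiguration on the router is not a single point of failure.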