Standards for Separating VLANs by Protocol Version?

I hear a lot about people with home networks who say they are running a dual stack and that it doesn't work right because of IPv6.

It occurred to me this morning that maybe the people having these issues are not separating their IPv4 from their IPv6 networks using VLANs somehow, and that they should be.

For example, if router1:eth0.103 and router2:eth2.103 both have a pair of IPv6 addresses (ULA and LLA) and an IPv4 address, it causes the problem they refer to; what they should be doing instead, to avoid the issues, is splitting the protocols into separate VLANs at layer 2.

In other words, router1:eth0.103 and router2:eth2.103 each with a single IPv4 address, and router1:eth0.203 and router2:eth2.203 each with a pair of IPv6 addresses (ULA and LLA).

Is that correct?

  • Then how do you have dual stack if you separate?
  • What is the purpose of this "separating" as you mention?

Correct in what regard?


You use NAT64 and DNS64 to access IPv4 over a different interface.

Because it breaks otherwise.

I'm asking if this is the correct way to avoid a malfunctioning network that is malfunctioning because it is running both protocols on the same VLAN.

No, it's not. You fix it by finding the actual problem and solving it. Dual stack VLANs are a perfectly normal thing and should operate normally.


Here goes the standard: https://www.rfc-editor.org/rfc/rfc6555
TL;DR: don't separate; prefer v6 and fall back to v4 if that looks broken.


Thanks for the civil replies. BTW, no need to make a new post for each individual inquiry.

It's not clear why you suggest translation methods when the [hypothetical] situation you offered suggests the user has native IPv4 and IPv6.

As others have expounded, what you're describing isn't the normal method of troubleshooting or resolving an issue with Dual Stack Internet connectivity.

No, it isn't.


In a layer 2 network you can run ALL layer 3 protocols in parallel. That's the whole idea of the OSI layers.
If one protocol breaks, then it's not the fault of another, because no two layer 3 protocols share anything.
Each protocol is its own realm, so to speak.


Sorry, I was on my phone and still getting used to Discourse; I'm used to bbedit; I know it's been a few years, I just didn't get around to it yet.


I am trying to learn IPv6; and I think I understand it; please let me know where my knowledge is lacking, as it may be.

I understand that there are 3 different types of addresses:

  • Global (Very much public internet-wide unique addresses)
  • ULA (keep these addresses private in the LAN or DMZ or whatever)
  • LLA (Nearest Neighbor etc...)

I understand that there are better ways to go about it than relying on ULA for machine addresses; assigning IPv6 with SLAAC sounds a million times easier; but I'm financially and knowledgeably constrained for paying for a public IPv6 IP. (I don't know how to sign up for that, and presently I don't want to pay the money for a /48 from Xfinity in the ISP monopoly of the United States, though I still wish to have separate VLANs as they are a security imperative.)

My router is set up with separate /64 VLANs that have IPv6 Internet access, but it prevented me from accessing IPv4 sites; so I started looking into using NAT64 and DNS64 to be able to translate them; as was the suggestion of the concept of "IPv6-mostly".

The router is a little under-powered from a CPU, RAM and network namespace standpoint for this purpose; so I decided I needed to forward the packets to an old IBM R51 Thinkpad also running OpenWRT to run NAT64 and DNS64 translations to IPv6 and return them back to the IPv6 client while IPv4 is phased out for the next 15 years or as long as it takes for that to happen.

I'm very much in the dark here and just trying to figure out the correct course of action to implement IPv6-mostly given the constraints of the hardware I have available. I've been reading the OpenWrt wiki and looking for solutions that work.

The situation is very much hypothetical. I was anticipating that I might experience the issue in the scenario above.

Might I suggest: https://ipv6.he.net/certification/

(BTW, this is not really an OpenWrt-specific discussion.)

Fairly accurate descriptions.

Xfinity was one of the first major ISPs to mass implement IPv6 in the US. As I recall, this was implemented at no additional cost to users - and is currently available to all subscribers. Your comment about paying completely lost me.

The 2 (VLANs and IPv6) are unrelated and on different layers of the OSI Model (as others already noted), so I guess you perceive some security benefit by separating IPv4 and IPv6 traffic?

If so, what? :man_shrugging:

Are you saying your IPv4 is broken on your VLANs?

For what purpose?

This paragraph completely lost me.

I assume you're using some pseudo techno-jargon, what is "IPv6-mostly"?

I would suggest simply disabling IPv4 on the client with issues. It may help if you described your issue - without first discussing the non-standard solutions and ideas.

Thank you for the suggestion. I tried that years ago, and I got certified to the Explorer level. I believe it required an HE tunnel of some sort, which I implemented on the router to get there. But I didn't understand firewalls very well at the time.

Then at some point the certification I had disappeared and I wasn't able to log back into HE's Certification site, or sign up for an account, because my email accounts were "too consumery".

Eventually, I got an email account with a shell account somewhere and I was able to sign back up again; but by that point I had found a better course on IPv6.

They have IPv6, but it's crippled by them providing you with a /64.

I have heard rumors that you can use your OpenWRT router to request a /59 or something weird like that and get one to use with subnetting and SLAAC; but I'm somewhat new to this; and I don't want to put the first IPv6 router I have configured on the DMZ yet.

No, I perceive a security benefit from having separate Layer 2 VLANs.

The benefit I was perceiving was that the two protocols don't interfere with each other on the same VLAN.

It wasn't a perceived security benefit, it was a basic perception that things might not work right since IP is such a base level thing for a LAN and since I heard so many people complain about it; I don't know if they were running OpenWRT or something else on their hardware.

-and-

No, I'm saying that I can't reach IPv4 sites on my IPv6 VLAN and it's like having holes in the Internet. From what I can tell, JOOL can configure a range of IPv6 addresses (64:ff9b::/96) that are forwarded to NAT64's IPv6 interface, so its packets can be translated into IPv4 packets sent out its IPv4 interface to request the IPv4 site, before translating the response from IPv4 back to IPv6 and finally back to the machine that requested it.

The 64:ff9b::/96 range is large enough to contain addresses for the entire IPv4 internet, and that's why it can be translated.

Also, DNS64 and DNS servers often can return both A (IPv4) and AAAA (IPv6) records, but all of that has to go over IPv(4|6) first before we can find out what the IP of the server is for the requested name.

My stupid router can't handle network namespaces such as the ones in the tutorial, and I'm not familiar with why network namespaces are used in the first place. But if for some reason they are important, I still want to implement them on a separate machine per the NAT64/DNS64 tutorial.

My router fails when it runs the script in option 2, on line ip netns exec jool sh <<EOF mainly because it doesn't seem to be able to use namespaces. It only has 64MB of memory, but the ThinkPad has like 512 MB of RAM, so despite it being old and a 32-bit, single processor machine, I figure it will be enough to get the job of NAT64 / DNS64 done.

IPv6-Mostly refers to any of the following references:

In summary there is no problem with connectivity, you just want ip6-only lan network?

There is a problem connecting to sites with IPv4 on the working IPv6 LANs.

(I mean, that's a given, but it's really annoying and the reason for NAT64 and some other solutions)

I was anticipating having some sort of an issue now that it's necessary to run a dual stack because I've heard others stating that this is the case.

(not here, on Mastodon).

You need dns64 and nat64 (unbound does first)


Is unbound a DNS resolver or forwarder or DNS server, or all three?

Also what does "unbound does first" mean?

Why can you not use ipv4 and ipv6 together?


unbound does DNS64, returning NAT64 AAAA IPs where only an IPv4 record exists.
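To make concrete what the posts above describe (the 64:ff9b::/96 prefix holding every IPv4 address, the NAT64 box pulling the IPv4 address back out of it, and DNS64 synthesizing an AAAA only where just an A record exists), here is an added Python example; it is not from the thread or from Jool/unbound, and the record sets it resolves are constructed sample data.

```python
import ipaddress

# Well-known NAT64 prefix named in the thread (RFC 6052 / RFC 6147).
# A /96 leaves exactly 32 bits, so one IPv6 address per IPv4 address.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """Synthesize the NAT64 address: prefix bits + IPv4 in the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """What the translator does on the IPv6 side: recover the real IPv4 destination."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        # Not a NAT64 destination: the translator must not touch it.
        raise ValueError(f"{addr} is outside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, prefix=NAT64_PREFIX):
    """DNS64 rule: hand back real AAAA if any exist; otherwise synthesize from A.

    Returns (list_of_ipv6, synthesized_flag). Synthesized answers cannot carry
    the origin's DNSSEC signature, which is why validating stub resolvers on
    the clients would reject them.
    """
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records], False
    return [embed_ipv4(a, prefix) for a in a_records], True


# Constructed zone data (documentation ranges), not real hosts.
SAMPLE_ZONE = {
    "v4only.example":  {"A": ["192.0.2.10"], "AAAA": []},
    "dual.example":    {"A": ["192.0.2.20"], "AAAA": ["2001:db8::1"]},
}


def resolve(name, zone=SAMPLE_ZONE):
    """Resolve a name the way an IPv6-only client behind DNS64 would see it."""
    rr = zone[name]
    return dns64_answer(rr["A"], rr["AAAA"])


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        addrs, synth = resolve(name)
        print(name, [str(a) for a in addrs], "synthesized" if synth else "native")
```

Note that the prefix has 2**32 addresses, which is exactly why the whole IPv4 Internet fits inside it.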

You've performed some unknown steps to separate IPv4 and IPv6, then kludge transition technology to make them work again. This was not the intention of those technologies [in the long goal].

Wow.

This idea of somehow separating them for some perceived security benefits, just to make them work again, seems - odd.

You could simply set up IPv6 masquerade on WAN, then block IPv6 traffic from LAN to WAN with a simple firewall rule. You could then do vice versa on the other network to make it IPv4 only. Your ULA can (would) be used for this while you have a public IPv6 address on wan6. You can do this per VLAN, but from your descriptions, you don't use VLANs for the same purposes others would. You could also disable IPv4 on the clients.

Since it's clear you've probably configured your router outside of standard practice, have perceived constraints with your routers, etc., I'm not sure how well this discussion will continue to progress.

Lastly:

The tunnel provides a free prefix to use on your router (for free). :wink:

No need to beg Xfinity.

Not weird, just a properly configured wan6 interface.


So, the setup would be something like this.

I noticed in making the diagram that if I add an additional VLAN, say for IPv6, it might take up another port on my router, and I don't necessarily want that because I'd like to use that port for a different VLAN.

But I'm still a bit lost about where I might put a laptop that runs JOOL for DNS64 and NAT64; would it go on the network of the Cable Modem to resolve those addresses and DNS records?