On 23-4-2012 14:30, Chris Bagnall wrote:
> Are there any plans to incorporate something like NAT64 (or another
> 4-to-6 translation method) to allow v6-only networks?
Yes, for 2.2 at its earliest. There is a patch for pf in OpenBSD in
circulation but that's not useful right now.
http://redmine.pfsense.org/issues/2358
Any NAT that translates from one address family to another is a huge
pain since any sort of handle it is obscured.
It combines with DNS64 which translates A records into crafted AAAA
records, you can probably see where this is going from here.
Then another NAT64 gateway downstream which puts it back on the IPv4
internet. It doesn't make for a good medium. And you still have double NAT.
So with that in mind I'd rather have CGN/LSN double NAT for IPv4 in the
future and a clean IPv6 path. NAT444 is already convoluted, and with
NAT64 it only gets worse from there. It might change in the future.
I now have an IPv6 only internet at work and it's barely useful at all. I
mean, pfSense works fine with it, and I can do auto firmware updates
just like normal. But that's because we have our infrastructure online
on both IPv4 and IPv6.
People that only have IPv6 will run into things like gitsync not
working, which is a pain because I now can't check out code on the box I'm
developing on.
I've contacted github but their response is lukewarm at best. A lot of
companies seem to be in the position that this somehow is not an issue
for them.
If you operate a website and only have it reachable through IPv4 you
_are_ going to run into people that only have IPv6 and thus can not
reach your website.
I'm using GitHub here because that's what the pfSense project uses, and
lots of people check out the tree using the gitsync playback in pfSense.
Also useful to know is that GitHub does have issues to work through
DNS64 and NAT64. So much for that.
In the meantime I've set up a haproxy instance in the DC that listens on
github.iserv.nl which has both v4 and v6 and talks to github.com over
v4. That way people can still gitsync.
Obviously I can't do that for every website.
Cheers,
Seth
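
The DNS64 step mentioned in the message above (A records turned into crafted AAAA records), as an added example that is not part of the original post or of pfSense: it embeds an IPv4 address in a NAT64 prefix and recovers it again, which is what you need to map a synthesized address in a log back to the real IPv4 destination. It assumes the RFC 6052 address format and its well-known prefix 64:ff9b::/96; the function names and the sample address are constructed for illustration.

```python
import ipaddress

# Prefix lengths permitted by RFC 6052; 64:ff9b::/96 is its well-known prefix.
ALLOWED = (32, 40, 48, 56, 64, 96)
WELL_KNOWN = "64:ff9b::/96"


def _check(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED:
        raise ValueError(f"RFC 6052 does not allow /{net.prefixlen}")
    if net.network_address.packed[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    return net


def synthesize(ipv4, prefix=WELL_KNOWN):
    """Build the AAAA address a DNS64 resolver would return for an A record."""
    net = _check(prefix)
    out = bytearray(net.network_address.packed[: net.prefixlen // 8])
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if len(out) == 8:      # byte 8 is reserved and stays zero
            out.append(0)
        out.append(octet)
    out.extend(bytes(16 - len(out)))   # zero suffix
    return str(ipaddress.IPv6Address(bytes(out)))


def extract(ipv6, prefix=WELL_KNOWN):
    """Recover the embedded IPv4 address, or None if outside the prefix."""
    net = _check(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    # The four IPv4 octets follow the prefix, skipping reserved byte 8.
    idx = [i for i in range(net.prefixlen // 8, 16) if i != 8][:4]
    return str(ipaddress.IPv4Address(bytes(raw[i] for i in idx)))


if __name__ == "__main__":
    # Constructed sample: 192.0.2.33 is a documentation address.
    for p in (WELL_KNOWN, "2001:db8:100::/40", "2001:db8:122:344::/64"):
        v6 = synthesize("192.0.2.33", p)
        print(p, "->", v6, "->", extract(v6, p))
```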