by zekica 1594 days ago
NAT is not disallowed in IPv6; it's just discouraged as it breaks the end-to-end principle. You can still have stateful firewalls that work for the majority of cases, and you can also use NPT (network prefix translation, also called 1-to-1 NAT) if you want. There is even an RFC specifying how to do NPT without creating compute overhead for routers by making the packets have the same CRC.

NAT is actually probably preferred too for homelabbers, for one because you don’t have to re-address things ever, and also because you can use your whole ISP assignment as a pool of dynamically assignable/attachable public addresses.
Are you thinking of prefix translation?
Not that I know of. I’m using ip6tables with an, honestly garbage, script to give me similar functionality to AWS Elastic IPs.

- Everything inside the network gets a private address from DHCPv6.

- I have a pool of some of my assigned prefix designated as generic outbound which use masquerading and multipath routing so my home traffic isn’t all coming from a single address. This is mostly useless but was fun to set up.

- Then for the rest of the prefix I can create “attachments” where traffic from one of the public IPs in the pool is routed to the private address using DNAT, and then all outbound traffic from that host is SNATted to come from that public IP.

So the internal hosts can have zero knowledge that they even have a public address, their privates will just start receiving traffic from the internet. When I get a new assignment from my ISP nothing internal will have to change.

It’s port forwarding on steroids!

I see. Well it sounds like you "should" be using prefix translation instead of DNAT/SNAT (i.e., use the iptables DNPT/SNPT targets instead). Probably doesn't matter enough to change though.
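The setup described in this thread, as an added example that is not the commenter's script: the DNAT/SNAT "attachment" next to its DNPT/SNPT (NPTv6) equivalent, plus the FORWARD rules a DNAT needs so the attached host is not exposed on every port. The prefixes 2001:db8:1::/64 (public) and fd00:1::/64 (internal), the interface eth0 and the port list are assumed placeholders; DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the commenter's script). Assumed/constructed values:
#   2001:db8:1::/64  public prefix carved from the ISP delegation (documentation range)
#   fd00:1::/64      internal ULA prefix handed out by DHCPv6
# DRY_RUN=1 (default) prints the ip6tables commands instead of applying them.
set -eu

IP6T=${IP6TABLES:-ip6tables}
WAN=${WAN:-eth0}

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$IP6T $*"; else "$IP6T" "$@"; fi
}

# Baseline stateful firewall: nothing is forwarded unless a rule below allows it.
baseline() {
  run -P FORWARD DROP
  run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# "Attachment" as described in the thread: one public address bound 1:1 to one private host.
# DNAT alone would expose every port on the host, so the FORWARD rule lists the allowed ports.
attach() {
  pub=$1; priv=$2; ports=$3
  run -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
  run -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
  run -A FORWARD -i "$WAN" -d "$priv" -p tcp -m multiport --dports "$ports" -j ACCEPT
}

# Same intent with prefix translation (RFC 6296 NPTv6, the DNPT/SNPT targets): stateless and
# checksum-neutral, the whole prefix is mapped so fd00:1::42 is reachable as 2001:db8:1::42.
npt() {
  pub=$1; priv=$2
  run -t mangle -A PREROUTING -i "$WAN" -d "$pub" -j DNPT --src-pfx "$pub" --dst-pfx "$priv"
  run -t mangle -A POSTROUTING -o "$WAN" -s "$priv" -j SNPT --src-pfx "$priv" --dst-pfx "$pub"
}

# Stand-alone run: print (or apply) the full rule set.
main() {
  baseline
  attach 2001:db8:1::42 fd00:1::42 22,443
  npt 2001:db8:1::/64 fd00:1::/64
}
main
```

With NPT the FORWARD rules still apply to the translated (internal) addresses, so the same port allow-list from attach() carries over unchanged.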