[wongabu]

There is no working solution to ipv6 dual WAN failover, 30 years later... A critical design flaw that was simply ignored by the designers despite being used in almost any SME network.

inb4 no you can't have all lan devices have multiple ipv6 addresses and choose for themselves, typically 1 WAN is cheap and the second WAN is expensive/slow and should be used only for WAN1 failover

Inb4 no you can't just advertise new RA, devices on lan can takes minutes to update.

On ipv4, NAT+changing route on router just works, 1-2 seconds failover.

[bigfatkitten]

> There is no working solution to ipv6 dual WAN failover, 30 years later... A critical design flaw that was simply ignored by the designers despite being used in almost any SME network.

One of the major issues with IPv6’s design and development is that the people who designed it do not operate networks, nor do they build networking products. They literally fly around the world to committee meetings for a living.

Critical use cases like this are missed and/or ignored because they do not fall within the committee members’ ivory tower world view.

[icedchai]

The actual solution is network prefix translation. You effectively NAT the primary network when failed over to the secondary. See https://docs.netgate.com/pfsense/en/latest/recipes/multiwan-... for an example.

[wongabu]

That's one ugly hack, which assumes (1) WAN1 has static ipv6 (the typical SME has dynamic DHCPv6 address...) (2) all the devices will behave correctly when running on NPT on failover WAN2. Many devices do not know about NPT which is basically NAT for ipv6, and break on p2p protocols like voice, video, streaming. They'll send the wrong NPT address to the other side, which try to connect back to the WAN1 address, which is down because of failover.

[icedchai]

It is a hack, no argument. It seems fine for web traffic... You'd have to do some scripting to handle the dynamic prefixes. My own dynamic v6 prefix hasn't changed in years.

If you want "real" failover, get an ASN, your own prefixes, and run BGP. I know that's not for everyone!

[mrsssnake]

IPv4 has exact same problem, the NAT is working here because devices does not actually have proper Internet connection, all connections are terminated on NAT and reassembled after.

Actual solution could be extending TCP and UDP or make a new transport layer procotol that handles changing addresses, similar to what QUIC do. But we cannot do it exactly because things like NATs existing, thus QUIC build was build on ossificated UDP. Imagine if instead of IP+port a connection use unique per-connection hash to persist IP addreses changing. No more trying fighting to keep the IP the same.

[wongabu]

Ipv4 does NOT have this problem. The typical setup is always NAT for ipv4 lan, so external address can be changed with minimal disruption.

All ipv4 apps that require hole punching assume they will need to "discover" the external address anyways, for every new p2p connection.

In contrast to the vast majority of ipv6 apps which assume their ipv6 address is identical to external ipv6 address, as this is(was) the main marketing point of ipv6 - directly addressable end points.

[icedchai]

"Directly addressable endpoints" is how the Internet is supposed to work. It's how it did work for anyone who grew up with the 90's Internet.

NAT is a hack that let us get 30+ more years out of IPv4, nothing more. Sadly, we now have a generation of engineers who thinks NAT is normal.

[yjftsjthsd-h]

Can you just NAT66?

[wongabu]

Have you tried it? NAT66 implies using fd00::/8, which then gets deprioritized in all devices below ipv4, in accordance with RFC 3484. The end result: all devices revert to using ipv4 on dual stack lan.

Ipv6 is fundamentally broken for failover scenarios.

[Dagger2]

> NAT66 implies using fd00::/8

No it doesn't. Use the GUA from your primary ISP.

[ectospheno]

You can change the priority.

[JackSlateur]

Pretty sure BGP exists. NAT, also.

[wongabu]

BGP is not for everyone: get an ASN, your own prefixes, and run BGP. Compare that to the simplicity of ipv4 NAT.

Ipv6 NAT66 is fundamentally broken, see sibling comment.

[bigfatkitten]

If you ever find a cellular carrier who will do BGP over LTE for a retail customer, let me know.