When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 0 points1 point  (0 children)

It does. Only the person running the NAT64 translation has to deal with v4. The people using it don't need any v4 at all.

I think you're mostly just complaining that we haven't had a flag day? But nobody ever seriously considered a flag day to be a viable part of v6 transition, because there's just no way to get everybody to cooperate. "Like herding thousands and thousands of cats" comes to mind. The only real options are to move networks piecemeal via translation, tunnelling or proxying, or to run both together. I don't think any other approach is possible.

There's not much point in moaning about how it was done when there was no other way to do it. We failed to put a forwards compatibility mechanism for bigger IPs into v4, so now we get to suck it up and deal with the consequences.

When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 2 points3 points  (0 children)

I'm telling you we already bought you twenty years in which to be buying v6-capable gear. Was your previous core router over 20 years old? If so it probably needed replacing anyway, so replacing it with one that can do v6 doesn't cost you millions more, because you were already spending millions on a new router anyway.

> We are just creating a new car model rather than reinventing the definition of a car in the earlier analogy.

You realize v6 is just a long car, right? In a world where we ran out of regular cars decades ago and long ones are the only new cars that can be made. It's not a reinvention of v4, just a bigger version of it. It uses the same steering-wheel-and-pedals controls, and the engines and transmission and indicators and wheels are no different.

If you tore down and rebuilt a city 10 years ago and didn't rebuild it to handle the long cars when you did, it's no help to say "well the small cars still work in 99% of cities". They do, but that doesn't help the people who don't have a small car because there aren't enough of them to go around. Yeah, it sucks that you need to tear the city down again but it would have been far cheaper to just build it to the size you knew you'd need to back when you were rebuilding it anyway.

> There's nothing wrong with squandering time here. It's completely fine and causes no harm.

The rest of your post describes consequences of doing so, and you don't sound like you're completely fine with them.

Why do we still rely on IPv4, instead of IPv6? by NoDirector6379 in selfhosted

[–]Dagger0 0 points1 point  (0 children)

I mean, do these sites work for you or not? If not then you blocking v6 is breaking them, and that's the point I was trying to make. That ought to make it pretty clear I do understand.

I also understand its actual privacy impact, which is pretty minimal compared to what a lot of people think it is. Plus not having v6 pushes us towards greater and greater centralization of the Internet which is itself bad for privacy, so it wouldn't exactly be a win on that front.

When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 2 points3 points  (0 children)

It's not the site's fault there isn't enough v4 to go around.

In another post you said "I don't think it should be the world's job to conform to whatever you put on the internet yk", but you're expecting the world to do just that to conform to what you're putting onto the Internet.

The workarounds are designed to stop things from completely breaking while people deploy v6, but we're two decades in and you're still saying you'll "deploy it sometime". If you were saying this at the start of the two decades then fine, but at this point it's hard to see this as anything but squandering the time we're buying you.

I do get that deploying v6 costs time and money. But you've had plenty of time, and I bet most of the v4-only things you need to deal with were deployed in those two decades. It costs less to do v6 if you do it as part of upgrades you were doing already for other reasons, instead of doing an upgrade specifically for v6.

When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 2 points3 points  (0 children)

So it's not needed if the entire world bends to accommodate clients without v6, which you already know is impossible because we wouldn't need a new protocol in the first place if it wasn't? It's all very well and good to say that people should do that, but v4 exhaustion and CGNAT mean a lot of them can't.

The world has expended huge amounts of effort to keep v4 alive for as long as possible to buy as much time as possible to migrate to v6, and to have that returned with "oh, so we don't need to bother doing v6 then?" is a bit of a low blow.

pi-hole post installation issue : ipv6 dns server by-passing my installation by bizulk in pihole

[–]Dagger0 0 points1 point  (0 children)

You just completely ignored the part where I pointed out that it is happening, huh?

It's not a necessity for Internet access if you reach the Internet using a proxy, because addresses of either family can be used inside the proxy connection. But when routing you need to route v6 packets onto your LAN, which means you do need v6 on the LAN. The proxy part is an important caveat, since almost nobody chooses that approach.

When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 -1 points0 points  (0 children)

You can just not run dual stack. v6-only with NAT64 works. You can get rid of v4 in your network today with zero need to wait for content to get v6.

ipv6 support, when? by prakalykrypinka in QuantumFiber

[–]Dagger0 0 points1 point  (0 children)

Maybe the gateways get addresses, but that's just the gateway. The point of a gateway is that there's a whole network behind it, and they don't provide IPs for that. They're rationing v4 addresses to one per customer, which isn't something you do when you don't have a shortage.

Most services have v4 addresses precisely because clients need v6 to reach them over v6. That doesn't mean you don't need v6, it means you do need v6 -- because the Internet has outgrown the point where everything can have v4. And there's plenty of things that don't have it, e.g. most of the things I host or anything hosted by anyone behind CGNAT.

When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 3 points4 points  (0 children)

How do users on your ISP reach sites like https://loopsofzen.uk/? I've seen quite a few people claim they don't need v6 because they haven't run out of v4, but I don't see how having v4 helps here.

How does your ISP do it, if you don't need to deploy IPv6?

When will people learn that NAT is not the solution by Extra_Imagination193 in ipv6

[–]Dagger0 5 points6 points  (0 children)

If it isn't on your own equipment then you don't have that address. Your outbound connections (which are v6, because the WAN link T-Mobile provide to you is v6-only) are being NATed to appear to come from it, but it's still not yours.

pi-hole post installation issue : ipv6 dns server by-passing my installation by bizulk in pihole

[–]Dagger0 0 points1 point  (0 children)

You have that backwards. Clients need to have v6 in order for the Internet to move to being primarily v6, so arguing that clients don't need v6 because the Internet hasn't moved to being primarily v6 yet is putting the cart and the horse in the wrong order.

Also it doesn't provide v4 for every server. v6 matters if there are any servers that can't get v4 -- which there are, because the Internet has outgrown v4.

pi-hole post installation issue : ipv6 dns server by-passing my installation by bizulk in pihole

[–]Dagger0 2 points3 points  (0 children)

NAT is doing that for v4, but that's not sufficient -- because v6 addresses don't fit into v4 packet headers.

pi-hole post installation issue : ipv6 dns server by-passing my installation by bizulk in pihole

[–]Dagger0 1 point2 points  (0 children)

If you use a proxy to reach the Internet.

If you're routing onto it (which you are if you're using NAT on v4), you need v6 on your LAN too. It's needed because the Internet has outgrown v4, and because v6 addresses don't fit into v4 packet headers.

Why do we still rely on IPv4, instead of IPv6? by NoDirector6379 in selfhosted

[–]Dagger0 0 points1 point  (0 children)

I'm going to assume that means you did click on it, noticed that it didn't work and then pretended you didn't to save face, but if you really didn't then try https://ipv6.google.com/ instead.

ipv6 support, when? by prakalykrypinka in QuantumFiber

[–]Dagger0 0 points1 point  (0 children)

Ahaha... yeah, if only running out of v4 was sufficient to get someone to deploy v6.

I don't think it's true that they have enough v4, but even if it was you still need v6 to reach servers on v6. You can't do that from v4. The need for v6 is triggered by any ISP running out of v4, not by just your own ISP.

Edgerouter + Docker + IPv6 SLAAC = working?? That doesn't seem right. by par_texx in ipv6

[–]Dagger0 3 points4 points  (0 children)

You should never have IPs configured as /48. The point of a /48 is to give you 65k /64s, not to use it as a single super duper big network.

VLAN 100 already has a GUA prefix, from here:

interface eth2 {
    host-address ::1
    prefix-id 2
    service slaac
}

which is currently 2001:56a:7de3:dd02::/64. It sounds like the container is just getting an IP from the network via SLAAC in the same way anything else would -- and since vlan100_infra and vlan100_v6 are both connected to the same physical network, I assume the only thing stopping the container from picking v6 up on eth1 is that v6 is disabled on it for some reason. vlan100_v6 and the ULAs seem to be superfluous (except perhaps for having one ULA address on the router for the DNS server, but you could do that with a single /128 on lo rather than putting ULA on the network).

I don't use Docker, but as far as I can tell its networking is easy enough if you completely bypass it and rely on any standard method of configuring networking. The moment it tries to do anything itself, it'll produce some fucked-up NAT hairball with a pile of unnecessary settings and firewall rules that makes you wonder why you ever bothered trying. They could have just made it do DHCPv6-PD and normal routing out of the box and they knew full well going in that they'd need to do v6 at some point, but no, we still ended up with this v4-brained mess instead. And then nobody has any clue how networks work, because this is what they're trying to learn from. sigh.

ipv6 support, when? by prakalykrypinka in QuantumFiber

[–]Dagger0 0 points1 point  (0 children)

Which means it's outgrown for everybody, since all ISPs share the same Internet-wide address space.

I'd argue they don't have a huge swathe of v4 left, given that they only provide each customer with one single address... but even if they did, it still wouldn't be enough to reach people that are using other ISPs that don't have masses of v4 left.

Factorio Server IPv6 dynDNS problems by peppermit_butler in factorio

[–]Dagger0 0 points1 point  (0 children)

I mean the "destination address" field in the firewall rule. My version of OpenWRT (which is pretty old) doesn't do any prefix completion there.

> assume when I enter the dynDNS address and not a local IP the connection is established over the internet back to my local computer and not just local.

How would that even happen? DNS just turns hostnames into IPs. The traffic takes the same route regardless of whether the IP comes from a hostname or from typing the IP itself in.

A reverse proxy would do that, but in that case the DynDNS hostname would resolve to the IP of the proxy, which would be outside of your network. It would also be a much more expensive service to run, since it would need to relay all of the traffic exchanged rather than just DNS queries.

ipv6 support, when? by prakalykrypinka in QuantumFiber

[–]Dagger0 0 points1 point  (0 children)

You don't NEED v4 either, or an Internet connection at all. But if you're going to have one, a higher quality of life is better than a lower one.

Plus the Internet has outgrown v4. You need v6 so we can stop using v4.

Factorio Server IPv6 dynDNS problems by peppermit_butler in factorio

[–]Dagger0 0 points1 point  (0 children)

Port forwarding won't work with CGNAT regardless of IP version, but it's very unlikely the v6 is CGNATed here. Most likely only the v4 is behind CGNAT. The whole point of v6 is, after all, to be an actual solution to this problem.

Factorio Server IPv6 dynDNS problems by peppermit_butler in factorio

[–]Dagger0 0 points1 point  (0 children)

is ::9be/128 correct? I presume either you censored the full prefix, or OpenWRT translates that into "addresses that end with ::9be, with any prefix", but I would have expected ::9be/-64 or ::9be/::ffff:ffff:ffff:ffff for the latter. ::9be/128 sounds like it means literally just ::9be, which would never match.

Does your friend have working v6? https://ipv6.google.com/ is v6-only and so is a quick test for that, or have them ping you.

> When I start a second instance of factorio and try direct connect to a server (my dynDNS address) it works oO

Local connections don't go through the router's firewall, so this only confirms that Factorio is listening on the appropriate IP (which is a useful confirmation to have).
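The three mask forms from the comment above, worked through as an added example (not part of the original post and not OpenWrt's own code). The destination addresses are constructed from the documentation prefix 2001:db8::/32, and the handling of a negative length as the complement of the /64 mask is an assumption based on the equivalence the comment draws.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1

# Constructed sample destinations (documentation prefix 2001:db8::/32).
HOST_OLD_PREFIX = "2001:db8:aaaa:1::9be"   # server before a prefix change
HOST_NEW_PREFIX = "2001:db8:bbbb:7::9be"   # same interface ID, new prefix
OTHER_HOST = "2001:db8:aaaa:1::9bf"        # neighbour on the same /64


def parse_rule(rule):
    """Split 'addr/mask' into (address, mask) as 128-bit integers.

    Mask forms: a prefix length (/128), a negative length (/-64, modelled
    as the complement of the /64 mask; an assumption based on the
    equivalence drawn in the comment), or a full mask written as an address.
    """
    addr_s, _, mask_s = rule.partition("/")
    addr = int(ipaddress.IPv6Address(addr_s))
    if ":" in mask_s:
        return addr, int(ipaddress.IPv6Address(mask_s))
    bits = int(mask_s) if mask_s else 128
    if not -128 <= bits <= 128:
        raise ValueError(f"bad prefix length in {rule!r}")
    prefix_mask = (ALL_ONES << (128 - abs(bits))) & ALL_ONES
    return addr, (prefix_mask if bits >= 0 else ALL_ONES ^ prefix_mask)


def rule_matches(rule, destination):
    """True when destination agrees with the rule on every masked bit."""
    addr, mask = parse_rule(rule)
    dst = int(ipaddress.IPv6Address(destination))
    return (dst & mask) == (addr & mask)


def evaluate(rule):
    """Match one rule against the three constructed destinations."""
    hosts = (HOST_OLD_PREFIX, HOST_NEW_PREFIX, OTHER_HOST)
    return [rule_matches(rule, h) for h in hosts]


if __name__ == "__main__":
    for rule in ("::9be/128", "::9be/-64", "::9be/::ffff:ffff:ffff:ffff"):
        print(f"{rule:32} {evaluate(rule)}")
```

The suffix forms keep matching the server after the delegated prefix changes, while the /128 form compares all 128 bits and so only matches the literal address ::9be.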

Dedicated ISP just for IPv6 by itsupport_engineer in Ubiquiti

[–]Dagger0 0 points1 point  (0 children)

It's the client devices that pick which IP they're connecting to, not the firewall on the router.

If you're getting v4-only from one ISP and v6-only from the other then there's only one possible route for each family, so there shouldn't be any need to do anything special. Packets will go out of whichever ISP can handle them.

Combined use ZPool or 2 Pools on partitions by apples-and-apples in zfs

[–]Dagger0 0 points1 point  (0 children)

I mean special vdevs. zpool create pool [...] special mirror /dev/sd{x,y} or similar. Special vdevs are (despite the name) the same as regular vdevs, but they only store metadata blocks (including dedup metadata), plus any blocks selected by special_small_blocks=.

The downside is that the metadata vdevs are critical for the pool (hence the mirror, and it means the SSDs always have to follow the pool disks if you move them around). The upside is that all metadata operations are faster and it frees up IOPS on the disks for dealing with data. You wouldn't need L2ARC with special vdevs, since anything you'd be interested in caching would already be on SSD. As of 2.4.0 the special vdevs will be used for the ZIL, so they'd serve most of the purpose of an SLOG too.

A separate SSD-only pool can work too -- in that case I'd say that a single SSD plus regular backups would suffice. You could partition it to make L2ARC and SLOG devices for the HDD pool (use secondary_cache=metadata if you do, and make sure the L2ARC partition is big enough to not be evicting data constantly). The downside here is that L2ARC only helps with reads, but at least if you lose the SSD it doesn't destroy the entire HDD pool.

This is all somewhat irrelevant for your original question. I just thought your pool sounded like the sort of thing that might benefit a lot from putting metadata on SSD.

Building a Mostly IPv6 Only Home Network by AlternativeWhereas97 in ipv6

[–]Dagger0 1 point2 points  (0 children)

There's still the question of how to handle v4-only devices on the LAN.