Feature Request: IPv6 NAT66 Support

It would be really nice to add NAT66 support for IPv6 in ROSv7!

Thanks.

You mean NAT64?

No, I mean proper IPv6 NAT support.

As far as I know it is now supported on kernels 3.9+

Please give links to the RFC or description of what you mean.

IPv6 doesn’t need any NAT by design :slight_smile: The only NAT needed is for access to IPv4 (NAT64).

Forgive me, I meant to say NAT66 (which is the proper term).

https://tools.ietf.org/html/draft-mrw-behave-nat66-01

Juniper has already implemented NAT66.
http://www.juniper.net/techpubs/en_US/junos14.1/topics/concept/network-address-translation-overview.html#jd0e173

IPv6 NAT

IPv6-to-IPv6 NAT (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, IPv6-to-IPv6 Network Address Translation (NAT66), is fully supported by the Junos OS.

http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/ipv6-nat-overview.html

Also CentOS, for example, with kernel 3.7+ already supports NAT66:
http://atoomnet.net/howto-ipv6-nat-in-centos-6/
http://kernelnewbies.org/Linux_3.7#head-103e14959eeb974bbd4e862df8afe7c118ba2beb

There is also an RFC about NPT (Network Prefix Translation), which is also useful:
https://tools.ietf.org/html/rfc6296


Regardless of the RFCs though, I believe NAT66 is an extremely useful feature.
It would be a shame to not implement it when giants like Juniper do.

Since RouterOS is essentially Linux based, and since the Linux kernel in recent versions does support NAT66, it’s merely a matter of integrating an already implemented feature into the ROS UI/CLI (ok, that’s speculation on my part, but I mean the hard work, the implementation, has already been done :slight_smile: ).

Please consider adding support for NAT66. I am sure many people will appreciate it.
It won’t hurt those who oppose NAT but it will help those who need it for whatever reasons (good or bad - in network engineering terms).

I’m not for NAT66, but NPT (RFC 6296) is useful in some configurations for SMEs with a multihoming connection to the Internet, and the Linux kernel supports this. For this feature I vote.
But please, first policy routing for IPv6 (without it, multihoming with NPT is not possible) and router advertisement with router selection priority (RFC 4191, sections 2.1 and 2.2).

If you need to use NAT with IPv6 you’re doing something wrong.

No offense, but that’s just a lame argument and you know it. By that logic if you are using NAT on IPv4 (which I am sure you do) then you are doing something wrong. There isn’t right and wrong. NAT is just a tool among many others. Just because you don’t need it or you don’t like it doesn’t make it ‘wrong’.

Or just because the so-called IPv6 evangelists say there shouldn’t be NAT, that does not mean that there are no legitimate use cases for some networks.

What I really don’t understand is what is the problem? If someone does not want to use NAT (for ideological IPv6 nonsense or because there is no need) then don’t use it. But some of us need to use it so please enough with this ‘propaganda’ about NAT.

If Juniper, which is among the leaders that actually route the whole internet, implements it, then there is a reason and a use for it.
I don’t think that a company that deals only with enterprise clients would spend time implementing a feature that wasn’t asked for.

I honestly cannot understand why anyone would oppose a feature that they don’t need. If you don’t need it, just don’t use it. Don’t deprive the rest of us of the opportunity to have it.

Ok. NAT66 is wrong.

Let’s see…
You have a private network, and IPv6 IPs assigned to your machines from one provider.
Now you want a secondary provider as redundancy for outgoing IPv6 access, and that provider hands you another IPv6 subnet (maybe even dynamically assigned).

Except for paying a lot of money to have your own IPv6 subnet and publishing it via BGP on both providers, can you offer a solution to have this redundancy AND not change the network’s internal v6 IPs, other than NAT66?

Second use case:
A slower static IPv6 subnet from one provider. A high speed dynamically assigned IPv6 subnet from a second one. You want to have incoming connection on the first, outgoing connections for the internal machines on the second… Any other (cheap) solution except NAT66?

Both scenarios are handled natively by IPv6 without NAT66 or BGP peering with PI prefixes…
The first scenario (active-backup multihoming) I have used in combination with Mikrotik routers in many places for years.
The second (active-active multihoming) is not possible with Mikrotik because ROS does not have support for IPv6 policy routing.
Well, for the second example the simplest way now is to use NPT, network prefix translation (RFC 6296), rather than the other mechanisms (default source address selection configuration and so on). So support for NPT would be nice for this situation in some environments, but first, policy routing for IPv6 (and router preference advertisement) is missing as the foundation for active-active multihoming in any case.
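To make concrete what the stateless NPT mentioned above (RFC 6296, linked earlier in the thread) actually does on a packet, here is an added Python example; it is not code from this thread, from RouterOS or from the Linux kernel. It rewrites the /48 prefix of a source address on the way out and of a destination address on the way in, and applies the RFC's one's complement adjustment to the 16-bit word at bits 64..79 so that the TCP/UDP/ICMPv6 pseudo-header checksum is unchanged, which is why no payload or transport-header rewriting is needed. The two prefixes and the host addresses are constructed sample values (a ULA prefix and a documentation prefix), and the example only handles equal prefix lengths of /64 or shorter.

```python
import ipaddress

# Constructed sample prefixes (not from the thread): a ULA prefix inside the
# site and a provider-assigned prefix from the IPv6 documentation range.
INTERNAL = ipaddress.IPv6Network("fd01:203:405::/48")
EXTERNAL = ipaddress.IPv6Network("2001:db8:1::/48")


def words(addr):
    """Split a 16-byte IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(w):
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def ones_add(a, b):
    """16-bit one's complement addition with end-around carry (checksum arithmetic)."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_sum(ws):
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def npt_adjustment(internal, external):
    """RFC 6296 section 3.1: the one's complement difference between the word
    sums of the internal and external prefixes. Adding it to IID word 4 (bits
    64..79) cancels the change the prefix swap makes to the pseudo-header
    checksum, so translation stays stateless and checksum-neutral."""
    if internal.prefixlen != external.prefixlen or internal.prefixlen > 64:
        raise ValueError("this example handles equal prefix lengths of /64 or shorter")
    sum_in = ones_sum(words(internal.network_address)[:4])
    sum_ex = ones_sum(words(external.network_address)[:4])
    return ones_add(sum_in, (~sum_ex) & 0xFFFF)  # sum_in - sum_ex in one's complement


def translate(addr, from_net, to_net, adjustment):
    """Swap the prefix of addr from from_net to to_net, keep the host bits, and
    add the adjustment to word 4. A result of 0xFFFF is written as 0x0000
    (RFC 6296 section 3.1); both are one's complement zero, so neutrality holds."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_mask = (1 << (128 - from_net.prefixlen)) - 1
    w = words(int(to_net.network_address) | (int(addr) & host_mask))
    w[4] = ones_add(w[4], adjustment)
    if w[4] == 0xFFFF:
        w[4] = 0x0000
    return from_words(w)


def outbound(src):
    """Packet leaving the site: internal source address -> external source address."""
    return translate(src, INTERNAL, EXTERNAL, npt_adjustment(INTERNAL, EXTERNAL))


def inbound(dst):
    """Packet entering the site: external destination -> internal destination.
    The inverse adjustment is the one's complement negation of the outbound one."""
    return translate(dst, EXTERNAL, INTERNAL, (~npt_adjustment(INTERNAL, EXTERNAL)) & 0xFFFF)


def checksum_neutral(a, b):
    """True when both addresses contribute the same value to a pseudo-header
    checksum (0x0000 and 0xFFFF are the same one's complement zero)."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF


if __name__ == "__main__":
    inside = "fd01:203:405:1::1"
    outside = outbound(inside)
    print(inside, "->", outside, "-> back to", inbound(outside))
    print("checksum neutral:", checksum_neutral(inside, outside))
```

Because the mapping is algorithmic and checksum-neutral, the translator keeps no per-flow state, which is the property that separates NPTv6 from the stateful NAT66 discussed in the rest of the thread; note that it still changes addresses end to end, so protocols that embed addresses in their payload are affected exactly as the next posts describe. On Linux the same translation is what the ip6tables SNPT/DNPT targets (kernel 3.7 and later) perform in the mangle table.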

Ok. Got it now.
Basically both situations can in fact be covered by NPT (I have always regarded that one as a kind of NAT).
Thanks for clarifying this to me.
So +1 for NPT.

Yes, with NPT or any other IPv6 NAT variant the configuration looks a bit simpler than using dynamic renumbering and so on… But, but, have you tried to use any form of IPv6 NAT in real life?
I did, and very quickly left it. This NAT breaks end-to-end transparency, and there are protocols that expect it. When I tested this the last time, the Linux IPv6 NAT was able to handle only active FTP.
But protocols like IPsec, SIP VoIP, MIP, … were not able to operate over IPv6 NAT. And if you look deeply into some RFC editorials about IPv6 NATing / IPv6 multihoming, there are recommendations for IPv6 NAT implementations not to implement any protocol helpers, and a recommendation for application developers/protocol designers not to complicate their products/protocols with NAT traversal extensions, because IPv6 NAT is not intended as a mainstream solution…

Regardless of what some applications/protocols do or don’t, having some form of NAT (at least NPT) in your toolbox is useful.
Not all networks are the same, or are able to change because of this arbitrary ‘requirement’ of end to end connectivity.
Plus, not all networks are connected to the public internet but may need a quick ’n’ dirty ‘gateway’ to it without changing tons of IPs just ‘because’…

We’ve all used FTP, SIP, and all of that jazz for 2 decades now with NAT. Yes, it’s not perfect, nor ‘right’ but just because a few protocols require you to have end to end connectivity to work, does not mean that NAT becomes useless or even bad for all the other protocols out there.

Not all use cases are the same.

To put it differently, let’s say I don’t use RIP because I prefer OSPF or because I am just biased against it.
Should Mikrotik (or any other vendor) ditch RIP because I don’t use or like it? Of course not.
I may not need it, but someone else might! I wouldn’t go downvoting feature requests just because I don’t need them. Especially when they don’t interfere with my way of working (as I said, NAT is just a tool, if you don’t want it don’t use it).

Can someone please explain why there isn’t IPv6 (internet address) to IPv4 (internal network) NAT? Let’s not talk about masquerade, but what about 1:1 NAT?

I would +1 this. I have plenty of devices in my setup that I see no need in even having a public address (local media servers, printers), and if I wanted something public nothing is stopping me from assigning one of the /64 addresses to it. It may not be “needed”, but I also don’t want to have to update all firewall rules any time my ISP decides my currently assigned /64 needs to change. I want to be in control of my assignments (which means I need a local pool to myself) and allow them to connect whenever I choose (NAT).

So far both NAT64 and NAT66 derivatives are essential and handy,
and NPT forks for IPv6 as well, including rebranded versions from the two biggest vendors.
But personally I care about NAT64 and NAT46 (yep, it exists TOO) a bit more, for obvious reasons, yet ;=)
Either way, NAT remains a cornerstone of networking, with or without IPv6 or TCP/IP itself (in different shapes/forms, then) :stuck_out_tongue:

+1.

+1

I am a dual-homed residential customer and both my ISPs support IPv6.

IPv6 multihoming without BGP is nearly impossible to do “the IPv6 way”, i.e. with two advertised prefixes on the same LAN, from the two routers of the two ISPs. Most people use NAT66 to have a predictable behaviour in case of single failure.

I use it with iptables; it has been included in Linux kernels for many years. Add it to the list of benefits of an upgraded kernel.

I believe stateless NPTv6 to be useful as well (it solves the use case above), but I do not have a production deployment at this time.

I have been using ND proxy for a while, on an OpenWRT device that I am now trying to replace with a Mikrotik using bridge firewall + “use-ip-firewall”, i.e. an ND bridge with IPv6 stateful firewall (same /64 prefix on the two interfaces). I am doing it in my spare time, but if/when done I will keep you informed.

I asked if there would be extensions to IPv6 at a recent MUM (mentioning only policy routing as an example, as without that the NAT66 use case is not valid either),
and unfortunately the reply was that MikroTik do not see much use of IPv6 and that new development on it cannot be expected before RouterOS v7.
(and of course we all know about that one…)

It is unfortunate, because indeed the Linux kernel in v6 can probably do all that we need to have at least some support for dual-uplink IPv6 without BGP routing,
just for load balancing and failover.