How is your public IP address determined?

Whilst this isn’t a question about MikroTik really at all, I thought I’d ask it here as I find there are some pretty switched on people on the forum.

I’ve got a reasonable understanding of how routers work, but one thing I’ve never worked out is how the various methods of discovering your public IP address work. https://www.ipchicken.com/ tells me my current Virgin Media public IP address. Where is it getting that address from?

It gets the information from actual IP packets arriving at their servers.

I will never tell (get out of my drawers). WANIP = hogwarts, it’s magic!

Anything you access on the Internet knows your IP address, otherwise it wouldn’t be able to reply. It’s in the “Source Address” field of every IP packet that you send.

So at some point, NAT stops when it gets out onto the single network that is the public internet and the last “Source IP” address in the IP packet will be the public IP?

Yup.

Thank god for NAT and IPv4, not sure what disaster IPv6 will bring. :stuck_out_tongue_winking_eye:

IPv6 “disaster” is already here … no more NAT, thank god. Every networked device has a public address so one only needs firewall accept rules instead of NAT rules.
BTW, IP chicken doesn’t show IPv6 address (not for me at least), but others (like https://whatismyipaddress.com/ ) do.

But then … I guess I’ll have a shot of a good home-made brandy, Canadian rye obviously hurts brain :wink:

You have to give it to IPv4 and NAT that it makes some things simple. As a home user, you get your 192.168.88.0/24 LAN (or whatever subnet you have) and it’s only yours, static, and completely separated from ISP. You can connect to ten ISPs, one after another or all at once, and no matter how your WAN addresses change, you still have the same one LAN subnet. And ISP couldn’t care less what subnet you have in LAN.

IPv6 kind of ruins this, but it’s not directly its fault. If you get a public IPv4 subnet, it’s statically routed to you, so even though your network is not completely independent of the ISP, it’s still predictable: once you assign some addresses, they stay the same. It could work the same with IPv6, but ISPs seem to prefer prefix delegation using DHCPv6. I get this part, users are usually not networking experts, so the less manual steps required, the better for most of them. What I don’t get at all is why some ISPs insist on squeezing the most from the “dynamic” part and randomly change prefixes. It’s terribly annoying and there’s no good reason for that.

Another problem with IPv6 is multihoming support, or the lack of it. It’s not entirely true, you can have several ISPs and devices in the LAN can have addresses from each. But it’s up to the device to decide what address (and as a result what ISP) it will use for each outgoing connection. With IPv4 it’s simple, the LAN device doesn’t even know about multiple ISPs and everything is controlled by the router. But this only became popular lately for home and other smaller users. The solution for IPv4 was simple, but so far it seems that nobody thought much about some elegant solution for IPv6. It can use NAT too, in a simpler and more predictable form of mapping one prefix to another, but it’s still kind of NAT, so nothing for purists. In theory, there are provider-independent addresses, so you can have a static subnet of your own and use it with different ISPs at once, but it’s not something you’ll easily get at home.

That said, NAT is not great, it causes many problems and it’s only because we mostly got used to it that it may seem OK. The sooner we move to IPv6, the better, because we will be able to focus on improving something that has any hope for a bright future. Unlike IPv4, where we’re just trying to find the millionth way to get through NAT.

I have never seen a sensible solution suggested. Take an example of a user with multiple sites, centralised Internet access via a main and a secondary connection. When the main Internet fails, the hosts at the remote sites won’t be aware of this as the routing change is happening several hops away. Vaguely possible solutions would be:
(1) Use Provider Independent addressing. Downside is that you can only deal with ISPs who are prepared to announce your PI prefix. You can’t really have active/active except by having multiple prefixes and persuading your ISPs to prioritise them to your requirements. And you need BGP on all your Internet routers. And if everyone does this the Internet routing tables would grow immense with no summarisation possible.
(2) NAT, except as we know IPv6 means you don’t need NAT, so it has to be called something else. Prefix Translation means that the host portion of every address remains unchanged, but the prefix is translated to match the Internet connection in use. So it’s a one-to-one NAT and can be completely stateless. Any outside address has an unambiguous mapping to its internal equivalent.
Other “downsides that nobody mentions” of IPv6 without NAT include having to renumber your entire enterprise every time you change ISP, and the fact that using stateless address assignment means everyone on the Internet knows your device’s MAC address.
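The stateless prefix translation described in (2), written out as an added example (not code from the thread or from MikroTik): it follows the RFC 6296 (NPTv6) scheme for /48 prefixes, where the prefix is swapped and the checksum difference is folded into the subnet word so the host part and all transport-layer checksums survive untouched. The prefixes and address below are constructed sample values.

```python
import ipaddress


def _words(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words):
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def checksum_class(addr):
    """One's-complement class of an address: the only thing a TCP/UDP/ICMPv6
    pseudo-header checksum depends on (0x0000 and 0xFFFF are the same value)."""
    return sum(_words(ipaddress.IPv6Address(addr))) % 0xFFFF


def npt_translate(addr, from_prefix, to_prefix):
    """Stateless /48 prefix translation in the style of RFC 6296: replace the
    prefix and adjust the subnet word (bits 48-63) so the address stays
    checksum-neutral; bits 64-127 (the host part) are never touched."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    w = _words(a)
    if w[3] == 0xFFFF:
        # Not representable in one's-complement arithmetic; refuse rather than mis-map.
        raise ValueError("subnet word 0xffff cannot be mapped checksum-neutrally")
    old = sum(_words(src.network_address)[:3])
    new = sum(_words(dst.network_address)[:3])
    w[:3] = _words(dst.network_address)[:3]
    # One's-complement add of the prefix difference; the modulo also applies the
    # RFC's rule that a result of 0xFFFF is written as 0x0000.
    w[3] = (w[3] + old - new) % 0xFFFF
    return _from_words(w)


if __name__ == "__main__":
    # Constructed example: ULA inside, documentation prefix as the "ISP" side.
    inside = "fd00:1234:5678:1::a"
    outside = npt_translate(inside, "fd00:1234:5678::/48", "2001:db8:abcd::/48")
    print(inside, "->", outside)
    print("checksum-neutral:", checksum_class(inside) == checksum_class(outside))
```

Running the same function with the prefixes swapped maps the outside address back to the original, which is what makes the mapping unambiguous in both directions without any state.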

What’s so special about my tablet’s MAC address that nobody should know it?

It gives a pretty good idea about your hardware.

So does typical agent string used by browser. Some cookies, enforced by many popular sites, can contain even more data … and about OS as well, which is plenty more important than the fact I’m using a Huawei MediaPad T5 with MAC address AC:BD:70:97:94:54 to post this.
BTW, my tablet currently has 3 IPv6 addresses: 1) a link-local address, 2) a routable address with my prefix, but the rest is the MAC address (just like the link-local address) and 3) a routable address which does not resemble the MAC address at all. And guess what: the tablet uses address #3 for internet connections. And all addresses are the result of ND, I don’t have a DHCPv6 server in the network.

IPv6 is faster than IPv4 and enables end to end connectivity. You need to be deploying IPv6 :slight_smile:

https://www.zdnet.com/article/apple-tells-app-devs-to-use-ipv6-as-its-1-4-times-faster-than-ipv4/

We’ve run it in dual stack for several years at our data centers, our offices and at home. Happy eyeballs sorts just about all issues these days. IPv4 with NAT is not a long term solution - it should be considered a transition technology to enable IPv6. The price of IPv4 blocks at auction continues to climb.

I was just recently on the IPv6 Buzz podcast (Packet Pushers) talking about CGNAT and how we use it to enable IPv6 adoption in service providers.

https://packetpushers.net/podcast/ipv6-buzz-065-understanding-carrier-grade-nat-cgn-and-ipv6/

And FWIW, mobile phones have been using IPv6 for a decade with IPv4 CGNAT and nobody seems to have an issue with that.

Sorry to push this further, I’d just like to show how irrelevant the concern about ND-constructed IPv6 addresses is …

My Windows 10 desktop currently has no fewer than 7 IPv6 addresses, one of them is link-local and 6 are routable, of which 5 are tagged as “Temporary IPv6 Address”, one is “IPv6 address” (implying that this one might be a sticky one and resembles the link-local address - the least significant 64 bits are the same). When connecting to one of the sites with a web page displaying your IP address, it uses one of the temporary ones.

Do I have to write that none of addresses (not even the link-local one) resemble NIC’s MAC address?

So do have faith in OS makers to “anonymize” made-up IPv6 addresses … the mechanism is there (for making up an Automatic Private IPv4 address) and some vendors are even using it for making up MAC addresses …

This is why RFC 4941 exists - Windows, Mac and Linux all support privacy extensions to obscure the MAC address when using SLAAC + EUI-64. The problem of exposing identifying information was considered as far back as 2007 and operating systems have long since enabled this functionality.

https://tools.ietf.org/html/rfc4941
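An audit check for what the last few posts describe, added here as an example (not code from the thread or from any OS vendor): it classifies each IPv6 address a host reports and, where the interface identifier is modified EUI-64, recovers the MAC it embeds, so an administrator can confirm that privacy extensions are actually in use. The sample address list is constructed, modelled on the tablet described above; the ff:fe test is a heuristic, since a random RFC 4941 identifier can contain those bytes by chance.

```python
import ipaddress

# Constructed sample: link-local, a global EUI-64 address and a temporary one.
SAMPLE = [
    "fe80::aebd:70ff:fe97:9454",
    "2001:db8:1:2:aebd:70ff:fe97:9454",
    "2001:db8:1:2:1a2b:3c4d:5e6f:7a8b",
]


def interface_id(addr):
    """Low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 identifier, else None.
    EUI-64 inserts ff:fe between the two MAC halves and flips the
    universal/local bit (0x02) of the first octet."""
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def scope_of(addr):
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


def audit(addresses):
    """One row per address: (normalised address, scope, embedded MAC or None).
    Any row with a MAC on a global address is a host still using plain EUI-64."""
    return [(str(ipaddress.IPv6Address(s)), scope_of(s), mac_from_eui64(s))
            for s in addresses]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```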

As long as I can get one IPv6 address for my router and I will NAT everything behind it '=PPPPP
Of course if we all want to do one to one nat for every device argg…
Imagine making a firewall rule for every device,… this is stewpid… need more rye!!

It’s no different from IPv4. You’ll allow the few things you want to have open, and the rest will be blocked by a default drop/reject at the end. The only difference is that now you typically handle the filtering part with connection-nat-state=dstnat and allow everything, after you forward ports in dstnat, i.e. that’s where you control what’s open. With IPv6 you won’t need dstnat, so you’ll simply have access control in the forward filter.

But this is another thing that needs some more work. When you have public IPv4 address, the expectation is that it’s reachable from internet. It’s the same for IPv6, because it’s still public address. But because all devices will have public addresses, it may not be desirable (you probably don’t want your passwordless printer accessible from everywhere). So the recommendation is to block incoming connections from internet by default on router. Which ruins the reachability for devices where you want it.

It’s not as bad as with IPv4, because with IPv6 you still have public addresses everywhere, so you can easily unblock anything you want, for as many devices as you need (think e.g. about the same port for ten gaming consoles, impossible with a single IPv4 address, but no problem with IPv6, because each device has its own public address).

But manual config is not for everyone. Home users would benefit from incoming connections to some devices, but setting it up manually is not for them. So it needs some automated mechanism. There’s PCP (Port Control Protocol), but it doesn’t seem to be widely implemented. Plus it’s not clear whether that should be enabled by default. If yes, it’s kind of security hole. If not, it’s the same problem again that too many users won’t have incoming connections at all.

About multihoming, professional solutions aside (own prefix, BGP and stuff, because that’s not for little guy), it’s not completely hopeless.

If you’re interested in incoming connections, servers can have addresses from more ISPs at the same time and you can use DNS to control what remote clients will use. Either publish multiple addresses and let clients choose (it should also work as failover, because if one address doesn’t respond, client should try others), or use shorter TTL and update records depending on what connection should be used. Probably good enough.

If it’s about outgoing connections, to have a backup and not depend on just one provider, it’s doable too. Devices can have addresses from more prefixes and when the router detects that its uplink failed, it can advertise the prefix as unavailable and devices should stop using it. But I’m still missing some nice centralized mechanism for telling devices to selectively use one address or another (e.g. to route everything to a selected subnet via one router, while using the other one for everything else). Translating prefixes is possible, but it doesn’t feel clean enough.

Using multiple addresses for a dual-homed organisation, inbound sounds relatively straightforward, the way you explain it. Effectively two overlaid addressing schemes, one derived from each ISP’s allocation.

Outbound multihoming will require some sort of mechanism to strip out the prefixes derived from the failed ISP. This is where it would be interesting to hear from people who actually run these sorts of multi-site and multi-provider networks on IPv6. I’ve only used IPv6 in my home network, which of course is trivial, and in lab or simulation settings. I have a feeling that trying to think in IPv4 terms isn’t helping.