IPv6, subnet isolation, NAT

At home, I have a pure IPv4 network with multiple subnets, which are isolated by small Mikrotik routers. These routers act as NAT firewalls. The Internet router (Fritzbox) has IPv4 and IPv6 connectivity to the Internet. All Mikrotik routers are connected to this Internet router via IPv4. I know that this leads to a double NATing, but this configuration worked well and was safe. I need the protection between these subnets and the protection from the internet. With IPv4 NAT firewalls, the implementation was relatively easy. I did not use the IPv6 connection provided by my provider to keep my security level (disable IPv6 completely).

I now need IPv6 connectivity from one of my subnets to the Internet and I do not know how to do it in a mature way. I searched for best practice configurations, but what I’ve found in relevant internet forums are fundamentalist religious creeds of IPv6 mullahs who oppose any kind of NAT in IPv6. I do not want the unique IP addresses of my devices outside my networks visible. IPv4 NAT was a simple solution. Not every device in my local networks should be able to connect to the Internet. How can I configure this for IPv6 without great complexity with Mikrotik routers?

With FC00 addresses?

You really shouldn’t try to use only local addresses and NAT with IPv6. If you want local addresses use them additionally to your public prefix.

For public routable addresses enable IPv6 prefix delegation on your Fritz Box, add a DHCPv6 client on your Fritz Box facing Mikrotik interface to request a prefix, assign an address (like ::1/64) from the derived pool to your LAN interface and make sure IPv6 neighbour discovery is enabled. Security is achieved by firewall filters, not by NAT.

PS: it’s even possible to avoid double NAT with IPv4 by manually feeding the Fritz Box’s routing table with your internal local networks.

PPS: you may want to consider that all these fundamentalist religious creeds of IPv6 mullahs might actually know how to do IPv6.
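The steps in the answer above, written out as a RouterOS v7 configuration. This is an added example, not part of the original thread and not from either poster; interface names (ether1-wan towards the Fritz Box, bridge-lan towards the subnet), the pool name fritz-pd and the host MAC address are assumptions. It also adds the piece the question asks for: only listed devices may initiate connections to the Internet, and nothing from the Internet may initiate connections inwards, which is what the IPv4 NAT was implicitly providing. Hosts are matched by MAC rather than by address because SLAAC hosts with privacy extensions rotate their global addresses, so an address-based allow list would silently stop matching.

```routeros
# Make sure IPv6 is enabled and the WAN side accepts the Fritz Box's router advertisements
/ipv6 settings set disable-ipv6=no accept-router-advertisements=yes

# DHCPv6 client on the Fritz Box facing interface: request a delegated prefix
# (prefix delegation must be enabled on the Fritz Box) and carve /64s from it
/ipv6 dhcp-client add interface=ether1-wan request=prefix pool-name=fritz-pd \
    pool-prefix-length=64 add-default-route=yes use-peer-dns=no

# Take one /64 from the delegated pool, give this router ::1 in it and advertise it
/ipv6 address add interface=bridge-lan from-pool=fritz-pd address=::1/64 advertise=yes

# Neighbour discovery / router advertisements only on the LAN side, not towards the WAN
/ipv6 nd set [ find default=yes ] interface=bridge-lan advertise-mac-address=yes \
    managed-address-configuration=no other-configuration=no

# --- input chain: traffic to the router itself ---
/ipv6 firewall filter
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
# ICMPv6 carries ND and PMTUD; dropping it breaks IPv6, so allow it
add chain=input protocol=icmpv6 action=accept
# DHCPv6-PD replies from the Fritz Box arrive on UDP/546
add chain=input in-interface=ether1-wan protocol=udp dst-port=546 action=accept \
    comment="DHCPv6 client replies"
add chain=input in-interface=bridge-lan action=accept comment="management from own LAN"
add chain=input action=drop comment="drop everything else, including from the Internet"

# --- forward chain: traffic through the router ---
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmpv6 action=accept comment="PMTUD for forwarded flows"
# Only explicitly listed devices may open connections to the Internet.
# Matching on MAC survives SLAAC privacy-address rotation; MAC below is a placeholder.
add chain=forward in-interface=bridge-lan out-interface=ether1-wan \
    src-mac-address=00:11:22:33:44:55 action=accept comment="workstation allowed out"
# Final drop: blocks all other LAN hosts from the Internet and, just as important,
# every unsolicited connection from the Internet (or other subnets) into this LAN.
add chain=forward action=drop comment="default deny"
```

The addresses of the hosts are globally unique and routable, but with the final forward drop nothing outside this subnet can reach them unless they opened the connection first, which is exactly the property the IPv4 NAT gave. Check with /ipv6 dhcp-client print and /ipv6 address print that a prefix was delegated and that bridge-lan received a global address; if the pool stays empty, prefix delegation is not enabled on the Fritz Box.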