Today in our newest take on “older technology is better”: why NAT rules!

5 points

I felt dirty! and broke so much shit when i had to implement NAT on networks in the mid 90’s. Nowdays with ipv6 and getting rid of NAT is much more liberating. The difference is staggering!

  • you do not need NAT any longer, firewall is the security, just like on ipv4, just less obscurity.
  • you do not need dns views, to workaround NAT any more
  • you do not need hairpin NAT to workaround NAT any more
  • you do not need to renumber to resize a network. they are always /64, and the answer to how many hosts can it fit is: ALL of them!
  • many ALG’s will be unnecessary since there is not NAT.
  • vpn’s are easier, since it can be the same address both inside and outside the vpn, the firewall (or host even) enforces the encryption.
  • vpn’s are MUCH easier since you will have less rfc1918 collisions due to some other network using the rfc1918 of the vpn’s network
  • vpn’s are MUCH MUCH easier since you will have less rfc1918 collisions due to you using the rfc1918 of the vpn partner network, to 1:1 nat a previous vpn network you collided with some months ago… ARGH!!!
  • vpn are generally less required, heck i swear 95% of the time the VPN are just to workaround the NAT problem and the data is pointlessly double or triple encrypted.
  • you can make more granular firewall rules (eg the spesific host, or network of the source address, instead of the whole enterprise’s public ip) this is real tangible improved security, where any random machine in a network you do not control. do not automatically have openings into your own network.
  • firewall objects can if it is suited easily use and depend on FQDN DNS objects when allowing traffic. reducing the need of coordinating firewall object ip address changes between 15 companies.
  • firewall rules are easier, more readable, and much more predictable how they will work. All the hairpin nat, public to private nat, private to public nat for a thing that need a different public ip, 1:1 nat for a separate zone, NAT to a vpn or 50 (where 10 of them are 1:1 nat due to collisions, making you require 4 dns views of the same ip space!! ) very quickly gets messy and unreadable. this is probably the largest security benefit. just to reduce the complexity.
  • much easier to get people to use dns, since nobody wants to remember ipv6 addresses :D
  • nibbles in the ipv6 address can have meanings you assign to them, making the networks and structure both easy to remember and logically structured.
  • aggregating routes becomes very easy if you design your network that way.
  • firewall policies can become easier if you design your network that way.
  • your routing tables is leaner and easier, and of a better consistency. We have 1 large public ipv6 prefix, but 25ish ipv4 prefixes of all kinds of various sizes.
  • no need to spend $$ to buy even more ipv4 prefixes.
  • no need to have spent hundreds of $$ on a new ipv4 prefix only to be unable to use them for over a year because you need to sanitize the addresses from all the reputation filters. and constantly hound geo ip database providers to update the new country of the prefix. (i am bitter, can you tell…)
  • did i mention no need to renumber since you need to grow the /24 to /23 due to to many hosts in a network ?
  • did i mention no need to renumber 2 /24’s to /25’s to make space for that larger /23.
  • you do not even need any ipv4 addresses any more, use a public NAT64 service, for outgoing. and for incoming just use one of the many free public ipv4 to ipv6 proxies for your services online. for a homelab i really like http://v4-frontend.netiter.com/ (go support them) But most large business l networks use cloudflare, or akamai
  • since you do not need your ipv4 address space any more, you can ~~sell them for a profit $$$ ~~ return them to the RIR and give some address space to one of the thousands of companies struggling because they do not have any IPv4 : https://www.ripe.net/manage-ips-and-asns/ipv4/ipv4-waiting-list/
  • much lower latency on ipv6, since you do not go across a cloud based ipv4 to ipv6 proxy in order to reach the service ;)

Now the greatest and best effect of ipv6 is none of the above. It is that with ipv6 we have a slim hope of reclaiming some of what made the Internet GREAT in the first place. When we all stood on equal footing. Anyone could host their own service. Now we are all vassals of the large companies that have made the common person into a CGNAT4444 using consumer mindlessly lapping up what the large company providers sees fit to provide us. with no way to even try to be a real and true part of the Internet. Fight the companies that want to make you a eyeball in their statistic, Set up your own IPv6 service on the Internet today !

permalink
report
reply
2 points

I felt dirty!

“Senpai, route me like one of your French ISPs”

permalink
report
parent
reply
0 points

Con: you are now even more dependent on DNS, increasing the blast radius even more if when it breaks.

permalink
report
parent
reply
0 points

But DNS rarely break. The meme about it beeing DNS’s fault is more often then not just a symptom of the complexity of IPv4 NAT problem.

If i should guesstimate i think atleast 95% of the dns issues i have ever seen, are just confusion of what dns views they are in. confusion of inside and outside nat records. And forgetting to configure the inside when doing the outside or vice verca. DNS is very robust and stable when you can get rid of that complexity.

That beeing said, there are people that insist on obscurity beeing security (sigh) and want to keep doing dns views when using IPv6. But even then things are much easier when the result would be the same in either view.

permalink
report
parent
reply
1 point

I broke DNS plenty of times in my homelab independent from NAT. In the last few months:

  • didn’t turn off DNS server in a wifi router set up as bridged access point
  • dnsmasq failing to start because I removed an interface
  • dnsmasq failing to start because the kernel/udev didn’t rename an interface on time
  • dnsmasq failing to start because hostapd error didn’t set proper interface settings
  • forgot to remove static DNS entries in /etc/hosts used for testing
  • forgot to remove DNS entries from /etc/resolve.conf after visiting a friend and working on his setup

Yes, most of them is my dumb ass making mistakes, but in the end it’s something that constantly breaks and it helps knowing the IP addresses of my servers and routers.

Aditionally, obscurity is a security helper. The problem is relying only on obscurity. But if I have proper firewall rules in place and strong usernames and passwords I still prefer if you don’t even know the IP addresses of my servers on top of that (in case I break some of the other security layers).

permalink
report
parent
reply
0 points

If all that is true, then why do I still hate ipv6 so much.

permalink
report
parent
reply
1 point

I’d bet it’s this little bugger " : "

It is for me.

permalink
report
parent
reply
0 points
*

What is localhost now again…

Edit, remember you could use 127.0.0.1, but then it was changed to like 127.0.0.1…something…ff

So guess I was wrong :-) thanks for the info!

permalink
report
parent
reply
0 points

For me is because it’s so fucking slow. As soon as I disable ipv6 on every device it has better speeds.

IPv6 is trash.

permalink
report
parent
reply
2 points

Tell that to your ISP which has fucked their IPv6 deployment up. In my experience IPv6 is actually faster since it bypasses the IPv4 CGNAT.

On busy days my IPv4 connection can get as slow as 15KB/s, now that’s trash.

permalink
report
parent
reply
0 points

Lol that’s ridiculous. There’s nothing about ipv6 that’d make it any slower

permalink
report
parent
reply
1 point

Slightly related to the issue of remembering addresses, I think the main issue is with the fact that local nameservers are pretty much non-existent if you’re not running OpenWrt or OpnSense. Which is shameful because the local nameserver is an amazing quality of life tool.

Also the fact that officially there are no local TLDs except for “.arpa” while browsers won’t resolve one word domains without adding http://

And don’t get me started on TLS certificates in local networks… (although dns01 saves the day)

permalink
report
reply
0 points

I don’t get why ‘.local’ isn’t a top level domain for LAN hosts.

permalink
report
parent
reply
1 point

.local is already used by mDNS

permalink
report
parent
reply
0 points

I’ve taken to using .here (or .aqui, “here” in Español, much harder to match outside) as alternatives until something better comes up.

Ideally I’d use .aquí, correctly with the diacritic, but DNS doesn’t seem to support even the basics of Unicode in 2024.

permalink
report
parent
reply
0 points

Well, there is Punycode, which, if I understand correctly, is a layer before DNS, which translates a Unicode string into a DNS-compatible ASCII string.

I don’t actually recommend using that, though. Every so often, the ugly ASCII string shows up in places, because Punycode translation isn’t implemented there. Certainly increases administration complexity.

permalink
report
parent
reply
1 point

Ha I can remember the ipv6 of cloudflare DNS just fine! It’s uh… something : something : something :: 1111

permalink
report
reply
1 point
*

2606:4700:4700::1111

Hmm, maybe Google is easier:
2001:4860:4860::8888

Quad9 is 2620:fe::fe or 2620:fe::9

I don’t understand why they can’t get better addresses than that. Like surely 1::1 would be valid?

Edit: So IANA only control addresses 2001:: and up and there are quite a few IETF reservations within that. I don’t know why they picked such a high number to start at. Everything else seems IETF reserved with a little space allocated for special purposes (link-local, multicast, etc.).

permalink
report
parent
reply
1 point

Fire bad, change scary

permalink
report
reply
1 point

Apes together weak

permalink
report
parent
reply
1 point

Bro used <> instead of !=

permalink
report
reply

Programmer Humor

!programmer_humor@programming.dev

Create post

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

  • Keep content in english
  • No advertisements
  • Posts must be related to programming or programmer topics

Community stats

  • 3.5K

    Monthly active users

  • 810

    Posts

  • 12K

    Comments