On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:
> 1. Currently we do not have IPv6 in our network but I have seen the ISP is giving us a "/56 Block" which from what I understand is a couple hundred "/64 Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we
You can have other sized subnets, but 64 is very handy if you intend to use SLAAC auto-configure. There's also the danger of running into broken equipment that doesn't understand other sized subnets (similar to very old IPv4 gear that understood a /24, but exploded if told about a /23 or /25).
> have 32 addresses, four of which I will use for NAT and the remaining needed for online services and servers. In IPv6 we have a lot of addresses but I am not sure whether I should give an address of the ISP to every device. I found
Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever gets the job done in your situation. Don't worry about NAT anymore, you have enough addresses.
> that there is an organization that can help avoid collisions in private IPs: https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a registry, but I am thinking of registering the ranges there and then use these subnets and NAT them to the IPv6 address of the router.
Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel free to give every single device a global address. (You'll still want a stateful firewall someplace, but it doesn't have to do NAT, it just has to keep track of legitimate versus malicious traffic). And don't freak out if a device has more than one address. As I'm writing this from the sofa in my living room, my laptop wireless has:

  ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.150  netmask 255.255.255.224  broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67  prefixlen 128  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9  prefixlen 64  scopeid 0x0<global>
        ether c8:d7:19:37:0c:02  txqueuelen 1000  (Ethernet)

(One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different RFC3041 privacy addresses that it's chunked out over the weekend. It works just fine that way - and it's *designed* to do so. (Of course, in a corporate environment, you may want to turn the privacy addresses off, and only use one of DHCPv6/SLAAC - I do it this way because it tests for broken software...) Oh, and don't block ICMPv6. :)
> something strange. The WAN port of our router gets a /64 IPv6 address which is not in our IPv6. Should I use this for NAT or one of "our" addresses?
You use it for the IP address of the provider-facing interface of your router. Assign the "inside" interface(s) addresses on the appropriate /64 subnet that they will be on.
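As an added example (written here, not by either of the people in the thread), the Python script below does the two bookkeeping tasks the exchange talks about: it classifies each inet6 address in the laptop interface dump quoted above as link-local, SLAAC (modified EUI-64 derived from the MAC), DHCPv6-or-static (/128) or an RFC 3041/4941 temporary privacy address, so an administrator can check whether privacy addresses are on; and it carves one /64 per IPv4-style subnet out of a /56 delegation and confirms that the router's WAN /64 lies outside that delegation. The ifconfig text is the one from the reply; the /56, the WAN prefix and the site names are constructed placeholders in the documentation range.

```python
import ipaddress
import re

# Constructed sample: the interface dump quoted in the reply, laid out as ifconfig prints it.
SAMPLE_IFCONFIG = """\
ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.150  netmask 255.255.255.224  broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67  prefixlen 128  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9  prefixlen 64  scopeid 0x0<global>
        ether c8:d7:19:37:0c:02  txqueuelen 1000  (Ethernet)
"""

# Constructed placeholders (RFC 3849 documentation range): the ISP's delegated /56 and the
# /64 the router's WAN port gets, which, as in the question, is not part of the delegation.
DELEGATED = ipaddress.IPv6Network("2001:db8:abcd:100::/56")
WAN_LINK = ipaddress.IPv6Network("2001:db8:ffff:1::/64")

INET6_RE = re.compile(r"inet6\s+([0-9a-fA-F:]+)\s+prefixlen\s+(\d+)")
ETHER_RE = re.compile(r"ether\s+([0-9a-fA-F:]{17})")


def eui64_iid(mac):
    """Modified EUI-64 interface identifier for a MAC (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    m = bytes(int(x, 16) for x in mac.split(":"))
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def classify(addr, prefixlen, mac):
    """Label one address the way the reply does by eye."""
    if addr.is_link_local:
        return "link-local"
    if not addr.is_global:
        return "other"  # ULA, multicast, ... (none in the sample)
    if addr.packed[8:] == eui64_iid(mac):
        return "slaac-eui64"  # the one "with ff:fe in it"
    if prefixlen == 128:
        return "dhcpv6-or-static"  # a /128 host route, as DHCPv6 installs
    return "privacy-temporary"  # RFC 3041/4941 random interface identifier


def parse_ifconfig(text):
    """Return (address, label, prefixlen) for every inet6 line of an ifconfig dump."""
    mac = ETHER_RE.search(text).group(1)
    rows = []
    for a, plen in INET6_RE.findall(text):
        rows.append((a, classify(ipaddress.IPv6Address(a), int(plen), mac), int(plen)))
    return rows


def audit(text):
    """Count addresses per label and flag whether privacy addresses are in use,
    which a corporate policy may want turned off."""
    counts = {}
    for _, label, _ in parse_ifconfig(text):
        counts[label] = counts.get(label, 0) + 1
    counts["privacy_enabled"] = counts.get("privacy-temporary", 0) > 0
    return counts


def plan_subnets(delegated, wan_link, names):
    """Carve one /64 per place an IPv4 subnet would have gone, and check that the
    WAN link prefix is separate from the delegation (it is only for the ISP-facing port)."""
    subnets = list(delegated.subnets(new_prefix=64))
    assigned = dict(zip(names, subnets))  # first len(names) /64s, in order
    return {
        "available_64s": len(subnets),
        "assigned": {n: str(s) for n, s in assigned.items()},
        "wan_in_delegation": wan_link.subnet_of(delegated),
    }


if __name__ == "__main__":
    for addr, label, plen in parse_ifconfig(SAMPLE_IFCONFIG):
        print(f"{addr}/{plen}: {label}")
    print(audit(SAMPLE_IFCONFIG))
    print(plan_subnets(DELEGATED, WAN_LINK, ["office", "servers", "guest-wifi"]))
```

The EUI-64 test is structural (it rebuilds the identifier from the MAC on the `ether` line), so it keeps working even when the address order in the dump changes; the /128 check mirrors how a DHCPv6 client installs its lease on Linux, and anything global that matches neither is treated as a temporary address.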