So, what side effect of NAT is making your server unreachable here? It sounds like you could turn the NAT off and it would be exactly as unreachable as it was when the NAT was on.
(Just to double-check... have you tried DHCPv6-PD? ISPs will normally only give your router a single IP on its WAN interface, or sometimes no IP on the WAN. Getting the routed prefix for the LAN-side networks involves doing a PD request, which is separate from requesting the WAN IP.)
With NAT your device does not have a publicly routable address. Attackers have no way of contacting you at all. Without NAT you have a publicly routable address and attackers can try reaching out to your device. You rely entirely on your device's and your router's firewall.
So it's not really about NAT although it ends up being a consequence—it's about having a truly private network "air gapped" from the public internet.
No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.
The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.
If your network is air-gapped then no connections will be happening at all, in or out... and if you connect a router to both the Internet and to your network, and enable routing on it, then it's not air-gapped any more.
> No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.
Well no shit. The NAT is a requirement for devices without a publicly routable IP because if my router just sends packets out with a source address being my 192.168.1.101 local IP, my ISP is most likely just going to drop the packets.
You know this, I'm sure, so I'm really unsure what point you're trying to make.
> The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.
Correction: It will have ONE publicly-routable IP, and if I assign it to my router, but don't use NAT, then none of my devices on the network will be able to talk to the Internet, either in or out.
The point was that turning NAT on or off doesn't affect whether your LAN is reachable or not. NAT just edits the source address of your outbound connections. It's irrelevant to how your inbound connections behave.
> Correction: It will have ONE publicly-routable IP, and if I assign it to my router, but don't use NAT, then none of my devices on the network will be able to talk to the Internet, either in or out.
Right, and then if you add NAT you'll be able to make outbound connections, but inbound connections will be unaffected and will still not work. So what is NAT doing here to prevent inbound connections, given that the exact same connections already didn't work before you were NATing?
Turn the firewall off. Keep NAT on; internal addresses are still not reachable. You are protected against firewall misconfigurations as well as the outside world. Defense in depth.
NAT in its customary usage is a bit of a historical accident that as a side effect happens to make it basically impossible for non-technical people to expose their devices.
Again, I ask: what is NAT doing to make those internal addresses unreachable? What side effect of NAT is making it basically impossible to expose your devices?
In the post I was replying to, the hosts were already unreachable (or... mostly unreachable, not completely unreachable) before NAT was even in the picture.
I think the problem is that everyone else is operating under the assumption that all the computers on the network still need to be able to make outgoing connections to the Internet, and you're not.
If I want all the computers on my network to have Internet access, I have two options: each gets a publicly routable IP, which results in all computers being exposed to incoming connections unless I have a firewall, or I get a single IP which gets assigned to my router, use NAT, and all my devices are no longer exposed to incoming connections unless I go out of my way to configure port forwarding on the router.
So when I talk about the "side effect of using NAT", I really mean "side effect of using NAT instead of assigning public IPs to each computer on my network".
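Added example (not from any poster in this thread): a toy Python model of the router being argued about, with NAT, a stateful firewall and port-forwards as separate knobs; every address and port in it is constructed. It shows that with NAT on and no firewall an unsolicited inbound packet has no mapping to translate to, that a port-forward creates one, that a private source without NAT never gets past the ISP, and that a routed IPv6 prefix (as handed out by DHCPv6-PD) exposes each host unless a stateful firewall only admits replies to outbound flows.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
Pkt = namedtuple("Pkt", "src sport dst dport")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Router:
    """Toy model (constructed for this example) of a home router with three
    independent knobs: NAT, a stateful firewall and explicit port-forwards."""
    def __init__(self, wan_ip, lan, nat, firewall, forwards=None):
        self.wan_ip, self.lan = wan_ip, ip_network(lan)
        self.nat, self.firewall, self.forwards = nat, firewall, forwards or {}
        self.nat_table = {}    # (remote ip, remote port, wan port) -> (lan ip, lan port)
        self.fw_state = set()  # (remote ip, remote port, lan ip, lan port) seen outbound
        self.next_port = 40000

    def outbound(self, p):  # packet as it leaves the WAN side, or None if dropped
        if ip_address(p.src) not in self.lan:
            return None
        self.fw_state.add((p.dst, p.dport, p.src, p.sport))
        if not self.nat:  # source sent unchanged; an ISP drops an RFC 1918 source
            return None if any(ip_address(p.src) in n for n in RFC1918) else p
        wport, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[(p.dst, p.dport, wport)] = (p.src, p.sport)
        return Pkt(self.wan_ip, wport, p.dst, p.dport)

    def inbound(self, p):  # LAN host an Internet packet reaches, or None if dropped
        if self.nat:
            if p.dst != self.wan_ip:
                return None  # private LAN addresses are not routable from outside
            hit = self.nat_table.get((p.src, p.sport, p.dport)) or self.forwards.get(p.dport)
            return hit[0] if hit else None  # no mapping: nowhere to translate it to
        if ip_address(p.dst) not in self.lan:
            return None
        if self.firewall and (p.src, p.sport, p.dst, p.dport) not in self.fw_state:
            return None  # stateful firewall: no matching outbound flow
        return p.dst

def scenarios():
    """Who can reach a LAN host (constructed addresses) under each setup."""
    nat = Router("203.0.113.7", "192.168.1.0/24", nat=True, firewall=False)
    fwd = Router("203.0.113.7", "192.168.1.0/24", True, False, {22: ("192.168.1.101", 22)})
    nonat = Router("203.0.113.7", "192.168.1.0/24", nat=False, firewall=False)
    v6 = Router("2001:db8:ffff::1", "2001:db8:1::/64", nat=False, firewall=False)
    v6fw = Router("2001:db8:ffff::1", "2001:db8:1::/64", nat=False, firewall=True)
    probe4, probe6 = Pkt("198.51.100.9", 5555, "203.0.113.7", 22), Pkt("2001:db8:9::9", 5555, "2001:db8:1::101", 22)
    reply = v6fw.outbound(Pkt("2001:db8:1::101", 40001, "2001:db8:9::9", 443))
    return {"nat_no_firewall": nat.inbound(probe4), "nat_port_forward": fwd.inbound(probe4),
            "no_nat_private_source": nonat.outbound(Pkt("192.168.1.101", 1, "198.51.100.9", 80)),
            "v6_no_firewall": v6.inbound(probe6), "v6_firewall": v6fw.inbound(probe6),
            "v6_firewall_reply": v6fw.inbound(Pkt(reply.dst, reply.dport, reply.src, reply.sport))}
```

Only `v6_no_firewall` delivers an unsolicited packet to a host; every other unsolicited probe is dropped, while the firewall still passes the reply to the host's own outbound connection.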