Home scenario: DOCSIS EPC3208G in true Dual Stack mode going to a RouterBoard, which then goes to a switch.
The switch, and therefore the intranet, lives in a different subnet than the EPC3208G. The RouterBoard does IPv4 NATting, so that the EPC3208G sees the entire home traffic as originating from the RouterBoard. Since the EPC3208G is also a NATting router/gateway, I effectively have double-NATted access to the internet, which is what I want. All works OK: home servers are accessible from the outside, and VoIP devices are usable.
Now I want to slowly enable IPv6 in my home network, using the RouterBoard's firewalling capabilities to stop chatty devices from contacting the internet and, at a later point, to disable "Block Anonymous Internet Requests" on the EPC3208G in order for external devices to initiate connections into my home network, in a very controlled manner.
Let's assume that the subnet the EPC3208G is in is 192.168.1.x and the switch/home-devices live in the 192.168.2.x subnet.
For testing purposes I've moved a Raspberry Pi into the "outer" 192.168.1.x network, IPv4-ssh'd into it and successfully made it connect to IPv6 servers (ssh, http). So this outer network has functioning IPv6 connectivity.
Here comes the problem, in steps:
1. I enable the IPv6 functionality on the RouterBoard.
2. The inner NIC gets assigned a link-local address (automatically) and a public IPv6 address (manually). I'm assigning the public IPv6 address manually, starting from the LAN IPv6 prefix the EPC3208G hands out to its clients (i.e. to the Raspberry Pi).
3. I turn Advertise on for the inner and outer interface, so that (at least) the devices in the inner network auto-configure themselves to get a public IP within the IPv6 prefix assigned to me.
When I then ping the Raspberry Pi at its IPv6 address from the inside of the network, I see that it does receive the pings. But I have to enter a manual route into the Raspberry Pi so that it doesn't attempt to reply via the EPC3208G, which doesn't know that there are devices behind the RouterBoard, but instead sends the replies to the RouterBoard. So adding the route manually to the Raspberry Pi effectively enables IPv6 communication across the RouterBoard.
For clarification: if the LAN IPv6 prefix is 2a02:123:123:5c00::/56, then the Raspberry Pi assigns itself an address in the 2a02:123:123:5c01::/64 range. So I'm assigning the outer NIC of the RouterBoard a 2a02:123:123:5c01::/64 address and the inner NIC a 2a02:123:123:5c02::/64 address, so that all the devices on the switch assign themselves a 2a02:123:123:5c02::/64 IP. So the RouterBoard is effectively routing between these two subnets, right?
The issue is that devices in the inner network cannot communicate with IPv6 servers on the internet. I think that it is because the EPC3208G doesn't know that it must send the incoming (reply) traffic to the RouterBoard, and I have no way to tell the EPC3208G that all traffic destined to a certain subnet of this IPv6 prefix (2a02:123:123:5c02::/64) must be directed to the RouterBoard for it to route it to the destination device.
Am I understanding the situation correctly? What can I do to resolve this issue?
I think that I'm having an additional issue. Apparently the EPC3208G gets told by the ISP to change the local IPv6 prefix at times. This would mean that I have to adapt the manually assigned IPs on the RouterBoard on every change, right?
So, what are my chances of migrating this network device by device to IPv6? How can I do that? Do I need to rely on third-party services like SixXS, to which the RouterBoard connects directly? The problem is the lack of configurability of the EPC3208G, right?
Thanks for your help.
PS: If I upgrade my plan to higher upload/download speeds, I could get a FritzBox as the DOCSIS router/gateway. According to its docs it has an option to:
In the "Additional IPv6 Routers in the Home Network" section, enable the option "Allow IPv6 prefixes announced by other IPv6 routers in the home network".
Would this solve my problem?
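The routing situation described in the post, walked through as an added example (this is not code from the original poster, from Cisco or from MikroTik). It builds the routing tables of the Raspberry Pi and of the EPC3208G as the post describes them and applies longest-prefix matching to a reply packet, which is the rule every IPv6 host and router uses to pick a next hop. It also derives every manually assigned address from the delegated prefix, so that a prefix change from the ISP only requires recomputing the addresses rather than re-inventing them. The subnet numbers (1 for the outer LAN, 2 for the inner LAN), the interface identifiers and the second prefix are constructed assumptions, not values from the post.

```python
"""Longest-prefix-match walk-through for a router placed behind a CPE that
cannot be told about the subnet behind it.  Added example; all addresses are
constructed sample values based on the prefix quoted in the post."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv6Network, str]  # (destination prefix, next-hop label)

# Prefix the EPC3208G hands out, as quoted in the post.
DELEGATED = ipaddress.IPv6Network("2a02:123:123:5c00::/56")
DEFAULT = ipaddress.IPv6Network("::/0")

# Assumed layout: /64 number 1 is the outer LAN (Pi, RouterBoard outer NIC),
# /64 number 2 is the inner LAN (switch side).  Interface IDs are made up.
OUTER_ID, INNER_ID = 1, 2
PI_IID, RB_OUTER_IID, RB_INNER_IID, HOST_IID = 0x10, 0x2, 0x1, 0x20


def subnet(delegated: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve /64 number `subnet_id` out of a delegated prefix (5c00::/56, 2 -> 5c02::/64)."""
    if delegated.prefixlen > 64:
        raise ValueError("need a /64 or shorter prefix to carve /64s from")
    if not 0 <= subnet_id < 2 ** (64 - delegated.prefixlen):
        raise ValueError("subnet id lies outside the delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) + (subnet_id << 64), 64))


def address(net: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(net.network_address) | (iid & ((1 << 64) - 1)))


def next_hop(routes: List[Route], dst: ipaddress.IPv6Address) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


OUTER = subnet(DELEGATED, OUTER_ID)   # 2a02:123:123:5c01::/64
INNER = subnet(DELEGATED, INNER_ID)   # 2a02:123:123:5c02::/64

# Raspberry Pi as autoconfigured: on-link /64 plus a default route via the CPE.
PI_ROUTES: List[Route] = [(OUTER, "on-link"), (DEFAULT, "via EPC3208G")]
# Same table after the manual route from the post has been added.
PI_ROUTES_FIXED: List[Route] = PI_ROUTES + [(INNER, "via RouterBoard")]
# EPC3208G: knows its own LAN /64 and the uplink, nothing about the inner /64.
CPE_ROUTES: List[Route] = [(OUTER, "on-link LAN"), (DEFAULT, "via ISP")]


def addresses(delegated: ipaddress.IPv6Network) -> dict:
    """All manually assigned addresses, derived from whatever prefix is current."""
    outer, inner = subnet(delegated, OUTER_ID), subnet(delegated, INNER_ID)
    return {
        "pi": address(outer, PI_IID),
        "routerboard-outer": address(outer, RB_OUTER_IID),
        "routerboard-inner": address(inner, RB_INNER_IID),
        "inner-host": address(inner, HOST_IID),
    }


if __name__ == "__main__":
    inner_host = address(INNER, HOST_IID)
    print("Pi reply to inner host, autoconfigured table:", next_hop(PI_ROUTES, inner_host))
    print("Pi reply to inner host, with manual route:   ", next_hop(PI_ROUTES_FIXED, inner_host))
    # A reply arriving from the internet for the inner host: the CPE has no
    # route towards the RouterBoard, so the best match is its default route.
    print("CPE forwarding for inner host:", next_hop(CPE_ROUTES, inner_host))
    print("CPE forwarding for Pi:        ", next_hop(CPE_ROUTES, address(OUTER, PI_IID)))
    # Prefix change: same subnet numbers and interface IDs, new addresses.
    for name, addr in addresses(ipaddress.IPv6Network("2a02:123:123:7a00::/56")).items():
        print(f"after renumbering  {name:18} {addr}")
```

The two CPE lookups show the asymmetry in the post: traffic for the Pi is on-link and delivered, while traffic for the inner /64 only ever matches the CPE's default route, so without a route entry on the EPC3208G it never reaches the RouterBoard. Keeping the subnet numbers and interface identifiers as the configuration, and computing the addresses from the current prefix, is what makes a prefix change a recomputation rather than a manual edit.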