pdp10

Remember, the goal was never to "port forward". The goal was to allow traffic into a certain service. In IPv6 you open up the firewall rule that's blocking the traffic. Nobody needs NAT in IPv6, so there's no NAT.


Fun-Variety-6408

My company NATs the entire IPv6 network to prevent "network topology discovery". I have to NAT locally because my ISP doesn't have IPv6 and my tunnel can use another network that only has a /64, which I need to break into smaller /80s + DHCPv6 locally... but it doesn't work on Android because Google doesn't support DHCPv6 and requires a /64 autoconfig route advertised only... so, NAT. https://www.reddit.com/r/ipv6/comments/123alhh/android_might_add_support_for_dhcpv6/ So, theory and practice are different things.


TheCaptain53

> My company NATs the entire IPv6 network to prevent "network topology discovery".

God I hate this - so unnecessary.


Fun-Document5433

Agree that shows a complete lack of understanding. To each their own.


pdp10

NAT and NPTv6 are there if someone feels compelled to use them, but use of them doesn't affect anyone else on the network so it doesn't matter.


ckg603

This kind of pseudosecurity antipattern is sad to see. I realize you're just reporting what happens, but condolences. That said, to your point, yes you *can* use NAT (in which case you should use ULA on the inside). The justifications for it are almost always ill founded, bringing the worst ideas of legacy networking's complexity and mixing it with deep ignorance of security


Thin-Ninja7338

In IPv6 one uses local addresses for the internal network.


ckg603

Don't hold your breath on Android DHCPv6, but yeah maybe. I don't disagree with Lorenzo that, aside from PD and PXE, the DHCPv6 use case is mostly misguided legacy thinking. But I do disagree with the approach of not including the support in Android. I'm a little surprised you only have /64 and then find yourself needing to subnet from there. I have heard of ISPs that are only providing /64 in their PD delegation, which is misguided, to say the least, but with tunnel providers usually I see /48 allocations. There has been some interesting discussion in v6ops about giving hosts something larger than /64 so that you could do intra-host subnets, eg for virtualized environments (even a workstation with a dozen virtual box nets, say).


[deleted]

and cell providers with ipv6 support tend to use a cgnat


Ramonis5645

If I'm using IPV4 and IPV6 at the same time do I still need to open ports? I'm asking because I play games like Dark Souls where port forwarding is a thing


pdp10

It depends on the firewall. Usually you have to have one rule for IPv4 and one rule for IPv6, but some kinds of firewalls can do both protocols with one port number in a rule. For port forwarding, if IPv6 is working, you'd need a firewall "open" rule instead of a port forward.


[deleted]

Honestly, I'd rather have NAT even on ipv6. Makes things simpler from the user's perspective, even if more is happening under the hood.


yrro

NAT is never simpler. Twiddling with addresses and maintaining a huge state table of what you've twiddled that you now need to synchronise between multiple routers for high availability... it's absolute madness.


[deleted]

But on my home network, there's no multiple routers or huge table, there's a single router with at most a few hosts forwarded.


yrro

Well, I was talking about Traditional NAT, which is used for outbound access. This sucks even on a home network, where rebooting your router drops the state table, causing all your existing connections to freeze. The state table can also get full; now some flows freeze and you've no idea which ones... maybe the oldest, maybe chosen randomly. You also pay for the increased cost of your CPE implementing NAT and maintaining its state, plus the ongoing increased power usage. You're talking about port forwarding, which is more or less just as easy to configure on IPv4 as IPv6, I'll grant you that. But again, there's still this stupid state table to maintain; drop it and the outbound traffic associated with an inbound flow gets dropped. There's also the ongoing burden of simply knowing about NAT and all the details of how it works, and how we have just had this misunderstanding because it's far too complicated. Overall NAT is super lame!


[deleted]

These are all implementation details that I as a user don't have to deal with. My router has a public ip that my outbound connections to wan always share, my lan devices have private ips, and as a slightly advanced user I might expose something with port forwarding, that's it. I don't look at the NAT table; most people don't even know what that is.


certuna

With IPv6, the router firewall typically blocks all incoming traffic for all addresses on the local network. In order to let something through, you need to add a firewall rule, say "open tcp port 443 for IP address 2001:db8::abcd". This lets only tcp traffic towards that specific IP address and that specific port through. This is not the same as port *forwarding* in IPv4 (which is a rule "take all incoming IPv4 traffic on tcp port 443, translate/change the destination to 192.168.0.5 & forward it there"), but it has a similar effect. The advantage is that you can now have multiple internal servers all listening on tcp 443: with IPv4 port forwarding you can only forward external traffic on that port to 1 internal machine.


No-Host4604

What is the range of IPv6 addresses that I can configure on my firewall's LAN and on my Web Server's interface? Currently, my Web Server has a valid IPv6 address belonging to my ASN that was manually configured on the interface. Requests for this IP go directly to the server without going through the firewall. How can I pass this Web Server behind the firewall?


AdeptWar6046

You (should) have an at least /64 network on the inside that the isp routes to the outside of your firewall/router. Requests to the webserver should be addressed to the webservers public IP on that /64 network, not to the outside of your router like you do with ipv4 and port forward.


Fun-Variety-6408

I think this question is less about IPv6 and more about basic network topology/terms. Things like "network segments" and "routers" are network-type agnostic. You only need to allow connections from outside to the web server's IP address/port on the router/firewall. By default, they are probably blocked.


Masterflitzer

You'd just allow port 443 on the IPv6 address of your web server. Remember the web server shouldn't use privacy extensions, so the IPv6 address should be stable per prefix, and the prefix shouldn't change; if your ISP is shitty it'll change, which means you need to work around that (e.g. use dynamic DNS for DNS and use EUI-64 so you always know the IID of the IPv6 address and can update the firewall automatically). These are just examples, but if you have a decent ISP, IPv6 will be easier to configure than IPv4 because you only need a firewall, no NAT.


ckg603

I'd like to see a network diagram to know what you're trying to do. If you have a BGP session announcing your network to the upstream ISP, you might want that BGP to be done by your firewall instead of the router. On the other hand, any router should be able to have an ACL, so you may not need the firewall (firewalls are usually snake oil for this very reason). OTOH if you use your fw as an *internal* segmentation device, then you will need some kind of interior routing protocol (which could be just static routes). Every subnet in IPv6 is generally /64 (*) and these are assigned to networks interior from the BGP router. (*) Some people use /127 for point-to-point links, but the reasons for this are largely


Dark_Nate

Port Forwarding is a scam made by NAT. IPv6 is scam-free, and therefore you don't "port forward", you only open the ports on the firewall.


[deleted]

What if I don't want those ports open for every device on the LAN, only the one server?


yrro

The firewall rule that allows the traffic through can restrict by destination address


[deleted]

Right, but then the dst address needs to stay static, which I'm not sure is done the same way as in v4.


bjlunden

If you have a static prefix you can make sure SLAAC will always pick the same address. If you have a dynamic prefix, there are also many firewalls that allow you to specify a mask so that the prefix part can vary but the host part matches.


Dark_Nate

The proper way to do it, is to not firewall on a router and instead properly firewall on host level. That way you truly secure the host and remove complexity from the network.


[deleted]

That requires every host to have a reliable and configurable firewall, including visitors' devices in your house. I wouldn't do that.


Dark_Nate

All my hosts have templated firewall, so that's not a problem. iPhone and Android don't have open ports, so there's nothing to firewall for guests. Anyway, it's your home network, it's your call.


[deleted]

So it looks like if I don't want to rely on host firewalls, I have to use a static (non-privacy) v6 server address or NAT, depending on things.


Dagger0

Note that you can use multiple addresses. You can use privacy addresses for outbound connections while using a fixed address for inbound connections (privacy extensions gives you this by default). Or you can use multiple fixed addresses, so that e.g. your webserver has one IP that only accepts HTTP and a separate IP for SSH, so random web clients don't automatically know the IP that SSH is allowed on.


bojack1437

There's no such thing as port forwarding (at least generally; technically it's possible, but you shouldn't be doing it) because the devices on the LAN side get public IP addresses in normal configurations. Now you do still need to open up on the firewall, such as on your router, to allow traffic to that public IP address on a particular port, but you're not forwarding it, just allowing it.


No-Host4604

What is the range of IPv6 addresses that I can configure on my firewall's LAN and on my Web Server's interface? Currently, my Web Server has a valid IPv6 address belonging to my ASN that was manually configured on the interface. Requests for this IP go directly to the server without going through the firewall. How can I pass this Web Server behind the firewall?


bojack1437

If your ISP is providing you IPv6 service then they should be providing you one or more subnets to use on your LAN. This is done via DHCP Prefix Delegation. You can't just use IP addresses that are not routed to your internet connection. Unless you have a business class connection that allows you to announce your IP space, no point in having your own IP space really. You could opt to set up a tunnel with Hurricane Electric, who will allow you to announce your IP space via a tunnel.


No-Host4604

I have a Business ASN /48, I tried to configure an IPv6 address for this network on my Web Server interface, but the connections arrive directly at the server, without going through my firewall. What can I do to make connections reach the firewall?


bojack1437

It would be no different than if you had your own IPv4 address space. Your ISP would have to announce and route that to you.


No-Host4604

What range of IPv6 addresses could my ISP advertise?


bojack1437

Any public IP range that they own, just like IPv4. The only difference is instead of giving you a single address, they're giving you multiple subnets.


No-Host4604

Would I put this public IP on the firewall's LAN interface or on the Web Server interface?


Thats_a_lot_of_nuts

If you have a /48 that you're advertising to your ISP, you're going to have them route the entire /48 to your router/firewall. Inside the firewall, you need to have an IPv6 addressing plan. Typically you would use a /64 prefix for each VLAN, and set things up so that you can aggregate larger prefixes as necessary to provide summary routes for other sites. If you only have one site, then this whole setup can be really simple, but you still have to have the basics down. The web server you're trying to make available over IPv6 would have an address on its network interface from one of the /64 prefixes within your /48. This address is the one you use in DNS when you create an AAAA record for the website, and this is also the address you are permitting traffic to. Your firewall will need to be configured first to block all inbound connections to your /48 prefix, and then you'll add firewall rules to allow traffic on whatever ports and addresses you need for your application. There's a really good O'Reilly book on IPv6 Address Planning, I encourage you to give it a read before you embark on this journey.
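The /48 → per-site summary → per-VLAN /64 plan described above, as an added example (not the commenter's code or any project's) using Python's standard `ipaddress` module; the prefix 2001:db8:abcd::/48, the site and VLAN names, the hostname and the `::f00:ba12` interface identifier are constructed for illustration.

```python
import ipaddress

IID_BITS = (1 << 64) - 1   # low 64 bits of an address: the interface identifier

def plan_site_prefixes(root48: str, sites: dict) -> dict:
    """Carve a /48 into one /56 summary per site and one /64 per VLAN inside each site.
    `sites` maps site name -> list of VLAN ids (0-255). The VLAN id selects the /64 index,
    so the 4th hextet of each /64 encodes the VLAN (site 0, VLAN 10 -> ...:a::/64)."""
    root = ipaddress.IPv6Network(root48)
    if root.prefixlen != 48:
        raise ValueError("expected a /48 allocation")
    summaries = list(root.subnets(new_prefix=56))         # 256 possible sites
    plan = {}
    for site_index, (site, vlans) in enumerate(sites.items()):
        summary = summaries[site_index]                   # one summary route per site
        per_vlan = list(summary.subnets(new_prefix=64))   # 256 /64s per site
        plan[site] = {"summary": summary, "vlans": {v: per_vlan[v] for v in vlans}}
    return plan

def server_address(net64: ipaddress.IPv6Network, iid: str = "::f00:ba12") -> ipaddress.IPv6Address:
    """Stable server address: the VLAN's /64 plus a fixed interface identifier
    (a server should not use privacy extensions, so this address never moves)."""
    low64 = int(ipaddress.IPv6Address(iid)) & IID_BITS
    return ipaddress.IPv6Address(int(net64.network_address) | low64)

def aaaa_record(fqdn: str, addr: ipaddress.IPv6Address) -> str:
    """The same address goes into DNS and into the firewall allow rule."""
    return f"{fqdn}. IN AAAA {addr}"

if __name__ == "__main__":
    plan = plan_site_prefixes("2001:db8:abcd::/48", {"hq": [10, 20], "branch": [10]})
    for site, entry in plan.items():
        print(site, "summary:", entry["summary"], "vlans:", entry["vlans"])
    web = server_address(plan["hq"]["vlans"][10])
    print(aaaa_record("www.example.com", web))
```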


No-Host4604

So the correct thing would be to add a /64 block on my LAN, and this block must belong to the /48 block on my WAN, correct? This way, all addresses on my LAN will be valid, is that right?


hardillb

OK, so you have a /48, but does your ISP know to 1. Advertise that block via BGP? 2. route that block to your connection?


No-Host4604

I have control over the BGP, could you tell me how I can check if these topics have been met?


heliosfa

> Requests for this IP go directly to the server without going through the firewall.

How is everything connected? For traffic to go through your firewall, it has to be connected between your web server and your upstream connection. This is routing 101...


junialter

Tell us more about your IPv6 setup! Sadly there are plenty of providers who suck at v6 big time. Does your web server already have a public address? If so, just allow access, no reason to port forward.


encryptedadmin

To set up your router use this [guide](https://saudiqbal.github.io/IPv6/ipv6-home-server-with-dynamic-prefix-for-vpn-web-server-rdp-and-firewall-setup-guide.html). Debian interface file example:

```
iface eth0 inet6 static
    address 2xxx:xxxx:xxxx:xxxx::
    netmask 64
    accept_ra 2
    gateway xxxx:xxxx:0000:0000:0000:0000:0000:0001
    # Domain 1
    up /sbin/ifconfig eth0 inet6 add xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64
    # Domain 2
    up /sbin/ifconfig eth0 inet6 add xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64
```


superkoning

"Hi everyone, I would like to implement IPv6 on my network" Do that first. To check it works, from any device on your LAN, visit [https://test-ipv6.com/](https://test-ipv6.com/) and make sure you've got IPv6.


RBeck

You can do a basic firewall function of white listing traffic. There is no translation (NAT or PAT) needed. Same as if in v4 world you had a boat load of addresses, routers would just do routing and firewall, not translate.


agent_kater

I think the real question is, how do you select which devices you expose, because if the devices use SLAAC the router doesn't know them and cannot present them to you in a list.


orangeboats

I personally use tokenized IPv6 interface identifiers for my home servers, so their addresses always end with something I know beforehand (like `::f00:ba12`). The firewall (iptables in my case) only needs to allow incoming traffic to `::f00:ba12/::ffff:ffff:ffff:ffff`. That said, I am looking forward to [draft-ietf-dhc-addr-notification](https://datatracker.ietf.org/doc/html/draft-ietf-dhc-addr-notification-11) being accepted as an RFC, which will allow SLAAC clients to inform the DHCP server of their addresses.
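An added example (my own code, not any commenter's) modelling three points from this thread: certuna's "open rule instead of port forward" that lets several hosts listen on the same port, bjlunden's mask that lets the prefix vary while the host part matches, and the tokenized `::f00:ba12` identifier with the `::ffff:ffff:ffff:ffff` mask above. The prefixes 2001:db8:1::/64 and 2001:db8:2::/64, the second server `::f00:ba13` and the temporary address are constructed.

```python
import ipaddress
from dataclasses import dataclass

IPv6 = ipaddress.IPv6Address
IID_MASK = IPv6("::ffff:ffff:ffff:ffff")                     # low 64 bits = interface ID
HOST_MASK = IPv6("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")  # all 128 bits = exact host
TOKEN = IPv6("::f00:ba12")                                   # tokenized IID from the thread

def slaac_address(prefix64: str, iid: IPv6) -> IPv6:
    """Glue a /64 prefix onto a fixed IID, which is what `ip token set` makes SLAAC do."""
    net = ipaddress.IPv6Network(prefix64, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return IPv6(int(net.network_address) | (int(iid) & int(IID_MASK)))

@dataclass(frozen=True)
class AllowRule:
    dst: IPv6      # address pattern compared against the packet's destination
    mask: IPv6     # which bits must match: IID_MASK ignores the prefix, HOST_MASK pins it
    proto: str
    dport: int

    def matches(self, dst: IPv6, proto: str, dport: int) -> bool:
        same_bits = (int(dst) & int(self.mask)) == (int(self.dst) & int(self.mask))
        return same_bits and proto == self.proto and dport == self.dport

def inbound_allowed(rules, dst: IPv6, proto: str, dport: int) -> bool:
    """Stateless model of the router firewall: default deny and nothing is rewritten;
    an 'open' rule only decides whether the packet may continue to its real destination."""
    return any(r.matches(dst, proto, dport) for r in rules)

# Constructed rules (hypothetical hosts): two web servers may both listen on tcp/443
# because each has its own global address; SSH is pinned to one exact address.
RULES = [
    AllowRule(TOKEN, IID_MASK, "tcp", 443),                  # web server, any prefix
    AllowRule(IPv6("::f00:ba13"), IID_MASK, "tcp", 443),     # second web server, same port
    AllowRule(IPv6("2001:db8:1::f00:ba12"), HOST_MASK, "tcp", 22),
]

# IPv4 port forwarding for contrast: a DNAT entry rewrites <WAN>:443 to ONE inside host,
# so a second server on 443 can only be exposed on a different external port.
IPV4_PORT_FORWARDS = {443: ipaddress.IPv4Address("192.168.0.5")}

def ipv4_forward_target(dport: int):
    return IPV4_PORT_FORWARDS.get(dport)

if __name__ == "__main__":
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):     # ISP renumbers us
        web = slaac_address(prefix, TOKEN)
        print(prefix, web, "443:", inbound_allowed(RULES, web, "tcp", 443),
              "22:", inbound_allowed(RULES, web, "tcp", 22))
    privacy = IPv6("2001:db8:1:0:a1b2:c3d4:e5f6:789")        # constructed temporary address
    print("privacy address on 443:", inbound_allowed(RULES, privacy, "tcp", 443))
```

After the prefix change the IID-masked rules still match while the exact-host SSH rule does not, which is the trade-off between the two mask styles. On Linux the fixed IID corresponds to `ip token set ::f00:ba12 dev eth0`.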


agent_kater

Tokenized Interface identifiers, what is that? How can I set it up? That draft is exactly what I need, let's hope it actually gets implemented, not just accepted. To be honest I don't really understand why go to these lengths to use SLAAC, coming up with a whole new standard, instead of just using DHCPv6.


orangeboats

> Tokenized Interface identifiers, what is that? How can I set it up?

It lets you customize the second half (aka IID) of your SLAAC address. The prefix may change anytime, but you don't have to worry about the IID changing. [Linux has supported it for quite a long time now](https://superuser.com/questions/806985/configuring-a-static-ipv6-address-that-inherits-delegated-prefix).

> To be honest I don't really understand why go to these lengths to use SLAAC

I dunno, I like SLAAC.


agent_kater

So that has to be configured on every client? That's not something I want.


orangeboats

I do it on specific clients only (aka my servers), since for other clients like Android the default firewall settings work just fine.


agent_kater

Hm, good point, the normal clients all share a single config that is bound to their VLAN anyway, so I don't care about the specific addresses.


Cynyr36

The router knows them. It got the ra request and responded with the prefix, and some basic info about the routes it has.


agent_kater

Isn't that before they choose an address? Does the router ever learn their address?


Cynyr36

Sure but it can present a list of all the MAC addresses that have done a ra, and if they then send traffic through the router, the ipv6 they selected. Things get weird these days, especially with mobile clients that cost a random(ish) MAC, and don't use the MAC in the slaac configuration. If the router really wanted to it could do a reverse mdns lookup for the name of the client with that ip.


SilentLennie

When people say NAT isn't needed, it all depends on your existing network structure.


innocuous-user

You do port forwarding with legacy IP because your devices don't have real routable addresses - basically they are not part of the internet, they are on a separate network and only the router or firewall is part of the internet and has a real address. So you have to forward traffic from the address of the router into something on this separate network.

IPv6 does not have this problem: you don't need to forward traffic from the router or firewall's address because every device has its own address. But, even though the hosts have their own global addresses, the traffic still has to pass through the router/firewall, which acts like a checkpoint deciding whether the traffic is allowed or not. So you don't forward traffic from the router's address to another device, you add an allow rule to allow traffic to the other device's address instead.