OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: netgeek on August 20, 2019, 03:52:27 PM

Title: IPv6 Outbound NAT bug?
Post by: netgeek on August 20, 2019, 03:52:27 PM
I have a dynamic IPv6 address assigned to me via DHCP, that is an interface on the firewall.  I use ULA space (fd00::/8) internally, and then do an outbound NAT.  This works with pfSense.  It does not with OPNsense 19.7.2.  The reason?  My translation target is set to "interface address", but instead of grabbing the publicly routable IPv6 WAN address, OPNsense translates my packets to the link local (fe80::) address, which obviously won't work on the internet.

root@cerberus:~ # tcpdump -Nni em0 host 2607:f8b0:4005:808::2004
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:42:07.475749 IP6 fe80::2e0:67ff:fe13:6324 > 2607:f8b0:4005:808::2004: ICMP6, echo request, seq 106, length 72

I don't know what my public IPv6 address is going to be day to day, so I can't hard code it.  Is there any way to have OPNsense ignore link local addresses when it's doing an outbound NAT?  I can think of no reason that would be needed.
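Added illustration of the selection the poster is asking for, not code from OPNsense or from the thread: given the addresses a WAN interface carries, pick the one an outbound NAT rule may translate to (never link-local, never ULA), and flag capture lines that show the symptom above. The address list and the second capture line are constructed; only the fe80:: source and the 2607: destination come from the post.

```python
import ipaddress
import re

# Constructed sample: what a WAN interface typically carries when its global
# address is leased via DHCPv6. The link-local address is always present; the
# ULA stands in for the internal fd00::/8 space; the 2604: address is a
# made-up global unicast address standing in for the day-to-day lease.
SAMPLE_WAN_ADDRS = [
    "fe80::2e0:67ff:fe13:6324",   # link-local (source seen in the thread's capture)
    "fd00:1234::1",               # ULA, not routable on the internet
    "2604:abcd:1::10",            # constructed global unicast address
]


def pick_nat_source(addrs):
    """Return the address an outbound NAT rule should translate to: a global
    unicast address, skipping link-local (fe80::/10) and ULA (fc00::/7)."""
    for ip in (ipaddress.IPv6Address(a) for a in addrs):
        if ip.is_link_local or ip.is_private or ip.is_multicast or ip.is_loopback:
            continue
        if ip.is_global:
            return str(ip)
    return None  # no usable address: better to fail than to NAT to fe80::


TCPDUMP_RE = re.compile(r"IP6 ([0-9a-fA-F:]+) > ([0-9a-fA-F:]+):")


def misnatted(line):
    """True when a tcpdump line shows a link-local source headed to a
    non-link-local destination, i.e. the symptom described in the post."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return False
    src = ipaddress.IPv6Address(m.group(1))
    dst = ipaddress.IPv6Address(m.group(2))
    return src.is_link_local and not dst.is_link_local


# Capture lines: the first is quoted from the thread, the second is constructed
# to show what a correctly translated packet would look like.
SAMPLE_CAPTURE = [
    "06:42:07.475749 IP6 fe80::2e0:67ff:fe13:6324 > 2607:f8b0:4005:808::2004: ICMP6, echo request, seq 106, length 72",
    "06:42:08.101010 IP6 2604:abcd:1::10 > 2607:f8b0:4005:808::2004: ICMP6, echo request, seq 107, length 72",
]

if __name__ == "__main__":
    print("translate to:", pick_nat_source(SAMPLE_WAN_ADDRS))
    for line in SAMPLE_CAPTURE:
        print("BAD" if misnatted(line) else "ok ", line)
```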
Title: Re: IPv6 Outbound NAT bug?
Post by: hbc on August 20, 2019, 09:48:38 PM
Why the hell do you need to NAT IPv6?

The smallest recommended IPv6 subnet (/64) can hold the complete IPv4 address space ^2.

No need to masquerade any more. Public IPs for every node.  :)
Title: Re: IPv6 Outbound NAT bug?
Post by: netgeek on August 20, 2019, 11:05:55 PM
If I had a /64 I wouldn't NAT.