Hi,
I am trying to set up NPTv6 for my home with my ISP, which provides IPv6-PD as a /56. I am running 23.1.5_4.
WAN interface is set to DHCPv6, it is getting the IPv6 delegated prefix.
I am already able to ping6 out to the internet from the OPNsense console.
LAN interface is set to static IPv6, with fddd:xxxx:yyyy:z::1/64.
Setup DHCPv6 for LAN, enabled, range fddd:xxxx:yyyy:z::100 to fddd:xxxx:yyyy:z::120.
Firewall > NAT > NPTv6
Interface WAN
Internal IPv6 prefix fddd:xxxx:yyyy:z:: / 64
External IPv6 prefix left it blank.
Save.
ping6 from behind the firewall: no luck.
Firewall > Log Files > Live view
__timestamp__ 2023-04-13T16:56:32-07:00
action [binat]
anchorname
class 0x00
dir [out]
dst 2607:f8b0:4005:813::2004
flow 0x00000
hoplimit 128
interface vlan07
interface_name wan
ipversion 6
label binat rule
length 40
protoname ipv6-icmp
protonum 58
reason match
rid
rulenr 0
src fd0f:xxxx:yyyy:3::100
subrulenr
__timestamp__ 2023-04-13T17:00:40-07:00
action [pass]
anchorname
class 0x00
dir [in]
dst 2607:f8b0:4005:813::2004
flow 0x00000
hoplimit 128
interface vlan01
interface_name lan
ipversion 6
label Allow Outbound
length 40
protoname ipv6-icmp
protonum 58
reason match
rid 8a899f5fb6680084e61474ff6a9575f9
rulenr 182
src fd0f:xxxx:yyyy:3::100
subrulenr
Please help, what am I missing?
Thanks!
You need to set the external prefix to use NPT6. But why use that at all? The reason for delegating a /56 is so you can use up to 256 /64. Ethernet type links are always /64 in IPv6. What does the ifconfig output for your WAN interface look like after acquiring an address from your provider?
I have a Pi-hole as DNS server behind the LAN interface. I would like to set up dual stack on the Pi-hole. I will need to get a static IPv6 address for the Pi-hole. The only way I can think of is by using ULA with NPTv6.
The ifconfig output does not include the prefix delegation information.
Interface -> overview > WAN
Status up
DHCP
DHCPv4 up DHCPv6 up
MAC address <redux> - Intel Corporate
MTU 1500
IPv4 address aa.bb.cc.44/21
IPv4 gateway auto-detected: aa.bb.cc.1
IPv6 link-local fe80::aaaa:ffff:ffff:1/64
IPv6 address 2001:<redux>::65cd/128
IPv6 delegated prefix 2001:<redux>::/56
IPv6 gateway auto-detected: fe80::5555:aaaa:fddd:6666
OK, so you get a single /128 externally and a link local default gateway. This is common best practice.
Why can't you assign the first /64 of your delegated /56 to the LAN interface statically? Does the prefix change? You did not make that clear or I missed it.
NPT6 only works with static prefixes.
I'd recommend using "track interface" if you have a dynamic prefix and instead of a separate pihole run AdGuard Home on your OPNsense.
ULA simply won't work:
https://blog.ipspace.net/2022/05/ipv6-ula-made-useless.html
Quote: Does the prefix change?
The prefix can change (i.e., if I reboot OPNsense).
Quote: NPT6 only works with static prefixes.
OK. I got confused by the full help in the NPTv6 setup.
Quote: Enter the external (WAN) IPv6 prefix for the Network Prefix Translation. Leave empty to auto-detect the prefix address. The prefix size specified for the internal prefix will also be applied to the external prefix.
I thought it would auto-detect.
Thanks for the link to ipspace. Let me read about it.
Since you do not have an external prefix assigned to the interface but only a /128 plus delegation, there is nothing to autodetect. Sorry not to have better news. Dynamic prefixes suck.
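An added example, not part of the thread or of OPNsense's code: a plain 1:1 prefix swap that keeps the host bits (RFC 6296's checksum-neutral adjustment is left out), showing why a fixed external prefix stops matching once the delegated /56 changes. All prefixes, the host address and the subnet index are constructed sample values.

```python
import ipaddress

# Constructed sample values (ULA and documentation prefixes), not the poster's.
INTERNAL = "fd00:aaaa:bbbb:3::/64"
HOST = "fd00:aaaa:bbbb:3::100"


def nth_subnet(delegated, index, new_prefix=64):
    """Return the index-th /64 inside a delegated prefix (a /56 holds 256)."""
    net = ipaddress.IPv6Network(delegated)
    count = 1 << (new_prefix - net.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"{net} holds only {count} /{new_prefix} subnets")
    base = int(net.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def translate(addr, internal, external):
    """Swap the internal prefix for the external one, keeping the host bits."""
    inside = ipaddress.IPv6Network(str(internal))
    outside = ipaddress.IPv6Network(str(external))
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("internal and external prefix lengths must match")
    host = ipaddress.IPv6Address(addr)
    if host not in inside:
        raise ValueError(f"{host} is not inside {inside}")
    host_bits = int(host) & int(inside.hostmask)
    return ipaddress.IPv6Address(int(outside.network_address) | host_bits)


def external_for(delegated, index=3):
    """External address HOST maps to while `delegated` is the current PD prefix."""
    return translate(HOST, INTERNAL, nth_subnet(delegated, index))


if __name__ == "__main__":
    before = external_for("2001:db8:1200::/56")
    after = external_for("2001:db8:5600::/56")  # the ISP handed out a new /56
    print(before, after, "static rule still valid:", before == after)
```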
Quote: Since you do not have an external prefix assigned to the interface but only a /128 plus delegation, there is nothing to autodetect. Sorry not to have better news. Dynamic prefixes suck.
Thanks for the explanation on NPTv6! I am happy that I don't need to use 6in4 tunnel anymore!