Do not make tutorials on websites; people cannot think outside the box.
People are too stupid.
The inside-the-box thinking is strong with this one.
The whole point of IPv6 is that NAT must die. It breaks the end-to-end principle upon which the Internet was built, and there already are lots of applications giving firewall admins headaches because of NAT - FTP (ok, deserves to die, too), VoIP, ...
Internal does in no way necessarily mean NAT. You can have well segregated networks across multiple locations all connected by secure VPNs and use the same GUAs the systems use to access the Internet for internal communication, too.
You could even do this back in the IPv4 days when everybody got globally routed prefixes easily.
"Internal" and "special private addresses" are not connected. "Internal" is a qualifier of your network topology and nothing more.
Thanks for the guide! I can understand and relate to both sentiments; years ago I'd have been thrilled to have a "personal" IP so I could just send print jobs to my home printer instead of emailing attachments, with the convenience of not needing dynamic DNS even.
But today the sole reliance on properly configured and working firewall rules seems to not suffice to counter the ever-increasing threat the internet poses. So now that I have it, I don't want it anymore.
And AFAICS, the one singular purpose of a firewall is to break connectivity, it's the whole idea behind it. So it makes sense to have an additional layer of "connectivity breakage by default", unless you truly need to provide services that cannot be put in a DMZ, for which you'd be willing to lower the "breakage level". It's all a matter of use case, and the real boon of IPv6 to me is not to be forced to use one or the other, even if the use case doesn't lend itself well to it, anymore.
Plus I don't feel like reconfiguring all my devices whenever I change ISPs or when/if they decide to send me a different prefix. So I looked for guides such as this, and before finding yours I found this one:
https://blog.apnic.net/2018/02/02/nat66-good-bad-ugly/
I totally love how he clearly expresses his resentment of NAT, in a refreshingly humorous way, only to grudgingly set it up himself because it provides a solution to his problem. :)
Right, the actual thing I'd set out to ask is whether using the officially assigned "private" range (ULAs, fc00::/7), which makes the system prefer IPv4 over IPv6, would be an impediment if I relegate IPv4 to local hosts only anyway, using IPv6 for WAN exclusively?
Edit: seems like it is ( https://datatracker.ietf.org/doc/html/draft-buraglio-v6ops-ula-05 ) in cases of v6-only hosts (do those even exist yet?) or if I deny outbound IPv4. I'd still rather use the ULAs over other ranges in the hope they'll be declared "unroutable" and therefore unable to leak into the internet because the first ISP router would block them.
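Added example, not code from this thread: a cut-down RFC 6724 destination ordering that shows the ULA-versus-IPv4 preference the linked draft deals with. The host addresses and the server's A/AAAA records are constructed; the policy table is the RFC 6724 default, and only Rules 1, 5, 6 and 8 are implemented.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1 as (prefix, precedence, label).
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]]

def to_v6(addr):
    """RFC 6724 treats IPv4 addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a

def policy(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = to_v6(addr)
    best = max((n for n, _, _ in POLICY if a in n), key=lambda n: n.prefixlen)
    return next((prec, label) for n, prec, label in POLICY if n == best)

def common_prefix_len(a, b):
    return 128 - (int(to_v6(a)) ^ int(to_v6(b))).bit_length()

def pick_source(dst, sources):
    """Source selection reduced to Rule 6 (matching label) and Rule 8 (longest prefix)."""
    is_v4 = to_v6(dst).ipv4_mapped is not None
    cands = [s for s in sources if (to_v6(s).ipv4_mapped is not None) == is_v4]
    if not cands:
        return None
    dlabel = policy(dst)[1]
    return max(cands, key=lambda s: (policy(s)[1] == dlabel, common_prefix_len(s, dst)))

def order_destinations(dsts, sources):
    """Destination ordering reduced to Rules 1, 5, 6 and 8; first entry is tried first."""
    def key(d):
        s = pick_source(d, sources)
        if s is None:                      # Rule 1: no usable source -> try last
            return (0, False, 0, 0)
        prec, dlabel = policy(d)
        return (1, policy(s)[1] == dlabel, prec, common_prefix_len(s, d))
    return sorted(dsts, key=key, reverse=True)

# Constructed scenario: a dual-stack server reachable by AAAA and A record.
SERVER = ["2001:db8::1", "203.0.113.5"]

if __name__ == "__main__":
    for host in (["192.168.1.10", "fd07::10"],        # ULA only -> IPv4 wins (label 13 != 1)
                 ["192.168.1.10", "2001:db8:1::10"],  # GUA -> IPv6 wins
                 ["192.168.1.10", "f777::1"]):        # outside fc00::/7 -> label 1, IPv6 wins
        print(host, "->", order_destinations(SERVER, host))
```

A ULA source carries label 13 while a GUA destination carries label 1, so Rule 5 fails and the IPv4 record is tried first; any source outside fc00::/7 carries label 1 and flips the result, which is the entire mechanism behind the f777::1 change made later in the thread.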
I built something that might be interesting to you. Will be an available plugin soon:
https://github.com/Monviech/ndp-proxy-go
https://github.com/opnsense/plugins/pull/4998
I'm not sure it can help if the ISP monitors your router's MAC address and makes sure it never has more than 1 GUA in their NDP table... that's on a whole different level of petty xD.
With this proxy it looks like your router has multiple GUAs on the WAN interface, since it pretends it's your clients, but responds with its own MAC address instead. In the provider NDP table the same router MAC would have multiple entries with different GUAs.
It also doesn't help if the evil ISP only hands out a single IA_NA (/128) and nothing more.
Hi Millerwissen,
Thanks for your extensive information!
My ISP issues just a /64 prefix by DHCPv6 on WAN, and the suffix is derived from MAC addresses by SLAAC on LAN.
This means that each of my servers exposed to WAN has a unique, routable address. This is desirable since it means that the IPv6 addresses are predictable and fixed, but not ideal.
But it also means that other devices (I'm talking about devices other than the servers) are exposed using the RA.
Therefore they could be tracked across the internet. Does it make sense to translate these addresses at the OPNsense router using your (no. 3) method?
Also I would like to improve network segregation using your approach. On the other hand I don't want to "mess up" my network.
I have already changed any ULA addresses I use from fd::/8 to f000::/4. But since this range is not considered "bogon", I still need to add firewall rules for blocking f000::/4 out from WAN.
Thanks. I didn't express myself clearly, which is important with these complicated matters ;)
So far the following is updated and working:
- Created virtual IPv6 address f777::1 instead of fd07::1 to prevent IPv4 preference, as described in your first post.
- Set up NAT66 to translate all routable addresses of LAN devices (other than the servers) to a virtual IPv6 routable address based on the /64 prefix from the ISP. The suffix is not based on a MAC address. Does it matter what suffix I choose? Just the first address in the range (::1) or the last or anything?
I think it would be good to regularly rotate the address. Is there a way to do this automatically?
- Set up floating FW block rules for the f000/4 address space.
I plan to see how this works for a while.
PS: Please explain why traffic to multicast addresses like ff::/8 needs to be allowed to WAN as in your example. These addresses are normally not forwarded to WAN.
Let me be clear that you should do none of those things.
There are solutions to these problems, but not those.
There are even problems where NPTv6 is a legitimate solution (small site multihoming, for example), but not that one.
But maybe I don't understand, so, tell me, what problem does all of that actually solve?
EDIT: If you really want to know how to do IPv6 in your local network, I would advise you to read https://forum.opnsense.org/index.php?topic=45822.0 .
Globally unique addresses everywhere, not necessarily globally reachable. That's exactly what firewalls are for.
And a common prefix size of /56 for an individual or /48 for a company is more than enough room for "hierarchy and complex site-to-site intranets". Even more so, because you will never have address conflicts.
Definitely one of the more bizarre threads around here.
Just as a PSA for newbies stumbling over this: Do whatever you want in your own private networks, but the ideas presented here are pretty fringe and in no way best practice or widely accepted.
(First and only comment.)
Cheers
Maurice
Indeed, it may seem pretty 'fringe' haha.
I'm not understanding everything, but the things I do get and agree with I have implemented.
My goal is to see how this works for some time.
I'm especially fascinated by replacing the suffix of the IPv6 address for all devices on LAN by some random address using Outbound NAT.
For now I have created ~20 random suffixes and loaded these in an alias. These are used round-robin (sticky).
Since I have a fixed IPv6 prefix, I don't need to worry about that changing. I plan to rotate these random suffixes regularly, but would love to see a more automatic solution.
Thanks Millerwissen for your time and ideas.
Quote from: Kets_One on November 04, 2025, 08:12:30 PM
I'm especially fascinated by replacing the suffix of the IPv6 address for all devices on LAN by some random address using Outbound NAT.
For now I have created ~20 random suffixes and loaded these in an alias. These are used round-robin (sticky).
Why bother? IPv6 privacy extensions do that for free when you use SLAAC. (https://datatracker.ietf.org/doc/html/rfc8981)
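Added example, not code from this thread, for the two points raised above (MAC-derived suffixes being trackable, and privacy extensions doing the rotation for free): it derives the modified EUI-64 identifier from a constructed MAC address and generates a temporary identifier the way RFC 8981 does, retrying when it lands in an RFC 5453 reserved range. The prefix and MAC are constructed values.

```python
import ipaddress
import secrets

# Interface identifiers reserved by RFC 5453 (inclusive ranges); RFC 8981 section
# 3.3.1 requires a temporary identifier that falls in one of them to be regenerated.
RESERVED_IIDS = [
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005efffe000000, 0x02005efffeffffff),  # IANA Ethernet block incl. proxy mobile
    (0xfdffffffffffff80, 0xfdffffffffffffff),  # reserved subnet anycast
]

def eui64_iid(mac):
    """Modified EUI-64 (RFC 4291 App. A): split the MAC, insert ff:fe, flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def is_reserved_iid(iid):
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)

def temporary_iid(rng=secrets.randbits):
    """Random 64-bit identifier as in RFC 8981; rng is injectable for testing."""
    while True:
        iid = rng(64)
        if not is_reserved_iid(iid):
            return iid

def slaac_address(prefix, iid):
    """Combine the /64 prefix from the Router Advertisement with an identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & 0xFFFFFFFFFFFFFFFF))

if __name__ == "__main__":
    PREFIX = "2001:db8:1::/64"          # constructed ISP prefix
    MAC = "00:11:22:33:44:55"           # constructed NIC address
    stable = slaac_address(PREFIX, eui64_iid(MAC))
    print("EUI-64 address (same identifier on every network, forever):", stable)
    for _ in range(3):                  # each call is one RFC 8981 rotation
        print("temporary address:", slaac_address(PREFIX, temporary_iid()))
```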
Ok, the way to do this by the book:
- use GUA internally to reach the internet
- use ULA (as secondary address) and/or IPv4 addresses for internal addressing, primarily if you have internal servers that need static addresses
- firewall using the above addresses you assigned. OPNsense has the functionality to support this using dynamic IPv6 address objects or interface address objects
Let me stress that NAT is not a security feature - firewalling is used for that. NAT is only relevant if there is a routing / addressing issue that cannot be solved in any other way. Using reserved addresses is never a good idea - renumbering of static networks is potentially a huge hassle, and you may be forced to if those addresses are used in the future.
The only reason I can see for NPTv6 is if you have a small site with dynamic IPv6 addresses that is multihomed. In that case in my opinion it is necessary to NPTv6 the secondary uplink in order to solve some problems regarding source address selection on the client.