OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: Redmond on December 13, 2025, 08:47:45 AM

Title: How to prevent outside use of Tayga's translation pool?
Post by: Redmond on December 13, 2025, 08:47:45 AM
I need to use a GUA prefix for the pool. So, I selected a /96 from the address space provided by my ISP. Internal usage works fine, but it also appears to be accessible from outside. How can I prevent this through the firewall?
Title: Re: How to prevent outside use of Tayga's translation pool?
Post by: Maurice on December 13, 2025, 11:53:33 AM
By default, it shouldn't be accessible from the outside. External access would require creating an allow rule on the WAN interface. So you might want to check your firewall rules.

Cheers
Maurice
Title: Re: How to prevent outside use of Tayga's translation pool?
Post by: Redmond on December 13, 2025, 11:33:57 PM
Quote from: Maurice on December 13, 2025, 11:53:33 AM
By default, it shouldn't be accessible from the outside. External access would require creating an allow rule on the WAN interface. So you might want to check your firewall rules.

Cheers
Maurice

The only rules on my WAN interface are the automatically generated rules. (https://i.imgur.com/sRszVP8.png)
Title: Re: How to prevent outside use of Tayga's translation pool?
Post by: Redmond on December 13, 2025, 11:48:20 PM
Watching Live View, though, it seems that an auto rule is passing it back out. The src is not one of mine. I don't see anything in regard to the in direction.
Title: Re: How to prevent outside use of Tayga's translation pool?
Post by: Maurice on December 14, 2025, 04:07:13 AM
The screenshot shows a packet passing the nat64 interface. That's an internal virtual interface connecting Tayga to the kernel. In this context, "let out anything" means "allow the kernel to send packets to Tayga".

Do you only see such matches for ICMPv6? The default rules allow certain inbound ICMPv6 types on all interfaces, like Destination Unreachable or Time Exceeded.

Do you maybe use Tayga as a CLAT?

Cheers
Maurice
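To make the distinction in the reply above concrete, here is a hand-written pf.conf fragment (an added illustration, not OPNsense's generated ruleset or anything from the Tayga how-to). It assumes a WAN interface name, Tayga's virtual interface name, and a documentation-prefix stand-in for the /96 pool; all three are placeholders.

```pf
# Constructed pf.conf fragment; names below are assumptions, not OPNsense defaults.
wan        = "vtnet0"               # WAN interface (assumed name)
nat64_if   = "nat64"                # Tayga's internal virtual interface
nat64_pool = "2001:db8:64:64::/96"  # stand-in for your real GUA /96 pool

# A "let out anything" match on the nat64 interface corresponds to a rule of
# this shape: the kernel handing packets to Tayga, not traffic leaving to WAN.
pass out quick on $nat64_if all

# The inbound ICMPv6 error types that default rules allow on all interfaces
# (needed for PMTUD and traceroute). These will also match for pool addresses,
# which is why a Live View filter on the pool prefix can show ICMPv6 alone.
pass in quick on $wan inet6 proto ipv6-icmp icmp6-type { unreach, toobig, timex, paramprob }

# Without an explicit pass rule, nothing else from outside reaches the pool.
# Logging the block makes any real inbound attempts visible in the firewall log.
block in log quick on $wan inet6 from any to $nat64_pool

# Catch-all for everything else arriving on WAN.
block in log on $wan all
```

`pfctl -vnf <file>` parses the fragment without loading it, and `pfctl -sr` lists the rules actually active, which is the quickest way to confirm that no pass rule on WAN covers the pool prefix.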
Title: Re: How to prevent outside use of Tayga's translation pool?
Post by: Redmond on December 14, 2025, 05:23:24 AM
Fair.

That's all I see if I filter for the translated prefix.

I set up Tayga with https://docs.opnsense.org/manual/how-tos/tayga.html. I'm trying to go IPv6-Mostly, so I do use Tayga as a CLAT on my desktop for 464XLAT.

It isn't just ICMPv6 messages getting in. But Live View doesn't show it.