Hello,
I have a dual-stack connection with a dynamic prefix for IPv6 and set a delegation size of /58 for the WAN interface. I run multiple VLANs with track interface on WAN. I am also running multiple WireGuard servers on the OPNsense.
Assume the following setup:
VLAN 80: GUEST Network 10.100.80.0/24 and prefix ID 0x2
WG_GUEST: GUEST WireGuard instance with tunnel addresses: 10.100.81.1/24 and fda9:7933:346b:100:81::1/64
and a peer with allowed IPs: 10.100.81.100/32 fda9:7933:346b:100:81::100/128 assigned to that instance.
I created a Loopback interface: WAN_WG_GUEST and enabled it, tracking the WAN interface with prefix ID 0x3. Afterwards I created a NPTv6 rule with the following settings:
Interface: WAN
Internal IPv6 Prefix (source): fda9:7933:346b:100:81::/64
Track interface: WAN_WG_GUEST
I have firewall rules in place which allow the required traffic, and my connected peers get an IPv6 address and pass all IPv6 tests online.
My question is: is there something else to consider or change? Is the IP address layout fine? Should I switch to Outbound NAT? I guess NPTv6 is the recommended and compliant approach, or?
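As an added example (not part of the original post, and not OPNsense code), the script below works through the address plan described above: it derives the /64 that a tracking interface with a given prefix ID gets out of a delegated /58, and then maps the peer's ULA address into that /64 the way NPTv6 does, including the checksum-neutral adjustment from RFC 6296 as I read it (whether pf's NPTv6 in OPNsense applies the same adjustment is an assumption I have not verified). The delegated prefix 2001:db8:1234:abc0::/58 is a constructed documentation value; the ULA prefix and peer address are the ones from the post. One thing the script makes visible: the `81` in fda9:7933:346b:100:81::/64 sits in the interface-identifier half of the address, so the /64 the rule actually covers is fda9:7933:346b:100::/64.

```python
import ipaddress

# Values from the post (the ULA prefix as given, normalised to its real /64).
INTERNAL = ipaddress.IPv6Network("fda9:7933:346b:100:81::/64", strict=False)
PEER = ipaddress.IPv6Address("fda9:7933:346b:100:81::100")
# Constructed stand-in for the dynamic /58 the ISP delegates (documentation range).
DELEGATED = ipaddress.IPv6Network("2001:db8:1234:abc0::/58")


def address_words(addr):
    """Split a 128-bit address into its eight 16-bit words (big-endian)."""
    raw = addr.packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_address(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def oc_add(a, b):
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words):
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def oc_neg(a):
    """One's complement negation: a + oc_neg(a) == 0 (0xFFFF) mod 0xFFFF."""
    return 0xFFFF - a


def tracked_subnet(delegated, prefix_id):
    """The /64 a 'track interface' assignment with this prefix ID receives.

    My understanding of the OPNsense setting: the prefix ID fills the bits between
    the delegated prefix length and /64 (6 bits for a /58, so IDs 0x0..0x3f).
    """
    if delegated.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    id_bits = 64 - delegated.prefixlen
    if prefix_id >= (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))


def npt_translate(addr, from_prefix, to_prefix):
    """Map addr from one /64 into another, RFC 6296 style.

    The prefix words are swapped and the one's complement difference between the
    two prefixes is added to the first interface-identifier word that is not
    0xFFFF, so the IPv6 pseudo-header sum (and thus TCP/UDP/ICMPv6 checksums)
    stays unchanged and no transport checksum has to be rewritten.
    """
    if from_prefix.prefixlen != 64 or to_prefix.prefixlen != 64:
        raise ValueError("this example only handles /64 prefixes")
    if addr not in from_prefix:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    from_words = address_words(from_prefix.network_address)[:4]
    to_words = address_words(to_prefix.network_address)[:4]
    words = address_words(addr)
    words[:4] = to_words
    delta = oc_add(oc_sum(from_words), oc_neg(oc_sum(to_words)))
    for i in range(4, 8):
        if words[i] != 0xFFFF:
            adjusted = oc_add(words[i], delta)
            # 0xFFFF and 0x0000 are the same value in one's complement; keep
            # 0xFFFF free as the "skip this word" marker (my simplification).
            words[i] = 0 if adjusted == 0xFFFF else adjusted
            return words_to_address(words)
    raise ValueError("interface identifier is all-ones; cannot place the adjustment")


def checksum_neutral(a, b):
    """True when both addresses contribute the same one's complement sum."""
    norm = lambda s: 0 if s == 0xFFFF else s
    return norm(oc_sum(address_words(a))) == norm(oc_sum(address_words(b)))


if __name__ == "__main__":
    external = tracked_subnet(DELEGATED, 0x3)
    mapped = npt_translate(PEER, INTERNAL, external)
    print(f"NPTv6 rule really covers : {INTERNAL}")
    print(f"WAN_WG_GUEST (ID 0x3)    : {external}")
    print(f"{PEER} -> {mapped}")
    print(f"checksum neutral: {checksum_neutral(PEER, mapped)}")
    print(f"round trip ok   : {npt_translate(mapped, external, INTERNAL) == PEER}")
```

Because the translation is checksum neutral, the translator never has to touch the transport-layer checksum, which is the property that lets NPTv6 run without per-flow state; the round-trip check is the same thing a reply packet from a GUA-only host goes through on the way back in.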
You can do that, absolutely. I've been using the "tracking loopback interface" workaround for getting dynamic subnets into NPT for quite a while now and it works fine.
Be aware though that for your use case, NPT has limited use. As long as the WireGuard clients also have an IPv4 address, NPT will only be used when they need to access hosts which only have a GUA (no ULA, no IPv4).
Cheers
Maurice