I am on 26.1_4 and have Tayga set up according to the NAT64 How-To in the OPNsense documentation. It works just fine, but I am not sure I have the firewall rules set up properly. I have the anti-lockout disabled and only allow access to the OPNsense web GUI via my LAN. For some reason, I can still access the GUI from other VLANs when Tayga is enabled. I notice in the firewall live log that the connection is sourced from the Tayga NAT64 IPv4 pool no matter which VLAN I access the GUI from. As soon as I disable Tayga, the GUI is correctly only accessible from the LAN as I would expect. Any ideas?
If you use firewall rules to block access to specific IPv4 addresses / networks, you also need to block access to the mapped IPv6 addresses / networks.
Example:
You have a firewall rule on the Guest interface which blocks inbound packets to destination 192.168.1.0/24.
When using Tayga with prefix 2001:db8:64::/96, you need an additional block rule for destination 2001:db8:64::192.168.1.0/120.
Also, if you use an FQDN for accessing the OPNsense Web GUI, make sure you have an AAAA DNS record.
Cheers
Maurice
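A small helper for deriving the companion IPv6 block rule from an existing IPv4 rule, as described in the answer above. This is an added example, not code from the thread or from OPNsense/Tayga; it assumes a /96 NAT64 prefix (RFC 6052 style, as Tayga uses), and the prefix and Guest-interface network are the ones quoted in the answer.

```python
import ipaddress
from typing import List, Optional


def nat64_map_network(prefix: str, ipv4_net: str) -> ipaddress.IPv6Network:
    """IPv6 network that a NAT64 /96 prefix maps an IPv4 network onto.

    With a /96 prefix the IPv4 address fills the low 32 bits, so an IPv4 /N
    destination becomes an IPv6 /(96 + N) destination.
    """
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    if pfx.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Network(ipv4_net, strict=False)
    mapped = int(pfx.network_address) | int(v4.network_address)
    return ipaddress.IPv6Network((mapped, 96 + v4.prefixlen))


def nat64_unmap(prefix: str, ipv6_addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a NAT64-mapped IPv6 address, or None when the
    address lies outside the NAT64 prefix (native IPv6 traffic)."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in pfx:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def companion_block_rules(prefix: str, ipv4_blocks: List[str]) -> List[ipaddress.IPv6Network]:
    """For every IPv4 block destination, the IPv6 destination that must also be
    blocked, otherwise NAT64 clients reach the IPv4 network via the prefix."""
    return [nat64_map_network(prefix, net) for net in ipv4_blocks]


def reaches_blocked_ipv4(prefix: str, ipv6_dst: str, ipv4_blocks: List[str]) -> bool:
    """Would an IPv6 packet to ipv6_dst be translated to a blocked IPv4 host?"""
    v4 = nat64_unmap(prefix, ipv6_dst)
    if v4 is None:
        return False
    return any(v4 in ipaddress.IPv4Network(net, strict=False) for net in ipv4_blocks)


if __name__ == "__main__":
    # Constructed sample: the Guest-interface rule and prefix from the thread.
    PREFIX = "2001:db8:64::/96"
    BLOCKS = ["192.168.1.0/24"]
    for rule in companion_block_rules(PREFIX, BLOCKS):
        print("also block IPv6 destination", rule)
    print(reaches_blocked_ipv4(PREFIX, "2001:db8:64::192.168.1.1", BLOCKS))
```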