This has been many hours in the making and much hair-pulling. I'm trying to get T-Mobile Home Internet (TMHI) -> OPNSense -> LANs working with IPv6. There's a lot of community discussion and issues. Overall their implementation is pretty cursed in so many ways and I would not recommend it. I've also seen that NDP Proxy was meant to solve this issue, but I couldn't get it working.
Why I care:
IPv6 is noticeably faster on TMHI. ~15ms stable vs jittery 20-70ms for the IPv4 translation. I assume the IPv4 traffic is routing through an overloaded datacenter.
What I did get working:
I decided to get NAT66 working since TMHI blocks all incoming anyway. There's no hosting behind it and so nothing to be lost from IPv6 NAT translation.
HOWEVER... it took a firewall rule of
Firewall: NAT: Source NAT
Interface: WAN
Version: IPv6
Source Address: <my LAN targets>
Translate Source IP: Single Host or Network
2000:...:...
To get NAT66 working I had to drop in (one of) my literal IPv6 addresses, the GUA (globally routable) one, and it rotates reasonably frequently.
I couldn't track the WAN net like I wanted.
It appears to me that OPNSense is using the ULA link local address for the WAN, and TMHI won't route that to the internet. I just get "unreachable" drops if I put the firewall rule directly on the interface. However, if I pull the full address list and manually type in the 2k series globally routable GUA IPv6 address, it works!
So the question:
The interface gets 3 IPs in the order [ULA, GUA, link-local]. It appears that OPNSense just selects the first address (ULA) and TMHI refuses to route it.
Is there a way to make an alias or similar to slice the interface address into a narrower window? Can I somehow drop all but the ULA from that address?
Any help would be appreciated! This one has been a struggle.
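As an added example (not part of the original post, and not OPNsense's own tooling), the address-selection step the post asks about can be done in a shell function: read the interface's IPv6 addresses one per line, skip ULA (fc00::/7) and link-local (fe80::/10), and return only the globally routable GUA from 2000::/3. The wan_gua helper assumes FreeBSD ifconfig output; the interface name igb0 and the sample addresses are constructed placeholders.

```shell
#!/bin/sh
# pick_gua: read IPv6 addresses (one per line, optionally with /prefix or
# %scope suffixes as printed by ifconfig) and print the first GUA found.
# Returns 1 if the list holds only ULA / link-local addresses.
pick_gua() {
  while IFS= read -r raw; do
    # strip "/64" prefix length and "%igb0" scope id, normalise to lower case
    addr=$(printf '%s' "$raw" | cut -d'/' -f1 | cut -d'%' -f1 | tr 'A-Z' 'a-z')
    [ -n "$addr" ] || continue
    case "$addr" in
      fe8?:*|fe9?:*|fea?:*|feb?:*) continue ;;   # fe80::/10 link-local
      fc??:*|fd??:*)               continue ;;   # fc00::/7 unique local (ULA)
      2???:*|3???:*)                              # 2000::/3 global unicast
        printf '%s\n' "$addr"
        return 0 ;;
    esac
  done
  return 1
}

# wan_gua: pull the live address list for an interface (FreeBSD ifconfig
# output, "inet6 <addr> prefixlen ..." lines) and pick the GUA from it.
# Assumed usage on OPNsense; not run here so the example stays offline.
wan_gua() {
  ifconfig "$1" inet6 2>/dev/null | awk '/inet6 /{print $2}' | pick_gua
}

# Constructed sample in the order the post describes: [ULA, GUA, link-local].
SAMPLE_ADDRS='fd12:3456:789a::1/64
2607:fb90:1234:5678::abcd/64
fe80::1%igb0/64'

demo_gua() {
  printf '%s\n' "$SAMPLE_ADDRS" | pick_gua
}

demo_gua   # prints 2607:fb90:1234:5678::abcd
```

The printed address is what would otherwise be typed by hand into the Source NAT rule's translation target; re-running the selection on a schedule is one way to follow the rotating GUA, but how the result is fed back into the rule is outside this snippet.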