Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - aerandir

Pages1
#1
Tutorials and FAQs / Guide: Achieving Full IPv6 on All VLANs with an ISP-Limited /64 Prefix
September 05, 2025, 09:33:55 PM

TL;DR - The Short Version
My ISP only provides a single /64 IPv6 prefix, making it impossible to give different VLANs their own native IPv6 subnets. The solution is to use a private ULA (Unique Local Address) range for all internal VLANs and create a single IPv6 Outbound NAT rule in OPNsense. This translates the private ULA addresses to the WAN's public IPv6 address, giving every device on every VLAN full internet access.

Summary of Steps - The Long Version

  • Plan Your Network: Choose a private ULA prefix for your network (e.g.,

    Code Select
    fd00:dead:beef::/48) and assign a /64 subnet from it to each of your VLANs.
  • Configure Interfaces: Set up your OPNsense interfaces. The WAN interface gets its public address via DHCPv6. Your LAN/VLAN interfaces are configured with static ULA gateway addresses from your plan (e.g.,

    Code Select
    fd00:dead:beef:10::1/64).
  • Enable Router Advertisements (RA): On each internal interface, enable Router Advertisements in "Assisted" mode so clients can auto-configure their IPv6 addresses. Clients will get DNS server info from your existing IPv4 DHCP setup.
  • Create the NAT Rule: In Firewall > NAT > Outbound, switch to Hybrid mode and add one IPv6 rule. This rule should be on the WAN interface and translate the traffic from your entire ULA source (

    Code Select
    fd00:dead:beef::/48) to the Interface Address.
  • Verify Firewall Rules: Ensure your firewall rules for each VLAN allow IPv4+IPv6 traffic to pass from the local subnet to any.

The Problem: One /64 to Rule Them All

Many of us are enthusiastic about deploying IPv6 on our home networks. The dream is to have multiple, neatly segmented VLANs—for trusted devices, servers, IoT, guests—each with its own properly routed IPv6 subnet.
I want to preface this by saying that I am very new to the world of IPv6, and this entire project has been a massive learning experience. After migrating my home network from pfSense to OPNsense, I spent weeks trying to solve this exact problem. I scoured forums and documentation but couldn't find a clear guide for this specific scenario—or perhaps my inexperience meant I wasn't searching for the right terms. This guide is the product of that struggle, written to hopefully save others the time and frustration I went through.
The core of the issue is that many ISPs create a significant roadblock:
  • They provide only a single /64 IPv6 prefix to residential customers.
  • They often require you to use their provided router, which may or may not support features like Prefix Delegation (PD).
A single /64 prefix cannot be subnetted further for different VLANs. This leaves you with a frustrating choice: give one VLAN native IPv6 and leave the rest on IPv4-only, or dive into complex workarounds that are often unreliable.
After moving from pfSense to OPNsense and spending a great deal of time researching, I found a stable and effective solution. This guide documents how to use Unique Local Addresses (ULA) combined with Outbound NAT (NAT66) to provide robust IPv6 internet access to every device on every VLAN, even with a limited ISP setup.
The Solution: ULA for Internal, NAT for External
Instead of trying to split the unsplittable /64, we will sidestep the problem entirely.
  • Internal Network: We will assign a private

    Code Select
    fd00::/8 ULA prefix to our internal networks. This allows us to create as many /64 subnets as we need for our VLANs, giving us full control over our internal addressing scheme.
  • External Access: We will create a single Outbound NAT rule. This rule will take all outgoing IPv6 traffic from our private ULA range and translate its source address to the single public IPv6 address on our OPNsense WAN interface.

This is conceptually identical to how IPv4 NAT has worked for decades and is a perfectly valid way to handle this common ISP limitation.

Step 1: Plan Your ULA Network
First, choose a ULA prefix for your network. You can use an online generator or create your own
Code Select
fd00::/48 prefix. For this guide, we will use the example prefix
Code Select
fd00:dead:beef::/48.
Next, plan the /64 subnets for your VLANs.

Network NameVLAN IDIPv4 SubnetIPv6 ULA Subnet
LAN (Trusted)10
Code Select
10.10.10.0/24
Code Select
fd00:dead:beef:10::/64
SERVERS20
Code Select
10.10.20.0/24
Code Select
fd00:dead:beef:20::/64
DMZ50
Code Select
10.10.50.0/24
Code Select
fd00:dead:beef:50::/64
GUEST99
Code Select
10.10.99.0/24
Code Select
fd00:dead:beef:99::/64

Step 2: OPNsense Interface Configuration

Assign your IPv4 and the newly planned IPv6 addresses to your OPNsense interfaces.

WAN Interface
  • Navigate to Interfaces > [WAN].
  • IPv4 Configuration Type: Set to DHCP.
  • IPv6 Configuration Type: Set to DHCPv6.
  • Ensure Request only an IPv6 prefix is not checked. You need OPNsense to get a public IPv6 address on the WAN interface itself for the NAT to work.

LAN & VLAN Interfaces
  • Navigate to Interfaces > [LAN] (and repeat for your other VLANs).
  • IPv6 Configuration Type: Set to Static IPv6.
  • In the Static IPv6 configuration section, enter the gateway address for that subnet (e.g.,

    Code Select
    fd00:dead:beef:10::1 with a /64 prefix length).

Step 3: Configure Router Advertisements (RA)

Router Advertisements are essential for your clients to automatically configure their IPv6 settings.
  • Navigate to Services > Router Advertisements > [LAN] (and repeat for other interfaces).
  • Set the Router Advertisement mode to Assisted. This is a flexible option that allows clients to get their address via SLAAC while still getting DNS information from a DHCPv6 server.
  • Set Router Priority to Normal.
  • DNS Configuration: Since your clients will be dual-stack, the simplest method is to let them receive DNS server information via their IPv4 DHCP configuration. Leave the DNS servers field in the RA settings blank. As long as your internal DNS resolver (like Technitium or Pi-hole) can resolve AAAA records, everything will work seamlessly.

Step 4: Create the Outbound NAT Rule

This is the core of the solution.
  • Navigate to Firewall > NAT > Outbound.
  • Change the mode to Hybrid outbound NAT rule generation and click Save.
  • Click Add to create a new rule.
  • Configure the rule as follows:

    • Interface: WAN
    • TCP/IP Version: IPv6
    • Source address: Enter your entire ULA prefix,

      Code Select
      fd00:dead:beef::/48. This single rule will cover all your VLANs.
    • Translation / target: Select Interface Address.
    • Description:

      Code Select
      NAT66 for all ULA networks
  • Click Save and then Apply changes.

Step 5: Verify Firewall Rules

Ensure your internal interfaces have a firewall rule that permits IPv6 traffic to the internet. A default rule allowing traffic from [Interface] net to any is usually sufficient. Just make sure the TCP/IP Version is set to IPv4+IPv6.

Conclusion

By implementing this ULA and NAT66 configuration, you can overcome the limitations of a single ISP-provided /64 prefix. This setup provides stable, firewalled IPv6 internet access to all your internal networks, allowing you to build a fully modern, dual-stack environment without relying on your ISP for proper network delegation.
Pages1