How to prevent outside use of Tayga's translation pool?

Started by Redmond, December 13, 2025, 08:47:45 AM

I need to use a GUA prefix for the pool. So, I selected a /96 from the address space provided by my ISP. Internal usage works fine, but it also appears to be accessible from outside. How can I prevent this through the firewall?

By default, it shouldn't be accessible from the outside. External access would require creating an allow rule on the WAN interface. So you might want to check your firewall rules.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on December 13, 2025, 11:53:33 AM
By default, it shouldn't be accessible from the outside. External access would require creating an allow rule on the WAN interface. So you might want to check your firewall rules.

Cheers
Maurice

The only rules on my WAN interface are the automatically generated rules.

Watching Live View, though, it seems that an auto rule is passing it back out. The src is not one of mine. I don't see anything regarding the in direction.

The screenshot shows a packet passing the nat64 interface. That's an internal virtual interface connecting Tayga to the kernel. In this context, "let out anything" means "allow the kernel to send packets to Tayga".

Do you only see such matches for ICMPv6? The default rules allow certain inbound ICMPv6 types on all interfaces, like Destination Unreachable or Time Exceeded.

Do you maybe use Tayga as a CLAT?

Cheers
Maurice
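An added example, not from the thread and not from the OPNsense or Tayga projects, of the explicit WAN rule the replies above refer to, written in pf syntax so it can be compared with the loaded ruleset. The WAN interface name vtnet0 and the pool prefix 2001:db8:64::/96 (RFC 3849 documentation space) are assumptions; substitute your own. On OPNsense you would not edit pf.conf by hand: the equivalent is a Firewall > Rules > WAN rule with action Block, direction in, IPv6, destination set to the pool prefix, placed above any pass rules (OPNsense rules are first-match, "quick", by default).

```pf
# Added example (not from the thread). Assumed names: vtnet0 is the WAN
# interface, 2001:db8:64::/96 is the Tayga translation pool taken from the
# ISP-delegated GUA space.
wan_if     = "vtnet0"
nat64_pool = "2001:db8:64::/96"

# Drop anything that arrives on WAN addressed to the translation pool.
# Internal use is unaffected: LAN clients reach the pool via the LAN
# interface, and Tayga talks to the kernel over the internal nat64
# interface, so neither path matches "in on $wan_if".
block in quick log on $wan_if inet6 from any to $nat64_pool

# Checks (run on the firewall, as root):
#   pfctl -sr | grep 2001:db8:64::          show the rule as loaded
#   tcpdump -ni vtnet0 ip6 dst net 2001:db8:64::/96
#                                           confirm whether any packet for the
#                                           pool actually arrives on WAN
# From an external host, 192.0.2.1 maps to 2001:db8:64::c000:201 in this
# pool; a ping to that address should time out once the rule is active:
#   ping -6 -c 3 2001:db8:64::c000:201
```

The tcpdump check is the useful one for the Live View observation in the thread: a match on the nat64 interface in the out direction only shows the kernel handing a packet to Tayga, so if nothing for the pool ever appears on vtnet0, the pool is not being reached from outside and the WAN block rule is merely belt-and-braces.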